in credential management - it's Security (NASA is asking you for advice) vs. Convenience of use (all my passwords are the same so I won't forget it)
Last year I was working on a system where we were implementing a 'shared secret' system - just like Yahoo and others, we wanted to allow a person that forgot their password an easy way to recover it. To do this we created a stack of questions so people can choose a few best suited to them. Somewhere in the middle of this design I had one of those "Homer Simpson" moments - DOH! The easier I make it for the embarrassed user to recover his own password, the easier I make it for the hacker to take it over - DOH!!! Apparently I wasn't the only one ...
Yahoo, Hotmail, Gmail all vulnerable to Palin-style password-reset hack
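The recovery design described above (a bank of questions, the user picks a few) can be built so that it is still convenient for the forgetful user while not being an easy second door for everyone else. The example below is added here and is not the post's own code or any product's implementation; the question bank, the PBKDF2 iteration count, the two-answer requirement and the five-attempt lockout are assumptions chosen for illustration. The points it demonstrates are the ones a defender cares about: answers are normalized and then stretched and salted like passwords instead of stored in clear, all enrolled answers must be right and are checked together so a failure does not say which one was wrong, and the attempt counter is the brake that makes the small answer space much less useful.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed question bank, standing in for the "stack of questions" the post describes.
QUESTION_BANK = {
    "q_first_school": "What was the name of your first school?",
    "q_first_pet": "What was the name of your first pet?",
    "q_mothers_maiden": "What is your mother's maiden name?",
    "q_birth_city": "In what city were you born?",
}

REQUIRED_ANSWERS = 2   # assumption: a profile must have at least two enrolled answers
MAX_ATTEMPTS = 5       # assumption: lock recovery after five failed attempts
PBKDF2_ROUNDS = 100_000  # assumption: stretching cost, tune for your hardware


def normalize(answer: str) -> str:
    """Fold case, whitespace and accents so 'SÃO  Paulo ' and 'sao paulo' match.
    This helps the legitimate user without materially widening the guess space."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Security-question answers are low-entropy, so treat them like passwords:
    salted and stretched, never stored or compared in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


class RecoveryProfile:
    """Per-account recovery state: enrolled answers plus a failed-attempt counter."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}  # question_id -> (salt, hash)
        self.failed_attempts = 0
        self.locked = False

    def enroll(self, question_id: str, answer: str) -> None:
        if question_id not in QUESTION_BANK:
            raise ValueError("unknown question")
        salt = os.urandom(16)
        self.records[question_id] = (salt, hash_answer(answer, salt))

    def verify(self, answers: dict[str, str]) -> bool:
        """Return True only if every enrolled question is answered correctly.

        All answers are checked before deciding, so the caller learns only
        pass/fail, not which answer was wrong. Repeated failures lock recovery
        for this account, which is the control that matters for low-entropy
        answers."""
        if self.locked or len(self.records) < REQUIRED_ANSWERS:
            return False
        all_correct = True
        for question_id, (salt, stored) in self.records.items():
            supplied = answers.get(question_id, "")
            if not hmac.compare_digest(hash_answer(supplied, salt), stored):
                all_correct = False  # keep checking the rest; no early exit
        if all_correct:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    profile = RecoveryProfile()
    profile.enroll("q_first_pet", "Fluffy")
    profile.enroll("q_birth_city", "São Paulo")
    print(profile.verify({"q_first_pet": "fluffy", "q_birth_city": "Sao Paulo"}))  # True
    print(profile.verify({"q_first_pet": "fluffy"}))                               # False
```

Usage note: the lockout here is per account and in memory; a real deployment would persist the counter, back it with an out-of-band notification to the account owner, and treat a locked profile as a signal for the security team rather than a dead end for the user.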