Guarding against password reset attacks with pen and paper

With the recent announcements of password breaches at LinkedIn, and warnings from Google about state-sponsored attacks on Gmail accounts, it seems like a good idea now to review some password security basics.  In this blog post, we’re going to take a look at a rather low-tech solution to a decidedly high-tech problem:  How to guard against password reset attacks, and where to securely store the answers to your password reset questions.

Even if you use highly secure passwords, it is possible someone might still be able to compromise your account if they were able to gather enough information about you to know—or at least guess—the answers to your password reset questions.  Many services use the same questions, e.g., your mother’s maiden name, the name of the town you were born in, the name of your first pet and so forth.  Because similar questions are used over and over again to reset passwords, it can be fairly easy, even somewhat boring, for an attacker who gathers this type of information to use it to gain access to all sorts of accounts one might have, from purely social services to financial institutions, or even to commit identity theft.

Password Reset Hack Attacks

Sometimes, though, it’s even simpler than that:  An example of this is former Alaskan governor Sarah Palin, whose personal Yahoo! mail account was compromised via password reset using data about her available from public resources.  Of course, most people are not going to have enough biographical data available online to make such an attack easy…. Or do they?

With the rise of social networking has come a kind of blurring of the sorts of personal information it’s okay – and safe – to put online.  Eager to generate more revenue, social media sites encourage—and in some cases may even require—people to share information about themselves such as birthdays, hometowns, where they went to school and so forth. While this is the sort of information we readily share with friends and family, social media companies request it because it allows for more targeted advertising.  The fact that it is the same type of information needed to perform an attack or an impersonation is not something those companies typically tell you about when asking you to fill out your profile, or when warning you that your profile is not complete.

To date, I cannot recall any criminals going after aggregate personal data en masse in order to perform password reset attacks.  Data breaches typically provide the passwords themselves or other information that can be readily used for identity theft, such as birth dates, information about credit cards and, in some cases, even social security identification numbers.

Defending Your Passwords

But even if you are not a politician, celebrity or somewhere between the two, you should still take steps to safeguard your privacy, and these days that means some creativity is needed when filling out online forms, such as when filling in the answers to questions used to reset a password.

One of the largest problems is, of course, deciding exactly what to enter.  In the case of birthdates, some web sites, such as online stores, might require you to enter your birthdate so they can send you a birthday offer or use it as the answer to a password reset question.  They have no other reason for asking for this information, though, and there’s no guarantee they will keep this information secure or refrain from using it for other purposes, including selling it to marketing firms. On the other hand, there are plenty of web sites—financial, insurance and government all come to mind—where you may not only need to enter your correct birth date but may be obligated to do so.

There’s also another issue to consider, both for you and the web site, and that’s the issue of ethical behavior.  Knowingly providing false data to a web site is something of a gray area, even when there is no legal requirement to provide accurate data.  How does your obligation to provide a web site with correct information balance with your right to freedom from the theft of that data, let alone the issue of privacy?  Measuring these competing—and often contradictory—needs is something everyone has to do for themselves, and we cannot make the decision for you.  You will need to decide if breaking this social contract is justified as a matter of practical protection.

If you have made the decision not to enter your actual birthdate, then what should you enter?  The correct month and day of your birthdate, but the wrong year?  The correct year, but with January 1st as your date of birth?  The date of your favorite holiday?  Making the answers to your password reset questions as unique as your passwords is the key to protecting against attacks on them, so using the same answer over and over again is out:  That simply provides another widely-disseminated piece of information for a criminal to collect during the data aggregation phase of the attack.

One Low Tech Solution

There is a solution, though, and it is a decidedly low-tech one:  Write the answers down in a small notebook (that is, the kind you write in with a pen or pencil, not a laptop computer).  Or, if you are not partial to keeping a little black (or orange) book, a business card or recipe card holder filled with index cards works just as well, too.  Store your little “code book” in the area near—but not directly at—the computer, preferably in a location where it is at least out of sight.  The ubiquitous junk drawer works well for this purpose.  Of course, if you use a computer in a shared area, you might want to look at storing your code book in a locked desk drawer, filing cabinet or safe.

Now that we have discussed what to use your code book for and where to place it for safekeeping, exactly what sort of information should you write in it?  I would recommend something along the following lines:

  • name of web site
  • username
  • date you signed up for the service
  • answer(s) to password reset questions
  • date of last password change (and/or date of next password change)

For additional security, do not store the actual answers to your password reset questions, but rather mnemonics or clues that will remind you, but not an attacker, of the answers.
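The two points above, that a reset answer drawn from a small pool of common facts is easy to enumerate while a unique per-site answer is not, and that the same answer must never be reused across sites, can be made concrete with a small script. This is an added example, not code from the original post or from ESET: it compares the guess space of a "typical" answer with that of a randomly generated one, and scans a code book laid out like the list above for answers that appear at more than one site. The surname list, the site names and the sample code book entries are constructed for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample of answers an attacker could enumerate for a typical
# reset question ("mother's maiden name"). Real lists are far larger, but
# even a list of thousands gives only a handful of bits of uncertainty.
COMMON_SURNAMES = [
    "smith", "johnson", "williams", "brown", "jones",
    "miller", "davis", "garcia", "rodriguez", "wilson",
]

# Alphabet for generated answers; letters and digits are accepted by most
# reset-question forms, which is why nothing fancier is used here.
ANSWER_ALPHABET = string.ascii_lowercase + string.digits


def guess_space_bits(candidates):
    """Bits of uncertainty when an answer is drawn from a known candidate list."""
    return math.log2(len(candidates))


def random_answer_bits(length, alphabet=ANSWER_ALPHABET):
    """Bits of uncertainty for a uniformly random answer of the given length."""
    return length * math.log2(len(alphabet))


def random_answer(length=16, alphabet=ANSWER_ALPHABET):
    """Generate a per-site reset answer from the OS CSPRNG (the secrets module).

    The generated string is what you would write in the code book (or encode
    as a mnemonic); it has no relation to any real fact about you.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reused_answers(entries):
    """Return {answer: [sites]} for every answer used at more than one site.

    `entries` is a list of code-book records shaped like the post's list:
    site, username, signup date, reset answers and last password change.
    Comparison is case-insensitive with surrounding whitespace ignored, so
    "Smith" and "smith " count as the same reused answer.
    """
    sites_by_answer = defaultdict(set)
    for entry in entries:
        for answer in entry["reset_answers"].values():
            sites_by_answer[answer.strip().lower()].add(entry["site"])
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}


# Constructed sample code book (hypothetical sites and users): two entries
# reuse a real surname, one uses a generated answer.
SAMPLE_CODE_BOOK = [
    {"site": "bank.example", "username": "alice", "signed_up": "2010-03-02",
     "reset_answers": {"mother's maiden name": "Smith"},
     "last_change": "2012-05-01"},
    {"site": "shop.example", "username": "alice99", "signed_up": "2011-07-19",
     "reset_answers": {"mother's maiden name": "smith "},
     "last_change": "2012-01-15"},
    {"site": "mail.example", "username": "alice.m", "signed_up": "2009-11-30",
     "reset_answers": {"first pet": "q7m2x9k1p4w8e3r5"},
     "last_change": "2012-04-20"},
]

if __name__ == "__main__":
    print(f"maiden name from {len(COMMON_SURNAMES)} common surnames: "
          f"{guess_space_bits(COMMON_SURNAMES):.1f} bits")
    print(f"random 16-character answer: {random_answer_bits(16):.1f} bits, "
          f"e.g. {random_answer()}")
    print("answers reused across sites:", reused_answers(SAMPLE_CODE_BOOK))
```

Running the script shows the gap the post describes: an answer chosen from even a modest list of real surnames is worth a few bits, while a 16-character random answer is worth over 80, and the reuse check flags "smith" at both the bank and the shop regardless of capitalization.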

During the course of writing this blog post, I came across the rather descriptively-named Personal Internet Address & Password Log Book, which, as the name implies, is a place to store information about your web site and email accounts.  It does, however, contain fields to enter the actual passwords, and not the answers to the questions used to reset those passwords.

Regardless of whether you choose to store password reset answers or the actual passwords, it’s important to keep in mind that the physical security of any written-down information in your notebook—whether it be the passwords themselves or just the responses to password reset challenges—is paramount:  Writing down that information is equivalent to putting your passport, driver’s license, social security card, check book, credit cards and debit cards (and their PINs) all together in one convenient bundle.

If you do not have a place that is physically secure enough to store a password reset notebook in, then you should not be using a notebook for this purpose. Keep in mind that an accident or disaster could result in the notebook being destroyed or unavailable, and plan accordingly.  Another thing to keep in mind is that as a tangible, physical object, your password reset notebook is subject to loss.  Making a copy of it with a photocopier and storing that offsite in a secure location like a safe deposit box is far less risky than scanning it and storing the copy on your PC, where an attacker can access it.

Password Redux

Choosing good passwords and protecting them, along with the answers to the questions which reset them, is vital, but it is only part of the process of staying safe online.  Other important components are keeping your operating system and applications up-to-date and running effective security software on your computer.  Here are some of the recent blog posts and a white paper we have written on the matter:

In November 2010, ESET North America launched Cybersecurity Training to help educate people about the things they need to do beyond running security software to keep themselves safe—something that ESET is the only security vendor to do so far.  This online training is free for users of ESET’s consumer products.  Visit the ESET Cybersecurity Training web site for more information.

If you are looking for even more information about staying safe online, I strongly recommend visiting Securing Our eCity, a non-profit service for protecting yourself, your family and your community from cyberthreats.

The author would like to extend thanks to his fellow password-protector David Harley for assistance in preparing this post.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher
