How I Stole Someone's Identity Using the Internet (sciam.com)
31 points by makimaki on Aug 18, 2008 | 21 comments


This is why you absolutely need to safeguard user passwords. 60-70% of your users will use a variant of their email password for your app as well. Normal people don't memorize or write down 10 passwords, or even 2. Lose a user's password, you've cost them their bank accounts.


You sorta missed the point. Kim never gave a single password out. The "security questions" on one of her accounts allowed access to her account by anyone who could answer them. The weakness was largely her college's fault for having such weak validation, and also her fault for using that email as the secondary for her GMail.


I don't think he missed the point. The point is that user management of multiple passwords just doesn't work. This includes the reusing of passwords for multiple accounts and there being too many disparate password recovery schemes. There is too much asked of both implementers of web apps and users of web apps.


I think the current practices, which enabled this domino effect where the security level of the whole is that of the weakest link, are also to blame. We must find something better.


For some reason, my electric utility has introduced JavaScript that disables copy/paste into the password field of their website. This kills my use of KeePass as an encrypted password vault. If some of the users are going to use KeePass or a similar program, I think this should be encouraged. At least those users won't be subject to these sorts of attacks.


Use the pref that prevents sites from disabling your right click, and use right click paste to paste it in.

That also bypasses any onKeyPress validation.

Or Linux, where you can middle-click to paste.


If you use Firefox, you can use the NoScript Addon to disallow JavaScript on that particular site.


Tried that. In order for the login entry fields to be visible, and the JavaScript routines for login to work, the script has to run.


It's been talked about before, but the "password reset" concept really needs to be looked at. Compromising somebody's e-mail means you have access to everything they've ever signed up for, because every site has a password reset and lots of them just send an e-mail without any further questions.


What's the solution to this? Phone support? You can add "secret questions", but users will lose those too.
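An added example, not from the article or any commenter, of the minimum an e-mailed reset link should enforce: a random token whose hash alone is stored, bound to one account, short-lived, single-use, and voided when a newer one is issued. It limits what a stale, leaked, or replayed link can do and what a dumped reset table is worth; it does not help against a mailbox that is already compromised, which is the thread's point. The lifetime and the sample account are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


class ResetTokenStore:
    """Issues and redeems e-mailed password-reset tokens.

    Only a SHA-256 hash of each token is stored, so a copy of this table does
    not let anyone redeem a link; tokens expire, are single-use, are bound to
    one account, and issuing a new one voids the previous one.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable for testing
        self.pending = {}                  # token_hash -> (account, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account):
        # One live token per account: drop any earlier one before issuing.
        self.pending = {h: v for h, v in self.pending.items() if v[0] != account}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[self._digest(token)] = (account, self.clock() + TOKEN_TTL_SECONDS)
        return token  # goes into the e-mailed link; never logged or stored raw

    def redeem(self, token, account):
        """Return True exactly once, for an unexpired token bound to this account."""
        h = self._digest(token)
        entry = self.pending.get(h)
        if entry is None or entry[0] != account:
            return False
        del self.pending[h]                # single use, expired or not
        return self.clock() <= entry[1]


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("kim@example.edu")     # constructed sample account
    print(store.redeem(t, "kim@example.edu"))   # True
    print(store.redeem(t, "kim@example.edu"))   # False: already used
```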


I've never found myself in a situation where I REALLY need to reset a password to a free web service.

I've had to reset school and bank related passwords, which I've done in person or over the phone.

I have reset passwords for free web services, but I could've lived with just making a new account. If I forgot my password, it's because I'm not using it - if it's free and I'm not using it, chances are I don't really care about it.

I've never had to reset my password for free web services I CARE about, because I use them regularly.

What I'm getting at is - do free services really need unverified password resets? If it's a paid service, it's easier to justify the cost of phone support.


If you keep your company's business in a Basecamp account, and you lose the password, what are you going to do? Give up and spend the money for a new Basecamp account?

People forget passwords all the time. Spend some time in an F2k IT department; they have whole teams of people and actual application development projects dedicated to trying to solve this one problem.


Basecamp isn't free, so they can likely devote a few more resources to a slightly more stringent password reset system than, say, icanhascheezburger.com.

What I was trying to put forward for discussion is the idea that if a site can't do password resets "properly" (by phone? or something more secure than the example given in the article) then maybe it shouldn't do it at all, and that this might not be as catastrophic for the user as it seems, since the site is less likely to be essential.

Looking at what I use online:

- all my server stuff: Extremely important, but it's my own problem.

- online banking, bills, etc: Important stuff, not free. I'd be really upset if I got permanently locked out, but all can be reset by phone.

- Digg, Reddit, News.YC, even Facebook: Not important stuff, free. I wouldn't really care if I have to make another account.

- Gmail: This is the only one which doesn't fit. However, I use it daily, so I'm not going to forget my password. On the flip side, if I used it only once a year, it obviously wouldn't be that important to me.

Yeah, I know it's not very realistic, and it's probably not something I'm willing to practice myself. Consider it a thought experiment.


The best solution, rather than changing every website, is for banks to not offer email password resets. Email password resets are ok when you aren't taking something that should be really secure like your bank account and transferring it to email. It seems almost criminally negligent of the bank.


It's unfortunately also criminally convenient.


I recently set up a new savings account and for some reason when the paperwork came through I couldn't recall the password I had used. Getting a new one issued did require a phone call, but the questions asked were only the standard things like mother's maiden name, first school, etc. These sorts of things are as easy to compromise on the phone as they are online.

On the plus side they only gave me half a password on the phone. The other half was emailed to me.


This is why the answer to my secret question is always my password.


Do people think that a decent OpenID provider would sort this out?

I quite like the idea of using an OpenID provider for everything which had very strong authentication (e.g. RSA fob). You'd only need to log in a couple of times a day with a login timeout of a few hours.



I got caught like this once. Someone hacked a forum I visit, and they got the same password I used for my email. Luckily they didn't do anything, and I changed my password before any damage was done.

Now I have about a dozen different passwords. And to tell the truth it's really not that confusing; I have one main one for BS stuff, but all the vital information usually has its own password.


That domino effect was rather obvious. A slightly less obvious danger: http://vanelsas.wordpress.com/2008/08/18/the-unexpected-dang...



