The long view of security strategies for your network.
Dear Bob,
I am writing to you formally in your capacity as CEO of Metaphoronic Corp., makers of the bioport that I had installed in my lower spinal column last year for direct neural connectivity to my Windows 2010 operating environment. It's been great, by the way: I love the way I can simply think what I want and the system does it. The only problem I've had is what happens when I daydream, but let's not go there.
Today I could not sign into the Web page for the SpinalTap application, which makes adjustments to the interface, and could not find instructions for having my password e-mailed to my registered e-mail account or for resetting it to a temporary password sent by e-mail, so I called your help desk to find out what to do.
The very nice agent cheerfully demonstrated that your help desk has no clue how to deal with lost passwords for SpinalTap. She:
1) Asked me for my user ID: unacceptable because it began a phone-based process for resetting a password;
2) Asked me one of my verification questions (“What was the last name of the girl who arranged for me to step on her foot on a ski trip in 1963?”): UNACCEPTABLE because it means the authentication data are not one-way encrypted;
3) Read me my old password: UNACCEPTABLE because it means the password file is not one-way encrypted!
Normally, passwords and other authentication data are one-way encrypted, that is, hashed: the response the user types is put through the same one-way function (with the same per-user salt) and the result is compared with the stored hash of the correct answer. A stored hash is of no use to anyone who reads it, because for a properly chosen function regenerating the original cleartext from the hash is computationally infeasible. (See my lecture on cryptography fundamentals if you like.)
Access to the authentication questions, to their answers and to the passwords implies that the help desk agent(s) can impersonate customers at any time by logging into SpinalTap using their purloined IDs. The damage to your company's reputation if one of your employees were to sabotage a customer's settings and cause serious harm – psychotic breakdown, for example, due to the impression that two-headed lizards were chewing on his left hallux – could be disastrous.
To put the problem in perspective, it is the same kind of impersonation problem as if a member of your staff were falsely accused of damaging company records, sending inappropriate e-mail within the company or to external recipients, or posting inappropriate materials on a company Web page. Not only would the victim of the impersonation suffer – so would the company.
Although I realize you probably know this perfectly well, for the record, I will assert that:
1) The problem is not the individual help desk agent's: she was courteous and professional and doing her job as she was instructed to do it. She deserves no blame.
2) IMNHO,* the SpinalTap system itself, not the help desk, should have a mechanism for resetting the password by ASKING THE USER the authentication questions on screen and, only if the answers are correct, e-mailing a one-time password to the officially registered e-mail account for recovery.
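To make point 2 concrete, here is an added illustration of such a self-service reset in Python. It is my own sketch for this column, not SpinalTap code or anything Metaphoronic ships, and it assumes an in-memory account store, PBKDF2 with a made-up round count, and e-mail delivery simulated by a return value. The properties it demonstrates are the ones the letter asks for: passwords and question answers exist only as salted hashes, so nobody on the help desk can read them back; a correct on-screen answer earns a single-use, short-lived token of which only a hash is stored; and the token goes only to the e-mail address on file.

```python
"""Self-service password reset that never exposes secrets to staff.

Added example (not a vendor's code): passwords and security-question
answers are stored only as salted PBKDF2 hashes, so neither a help desk
agent nor a stolen database yields the cleartext. A correct on-screen
answer earns a single-use, short-lived reset token; only a hash of the
token is kept, and the token itself is sent to the registered e-mail
address (simulated here by the return value of request_reset).
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000      # assumption: tune so one check costs ~100 ms on your hardware
TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is good for 15 minutes


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalize_answer(answer: str) -> str:
    # Answers are typed by humans: ignore case and stray spaces before hashing.
    return " ".join(answer.casefold().split())


class Account:
    def __init__(self, user_id: str, email: str, password: str, questions: dict):
        self.user_id = user_id
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        # Each question keeps its own salt so identical answers do not hash identically.
        self.questions = {}
        for q, a in questions.items():
            s = os.urandom(16)
            self.questions[q] = (s, _hash(_normalize_answer(a), s))
        self.reset = None  # (token_hash, expires_at) while a reset is pending

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)


class ResetService:
    def __init__(self, accounts: dict):
        self.accounts = accounts

    def questions_for(self, user_id: str) -> list:
        # The questions are shown on screen to the user; the answers never leave the hash store.
        acct = self.accounts.get(user_id)
        return list(acct.questions) if acct else []

    def request_reset(self, user_id: str, answers: dict, now=None):
        """Return (email, token) to deliver if every registered question was answered correctly."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None:
            return None  # same response as a wrong answer: do not reveal which IDs exist
        # Require every question and check every answer, so timing does not leak which one failed.
        ok = len(answers) == len(acct.questions)
        for q, (s, h) in acct.questions.items():
            ok &= hmac.compare_digest(_hash(_normalize_answer(answers.get(q, "")), s), h)
        if not ok:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits: not guessable, not reused
        acct.reset = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL_SECONDS)
        return acct.email, token

    def redeem(self, user_id: str, token: str, new_password: str, now=None) -> bool:
        """Set a new password if the presented token is the pending one and still fresh."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None or acct.reset is None:
            return False
        token_hash, expires_at = acct.reset
        if now > expires_at:
            acct.reset = None  # stale token is discarded, not kept around
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
            return False
        acct.reset = None  # single use: consumed on success
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        return True
```

Note what the help desk can do in this design: nothing except point the customer at the Web page. The agent cannot read a password, cannot read an answer, and cannot trigger delivery of a token to any address other than the one already registered.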
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.