How not to manage lost passwords

Example of the wrong response from a help desk
Security Strategies Alert, by M. E. Kabay, Network World, 09/18/2008
Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Dear Bob,

I am writing to you formally in your capacity as CEO of Metaphoronic Corp., makers of the bioport that I had installed in my lower spinal column last year for direct neural connectivity to my Windows 2010 operating environment. It's been great, by the way: I love being able simply to think what I want and have the system do it. The only problem I've had is what happens when I daydream, but let's not go there.

Today I could not sign in to the Web page for the SpinalTap application that makes adjustments to the interface, and I could find no instructions for resetting the password to a temporary one sent to my registered e-mail address, so I called your help desk to find out what to do.

The very nice agent cheerfully demonstrated that your help desk has no clue how to deal with lost passwords for SpinalTap. She:

1) Asked me for my user ID: unacceptable, because a user ID alone was enough to start a password reset over the phone;

2) Asked me one of my verification questions (“What was the last name of the girl who arranged for me to step on her foot on a ski trip in 1963?”) and checked my spoken answer against one she could see: UNACCEPTABLE because it means the stored answers are readable by the agent, i.e., the authentication data are not one-way hashed;

3) Read me my old password: UNACCEPTABLE because it means the password file is not one-way hashed!

Normally, passwords and other authentication data are stored only as one-way hashes (loosely, "one-way encrypted"): the response the user supplies is hashed, and that hash is compared with the stored hash of the correct answer. The stored hash cannot be turned back into the cleartext; the only way to recover the original is to guess candidate inputs and hash each one, which is why a slow, salted hash function is used and why a verification answer must not be something an attacker can guess in a handful of tries. Nothing in the system, and no employee, should ever be able to display the original answer or password. (See my lecture on cryptography fundamentals if you like.)
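What the letter calls one-way encryption, and the e-mailed reset it asks for, as an added worked example in Python. This is not code from the column or from any real Metaphoronic product; the Account class, the PBKDF2 parameters, the reset-token flow and the sample account are this example's own assumptions. Answers and passwords are kept only as salted, slow hashes; the caller's response is hashed and compared with the stored hash; a lost password is handled by e-mailing a single-use reset token rather than reading the old one back; and the help desk view holds nothing an agent could reuse. The last function shows the caveat the ski-trip question invites: a hashed surname is still only a few guesses away.

```python
# Added example (not from Kabay's column): one-way hashed credentials and a
# lost-password flow that never shows a human the stored secret.
# Class and function names are hypothetical; the sample account is constructed.
import hashlib
import hmac
import os
import secrets
import time
import unicodedata
from typing import Dict, List, Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def _slow_hash(secret: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash; the only way back is guessing."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def normalize_answer(answer: str) -> str:
    """Verification answers are matched loosely (case, accents, spacing) so the
    hashes of 'Smith' and '  SMITH ' agree; passwords get no such treatment."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


class Account:
    """What the server keeps: user ID, question text, salts and hashes.
    Neither the password nor the answer exists anywhere in cleartext."""

    def __init__(self, user_id: str, password: str, question: str, answer: str):
        self.user_id = user_id
        self.question = question  # the question is not secret; the answer is
        self.pw_salt = os.urandom(16)
        self.pw_hash = _slow_hash(password, self.pw_salt)
        self.ans_salt = os.urandom(16)
        self.ans_hash = _slow_hash(normalize_answer(answer), self.ans_salt)
        self.reset_tokens: Dict[bytes, float] = {}  # sha256(token) -> expiry

    def check_password(self, candidate: str) -> bool:
        # Hash the candidate and compare hash to hash, in constant time.
        return hmac.compare_digest(_slow_hash(candidate, self.pw_salt), self.pw_hash)

    def check_answer(self, candidate: str) -> bool:
        digest = _slow_hash(normalize_answer(candidate), self.ans_salt)
        return hmac.compare_digest(digest, self.ans_hash)

    def issue_reset_token(self, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
        """Lost password: mint a random single-use token and store only its hash.
        The token itself goes to the customer's registered e-mail address; an
        agent's screen or a database dump contains nothing reusable."""
        token = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + ttl_seconds
        self.reset_tokens[hashlib.sha256(token.encode()).digest()] = expiry
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        """Accept the token once, within its lifetime, and set a fresh password."""
        expiry = self.reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if expiry is None or (time.time() if now is None else now) > expiry:
            return False
        self.pw_salt = os.urandom(16)  # fresh salt with every new password
        self.pw_hash = _slow_hash(new_password, self.pw_salt)
        return True


def help_desk_view(account: Account) -> dict:
    """Everything an agent needs to help a caller, and nothing that lets the
    agent impersonate the caller later: no hashes, no salts, no answer."""
    return {
        "user_id": account.user_id,
        "question": account.question,
        "reset_pending": bool(account.reset_tokens),
    }


def guess_answer(account: Account, candidates: List[str]) -> Optional[str]:
    """Caveat: hashing does not rescue a low-entropy answer. Whoever holds the
    hash (or has the help desk on the phone) simply tries the likely values."""
    for candidate in candidates:
        if account.check_answer(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample account; the question is the one from the letter.
    acct = Account("mich", "correct horse battery",
                   "Last name of the girl on the 1963 ski trip?", "Smith")
    print(help_desk_view(acct))           # no secret material here
    print(acct.check_answer("  smith "))  # True: same hash after normalization
    token = acct.issue_reset_token()      # would be e-mailed, never read aloud
    print(acct.redeem_reset_token(token, "new password"))  # True
    print(acct.redeem_reset_token(token, "again"))         # False: single use
    print(guess_answer(acct, ["Jones", "Smith", "Lee"]))   # Smith: guessable
```

The reset token, not the old password, is what the help desk should be able to trigger, and even then only to the address already on file; the agent never learns it. The comparison uses hmac.compare_digest so that a wrong guess is not distinguishable by timing, and the token is stored hashed for the same reason the password is: whoever reads the table must still not be able to log in.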

Access to the authentication questions, to their answers, and to the passwords means that your help desk agents can impersonate any customer at any time by logging into SpinalTap with the purloined credentials. The damage to your company's reputation if one of your employees sabotaged a customer's settings and caused serious harm (a psychotic breakdown, for example, brought on by the impression that two-headed lizards were chewing on his left hallux) could be disastrous.

To put the problem in perspective: it is the same kind of impersonation risk as if a member of your own staff were falsely blamed for damaging company records, for sending inappropriate e-mail inside the company or to external recipients, or for posting inappropriate material on a company Web page. Not only would the victim of the impersonation suffer; so would the company.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.

Comments (3)
How not to manage lost passwords, by apeshansky on September 18, 2008, 10:17 am

You forgot to post the reply you got: From: noreply@Metaphoronic.com This is an automated reply to your message to CEO of Metaphoronic Corp. Please do not reply...


Sounds like you're talking about Surewest telephone company in R, by Anonymous on September 18, 2008, 11:42 am

This is exactly how Surewest Communications mismanages passwords for everything from email accounts to online access. As an example, when I want to change password...


Additional Line in the Reply, by Anonymous on November 3, 2008, 11:50 am

To address your issue: Username: Mich New Password: R3Pl$T0#m3@&3ll If you decide to change it, your password must be of similar or greater complexity and...

