
password recovery: is anyone happy?
04-30-2011, 02:25 PM
Post: #1
password recovery: is anyone happy?
The password recovery process gets discussed from time to time, but nothing ever happens. Well, maybe a significant number of customers are perfectly happy with the status quo.

So if anyone likes the way things are, I invite them to say so here, and why. To set the scene, I will say what happens now; then I will say what I think is wrong with it. Then (as a probably irrelevant appendix) I will say what I think *should* happen.

(1) WHAT HAPPENS NOW

On the panel login screen, anyone can enter any email address and press the "please email me my password" button. If the email address corresponds to an active dreamhost account, the password for that account is immediately emailed to that address.

(2) WHAT IS WRONG WITH IT

First, three lemmas:

Lemma 1: dreamhost actively encourages the use of gmail
[img]http://tavoy.net/pix/dh110430a.jpg[/img]

Lemma 2: gmail actively discourages deletion of messages
[img]http://tavoy.net/pix/dh110430b.jpg[/img]

Lemma 3: the dreamhost password recovery email actively encourages you not to fret
[img]http://tavoy.net/pix/dh110430c.jpg[/img]

So: if you behave as actively encouraged to do by dreamhost and gmail,

if you (or indeed anyone else) have ever invoked the dreamhost password recovery mechanism on your email address, then there will be an old message sitting in your gmail account worded as above, and you will not be fretting about it.

This means that whenever you are logged into gmail, if anyone (your prankster brother-in-law, for example) gets hold of your keyboard, while your back is turned for just a few seconds, they can do a quick "search mail" for the text "don't fret", which will bring up any emails which dreamhost has sent you containing your password. They can then return the screen to your inbox, and when you come back a few seconds later, you will be none the wiser. I just tried it, and the process took 7 seconds.

(3) QUESTION: is anyone happy with this?

(4) WHAT I THINK SHOULD HAPPEN

I'm adding this section so that people don't get the idea that doing things properly would make the process horribly complicated. It's actually really simple. The password recovery button should cause an email to be sent to your email address, containing a time-limited invitation to a dialog that asks you your security question and then reveals your password.

~Tom
05-04-2011, 09:16 AM
Post: #2
RE: password recovery: is anyone happy?
Holy cow!

So I just realized I forgot my panel password and did the reset thing expecting to get a new password. Instead I get my actual password, meaning that Dreamhost is storing my password either unencrypted or in a method that has reversible encryption. I'd expect this from my bank, because banks are idiots about computers, but I honestly expected better from Dreamhost.

What's really messed up is that I also forgot my Forum password and had to do the reset for that too, only to find that the forum has better password security than Dreamhost...
05-04-2011, 11:16 AM
Post: #3
RE: password recovery: is anyone happy?
Well, just to give another point of view, I'm quite happy with dreamhost storing our passwords in recoverable form,

thinking about the balance between convenience and risk, and bearing in mind that dreamhost positions itself to attract novice users, which is a good thing cos it (presumably) keeps costs down.

Novices presumably forget their passwords more often than anyone else, and it might be too much to ask of them to create a new password every time they forget their old one.

Also, if the dreamhost citadel is ever breached by an attacker, all of our websites would be in an undefined state (aka toast), and the fact that our passwords have been stolen would be a minor extra detail

(assuming we don't re-use passwords elsewhere ~ which I think even novices ought to be clued up enough not to do)

However, putting a security question in between the email and the password recovery is, surely, an essential step that novices should be able to cope with. "What is your mother's maiden name" is perfectly adequate for first-time users, and more security-conscious folk can dream up their own less crackable questions.

BTW in my previous message, sorry about the non-working bbcodes. I suppose images aren't enabled in this forum. So the magnificent proofs of lemmas 1 to 3 will have to remain hidden.

~Tom
05-05-2011, 04:20 AM
Post: #4
RE: password recovery: is anyone happy?
A recoverable password is not acceptable. That opens a potentially dangerous hole for hackers. It is always suggested to use one-way encryption to encrypt your password. There is no way to retrieve your password, but you can reset it upon request.

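Added example, not code from this thread or from DreamHost: the reset flow that post #1's section (4) and post #4 are describing, written out as a small Python module. The password is stored only as a salted one-way hash, the "forgot password" button produces a random token that is emailed as a link, and the link is accepted only while the token is unexpired and unused; it then sets a new password rather than revealing the old one (post #4's version of the idea, which the server can do because it never has the old password). The "what happens now" flow is included beside it for contrast. The in-memory dictionaries, the 15-minute lifetime, the function names and the example addresses are all assumptions for illustration; the security-question step from post #1 is left out.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a real database (assumption for this example).
USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) hex -> {"email": str, "expires": float, "used": bool}
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of the emailed link
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    # One-way: PBKDF2-HMAC-SHA256 with a per-user random salt. The server can
    # check a candidate password but cannot reconstruct the original, so there
    # is nothing it could mail back to the user.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(email, password):
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_login(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def _token_key(token):
    # Only a hash of the token is stored, so a leaked RESET_TOKENS table cannot be replayed.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def request_reset(email, now=None):
    """The "forgot my password" button. Returns the token that would go into the
    emailed link, or None for an unknown address. The web layer should show the
    same "check your inbox" page in both cases so the button cannot be used to
    test which addresses have accounts."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
    RESET_TOKENS[_token_key(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def complete_reset(token, new_password, now=None):
    """The link in the email. Accepts the token only if it is known, unexpired and
    unused, then installs a NEW password. The old password is never shown because
    the server does not have it, and an old reset email found in a mailbox later
    is worthless once the token has expired or been used."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(_token_key(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True
    set_password(rec["email"], new_password)
    return True


# For contrast, the flow the thread complains about: the stored secret IS the
# password, so "recovery" just mails it back (constructed, not DreamHost's code).
WEAK_USERS = {}   # email -> password in cleartext


def weak_recover(email):
    return WEAK_USERS.get(email)   # whoever pressed the button gets the real password


if __name__ == "__main__":
    set_password("alice@example.com", "correct horse battery")
    tok = request_reset("alice@example.com")
    print("emailed link: https://panel.example/reset?token=" + tok)
    print("reset accepted:", complete_reset(tok, "new password"))
    print("replay accepted:", complete_reset(tok, "another"))
    print("login with new password:", verify_login("alice@example.com", "new password"))
```

The point relevant to the brother-in-law scenario in post #1 is in `complete_reset`: a reset email that is days old fails the `expires` check, and one that has already been used fails the `used` check, so searching the mailbox for old recovery messages yields nothing that still works. With one-way storage, the only thing a fresh reset can do is change the password, which the legitimate owner notices at the next login.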
05-05-2011, 06:15 PM
Post: #5
RE: password recovery: is anyone happy?
(04-30-2011 02:25 PM)tomtavoy Wrote:  The password recovery process gets discussed from time to time, but nothing ever happens. Well, maybe a significant number of customers are perfectly happy with the status quo.

I'm not perfectly happy with anything. But DH's system is convenient enough.

Quote:So if anyone likes the way things are, I invite them to say so here, and why.

Did I mention it was convenient? Oops, yah, did that.
Have I ever needed it? Nope.
Has my password ever been stolen? Nope.
Do I rotate administrative passwords on a reasonably frequent (..if perhaps irregular) basis? You betchya.
Do I have GMail? Sure, why not.
Do I use GMail for web or network administration purposes? Hell no.

But why wouldn't I complain?
Because there's about a gazillion other things I'd rather have the DH folks deal with than molly-coddling them that can't be arsed to remember their own administrative passwords.

Quote:To set the scene, I will say what happens now; then I will say what I think is wrong with it. Then (as a probably irrelevant appendix) I will say what I think *should* happen.

(..deletia..)
(2) WHAT IS WRONG WITH IT
First, three lemmas:
Lemma 1: dreamhost actively encourages the use of gmail
[img]http://tavoy.net/pix/dh110430a.jpg[/img]

Ok, that's worth a big LOLZ if it's your idea of evidence that DH "actively encourages" GMail for administrative accounts.

Quote:Lemma 2: gmail actively discourages deletion of messages
[img]http://tavoy.net/pix/dh110430b.jpg[/img]

Do you use GMail for bank accounting or credit cards or ANYTHING other than maybe a Facebook subscription?
If so, it's a clever strategy you *may* want to re-think.

Quote:Lemma 3: the dreamhost password recovery email actively encourages you not to fret
[img]http://tavoy.net/pix/dh110430c.jpg[/img]

And yet here you are still fretting over it.

(..deletia..)
Quote:This means that whenever you are logged into gmail, if anyone (your prankster brother-in-law, for example) gets hold of your keyboard, while your back is turned for just a few seconds, they can do a quick "search mail" for the text "don't fret", which will bring up any emails which dreamhost has sent you containing your password. They can then return the screen to your inbox, and when you come back a few seconds later, you will be none the wiser. I just tried it, and the process took 7 seconds.

Ok, *definitely* worth a big LOLZ.

If you're logged into an administrative account on your computer and your bro-in-law japes you on it - you got what ya planned for. Which is to say, your clever administrative scheme has failed and you need to devise a new one. If you're THAT INCREDIBLY CARELESS with your administrative information you're just not administrative material.

Quote:(3) QUESTION: is anyone happy with this?

Actually, I'm more satisfied with it now than when I started reading this post. This scheme weeds out the people who think they know how the Internet works and gives them an object lesson in how much they need to learn.

Quote:(4) WHAT I THINK SHOULD HAPPEN
I'm adding this section so that people don't get the idea that doing things properly would make the process horribly complicated. It's actually really simple. The password recovery button should cause an email to be sent to your email address, containing a time-limited invitation to a dialog that asks you your security question and then reveals your password.

Better hope that prankster-in-law of yours doesn't figure out you leave your bank account info on GMail or you may (unwittingly) be buying the beer on his next fun drinking binge. So when that hot chick with an awesome pink headband goes jogging by, keep your eyes on your keyboard lest mayhem occur.

The additional step you're proposing just means another 7 seconds added to the process. Your brother-in-law takes 14 seconds to steal your password instead of 7. If you're using GMail for your admin account(s) you've made a mistake and DH is certainly NOT to blame for it. If you have told your computer to remember a password that it should NOT know and you SHOULD know, again, you've made a mistake that DH is not to blame for.

Dreamhost should add a wiki page about very basic administrative password management and move on to more important things.

Now I'm off to go see how many people in my apartment complex have open wireless connections on their home routers; some Nigerian dude promised me $10,000,000 US if I'd help him send a few anonymous emails and daddy needs a new pair of shoes. And lots of hookers and blow. And maybe a nice Ferrari too.
05-06-2011, 08:04 AM
Post: #6
RE: password recovery: is anyone happy?
Hello netdcon. Your post is quite illogical.

Quote:But why wouldn't I complain?
Because there's about a gazillion other things I'd rather have the DH folks deal with than molly-coddling them that can't be arsed to remember their own administrative passwords.

Molly-coddling "them that can't be arsed to remember their own administrative passwords" is exactly what dreamhost is doing now, by having a password recovery mechanism geared for maximum convenience and minimum security.

I am suggesting that dh improve it to a level of medium convenience and medium security.

Two other posters are saying they should improve it further, to the level of industry-standard security. I also would be happy with that.

The point I am trying to make is that the customers who are most at risk due to the current insecure mechanism are the ones who are least knowledgeable in how to protect themselves through good practice, so if dreamhost wishes to attract novices users (which, as I suggested, benefits everyone by keeping costs down) they really ought to re-think the password recovery mechanism.

~Tom
05-06-2011, 08:38 AM
Post: #7
RE: password recovery: is anyone happy?
I don't see anything wrong with their password recovery procedure. I would rather have my password e-mailed to me instead of having perhaps a link sent to reset the password or something like that. Personally I have never forgotten my password for my account and you should always keep some sort of file with your various accounts and passwords and take proper security measures with it in any case. If you are so concerned with your password being e-mailed to you and the fact that gmail retains your e-mails you should use another e-mail provider. Just because DH can recommend gmail doesn't mean you have to use them. Even gmail gives the option to permanently delete messages instead of keeping them in the trash forever. Wouldn't it be more prudent to not be looking at e-mails that have sensitive information where other people can see you? I think that is most of your concern and not the security of the setup.

05-06-2011, 09:25 AM
Post: #8
RE: password recovery: is anyone happy?
Well maybe you don't have a prankster brother-in-law (PBL), but surely you can imagine what it would be like to have one, and please can you say what is wrong with the following?

PBL knows the email address that you use for admin-related activities. Reasonable or unreasonable? Keeping such an email address secret from close relatives seems excessive.

PBL could surreptitiously get hold of your keyboard for 30 seconds while you are logged into your email. Reasonable or unreasonable? Logging out of email if you are going to leave the room for 30 seconds seems excessive.

Given that, even if you are the kind of person who never forgets your password, PBL can discover your password without you ever knowing.

(In 30 seconds, he can go to the dreamhost login panel, trigger the sending of the recovery email, read it, and delete it.)
05-06-2011, 11:00 AM
Post: #9
RE: password recovery: is anyone happy?
don't let the bastard in your house! Whip his ass! Folks don't mess with my stuff. But here is a hint! takes several minutes. you gots other problems

Mayor
05-06-2011, 12:38 PM
Post: #10
RE: password recovery: is anyone happy?
(05-06-2011 09:25 AM)tomtavoy Wrote:  PBL knows the email address that you use for admin-related activities. Reasonable or unreasonable? Keeping such an email address secret from close relatives seems excessive.

You must be joking. Why would you have any relatives know about your business related e-mail account? If you know this person is prone to messing with your stuff you should change the e-mail address you have associated with DH and any other type of service you administer and keep it to yourself.

Quote:PBL could surreptitiously get hold of your keyboard for 30 seconds while you are logged into your email. Reasonable or unreasonable? Logging out of email if you are going to leave the room for 30 seconds seems excessive.

Logging totally off would be unreasonable. Locking your computer when you know someone might want to do nefarious activities while you step away, however, is highly recommended.

Quote:Given that, even if you are the kind of person who never forgets your password, PBL can discover your password without you ever knowing.

(In 30 seconds, he can go to the dreamhost login panel, trigger the sending of the recovery email, read it, and delete it.)

I assume this person doesn't know your computer password and that even if you allow him to use your computer, it is under a login that you have created for family members that can only do limited activities (like browsing the web but not installing programs). If this is not the case I suggest you set up your computer like that immediately. If you know your computer is not secure you should always lock the screen when you step away from it. Your carelessness and lax security measures in an insecure environment seems to be the real problem.
