password recovery: is anyone happy?
05-06-2011, 01:43 PM
Post: #11
RE: password recovery: is anyone happy?
Quote: But here is a hint! takes several minutes.

Hello mayor, what takes several minutes? I just tested it, and the time from clicking "email me my password" until receipt of said email was 21 seconds, and that is on a dialup connection.

My estimate of 30 seconds for the whole process, on broadband, is quite reasonable.

Ryo-ohki, I am not joking, and I never mentioned anything about "business related".

I am not talking about people who use the web for business and who take a corresponding approach to security.

I am talking about a typical novice user who uses the web for, let us say, a blog.

That such a user should be expected to keep his or her email address secret from their relatives is ridiculous.

That such a user should be expected to lock down their computer when they leave it for 30 seconds is also ridiculous.

The current dreamhost system allows a PBL to discover that user's password in 30 seconds without their ever knowing.

~Tom
05-06-2011, 04:25 PM
Post: #12
RE: password recovery: is anyone happy?
(05-06-2011 01:43 PM)tomtavoy Wrote:  That such a user should be expected to keep his or her email address secret from their relatives is ridiculous.

It is quite common to have one e-mail address that you use for administrative type things and another more personal e-mail address.

Quote:That such a user should be expected to lock down their computer when they leave it for 30 seconds is also ridiculous.

The current dreamhost system allows a PBL to discover that user's password in 30 seconds without their ever knowing.

Those statements are just you not wanting to take responsibility for your own bad personal practices. You think the password protocol should be harder just because YOU don't want to take your own precautions and the fact that you put up with your relative's outrageous behavior instead of beating the fear of god into him with a crowbar.

I have a desktop computer that anybody can use, but they can only surf the web and they cannot install programs on it. I do all of my business on my laptop. I do have an account that family members can get on with the laptop too, though with the same restrictions I have put on my desktop. If you are in a household that always has people over, it is only common sense to lock the screen if you have to step away, lest they snoop somewhere they shouldn't. If your brother-in-law cannot control himself with your personal property, I recommend you stop allowing him into your house or putting yourself in a position that would gain him access to your equipment. If you cannot avoid that, it is only common sense to lock the screen, as it only takes a moment to lock it and another moment to get yourself back in, and you don't have to worry about your information being compromised.

05-06-2011, 06:49 PM
Post: #13
RE: password recovery: is anyone happy?
Passwords should never be sent via unsecured email (or even revealed on the screen) - period.

Correct procedure should always be to email an expiring link to reset the password. That link should ask a security question and, on positive identification, should prompt for a new password.

It's no more difficult for a novice user than the current highly INSECURE system being used.
05-07-2011, 02:47 AM
Post: #14
RE: password recovery: is anyone happy?
(05-06-2011 04:25 PM)Ryo-ohki Wrote:  You think the password protocol should be harder just because YOU don't want to take your own precautions and the fact that you put up your relative's outrageous behavior instead of beating the fear of god into him with a crowbar.

That is wrong. I don't even have such a relative. Please can you try to address the argument ... which is that the dreamhost protocol defies recommended practice, for no good reason.

Unless anyone can think of a good reason for it. Which no one has, yet.

~Tom
05-08-2011, 05:34 AM
Post: #15
RE: password recovery: is anyone happy?
No response? I guess people aren't taking the prankster brother-in-law scenario very seriously. Let me try another.

There may well be flaws in the following (actually, I hope there are!) and I hope someone will point them out.

Numerous articles in reputable magazines explain how it is possible for malfeasants to snoop unencrypted internet traffic; for example, http://www.wired.com/threatlevel/2008/08...ed-the-in/

Quote: Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

Two posters in this thread have explained how it is good practice to keep one's dreamhost account email address effectively secret; however, this address is likely to be used also for receiving dreamhost monthly newsletters and (if dreamhost is also one's domain name registrar) annual ICANN-mandated whois reminders.

So,

(1) Malfeasant (M) snoops internet traffic looking for text which occurs in dreamhost newsletters or in whois reminders sent by dreamhost, and thereby harvests email addresses used for dreamhost accounts;

(2) M triggers the sending of the password recovery email to such addresses;

(3) M catches some of those emails and reads the passwords.

Please can someone explain why that wouldn't work?

~Tom
05-08-2011, 08:45 AM
Post: #16
RE: password recovery: is anyone happy?
Quote: Numerous articles in reputable magazines explain how it is possible for malfeasants to snoop unencrypted internet traffic;

Gmail gives the option to always use https for a reason. It doesn't do you any good if you don't use it. Also there are steps you can take for your own machine to make sure any data you transmit is encrypted. If people would take more responsibility for their own security instead of being so lax about it they wouldn't be bothered with the concerns you seem to be having.

I doubt anyone would go to such lengths just to compromise someone's web hosting account in any case. Even if they did it to upload malicious code or deface your website that would just be a minor event. DH has backups you could use to restore your account (or if you kept your own backup of recent changes you could restore it manually). As for the end user they should have certain security measures in place to make sure their systems aren't compromised by running across a website with malicious code.

Would you prefer DH to have no password recovery procedure at all? Even if they had a tougher password recovery option you would still have the same concerns. It is more likely that someone who has it in for you personally would try to use a brute force attack on your specific account than it would for some random data sniffer to use any information they gained to get into some random person's account. Using an expiring link would have the same issues even if you had to answer security questions once you clicked on it. That would be even worse for someone if they can't even remember what their password was. You may think that is unlikely for someone to forget both but that's wrong. I took numerous calls from people who not only forgot their online passwords (for their cellphone accounts), they forgot the security questions too and the password on their billing accounts.

Snoopers want to get information that would benefit them in some way. Also they want to gather data quickly with very little manual intervention on their part. They may want your credit card details if possible or to sell e-mail addresses. Wanting DH to change their password recovery procedure for either of the scenarios you have is just not warranted because it is just common sense for people to be taking their own security measures to make sure their information isn't compromised. If you kept an encrypted file on your computer with a list of your accounts and passwords you would never need to even use the password recovery mechanism. Switching on the https connection for gmail (or whatever other email service you use hopefully would have the same options) is only good practice as well as encrypting any information you have to be transmitting from your machine. It seems that you are just unwilling to take measures into your own hands at all like the rest of the more security conscious denizens of the intarwebs.

05-08-2011, 09:27 AM
Post: #17
RE: password recovery: is anyone happy?
Hello again Ryo-ohki, there are several things I don't understand in your reply.

First, how does https help in this context? The problem is that the emails which dreamhost sends to the customer's email address are not encrypted. How can a customer make sure that those emails are encrypted? As far as I can see, https doesn't have any relevance here.

Second, I do appreciate that when you say "you" it is probably a generic "you", but it might help if I make it clear that I have no concerns about my own security practices. Also, I have never forgotten a password and never needed to use any organization's password recovery mechanism. I do, however, use such mechanisms in order to check the security of their methods.

Also, I have no significant concern that malfeasants might particularly want to corrupt my websites especially. The majority of your post seems to be addressing that non-concern. (Also, please understand that I have no prankster brother-in-law. My previous scenario was entirely based on the fact that many people do.)

The scenario I have outlined is where M gains a random selection of dreamhost passwords in order to inflict random mayhem. Not to me personally, nor to you personally, just random. That is what hackers quite often like to do.

This discussion would be much more useful if you could try to keep personalities out of it!

Third, the improved password recovery mechanism which I outlined in the opening post would entirely defeat the attack I have described. And the even better mechanism requested by patricktan would defeat even more attacks. So why do you say, "Even if they had a tougher password recovery option you would still have the same concerns"?

Thanks
~Tom
05-08-2011, 11:35 AM (This post was last modified: 05-08-2011 11:36 AM by Ryo-ohki.)
Post: #18
RE: password recovery: is anyone happy?
The https was in reference not to the DH e-mail being sent to you but to you checking your gmail account, but it doesn't matter. Let's say that DH was using the method that patricktan suggested and only allowed you to reset the password. While it would make it more of a hassle for an actual person to follow these steps, a hacker wouldn't mind doing it vs. someone who is just snooping for as much data and account information as possible at random for whatever nefarious purpose they have in mind. It is far better from a security perspective for people to use unique passwords for their accounts instead of using the same password everywhere, when they also tend to use the same or similar usernames as well. This way, if one account is compromised you don't have to worry about other accounts elsewhere that have the same username, e-mail, and password associated with it. Also, if DH sets up the system that way, how are you going to get your password if you forgot the security question, as I have mentioned before? DH doesn't operate by phone unless you pay for it, so you cannot call in to have it reset. Just having an expiring link wouldn't work either if we are under the assumption that whoever is grabbing your information is going to act upon it immediately. You are just adding more steps they have to take to gain access into your account, not making it impossible. The effort it would take to change the system is just not worth it on DH's end, and the hassle it would create for customers who simply want to know what their password was and not have to pick something else that they would end up forgetting (since they obviously don't save their passwords somewhere themselves) and having to reset it again. I will restate that it is still more likely someone will use a brute force attack on accounts than it would be for someone to use a BGP attack to monitor DH traffic or to be sniffing local traffic over insecure wifi connections.
The greater majority of people use words that can be found in the dictionary for their passwords instead of a combination of letters, numbers and special characters, so it would be a lot more productive to go that route.

05-08-2011, 01:04 PM
Post: #19
RE: password recovery: is anyone happy?
Hi again, we can surely rule out brute force attacks against dreamhost passwords. There are absolutely standard mechanisms for making those totally infeasible (for example, by slowing down repeated login attempts) and it would be unbelievably shocking if some such were not in place for dreamhost.

(Of course, I'm not going to test that, for obvious reasons. I hope someone knowledgeable can confirm it!)

I have to confess that as far as I can see, the rest of your remarks, though interesting, really don't bear on the problem in hand. If you could explain more clearly, that would be great. In particular, please consider the following:

(1) the security question mechanism (placed in between receipt of the email and the password revelation or re-set) defeats any automated attack, and if the user has chosen well, it also defeats any feasible human attack (in exactly the same way that a password does)

(2) forgetting the answer to the security question is obviously much rarer than forgetting a password ... after all, the whole point of the security question mechanism is that the question reminds the user of the answer ... so in those very few cases where a user has forgotten both their password and the answer to their security question, it is quite reasonable that they would have to resort to messaging directly with dreamhost support in order to re-establish their credentials (and this can be done through messaging, it does not need expensive phone support)

So unless I've missed something vital, or misunderstood something, my argument is unaltered.

~Tom
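The reset flow patricktan describes in post #13 (expiring link, then security question, then new password), with the single-use token handling that point (1) of post #19 relies on, as an added Python example that is not code from this thread or from DreamHost; the sample account, the fixed salt, the 15-minute lifetime and the PBKDF2 stand-in hash are constructed assumptions:

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 15 * 60          # assumed policy: a reset link lives 15 minutes
SALT = b"constructed-salt"   # a real system stores a random salt per user

def kdf(secret: str) -> bytes:
    # PBKDF2 stands in for whatever password hash the site already uses.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 50_000)

def normalize_answer(answer: str) -> str:
    # Security answers are compared case- and whitespace-insensitively.
    return " ".join(answer.lower().split())

USERS = {  # constructed sample account, not real data
    "alice@example.com": {
        "pw_hash": kdf("old-password"),
        "question": "Name of your first pet?",
        "answer_hash": kdf(normalize_answer("Rex")),
    }
}
PENDING = {}  # sha256(token) -> (email, expiry); the plaintext token exists only in the mailed link

def request_reset(email: str, now: float):
    """Step 1: mail an expiring, single-use link. The message never carries a password."""
    if email not in USERS:
        return None  # production code should respond identically here to avoid account enumeration
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).digest()] = (email, now + TOKEN_TTL)
    return token  # what the link would contain

def complete_reset(token: str, answer: str, new_password: str, now: float) -> str:
    """Steps 2-3: the link alone is not enough; the security answer gates the password change."""
    entry = PENDING.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None:
        return "invalid-or-used"       # unknown, already consumed, or replayed
    email, expiry = entry
    if now > expiry:
        return "expired"
    user = USERS[email]
    if not hmac.compare_digest(user["answer_hash"], kdf(normalize_answer(answer))):
        return "wrong-answer"          # token is consumed, so a snooped link gives one guess, not many
    user["pw_hash"] = kdf(new_password)
    return "ok"

def verify_login(email: str, password: str) -> bool:
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(user["pw_hash"], kdf(password))
```

Because the mailed token is consumed on first use and expires on its own, a copy of the email captured in transit is worthless once the legitimate user has acted, and is worth a single guess at the security answer otherwise.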
05-08-2011, 05:37 PM
Post: #20
RE: password recovery: is anyone happy?
(05-06-2011 08:04 AM)tomtavoy Wrote:  Hello netdcon. Your post is quite illogical.

I'll resist the urge to make a StarTrek-infused comment for the moment.

Quote: Molly-coddling "them that can't be arsed to remember their own administrative passwords" is exactly what dreamhost is doing now, by having a password recovery mechanism geared for maximum convenience and minimum security.

*You* may have minimal security but I can assure you, mine is quite adequate to the task.

Security is *my* responsibility, not DH's.

Quote: The point I am trying to make is that the customers who are most at risk due to the current insecure mechanism are the ones who are least knowledgeable in how to protect themselves through good practice, so if dreamhost wishes to attract novices users (which, as I suggested, benefits everyone by keeping costs down) they really ought to re-think the password recovery mechanism.

I don't know what level of user DH "wishes" to attract. Here's what I do know:
1) My understanding was that DH provides a "DIY" environment, as opposed to novice-level environment.
2) I've been doing systems and network administration for over 22 years now and I can tell you with some semblance of expertise that *none* of the features at DH lend themselves to novitiate web administration.
3) DH does not provide 24/7 voice phone support. This alone precludes the sort of hand-holding that novice web administration would require.

Just for giggles, I searched the DH web pages for the word "novice". I suggest you try it yourself.
As for novice users keeping costs down - meh. Novice users require more staff, more resources, more-bloated control panel options (such as the one you suggest), and can represent more trouble than they're worth.