-
October 3rd, 2008, 05:19 PM
#31
Originally Posted by nihil
Not really flaws in the service IMO. This sort of thing has been going on for years.
The real flaw is in the users not realising that if they answer the questions truthfully then other people will also know the answers.
Just lie.................. it works every time
I agree. I use a few of the same BS answers on all of the security questions. My wife wouldn't even be able to reset my email account, because my mother's maiden name isn't really vader. [names changed to protect the innocent]
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
October 4th, 2008, 12:08 AM
#32
If you search the archives here, odds are you'll see me saying the password reset trick was already old circa 2003?
Possibly one of my pseudonyms?
Why this sort of thing has been allowed to continue is mind blowing. Although anybody who suggests that people actually secure things themselves by using a "not easily found" answer that doesn't strictly relate to the question has obviously never met a real user. Users are idiots. There is no nice way to put it. The help desk at the federal facility I work had a user turn in a broken mouse, asking for a new one. They simply repackaged the "broken" mouse, gave it to the guy, told him it was a brand new one. They got a call about 15 minutes later from the guy, thanking them for their quick response and the great mouse. It gets worse. Y'all familiar with ToughBooks? Yeah, the nylon stylus the ToughBook tablets use cannot break the screen, the stylus breaks far before the screen does. Of course, we get a shattered screen and a user saying they were just tapping it with the stylus.
Real security doesn't come with an installer.
-
October 4th, 2008, 06:05 AM
#33
Although anybody who suggests that people actually secure things themselves by using a "not easily found" answer that doesn't strictly relate to the question has obviously never met a real user.
On the contrary, I have met lots of them, several of whom have had their e-mail accounts hijacked.
I think that the service providers should give a clear warning of the potential dangers of providing correct information, although there is no real excuse for forgetting your password. Just write it down in the back of your bible or whatever flavour religious book you use................. nobody is going to look there
-
October 6th, 2008, 01:06 PM
#34
I was discussing this last week at lunch with some friends. Interestingly enough some of them use Yahoo mail and their response to forgotten password automated anything is this.
"Anytime I have to answer a predetermined "secret question" in order to gain access to a free service, the answer is always two or three jumps away".
WTF does 2 - 3 jumps mean (Guy's a flippen dataminer for accounting firms - go figure). Anyway, if the question is where did you go to high school, the answer might be back alley - because the one thing I remember most about high school is Laura and my first kiss which was in the alley behind my house.
So much for guessing or social engineering that "secret question"
Anyway I just found that logic interesting. Me, I'd just not use anything that allowed anonymous password changes.
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
October 6th, 2008, 05:18 PM
#35
I think the whole idea of providing not-so-obvious answers to these secret questions is a good work around for the "Forgot-my-password" service flaw.
I think it's my Gmail account that provides the option to write my own question. I think that's a great idea simply because breaking the service is that much more difficult. So instead of the standard 5-10 questions handed on a silver platter to inquisitive malicious users, you could have thousands & thousands of different questions in all kinds of formats. Couple that with some oddball answers and this could really help shore up the "Forgot-My-Password" service security.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
October 7th, 2008, 01:53 PM
#36
Dinowuff - Great logic. Think I am going to use that from now on.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
October 8th, 2008, 03:37 PM
#37
Looks like he was indicted:
Kernell faces a maximum of five years in prison if convicted, along with a $250,000 fine and a three-year term of supervised release. The case is being investigated by the FBI's Anchorage and Knoxville field offices. No trial date is scheduled yet.
Full Story:
http://news.cnet.com/8301-13578_3-10060878-38.html
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
October 9th, 2008, 11:42 AM
#38
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
October 9th, 2008, 01:50 PM
#39
Originally Posted by Cider
Shame, poor guy.
yeah right...booo hooo hooo
The guy's an Id 10 t
He hacks an American vice presidential candidate's email using his own internet access through a proxy...then brags about it......
DUH
you don't think the feds were all over that ASAP
He could have at least used one of the kazillion open WAPs out there...
I have absolutely no sympathy for stupidity
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
October 9th, 2008, 03:32 PM
#40
So if he used an opened WPA then it would be all good
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein