Rory McCune <rorym@xxx.xxx.xxx> writes:

> Andrew Aylett wrote:
>
>> Rory McCune <rorym@xxx.xxx.xxx> writes:
>>
>> <sending new passwords by email>
>>> * while it is pretty common practice, doesn't mean it is a good thing.
>>> A better way is to use secondary questions/answers, set up when you
>>> create the account and then ask that if you forget your password......
>>
>> I'd disagree with that -- it makes the account only as secure as the
>> secondary questions, which is usually less secure than the primary
>> password (if it was as secure, why wouldn't you just use it as the
>> primary means of authentication if it was less likely to be forgotten?).
>>
> Why should the secondary questions be less secure than the password?
> They are just an alternative means of authenticating to the service....
> Remember that not all lockouts occur because you've forgotten your
> password; it is still reasonably common to see people lock themselves out
> of website accounts through multiple typos.

It's almost a given that the questions are less secure -- a password can
be random. Unless the question is 'what is your password?' then it's
probably something factual and supposed to be something that few people
would know, but it's still a fact that could be found out by other people
without resorting to asking you.

> The reason I'm not fond of e-mail as an E-Commerce communications method
> is that it is very easy to forge e-mail, as such I think e-commerce and
> banking sites should be moving away from using it where possible so
> people are less likely to trust e-mails that appear to be from their
> bank (the phishing attacks that have happened recently are a good
> example).

That's why I think that signed and encrypted is the way to go -- we
already do that with SSL enabled websites.

> Also people change their e-mail addresses, and if they forget to update
> the registered address on a site and then lock themselves out, they can
> then have no easy way of getting back into the site...

This is a fair point, and one that requires you to be careful with your
email addresses... Personally, I would find it very, very difficult to
change my email address (not that I would want to). I would say, though,
that for most websites there wouldn't be that much of a problem in having
to sign up again, especially if it was as infrequent as a change in email
address. For those where it would be important it would be more difficult
to have not updated your contact information and there would probably be
off-line means to perform the update (that said, I have a reasonably
low-digit slashdot ID somewhere with an old email address and a forgotten
password that I wouldn't mind resurrecting. Oh well...).

>> To my mind, unencrypted email is better than secondary questions but
>> neither is particularly good. Better would be encrypted email, best
>> would be client side SSL certificates. Unfortunately not many people
>> use encrypted email and few keep SSL certificates around, especially not
>> ones that are certified by a trusted CA.
>>
> Agreed, the major problem with client SSL certs is the management
> headache for large user populations, and the risk of the certs themselves
> being stolen...

Management would be the biggest headache. I guess the way I would do it
would be to forget about the whole CA business and accept a self-signed
public cert from users that wish to use one. Passphrase protection of the
certificate should go some way towards mitigating the theft problem; all
that remains is that encryption keys are normally stored only at one
place, which makes it difficult to use the website from an alternative
location. It's this reason that makes me really like XEmacs and Gnus as a
mail client, as I can access it easily over SSH and so still have access
to my keyring.

>> As an intermediate measure, I quite like the way NatWest goes about
>> things (from a setting up point of view) -- they require you to phone
>> them and convince them that you are who you say you are before sending
>> you your activation code, which comes in the post a few days later. You
>> use this code to activate your account and set up your PIN and password.
>> Should you forget either, you have to phone them again. This is
>> probably a bit too much hassle for your average shopping site though...
>>
> Out of curiosity, what type of questions do they ask? is it factual
> things about you and your account?

On the phone they will ask me for the usual name, address, DOB. Nothing
particularly secure, but all it's doing is getting them to send the secure
information to you physically. To make use of the service you would have
to then intercept two pieces of mail on two different days (actually two
separate days, as the second won't be sent until you acknowledge receipt
of the first, not like getting a new cash-card and PIN sometimes).

Another option would be to use something like RSA's SecurID, but that
costs good money :-(. What I'd really like is some way of being able to
purchase a hardware token (preferably a PRNG generating token) and use it
with open-source software, but I guess such a thing doesn't exist.

OK,

-- 
Andrew Aylett       | www.aylett.co.uk | 1.79 x 10^12 furlongs per fortnight...
andrew@xxx.xxx.xxx  | answer==42       | -- it's not just a good idea, it's the law!
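Counter-based one-time-password tokens of the kind specified in RFC 4226 (HOTP) are one way to pair a hardware token with open-source verification software, which is the pairing wished for at the end of the message above. The following is an added example, not code from the thread, showing the server-side logic such a token needs: it derives the expected code with HMAC-SHA1, refuses replayed codes because the accepted counter only moves forward, resynchronises when the user has pressed the token a few times without logging in, and locks the account after a run of failures (the kind of typo lockout Rory mentions). The shared secret and the expected codes are the published RFC 4226 test vector (a constructed example, not a real key); the look-ahead window of 10 and the failure limit of 5 are assumed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value (RFC 4226) for a shared secret and a counter."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one user's token.

    Remembers the next counter we expect so a code can never be replayed,
    accepts a bounded number of skipped counters (token pressed without
    logging in), and locks the account after too many consecutive failures.
    Window and failure limit are assumed values for this example.
    """

    def __init__(self, secret: bytes, window: int = 10, max_failures: int = 5):
        self.secret = secret
        self.counter = 0                 # next counter value we will accept
        self.window = window             # look-ahead used for resynchronisation
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, code: str) -> bool:
        if self.locked:
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1     # counter only ever moves forward
                self.failures = 0
                return True
        self.failures += 1
        return False


# Shared secret from the RFC 4226 test vectors (constructed example, not a real key).
RFC_TEST_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Walk through accept, replay, resync and lockout; returns each outcome."""
    v = TokenVerifier(RFC_TEST_SECRET)
    results = {
        "first": v.verify(hotp(RFC_TEST_SECRET, 0)),    # fresh code: accepted
        "replay": v.verify(hotp(RFC_TEST_SECRET, 0)),   # same code again: rejected
        "skipped": v.verify(hotp(RFC_TEST_SECRET, 3)),  # counters 1,2 unused: resync
        "stale": v.verify(hotp(RFC_TEST_SECRET, 1)),    # behind the counter: rejected
    }
    for _ in range(10):                                 # a run of mistyped codes
        v.verify("000000")
    results["locked"] = v.locked
    results["after_lock"] = v.verify(hotp(RFC_TEST_SECRET, 4))  # locked: rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is what keeps a user who has idly pressed the button from being locked out, while the forward-only counter is what makes an intercepted code worthless once it has been used; a real deployment would also persist the counter and failure count per user and require an out-of-band step, like the phone-and-post procedure described above, to clear a lockout.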