Educause Security Discussion mailing list archives
Re: Password - User Self Service Resets?
From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Tue, 15 Mar 2005 13:09:53 -0500
"Hart, Lee Anne" <LeeAnne.Hart () MONTGOMERYCOLLEGE EDU> writes:
> In the meantime, we've developed a set of questions which sidesteps the issue.
Let's guess, roughly, the amount of entropy in the typical answers to these questions. Note that an informed user can protect himself by choosing answers such as uL7fArcDwQF3pd1W or GBa4eygRyHknaL08. (Which is what I would do if I were offered a system such as this.)
1. What is your favorite color?
~3 bits.
2. What is your favorite food?
~5 bits.
3. What is your favorite animal?
~1 bit.
4. What is your favorite book?
~8 bits. (Let's be very generous here. When I asked this question of a class of students I got maybe half-a-dozen different answers.)
5. Where would you go on your dream vacation?
~3 bits.
6. What is your favorite place to visit?
~3 bits.
7. What is your favorite holiday?
~2 bits.
> After the new system is implemented, all users must answer the questions at their first login. When a user needs to do a self service password reset, they will be asked to answer three of the seven questions correctly - the questions are randomly selected.

Are retries allowed? On average, we have ~3.5 bits of entropy per question, so the probability of resetting a user's password with a single try would be roughly 1/2000. So, if you have a population of 2000 users and not a single retry is allowed, an attacker could, on average, get one account by going over all accounts in parallel. If unlimited retries are allowed, then getting passwords for all accounts should be a piece of cake. If retries are limited, locking all users' accounts would be an effective denial-of-service attack (maybe during the finals or before an important external deadline, such as application for funding).

--
Stanislav Shalunov
http://www.internet2.edu/~shalunov/

"The power of accurate observation is commonly called cynicism by those who have not got it." -- G. B. Shaw
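The guessing arithmetic in the reply above, worked through as an added example (it is not part of the original message or anything the list published): it takes the seven per-question bit estimates as given, computes the back-of-the-envelope figure from the mean bits per question, and then the exact expectation over all 35 ways of drawing three of the seven questions. The model, the function names and the assumed uniform-answer distribution (a question estimated at b bits is treated as having 2**b equally likely answers) are assumptions of this example, not of the original poster.

```python
from fractions import Fraction
from itertools import combinations
from statistics import mean

# Shalunov's rough per-question entropy estimates (bits), in the order of
# the seven quoted questions. The dict keys are labels added here.
QUESTION_BITS = {
    "favorite color": 3,
    "favorite food": 5,
    "favorite animal": 1,
    "favorite book": 8,
    "dream vacation": 3,
    "favorite place to visit": 3,
    "favorite holiday": 2,
}


def naive_single_try_success(bits, k):
    """Back-of-the-envelope figure: k questions times the mean bits per question."""
    return 2.0 ** -(k * mean(bits))


def single_try_success(bits, k, tries=1):
    """Exact average over all uniformly chosen k-subsets of the questions.

    Assumed model: a question with b bits has 2**b equally likely answers, so a
    k-subset with H total bits has 2**H equally likely answer tuples, and
    `tries` distinct guesses succeed with probability min(tries / 2**H, 1).
    """
    subsets = list(combinations(bits, k))
    total = sum(min(Fraction(tries, 2 ** sum(s)), Fraction(1)) for s in subsets)
    return total / len(subsets)


def expected_guesses_unlimited(bits, k):
    """With no retry limit: mean number of guesses until success, averaged over subsets.

    For N equally likely answer tuples tried in random order the expected
    number of guesses is (N + 1) / 2.
    """
    subsets = list(combinations(bits, k))
    return sum(Fraction(2 ** sum(s) + 1, 2) for s in subsets) / len(subsets)


def expected_compromised(population, p_per_account):
    """Expected accounts taken when every account in the population is attempted once."""
    return population * p_per_account


if __name__ == "__main__":
    bits = list(QUESTION_BITS.values())
    naive = naive_single_try_success(bits, 3)
    exact = single_try_success(bits, 3)
    print(f"mean-bits estimate, single try:        1/{1 / naive:.0f}")
    print(f"exact average over 3-of-7 draws:       1/{1 / exact:.0f}")
    print(f"expected accounts (2000 users, 1 try): {float(expected_compromised(2000, exact)):.1f}")
    print(f"mean guesses per account, no limit:    {float(expected_guesses_unlimited(bits, 3)):.0f}")
```

The exact average comes out noticeably higher than the mean-bits figure because averaging entropy and then exponentiating understates the draws that include the 1-bit and 2-bit questions; it is the weakest questions, not the average one, that set the risk, which is the check worth doing before deciding on a retry limit. The unlimited-retry figure is the one that matters for the "piece of cake" case: a few thousand guesses per account is well within reach of a script, so a retry limit (and the lockout behaviour that comes with it) is the real design decision.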