Educause Security Discussion mailing list archives

Re: Password - User Self Service Resets?


From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Tue, 15 Mar 2005 13:09:53 -0500

"Hart, Lee Anne" <LeeAnne.Hart () MONTGOMERYCOLLEGE EDU> writes:

> In the meantime, we've developed a set of questions which sidesteps the
> issue.

Let's guess, roughly, the amount of entropy in the typical answers to
these questions.  Note that an informed user can protect himself by
choosing answers such as uL7fArcDwQF3pd1W or GBa4eygRyHknaL08.  (Which
is what I would do if I were offered a system such as this.)

> 1. What is your favorite color?

~3 bits.

> 2. What is your favorite food?

~5 bits.

> 3. What is your favorite animal?

~1 bit.

> 4. What is your favorite book?

~8 bits.  (Let's be very generous here.  When I asked a class of
students this question, I got maybe half a dozen different answers.)

> 5. Where would you go on your dream vacation?

~3 bits.

> 6. What is your favorite place to visit?

~3 bits.

> 7. What is your favorite holiday?

~2 bits.

> After the new system is implemented, all users must answer the questions
> at their first login. When a user needs to do a self service password
> reset, they will be asked to answer three of the seven questions
> correctly - the questions are randomly selected.

Are retries allowed?  On average, we have ~3.5 bits of entropy per
question, so the probability of resetting a user's password with a
single try would be roughly 1/2000.  So, if you have a population of
2000 users and not a single retry is allowed, an attacker could, on
average, get one account by going over all accounts in parallel.  If
unlimited retries are allowed, then getting passwords for all accounts
should be a piece of cake.  If retries are limited, locking all users'
accounts would be an effective denial-of-service attack (maybe during
the finals or before an important external deadline, such as
application for funding).

--
Stanislav Shalunov              http://www.internet2.edu/~shalunov/

"The power of accurate observation is commonly called cynicism by
those who have not got it."                     -- G. B. Shaw
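The entropy arithmetic in the reply above, carried through as an added example (this is not code from the mail or from either poster). It takes the per-question bit estimates and the 2000-user population from the mail and assumes, as the mail implicitly does, that each question has 2**bits equally likely answers, that the system draws a fresh random 3-of-7 subset on every attempt, and that attempts are independent. It goes one step beyond the mail: besides the "three questions at the average entropy" shortcut, it averages the success probability over every 3-question draw the system could make, which is what an attacker actually faces.

```python
"""Added example: working through the entropy arithmetic in the reply above.

Assumptions (not from the mail): each question has 2**bits equally likely
answers, the system draws a fresh random 3-of-7 subset on every attempt,
and attempts are independent. The per-question bit estimates and the
2000-user population are the ones given in the mail.
"""
from itertools import combinations
from math import ceil, log

# Entropy guesses from the mail, in the order the questions were listed.
QUESTION_BITS = {
    "favorite color": 3,
    "favorite food": 5,
    "favorite animal": 1,
    "favorite book": 8,
    "dream vacation": 3,
    "favorite place to visit": 3,
    "favorite holiday": 2,
}
BITS = list(QUESTION_BITS.values())


def naive_success_probability(bits, k=3):
    """The shortcut used in the mail: k questions, each at the average entropy."""
    mean_bits = sum(bits) / len(bits)
    return 2.0 ** (-(k * mean_bits))


def exact_success_probability(bits, k=3):
    """Chance that one attempt answers all k randomly drawn questions.

    Averages 2**-(total bits) over every k-subset the system could draw.
    Because 2**-x is convex, this is never below the naive figure: draws
    that land on the low-entropy questions dominate the attacker's odds.
    """
    subsets = list(combinations(bits, k))
    return sum(2.0 ** (-sum(s)) for s in subsets) / len(subsets)


def weakest_subset(question_bits, k=3):
    """The draw an attacker hopes for: the k questions with the least total entropy."""
    return min(combinations(question_bits.items(), k),
               key=lambda subset: sum(b for _, b in subset))


def expected_compromised(population, p, retries=1):
    """Expected accounts reset when every account gets `retries` attempts,
    each attempt drawing fresh questions, with success probability p per attempt."""
    per_account = 1.0 - (1.0 - p) ** retries
    return population * per_account


def attempts_for_target(p, target=0.5):
    """Attempts per account needed to reach `target` success probability
    when retries are unlimited."""
    return ceil(log(1.0 - target) / log(1.0 - p))


if __name__ == "__main__":
    naive = naive_success_probability(BITS)
    exact = exact_success_probability(BITS)
    print(f"naive per-attempt success: 1/{1 / naive:.0f}")
    print(f"exact per-attempt success: 1/{1 / exact:.0f}")
    weak = weakest_subset(QUESTION_BITS)
    print("weakest draw:", ", ".join(name for name, _ in weak),
          f"= {sum(b for _, b in weak)} bits")
    for retries in (1, 3):
        print(f"{retries} attempt(s) per account over 2000 users: "
              f"~{expected_compromised(2000, exact, retries):.1f} accounts")
    print("attempts per account for a 50% chance with unlimited retries:",
          attempts_for_target(exact))
```

With the mail's numbers the shortcut gives roughly 1 in 1700 per attempt, but the draw-by-draw average is about 1 in 350, because one draw in every eleven or so lands on two or three of the weak questions (color, animal, holiday together are only 6 bits, i.e. 1 in 64). One attempt per account across 2000 users therefore yields about 5 or 6 resets rather than one, three attempts per account about 17, and with unlimited retries an attacker needs only around 240 attempts per account for an even chance.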
