
anon user

@frontiernet.net

What is the risk of this?

I can't change the password to my account on a site without clicking on "Forgot user name and password" and then answering the security questions, even while I know the correct user name and password.

What is the security risk of that?

Thanks


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

The main risk is that a site that fails to provide a way to change your password directly is incompetent, and probably has other problems too.

The lesser risk depends on how the forgot-my-password mechanism is arranged. If they give you a new password right there in exchange for questions of the mothers-maiden-name variety, it's not particularly secure: such data can be found out. If they mail you a link to reset the password, it's a little better: someone needs to intercept your mail as well.
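As an added illustration of the emailed-link variant dave describes (example code written for this thread, not code from any site under discussion), here is a minimal reset-link flow: the token is random, only its hash is stored, it expires, and it can be redeemed once. All names and the in-memory store are hypothetical stand-ins for a real database.

```python
# Added example: an emailed reset-link flow of the kind described above,
# in place of answering knowledge-based questions. Hypothetical names
# throughout; the dict stands in for a database table.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links should be short-lived

# account -> record of the single outstanding reset token (hash only, never the token)
_reset_store: Dict[str, dict] = {}


def _token_hash(token: str) -> str:
    # Store a hash so a leaked database copy cannot be replayed as a live link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """Create a fresh random token for `account`; the caller e-mails it as a link.
    Issuing a new token invalidates any earlier one for the same account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    _reset_store[account] = {
        "hash": _token_hash(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(account: str, presented: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token; False otherwise.
    On success the record is consumed, so the same link cannot be replayed."""
    now = time.time() if now is None else now
    record = _reset_store.get(account)
    if record is None or record["used"] or now > record["expires"]:
        return False
    # Constant-time comparison of the hashes avoids leaking matching prefixes.
    if not hmac.compare_digest(record["hash"], _token_hash(presented)):
        return False
    record["used"] = True
    return True
```

The contrast with the maiden-name style of reset is that the secret here is minted per request and never reused, rather than being a fact about the user that others may know.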



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

pizza
pizza
pizza
bronx, ny



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

2 recommendations

reply to anon user

said by anon user:

What is the security risk of that?

On the other side of that...
It adds a layer of authentication, as in a 2 factor challenge if it's in addition to just using a registered email address to send a password token.

Using a hijacked email account to get access to different password protected sites is a daily occurrence.
This policy would eliminate or at least slow down an account hijacking depending on the strength of the security challenge Q & A's.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to AVD

Your mother's maiden name was 'pizza' ?
You went to school at pizza high?
Your first pet was pizza?



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to AVD

What would you hear if you asked The Teenage Mutant Ninja Turtles what is their favorite food?


Laura_cyber

join:2012-11-28
USA 94102

1 recommendation

reply to anon user

The main risk is that your account can be hacked easily with little effort.
Try to switch on other secure options available on the web; it would be more convenient for you then.



anon user

@verizon.net
reply to dave

said by dave:

The lesser risk depends on how the forgot-my-password mechanism is arranged. If they give you a new password right there in exchange for questions of the mothers-maiden-name variety, it's not particularly secure: such data can be found out.

That is what they do, but they only ask for:
Social Security Number, Birth Date as MMDD and Last Name Including Suffix (Example Smith Jr)

So, how safe/risky is it - what they are doing?

Thanks

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

They want your social security number - what could possibly go wrong with that?

I now suspect this might be a troll. Apologies if I'm accusing you unjustly - but really, do you have to ask about using your social security number as identification? (Unless, perhaps, this is some financial web site where they have that data anyway; but you're not giving a lot of detail, which helps me suspect trolling).



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

said by dave:

I now suspect this might be a troll.

The OP could post the site address to prove otherwise but I'm doubting the site exists.


anon user

@verizon.net

said by Snowy:

said by dave:

I now suspect this might be a troll.

The OP could post the site address to prove otherwise but I'm doubting the site exists.

It is at »ws1.aholdusa.com/jgpromos/homeac···dex.html

I cannot, for security reasons, tell you the answers to the security questions or give you my account info so that you can verify that, once logged in, you cannot change the password.


Snowy_One

@clearwire-wmx.net

My apologies for doubting you.
As dave mentioned earlier, if the challenge question answers consist of data the site already has, then it's not the huge issue it would normally be seen as.

However, exchanging a password for only the challenge question answers is not too sharp; actually, it's piss-poor security, IMO.

Snowy-not-logged-in



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to dave

said by dave:

Your mother's maiden name was 'pizza' ?
You went to school at pizza high?
Your first pet was pizza?

That's the whole point, isn't it?
--
* seek help if having trouble coping
--Standard disclaimers apply.--


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to anon user

said by anon user:

...That is what they do, but they only ask for: Social Security Number, Birth Date as MMDD and Last Name Including Suffix (Example Smith Jr)
So, how safe/risky is it - what they are doing?

Are you an employee of the organization? That is, is this an access portal into the company network?
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

said by Blackbird:

said by anon user:

...That is what they do, but they only ask for: Social Security Number, Birth Date as MMDD and Last Name Including Suffix (Example Smith Jr)
So, how safe/risky is it - what they are doing?

Are you an employee of the organization? That is, is this an access portal into the company network?

My company used the full 9 digit SSN to validate initial signups to an internet based benefits portal. I think saner heads prevailed.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to AVD

said by AVD:

pizza
pizza
pizza
bronx, ny

All fine until you get to the sites that require six characters in your answers and won't allow any two to be the same.

Back to the OP, the security risk is that someone who knows you well may know the answers to your security questions. This is the issue I have with this method of password resets. What is stopping your soon to be ex from hijacking your accounts and making your life a little more miserable? Forget the fact that most of these questions can be answered by using someone's Facebook page.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” Robert A. Heinlein


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

said by Kilroy:

said by AVD:

pizza
pizza
pizza
bronx, ny

All fine until you get to the sites that require six characters in your answers and won't allow any two to be the same.

Back to the OP, the security risk is that someone who knows you well may know the answers to your security questions. This is the issue I have with this method of password resets. What is stopping your soon to be ex from hijacking your accounts and making your life a little more miserable? Forget the fact that most of these questions can be answered by using someone's Facebook page.

And you miss my point. The trick is to answer those questions in a non-obvious way.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to AVD

said by AVD:

said by Blackbird:

said by anon user:

...That is what they do, but they only ask for: Social Security Number, Birth Date as MMDD and Last Name Including Suffix (Example Smith Jr)
So, how safe/risky is it - what they are doing?

Are you an employee of the organization? That is, is this an access portal into the company network?

My company used the full 9 digit SSN to validate initial signups to an internet based benefits portal. I think saner heads prevailed.

An organization I once was part of used SSNs for their employee ID numbers... and then put those numbers on the face of the badges. Ditto for this state using the SSN for your driver's license ID number. It wasn't until there was movement in Congress to assert the privacy of SSNs that such practices faded away. But until Congress moved, no amount of rhetoric could persuade the organization or the state to change their practices. Using a SSN for ID over the Internet is just plain wrong.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to AVD

said by AVD:

And you miss my point. The trick is to answer those questions in a non-obvious way.

That's ok if you often use the same unobvious way. But I find if I get too creative, it's harder to remember my lies than it is to remember the actual password, thus rendering it pointless.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to Blackbird

said by Blackbird:

It wasn't until there was movement in Congress to assert the privacy of SSNs that such practices faded away. But until Congress moved, no amount of rhetoric could persuade the organization or the state to change their practices.

It sorta happened overnight, except for the example I cited, which happened about 3 years ago.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to anon user

said by anon user:

I can't change the password to my account on a site without clicking on "Forgot user name and password" and then answering the security questions, even while I know the correct user name and password.

What is the security risk of that?

It's less risk than being able to change the password without having to provide the answers.

said by Snowy:

What would you hear if you asked The Teenage Mutant Ninja Turtles what is their favorite food?

Turtle soup.

--
Buckle Up. It makes it harder for the aliens to suck you out of your car.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 recommendation

reply to AVD

said by AVD:

said by Blackbird:

It wasn't until there was movement in Congress to assert the privacy of SSNs that such practices faded away. But until Congress moved, no amount of rhetoric could persuade the organization or the state to change their practices.

It sorta happened overnight, except for the example I cited, which happened about 3 years ago.

I can make a calculated guess at what you were eating that day.
I'd even say how many slices you had but with much less certainty.