views: 391
answers: 8

I'm implementing password + password hint code and I want to prevent the user from making the password hint reveal the actual password right away.

Here are the scenarios that I want to prevent:

Let's say that the password is: foobar123

Then the password hint can't be:

  • "foobar123"
  • "The password is: foobar123"
  • "f-o-o-b-a-r-1-2-3" (or any other x len separator)
  • "f00bar123" (replace o with zeros)

Several questions:

  1. Am I going overboard with this? Should I just let users pay the price for being security unaware?
  2. Am I missing an obvious scenario that I need to prevent also?
  3. Can each scenario be evaluated using regex? This is the most extendable method of adding future checks that I can think of.
+6  A: 

I would simply give the user a fixed set of questions to choose from, to which they supply the answer. In this way you are never exposing user input values, only the user's selected value from your pre-canned list of choices. This would avoid your problem entirely.

Alternatively, if you have the user's email address, you could simply have a password reset that sends a link with an encoded key that allows a one-time password change. This way you need not provide a hint, simply a means of changing the password in response to one of these single-use tickets.

tvanfosson
Ugh, I *hate* it when sites give a set of pre-canned choices. They're inevitably questions like "what high school did you attend" or "what's your pet's name", questions which could be answered with two minutes of googling.
John Millikin
An intriguing dilemma! Can't tell you how many "unimportant" sites I deliberately use "The password is bob123". That, and I don't like handing a complete stranger a piece of my personal life. That stranger could easily take said list of hints and crack dozens of bank accounts.
Bob Kaufman
@John - so be more creative in coming up with questions.
tvanfosson
@John and Bob - I usually answer with something that is NOT true as far as my real life, yet is very easy to remember, e.g. something out of the life of a fictional character. E.g. "what high school did you attend" - "Hogwartz High School" (mangled a bit so dictionary attacks won't work). "what's your pet's name" - "Hedwigz". As long as you mangle the answers, you're clean. Even better if you pick answers from a less known/popular domain; I mostly did these for the sake of universal recognition as opposed to usability in answers :)
DVK
@tvanfosson: +1 for comment
DVK
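The single-use reset ticket tvanfosson describes, written out as an added example (this is not code from the original answer or from any project the page mentions). The idea is that the server stores only a hash of a random token, the emailed link carries the token itself, and a ticket stops working once it is redeemed, once it expires, or once a newer ticket is issued for the same user. The names (ResetStore, ResetTicket, TOKEN_TTL_SECONDS), the 15-minute lifetime and the in-memory dict standing in for a database table are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime of a reset link; a real deployment would pick its own.
TOKEN_TTL_SECONDS = 15 * 60


def _token_hash(token: str) -> bytes:
    # Store only a hash: a leaked ticket table then does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class ResetTicket:
    user_id: str
    expires_at: float
    used: bool = False


class ResetStore:
    """In-memory stand-in for the table that would hold outstanding tickets."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._tickets: Dict[bytes, ResetTicket] = {}
        self._clock = clock  # injectable so expiry can be exercised offline

    def issue(self, user_id: str) -> str:
        """Create a ticket for user_id and return the token for the emailed link.

        Any earlier unused ticket for the same user is invalidated, so only the
        most recently requested link works.
        """
        for ticket in self._tickets.values():
            if ticket.user_id == user_id:
                ticket.used = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tickets[_token_hash(token)] = ResetTicket(
            user_id=user_id, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        return token  # only ever sent to the user; never persisted in the clear

    def redeem(self, token: str) -> Optional[str]:
        """Consume the ticket and return its user_id, or None if the token is
        unknown, already used, or expired. Single-use by construction."""
        ticket = self._tickets.get(_token_hash(token))
        if ticket is None or ticket.used or self._clock() > ticket.expires_at:
            return None
        ticket.used = True
        return ticket.user_id


if __name__ == "__main__":
    store = ResetStore()
    link_token = store.issue("bob")
    print("reset link: https://example.invalid/reset?t=" + link_token)
    print("first redeem:", store.redeem(link_token))   # bob
    print("second redeem:", store.redeem(link_token))  # None
```

A successful redeem is the point at which the application lets the user set a new password (and should drop any existing sessions for that account). Because the lookup is keyed on the SHA-256 of a 256-bit random token, a guessed token is hopeless and the dict lookup's timing is not a useful side channel.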
+1  A: 

Does it need to be a hinting model?

The way I've done this in the past is to:

A- Have a security question.
B- Have a captcha.
C- Provide a new temporary password to an email on file only that must be changed on first use.

Jacob G
I forgot to mention, it's a desktop application that is not connected.
Shay Erlichmen
Is this going to generally be one user per installation on a given machine? e.g. Bob logs into his work computer and then signs into this app? Or, 100 different people access the app through a kiosk/shared machine?
Jacob G
The former (Bob with his machine).
Shay Erlichmen
Do you have means to authenticate them just the first time? Then, you could grab the credentials with which they are logged into the machine, encrypt and save. Then, every subsequent time the app is run, you just ensure that the person that is currently logged in to the machine has the same credentials as those that were previously stored. If they do, let them in, otherwise kill the app.
Jacob G
+2  A: 
  1. Personally, I say you are probably going overboard. But it somewhat depends on both the severity of compromised data (e.g. is this a web site to vote for Ms. High School or is it a web site for high-end auction house or is it a web access form for CIA?), the amount of users, and the likelihood that anyone would sue you for negligence in design after using bad hint and having their access compromised.

  2. You can do the regex for the most dumb ones (e.g. take 6-character sub-strings of the password and do a match of those sub-strings in the hint), as well as character count for the smart ones. E.g. if the hint uses 60 to 80% of the characters in password (by count), reject it. An even more nuanced solution is to count with position, e.g. count "o" only if it comes after "f". but this is probably overboard too.

  3. Also consider non-hint solutions (multiple choices, non-verbal hints, e-mailable password change requests)

DVK
+1  A: 

You can't prevent users from doing something dumb. No matter what protections you put in place, they will find a way to get around them. For example:

  • "321raboof backwards"
  • "foo and bar123"
  • "foobar (124 - 1)"
John Millikin
I think that if the user is that sophisticated, then he won't put in a silly hint. I'm just trying to solve the simple cases.
Shay Erlichmen
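An added example (not code from the question or from any of the answers) that puts the question's four scenarios, DVK's two heuristics (password sub-strings of a fixed length, and a character-count overlap) and John Millikin's bypass hints through one checker. The approach is to normalize both the password and the hint the same way (case-fold, undo common leet substitutions, strip separators) and then use plain substring tests, so each new trick is a table entry rather than a new regex. The leet table, the function names, the 6-character window and the 0.8 overlap threshold are assumptions for the example; the hints fed in under `__main__` are the page's own examples plus two constructed innocent ones.

```python
import re
from collections import Counter
from typing import Iterator, Optional

# Constructed leet table for the example. Both password and hint go through it,
# so "f00bar123" and "foobar123" collapse to the same normalized string.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(text: str) -> str:
    """Case-fold, undo common leet substitutions, drop every separator."""
    return re.sub(r"[^a-z0-9]+", "", text.casefold().translate(LEET_MAP))


def password_fragments(norm_pw: str, min_run: int) -> Iterator[str]:
    """Sliding windows of min_run characters over the normalized password."""
    if len(norm_pw) <= min_run:
        yield norm_pw
        return
    for i in range(len(norm_pw) - min_run + 1):
        yield norm_pw[i:i + min_run]


def char_overlap(norm_pw: str, norm_hint: str) -> float:
    """Fraction of the password's characters (as a multiset) present in the hint."""
    if not norm_pw:
        return 0.0
    hint_counts = Counter(norm_hint)
    shared = sum(min(n, hint_counts[ch]) for ch, n in Counter(norm_pw).items())
    return shared / len(norm_pw)


def check_hint(password: str, hint: str, min_run: int = 6,
               overlap_threshold: float = 0.8) -> Optional[str]:
    """Return None if the hint is acceptable, else a short reason code.

    Checks run from most to least certain: whole password, reversed password,
    a min_run-character fragment, then the noisy character-count heuristic.
    """
    pw, h = normalize(password), normalize(hint)
    if not pw:
        return None
    if pw in h:
        return "contains_password"
    if pw[::-1] in h:
        return "contains_reversed_password"
    if any(frag in h for frag in password_fragments(pw, min_run)):
        return "contains_password_fragment"
    if char_overlap(pw, h) >= overlap_threshold:
        return "character_overlap"
    return None


if __name__ == "__main__":
    for hint in ["foobar123", "The password is: foobar123", "f-o-o-b-a-r-1-2-3",
                 "f00bar123", "321raboof backwards", "foo and bar123",
                 "my favorite breakfast drink", "my pet's name"]:
        print(f"{hint!r:32} -> {check_hint('foobar123', hint)}")
```

The first three checks catch everything the question lists plus "321raboof backwards" and "foo and bar123" with no false positives on ordinary hints. The character-count check is the one DVK calls overboard, and the numbers show why: the innocent "my favorite breakfast drink" already shares 7 of the 9 characters of foobar123 (0.78), so a 0.6 threshold rejects it, while a spelled-out hint such as "foo, then bar, then one less than 124" shares all 9 and is only ever caught by this noisy check. Arithmetic and paraphrase hints are the limit of what normalization plus substring matching can do, which is the point John Millikin's answer makes.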
+1  A: 

I don't believe there's a deterministic way to generate a hint, unless you're limiting passwords to something like birthdays or given names.

But they wouldn't be strong passwords would they?

Let the user suggest a hint - and pay the price for an obvious one.

Give plenty of advice that the hint shouldn't be obvious, but I think it must be up to the user to decide.

pavium
A: 

It's not your problem if they compromise the security of their account. Save on unnecessary coding and testing, and just don't worry about this feature!

Peter
That depends. In the case of credit card fraud, the site owner often loses.
sheldonh
+2  A: 

If your threat model makes password hints acceptable, I think you're going overboard with your meticulous password exposure prevention.

However, if your threat model doesn't make them acceptable, but you're being pressured into offering the feature, then be as fascist as you can.

Finally, don't limit people to canned password hints. They're extremely annoying. They imply that you know what is and isn't public knowledge in my life. Most of the sites I notice canned-only password hints on, offer hints that are all a matter of public record.

Good luck!

sheldonh
A: 

I am about to change our password hint model to one with canned choices. To those who said it's the user's own problem if they put in a stupid question and answer, I would mention that it becomes the problem of those who work for our help desk tech support. That's what we're trying to avoid.

Kevin