Note: This journal entry was posted in 2014. It represents a departure from my modern writing habits. It’s less horrible than my grief-free gameserver essay, though.
How many times does someone have to be hacked before someone solves the ‘lost password’ dilemma?
Mat Honan was arguably one of the first and most prominent individuals affected, and now N has fallen victim to a very similar attack, again relying on social engineering to compromise an account. Not a man-in-the-middle attack, not a bad password, just a human at a computer. Again.
While it would be possible to identify partial solutions for each company (for instance, Twitter should not allow names to be taken immediately after an account is deleted), it is fruitless to assign the blame to one single party. The commonality between these two events is the willingness of customer service representatives to reset passwords or add information to accounts without solid proof that someone is who they say they are. The proof demanded is not necessarily public information, but it is information that could be gathered by in-depth research into a target. The solution is not to create more complicated questions, but to stop the problem at the source. There should be a checkbox on every account settings page: “Never reset my password.”
While 1Password and LastPass most assuredly aren’t in use by everyday consumers, the targets of these attacks are often people who should already know better than to re-use passwords. Adding a password manager to the mix makes it feasible to use 96-character randomly generated passwords across the internet, and more importantly, it means the idea of a “forgotten password” quickly falls by the wayside. LastPass offers a history of any password changed, and adding two-step verification means that only the person holding the master password will be accessing those passwords.
If every password is randomly generated and cryptographically secure, there is no reason to reset a password. Leaving a mechanism that allows someone to call support, or to reset with trivial information via a web form, is yet another security flaw that needs to be fixed. An option to shut that attack vector down permanently would greatly improve account security, with few other side effects.
The worst that could happen at that point is someone being locked out of an account because of a bad password manager or a lost master password. While it is definitely something that should not be enabled lightly (and perhaps ought to be hidden from view on a support page), for high-value targets it is the most obvious solution with the lowest barrier to implement.
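To make the “Never reset my password” checkbox concrete, here is an added example (not code from this post or from any of the services it mentions) modelling how a service would enforce it. The flag is checked at a single chokepoint before any identity “proof” is examined, so it blocks the self-service web form and a support representative’s console alike; turning the flag off requires the current password plus a second factor, so a caller with researched personal details cannot have support clear it. The `Account`, `Channel`, `request_reset` names, the `totp_ok` boolean standing in for a verified second factor, and the SHA-256 placeholder hash are all assumptions for illustration; a real service would use a slow password hash such as bcrypt or argon2.

```python
"""Model of a 'never reset my password' account flag, enforced on every
recovery channel. Added example; all names below are illustrative."""
import hashlib
import secrets
import string
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    """Where a reset request originates. The flag must block both."""
    WEB_FORM = "web_form"          # the 'forgot password' page
    SUPPORT_CONSOLE = "support"    # a customer-service representative


class ResetLocked(Exception):
    """Raised when any reset path is attempted on a locked account."""


@dataclass
class Account:
    username: str
    password_hash: str
    reset_locked: bool = False
    audit: list = field(default_factory=list)   # (event, details...) tuples


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 96) -> str:
    """Cryptographically random password, the kind a manager stores."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _hash(password: str) -> str:
    # Placeholder for the model only; use bcrypt/argon2 in production.
    return hashlib.sha256(password.encode()).hexdigest()


def _reauthenticate(account: Account, current_password: str, totp_ok: bool) -> None:
    """Full-credential check: password AND second factor. A support agent
    has neither, so this path is never reachable by social engineering."""
    if _hash(current_password) != account.password_hash or not totp_ok:
        raise PermissionError("strong re-authentication required")


def lock_resets(account: Account, current_password: str, totp_ok: bool) -> None:
    """Owner turns the flag on from the account settings page."""
    _reauthenticate(account, current_password, totp_ok)
    account.reset_locked = True
    account.audit.append(("reset_locked", True))


def unlock_resets(account: Account, current_password: str, totp_ok: bool) -> None:
    """The only way off the flag: same full credentials, no support override."""
    _reauthenticate(account, current_password, totp_ok)
    account.reset_locked = False
    account.audit.append(("reset_locked", False))


def request_reset(account: Account, channel: Channel, proof: dict) -> str:
    """Single chokepoint for every recovery flow. The lock is checked before
    the (weak) identity proof is even looked at, and the attempt is logged
    so a blocked social-engineering call still leaves a trace."""
    account.audit.append(("reset_attempt", channel.value, account.reset_locked))
    if account.reset_locked:
        raise ResetLocked(f"{account.username}: resets disabled (channel={channel.value})")
    # Unlocked accounts fall through to the ordinary proof check.
    if not proof.get("verified"):
        raise PermissionError("identity proof failed")
    new_password = generate_password()
    account.password_hash = _hash(new_password)
    return new_password


def run_scenario() -> dict:
    """Walk through the post's scenario: the owner locks the account, then an
    attacker who has 'passed' the weak proof tries each reset channel.
    Returns the outcomes so they can be checked."""
    alice = Account("alice", _hash("correct horse"))
    lock_resets(alice, "correct horse", totp_ok=True)
    outcomes = {}
    for channel in Channel:
        try:
            request_reset(alice, channel, {"verified": True})
            outcomes[channel.value] = "reset"
        except ResetLocked:
            outcomes[channel.value] = "blocked"
    # Without full credentials (what a support caller has) the flag stays on.
    try:
        unlock_resets(alice, "guess", totp_ok=False)
        outcomes["unlock_without_creds"] = "allowed"
    except PermissionError:
        outcomes["unlock_without_creds"] = "denied"
    # The real owner, with password and second factor, can turn it back off.
    unlock_resets(alice, "correct horse", totp_ok=True)
    outcomes["unlock_with_creds"] = "denied" if alice.reset_locked else "allowed"
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noting is that the lock lives server-side on the account, not in the support tooling: a representative’s console calls the same `request_reset` chokepoint as the web form, so there is no “just this once” path to talk them through. The audit entries mean a blocked attempt is still visible to the owner and to detection, which is how a targeted campaign like the ones above would surface before it succeeded. The lockout risk the post accepts is real in this model too: lose both the master password and the second factor and nobody, support included, can get the account back.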