Comments on: Guarding against password reset attacks with pen and paper
http://www.welivesecurity.com/2012/06/07/guarding-against-password-reset-attacks-with-pen-and-paper/
News, Views, and Insight from the ESET Security Community
Feed last updated: Mon, 03 Feb 2014 08:49:00 +0000

By: Aryeh Goretsky (http://www.welivesecurity.com/2012/06/07/guarding-against-password-reset-attacks-with-pen-and-paper/#comment-916), Mon, 11 Jun 2012 20:18:29 +0000

Hello,

Thanks for sharing your methodology, Richard. If we follow-up I will be sure to include this as well.

Regards,

Aryeh Goretsky

By: Aryeh Goretsky (http://www.welivesecurity.com/2012/06/07/guarding-against-password-reset-attacks-with-pen-and-paper/#comment-915), Mon, 11 Jun 2012 20:16:39 +0000

Hello,

Good to hear from you, Randy, and thank you for sharing this!

Regards,

Aryeh Goretsky

By: Richard S (http://www.welivesecurity.com/2012/06/07/guarding-against-password-reset-attacks-with-pen-and-paper/#comment-914), Mon, 11 Jun 2012 05:22:41 +0000

I've been using this methodology for a while; my system is a bit different; I write down the password(s) because that's what I usually forget. The name of the site goes in one column and the password goes in the other column; a note about my passwords is that they aren't "words" but consist of different alphanumeric characters and are never shorter than 10 characters. All I now have to remember is the username (and passwords until I forget them), and should I forget them I refer back to my A5 black book.

David F's idea about using outlandish answers is IMO the best answer to this type of problem; yes, write things down, nothing beats pen and paper in terms of security when it's locked away or stored in a place unknown, but if you don't go with predictable answers or fall into a pattern of using "familiar" information to secure accounts, then you are making sure your link in the security chain isn't the weakest one.

By: Aryeh Goretsky (http://www.welivesecurity.com/2012/06/07/guarding-against-password-reset-attacks-with-pen-and-paper/#comment-913), Fri, 08 Jun 2012 22:54:59 +0000

Dear Lori,

It’s good to hear from you! As always, thank you for your feedback. Good idea about handling password information and other sensitive data. Definitely something we will take into consideration for a future blog post.

Regards,

Aryeh Goretsky

By: Lori W (http://www.welivesecurity.com/2012/06/07/guarding-against-password-reset-attacks-with-pen-and-paper/#comment-912), Fri, 08 Jun 2012 22:46:12 +0000

Aryeh, have you been stealing my ideas? I've kept a tiny, much-written-in notebook for many years now with just this type of info. It truly does come in handy for me all the time, since I have to constantly change passwords for many websites that I utilize in my business. I carry the notebook in my briefcase so that I have access to it whenever I may need it, as I work from many different locations. Another good reason for keeping such a notebook is that if (when) I die, or otherwise become incapacitated, the ones following in my footsteps will not be lost without access to the information that I keep. Perhaps another blog post in your future? "What to do when your loved one dies and you have no way of knowing what their passwords may have been"... Thanks!

By: Randy Abrams (http://www.welivesecurity.com/2012/06/07/guarding-against-password-reset-attacks-with-pen-and-paper/#comment-911), Fri, 08 Jun 2012 04:03:22 +0000

Generally a password management program has a field for notes. This is a potential "hiding place" for the answers to the reset questions.

By: David F (http://www.welivesecurity.com/2012/06/07/guarding-against-password-reset-attacks-with-pen-and-paper/#comment-910), Thu, 07 Jun 2012 23:57:25 +0000

One technique I use for the answers to those questions is to have outlandish answers. E.g. What was your mother's maiden name? Answer: Captain Kirk. I remember because that's the way my mind works. I figure it may not get around a brute force attack, but there should be defenses for that like timeouts and limited attempts.
