Password Management
Edited by chromatic
May 2005
A recent thread on the Editors List started with surprise that our work
made it to the New York Times attached to a juicy bit of celebrity gossip,
then, as usual, morphed into a discussion of practical uses of technology.
Here's an idea for making your personal secrets more secret and less
personal.
Dale Dougherty:
You don't see O'Reilly Network mentioned in the New York Times often, but
in an article about Paris Hilton....
Sunday NYT's This Week in Review had an article, "Some Sympathy for Paris
Hilton," regarding the hacking of her Sidekick and the subsequent
publishing of her personal data.
At the end of the article, it mentions an article on O'Reilly Network by
Brian McWilliams, called "How Paris Got Hacked," that we published
recently, which chides Paris for using her dog's name as her password.
Jonathan Gennick:
I just took a brief look at our article. I don't know
about T-Mobile's site, but many sites present you with only a fixed list
of so-called "secret questions", and often none of the choices are any
good. For example, I was recently presented with a list like this:
- What is your dog's name?
- What is your mother's maiden name?
- In what city were you born?
I basically had to choose one of these, and I mean that I had
to choose. I couldn't choose not to have a secret question, nor
could I enter my own question. It would be no trouble at all for someone
else to dig up the answer to these questions. #2 and #3 are easy.
Finding out my dog's name (I used my previous dog, now dead) might be
more of a challenge, but, were I a celeb, I'm sure it wouldn't be too
difficult.
Password management is a horrible problem for online
users.
Daniel Steinberg:
There is nothing that requires the password you set to actually be an
answer to that question. It's not like they're going to say, "Hey, he
wasn't born in Brookline," or "7xs3Kt can't be his mother's maiden name."
Steve Mallett:
How'd you know my mother's maiden name was
7xs3Kt?
Jonathan Gennick:
True enough, which is why I used my long-dead dog's name.
However, if you use a password that's not the answer to the question,
then that defeats the whole purpose of the question, because what then
do you do when you forget that password?
David Brickner:
Simple. You use the same answer for all secret
questions.
- What is your favorite color? sqlrox
- What is your quest? sqlrox
- What is the relative air speed velocity of an unladen swallow? sqlrox
Bruce Epstein:
European or African?
Jonathan Gennick:
Hey, that's a really good idea. I like it. I think I'm
going to start doing that.
Bruce Stewart:
I think the real problem with T-Mobile's implementation
was that they allowed direct access to her web-based inbox to anyone
that could answer the secret question, rather than sending an email to
some other previously entered address that then triggers the user to
reset their T-Mobile password (the way most secret question systems
work).
FWIW, I thought long and hard about whether to publish that article at all. It was
a bit of a departure from our normal ORN fare (and even involved a
conversation with legal counsel about what we could show in the
screenshot that Brian had taken from her account that morning). But it
was a home run traffic-wise.
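The two ideas in this thread, treating the "secret answer" as just another password (so a random string like sqlrox works fine) and never letting a correct answer open the inbox directly but only trigger a reset mail to a previously registered address, sketched as a small recovery service. This is an added illustration, not code from T-Mobile or from the O'Reilly article; the user, email address and answer values are constructed, and the outbox list stands in for a real mail transport.

```python
import hashlib
import hmac
import os
import secrets
import time


class RecoveryService:
    """Secret answers are salted and stretched like passwords; a correct
    answer only queues a single-use, expiring reset token to the address
    on file. The caller never receives account access or the token."""

    TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)

    def __init__(self):
        self.accounts = {}   # user -> {"email", "salt", "answer_hash"}
        self.tokens = {}     # token -> (user, expiry timestamp)
        self.outbox = []     # (email, token) pairs "sent"; stands in for SMTP

    @staticmethod
    def _hash(answer, salt):
        # Normalise case/whitespace so "Rex " and "rex" match, then stretch
        # with PBKDF2 exactly as a password would be, so a random string
        # ("sqlrox") is as acceptable an answer as a real one.
        return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(),
                                   salt, 100_000)

    def enroll(self, user, email, answer):
        salt = os.urandom(16)
        self.accounts[user] = {"email": email, "salt": salt,
                               "answer_hash": self._hash(answer, salt)}

    def request_reset(self, user, answer):
        """Return True if a reset mail was queued; no inbox data either way."""
        acct = self.accounts.get(user)
        if acct is None:
            return False
        if not hmac.compare_digest(acct["answer_hash"],
                                   self._hash(answer, acct["salt"])):
            return False
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, time.time() + self.TOKEN_TTL)
        self.outbox.append((acct["email"], token))  # only the mailbox owner sees it
        return True

    def redeem(self, token, new_password):
        """Consume a token from the reset mail; returns the user or None."""
        entry = self.tokens.pop(token, None)  # pop makes the token single-use
        if entry is None or time.time() > entry[1]:
            return None
        self.accounts[entry[0]]["password"] = new_password  # real code would hash this too
        return entry[0]
```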