Password validation security issue

[MRAB]

On 2014-03-03 13:55, Chris Angelico wrote:
> On Tue, Mar 4, 2014 at 12:41 AM, Roy Smith <roy at panix.com> wrote:
>> I used to work at <big company> which had a typical big company IT
>> department which enforced all sorts of annoying pseudo-security rules.
>> As far as I could figure out, however, all you needed to get them to
>> reset anybody's password and tell you the new one was to know their
>> employee ID number (visible on the front of their ID badge), and to make
>> the call from their desk phone.
>
> Technically, that's a separate vulnerability. If you figure out
> someone else's password, you can log in as that person and nobody is
> any the wiser (bar detailed logs eg of IP addresses). Getting a
> password reset will at least alert the person on their next login.
> That may or may not be safe, of course. Doing a password reset at
> 4:30pm the day before someone goes away for two months might give you
> free reign for that time *and* might not even arouse suspicions ("I
> can't remember my password after the break, can you reset it
> please?").
>
> But it's an attack vector that MUST be considered, which is why I
> never tell the truth in any "secret question / secret answer" boxes.
> Why some sites think "mother's maiden name" is at all safe is beyond
> my comprehension. And that's not counting the ones that I can't answer
> because I can't find the "NaN" key on my keyboard, like "Surname of
> first girlfriend". *twiddle thumbs*
>
I don't think you're obliged to answer such questions truthfully.

Q: Surname of first girlfriend?
A: Luxury Yacht