Here at LWN security headquarters, we have received hundreds of messages
from readers with one crucial security question on their minds: how was
Paris Hilton's T-Mobile account cracked?
Well...OK...maybe we haven't received quite that many messages. But we're
sure people will want to know. Turns out that OSDir
has the answer
. Apparently T-Mobile's site has a "secret
answer" mechanism for people who forget their passwords. Ms Hilton's
"secret answer" was her dog's name. Bitten again.
Wherever there is a potential security problem, there is inevitably a
Bruce Schneier column warning about it. In this case, Bruce notes:
Passwords have reached the end of their useful life. Today, they
only work for low-security applications. The secret question is
just one manifestation of that fact.
Passwords may well be heading toward the end of their useful life, but
"secret answers" are not necessarily a demonstration of that fact. Many
web sites (or other interfaces requiring confirmation) go out of their way
to prevent the use of insecure passwords. Some site developers put
considerable effort into creating novel rules for passwords. Then they add a "secret
answer" mechanism which bypasses all of that.
The real issue here, perhaps, is that an authentication interface should
actually control access to the resources it protects. Back doors are never
good for the security of a system, and a "secret answer" scheme is really
just a form of back door. If you provide a way around your password
interface, you should not be surprised if attackers use it.
to post comments)