lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu Mar 16 20:45:52 2006
From: mis at seiden.com (mis@...den.com)
Subject: Yahoo recommends you write down account
	information

[previous commentary on the wisdom of printing out 
account recovery details deleted]


On Thu, Mar 16, 2006 at 12:20:07AM -0500, Valdis.Kletnieks@...edu wrote:
> On Wed, 15 Mar 2006 21:02:17 PST, bigdaddyzeroday@...h.ai said:
> > So break into house steal print out then reset password?  Go take 
> > school kid.
> 
> Well... that's basically what the FBI did to Scarfo.  Although it was
> quite a bit more complicated black-bag job than system_outage is talking about.
> 
> http://www.epic.org/crypto/scarfo.html

not exactly.  but after all that trouble what did they find out was the wiseguy's
pgp passphrase?

his father's federal prison number.   not exactly a secret either.

if the govt wanted the contents of your yahoo account, they have to
produce the right piece of paper, but it isn't this one.

because this piece of paper is not equivalent to KNOWING the password,
as it only gives you the power to access the account by CHANGING the
password (and the zipcode).

which definitely clues in the true account owner that
they can no longer use (and possibly recover) their account.

(with the actual password, you can use the account without the true
account owner's knowledge).

the real reason they suggest printing it is for people's
convenience, not to deliberately reduce their security.

a certain number of people lie about their birthdate and zipcode, or
they forget just what they lied about, or move from place to
place and forgot where they lived when they registered, 
and they don't have a working alternate email address.

so when they finally forget their password, they can't recover their
account (easily anyway).  

another problem is people who get phished (or their accounts
brute-forced) thinking "oh, i must have lied about something when i
registered".  that piece of paper actually helps them realize they
must have had their account taken over.

so maybe the advice on the registration acknowledgement should say:

	"many ordinary people may find it convenient to print this screen
	to help you remember what you told us in case you lose your password
	or someone takes over your account.

	particularly if you lied about anything shown here!

	but depending on 
	- how much you think people are out to get you
	- what you think the value of your yahoo-resident information will be some
	indefinite time in the future 
	- if you live in a sod hut in the north of england or a paper-walled
	house in kyoto,
	- whether you'll be able to find the piece of paper in the distant future

	you might take additional precautions like 
	- locking this piece of paper in a bank vault or 
	- printing it to pdf and pgp encrypting it 

	or 
	- not printing it in the first place."

of course, n3td3v is certain he KNOWS what the right level of security
is for ALL of the hundreds of millions of yahoo users because printing
stuff on paper is ALWAYS bad.  (unless you're a librarian, of course).

sigh.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ