General discussion

  • #2174938

    Security/password reset questions

    by cp7212 ·

    I was going to put this in Network Security, but it applies to standalones, also. I’ve noticed an increasing amount of questions for password resets and bypassing security measures lately.

    I read these and get a little leery about answering them. I definitely pass up the ones that read like, “i cannot get security passed into machein cannot password remember plese help”. Geez, instead of trying to hack into machines, go to school.

    I was wondering what the other members think of this. I am sure a certain few are legitimate requests, but certainly not all of them. I would feel bad if I knew I was giving out info on how to crack someone else’s box, other than the requestor’s.

    I have seen a couple of members ask for a legitimate reason, but anyone can come up with a lie. Maybe I’m old-fashioned, but I think if someone is having problems with security, they should seek help from someone they can be accountable to, someone tangible. Seeking password/security help online is way too easy. Feedback/comments?

    • #3336829

      It's not too hard

      by liame ·

      In reply to Security/password reset questions

      It's not too hard to tell the difference between a user that's forgotten the admin p/w on their XP box and some wannabe l33t h4ckz0rz.

      Questions that include ‘I took the hard drive out..’ or ‘I reformatted the HDD…’ implicitly tell you that the question asker has a level of access to the PC in question that is not normally true of a hacking attempt.

      On the other hand, reprobates asking how to hack Yahoo mail accounts or how to crack a Windows screensaver password without restarting the PC (as he’d get caught out) get short shrift.

      If in doubt, don't answer, I guess.

      • #3336793

        The wannabes really do stand out

        by jdclyde ·

        In reply to It's not too hard

        If they have physical access, it usually is fairly safe. Everyone knows the first rule of security is to secure the computer room.

        And what they are trying to get into should fit with why they are trying to get into it. If you say to yourself, “I could see that happening to me”, then OK. Many of the recent BIOS recoveries sounded more like someone with a stolen system than someone who had just bought a used system, or they would just go back to the people they bought the system from. Rocket science at its best.

    • #3336808

      If they don’t find it here….

      by jdmercha ·

      In reply to Security/password reset questions

      they can certainly find it somewhere else.

      Although I do agree that we should not spread this type of information easily. I’ll usually only provide three answers:

      1. Ask your system admin
      2. Remove the CMOS battery
      3. Boot to a CD

    • #2774804

      Password Resets

      by delphiniumeve ·

      In reply to Security/password reset questions

      While I understand the social engineering aspects, there are systems configured to use a series of reset questions as part of the ‘onboard’ security.

      I am currently building and administering a new system. My supervisor came up with somewhat obscure password reset questions. It amazed me how many users have bristled at these questions.

      My system is not tied into any of the existing reset mechanisms, so we needed another method by which to validate a user. We did NOT use any of the questions typically used by other systems or other parties such as mother’s maiden name, etc – which are just ripe for social engineering attacks.

      I have obtuse users who argued that nothing is good enough. The best thing I have going for me is that I am on telecons with these folks so often, I can recognize their voices in some cases or use callerID which is provided on my phone service. Neither is infallible, but it is the best I can do with the resources available.

      Personally, I like PhoneFactor and a couple of other similar services – but that is not in my budget. It is also a bit like an elephant gun for a flea, as my system has company confidential, non-financial information. I am not hosting PII, PCI, HIPAA, or SOX items, or I would be doing something different.

      I must mention though, that my company has outsourced (offshore) the help desk. They can grant access and resets to PII, PCI, HIPAA, and SOX systems and they do NOT know the users well. It is all about saving money. (However, I cannot see any valid savings as many things are rerouted to the existing onshore staff in addition to their revised workload.)