Nobody Asked Me But: Coping with lost passwords needs guile
What is/was your mother’s maiden name? Name of your first pet? Your favourite subject in school? If these questions seem vaguely familiar to you, then you’ve probably had to go through the annoying and usually frustrating experience of retrieving or resetting your computer password.
Why would anyone want to inflict this kind of mental cruelty on themselves? Let’s face it; going through the often futile exercise of getting back a lost or forgotten secret identification code ranks high in favourite activities (NOT) (somewhere between pushing bamboo slivers under your fingernails and soaking your feet in hydrochloric acid).
The only reason you even contemplate the process of password reset is because, if you didn’t, your life as you know it would lose all meaning and your very existence would come to a complete standstill. It’s painful to admit it, but we have become so dependent on our digital devices that the loss of a tried and true password pretty much slams the portal gate shut on 99 per cent of the activities that give us organization, livelihood or satisfy our entertainment cravings.
Usually, in the process of replacing a forgotten password, there are a number of bizarre hoops through which you must jump. The one that really gets to me is when you are asked to click a checkmark into the dialogue box declaring “I am not a robot.” What are you supposed to do if you indeed are a robot? Leave it blank and go on to the next question?
Another weird method used to authenticate your identity and make your password request more secure is the appearance of a few squiggly numerals and letters of the alphabet that look as if they are reflections in those warped mirrors you find in the House of Horrors at the circus. You’re supposed to recognize these mutated symbols for the numbers and letters they are and retype them using your keyboard. Half the time I’m wrong, mistaking a “7” for a “W” and leaving myself wondering if perhaps I truly am a robot.
Another trick in the bag for securing password resets is coming up with one or more questions to which only you will know the answer. When it comes to choosing quality questions in order to authenticate that you are actually you, there are five principles you need to guide your choice. Your questions must have answers that are safe, stable, memorable, simple and have many possible answers with which to confuse a potential hacker.
How can your question be unsafe? Consider your mother’s maiden name. You may correctly assume that there are very few people (outside of your immediate family) who would be party to this information, but what you are forgetting (besides your password which got you into this predicament in the first place) is the fact that the answer is almost certainly on public record and can easily be researched by any hacker worthy of his criminal stripes. You might as well ask “Who is buried in Grant’s tomb?” for all the difficulty it would take to research the correct answer.
The second guideline on which to judge the merits of a retrieval question is stability. Will the answer to your question stay the same over time, or is it likely to change from year to year or moment to moment? You can see why “Who won the Stanley Cup last year?” would not pass the stability test because the answer could change with each successive hockey season. On the other hand, “Will the Vancouver Canucks ever win the Stanley Cup?” would pass with flying colours since we all know that some things never change.
Is the correct response to your question memorable or will you forget it as quickly as you’ve forgotten the password itself? Using the name of your first dog as a question will not be much use to you if you can’t really remember whether it was a dog or a pet chinchilla you had as a child (or was it just a potted philodendron because your mother didn’t want any animals shedding all over the upholstery).
Another criterion for a good question is that the answer must be simple, precise and consistent. The value of pi to 23 decimal places is precise and consistent, but not exactly simple. On the other hand, Trudeau’s policy on fossil fuels and climate change can be viewed as low on the consistency scale (although it scores high in simplism).
A question such as “When did you get married?” would also fail because of the variety of ways you can write a date. Nov. 30, 1957 can be written 30/11/57 or 11/30/57 or 1957-11-30 and dozens of other permutations of the same letters and digits. It also doesn’t take into account the fact that you may have had multiple marriages over the years.
In order for an authentication question to be useful and powerful, there have to be many answers possible but only one can be correct. This makes it extremely difficult and virtually impossible to guess the right response. “What year was your father born?” may seem, at first blush, to be a good question, but closer inspection reveals there are a limited number of possibilities and the answer could be guessed in less than 20 attempts. If you want to use a query involving birthdates, try “What number do you get if you multiply the year of your father’s birth by the year of your mother’s birth and then subtract your own year of birth?” Any depraved hacker who is willing to spend the time and energy guessing the correct solution probably deserves to break into your account and watch Netflix movies on your nickel.
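The consistency and guessability points above have a defender-side counterpart, shown here as added example code that is not from the column: canonicalise the date spellings the column lists before comparing, store the answer the way a password is stored, and cap failed attempts so a small answer space cannot simply be enumerated. The function and field names, the PBKDF2 parameters and the `MAX_ATTEMPTS` value are assumptions, not anything the column prescribes.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime

# The column's example date, 30 Nov 1957, in the spellings it lists plus ISO form.
DATE_FORMATS = ("%Y-%m-%d", "%d/%m/%y", "%m/%d/%y", "%d/%m/%Y", "%m/%d/%Y", "%b. %d, %Y")
MAX_ATTEMPTS = 5  # assumed limit: a ~100-value answer space is only safe with few tries


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so a formatting difference cannot cause a false mismatch."""
    text = answer.strip()
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        # strptime maps two-digit years 00-68 to 20xx; a remembered event cannot lie in the future.
        if dt.year > datetime.now().year:
            dt = dt.replace(year=dt.year - 100)
        return dt.strftime("%Y-%m-%d")
    # Free-text answers: case-fold and drop spaces/punctuation ("Rex", "rex ", "REX." all match).
    return re.sub(r"[^a-z0-9]", "", text.casefold())


def enroll_answer(answer: str, iterations: int = 600_000) -> dict:
    """Store the answer like a password: salted, slow-hashed, never in the clear."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations, "failures": 0}


def verify_answer(record: dict, answer: str) -> bool:
    """Constant-time check; after MAX_ATTEMPTS failures every guess is refused, right or wrong."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), record["salt"], record["iterations"]
    )
    if hmac.compare_digest(candidate, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False
```

Note the day/month ambiguity of a value such as 05/06/57 is not resolved by any normaliser, which is one more reason a date makes a poor answer.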
Nobody asked me, but there must be a better system for maintaining security in this digital universe we have created. How many more times am I destined to waste precious hours of my life resetting passwords I already know I will forget the next time I need to use them?
And why is it that when I finally do get my reset password and type the characters into the proper dialogue box, I inevitably get a return message telling me that although I have now entered my correct password, I no longer can supply them with the proper User ID and therefore am banned from the login procedure. When it comes to choosing the best authentication security question to help me retrieve my password, maybe mine ought to be “What is your favourite lost password?”