Beefy Boxes and Bandwidth Generously Provided by pair Networks httptech
Don't ask to ask, just ask
 
PerlMonks  

Email security for monks?

by DigitalKitty (Parson)
on Oct 03, 2004 at 21:53 UTC ( #396065=monkdiscuss: print w/ replies, xml ) Need Help??

Hi all.

In the event that an account is compromised (password sniffed, etc.), it would be relatively trivial for the interloper to click on 'Edit your user settings' (home node) and modify the email address the monastery uses to send a reminder. This would, in effect, lock you out of your own account. How could you prove you were <insert monk name here>? I propose the email address not be visible by default. Yahoo mail stores bithdays in a DB and simply states 'Info on file'. Perhaps a small text box could be provided that allowed each monk to verify his/her current address by entering the value currently stored in a table?

Thanks,
~Katie.

Comment on Email security for monks?
Re: Email security for monks?
by skx (Parson) on Oct 03, 2004 at 22:32 UTC

    Whilst I love the Perl Monks as much as the next person, if my email account were compromised access to this site would be the least of my worries.

    As it is the email address of monks is not visible to visitors to their home nodes, so I'm not sure I understand what would be gained from adding another test to the edit user page. Sure it raises the bar slightly, but not enough to make it possible to prove your identity.

    After all if the email address 'foo@bar.com' corresponding to a Monk were compromised surely they would just enter 'foo@bar.com' into the field anyway? This would only gain a user security if they used one specific email address which was non-public for this site, and nothing else.

    Steve
    ---
    steve.org.uk
      To explain a bit so you 'get' what she was referring to. Two problems present themselves with a public site such as PM. First, you have to login to the site from somewhere "out there." From a public PC or even your own, the password and/or cookie value might get 'sniffed' on the wire. Second, as Petruchio so visibly reminds, this is a public site and while clicking around your cookie value might get sniffed.

      So it is not your email account that is worried about in DigitalKittys question. It is your PM identity, which could be cracked, co-opted, the email address changed and then how do you get it back to being accessible only by you? So, back to the original question...

Re: Email security for monks?
by davido (Archbishop) on Oct 04, 2004 at 02:37 UTC

    I understand the point you're making, but there is a problem that is difficult to circumvent here. First, we like to give people the ability to receive an email reminder when they forget their account password. Second, we like to let people update their info when they change email accounts.

    How do we go about satisfying both criteria, while making it impossible, for someone who has gained unauthorized access to a PM account, to update the email address and password? We can strengthen password security by forcing password aging, trickier passwords, and other such strategies (each of which make the site more difficult to use, and introduce the potential for increased user error), but ultimately, if we want to let people update their own user info, I don't see how we could prevent anyone who gains access to the account from doing the same.

    Hiding email info from a user won't prevent that user from updating his email address. And if he can update his email address, so can anyone else who knows his password.

    Protect your passwords, and if you should happen to believe your account has been comprimised, pray to the gods that they might help you get it sorted out. At least we have some nice people here who may help out.


    Dave

      The proposal was to not allow you to change your e-mail address unless you can enter your old (current) e-mail correctly; making your e-mail address a bit like a second password.

      A problem with this is that it needs to address the unlikely situation of someone not remembering what their old e-mail address was. Or, more likely, when someone enters their e-mail address incorrectly and doesn't notice and so can never change their e-mail address again.

      This is the same reason why I haven't made it so you have to enter your old password in order to change your password.

      Perhaps you should be required to enter at least two of your password, e-mail address, and "real name" in order to be able to change (or see) any of them?

      And it'd be nice if we had a solution for the "I forgot my password and I no longer have that e-mail address" problem.

      At least we no longer output the password in the HTML when you edit your home node.

      - tye        

        I would like to see an option for users to upload their public PGP/GPG key. It's the sort of situation that public key crypto was designed for - I can give every site my public key, and it can't be 'stolen'.

        Fair enough that moves the problem from "I forgot my password" to "I lost my private key", but people tend to take more care of their private key.

        (I'm sure you know this, I'm just going for a bit of an expository ramble here :)

        e.g. I really wish I had of uploaded my public key to perlmonk.org since I've changed my password and forgot to note it down in my top secret "net passwords" file. Now I've gotta do exactly what the top poster said - convince jcwren that I'm not some yahoo trying to hijack an account.

        And as for the forgetting the email address problem - it does happen. I've been on the web long enough that I have accounts on servers where the email address is now invalid due to me moving ISPs - perlmonks is one of those (I'd better go fix it now).

        ___________________
        Jeremy
        I didn't believe in evil until I dated it.

Re: Email security for monks?
by Golo (Friar) on Oct 04, 2004 at 17:04 UTC
    How about sending a confirmation email to the old address when someone changes his/her mailaddress?

    In the described case you get notified that your account was hijacked and you have "proof" (the confirmation mail) that you are the rightful owner.
      Which "old" address? The original one (which might be invalid now) or simply the previous one? If you go for the last option: what stops an intruder from changing your e-mail address twice, so he still gets the confirmation mail and he can prove he is the "real" you?

      CountZero

      "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

        what stops an intruder from changing your e-mail address twice (...)
        Nothing, but you would still receive the notification for the first change. If the old (previous or original) address is invalid, the mail gets bounced - bad luck (or doesn't matter in the more likely case you wanted to change the address because of that).

        I know it's a weak proof, thats why I put it in quotes, but I think the notification might be a good feature.
Re: Email security for monks?
by CountZero (Chancellor) on Oct 04, 2004 at 19:04 UTC
    Indeed, this is a real concern.

    However, no system which relies on a password scheme to limit entry is safe once the password is compromised. Once you have passed all password-controls, you are essentially free to do as you please (or the system allows you to do within the privileges granted to you by your current access-level). Simply (or naively) adding additional passwords (or public keys, ...) only transfers the problem one level further: What happens if this password, ... also gets compromised, lost, forgotten, invalidated, ...?

    Your posting however begs another question: have any PM-accounts been compromised or stolen from their rightful owners?

    CountZero

    "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

    This is my 777th post!
Re: Email security for monks?
by TedPride (Priest) on Oct 04, 2004 at 21:49 UTC
    Well, one way would be to have the "registration completed" email give a link that lets you reset your login info. Sniffers might be able to intercept your password, but they won't have access to your email, and you can use the link at any time to change your login and lock out the person who's hacked your account.
      That is a nice idea!

      Although someone will manage to crash his harddisk, forgot to make a backup or generally has his "registration email" misfiled or by switching to another mail reader cannot access it anymore and he will still have to petition the gods to get his account back.

      CountZero

      "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re: Email security for monks?
by DigitalKitty (Parson) on Oct 06, 2004 at 02:27 UTC
    Hi all.

    Thanks for the array of responses. I was particularly impressed with an idea davido had. We could each select a keyword / phrase then that pair (login + keyword for example) could be made accessible only by the gods.

    Thanks,
    ~Katie
      This sounds like a good idea at first, but it turns out that it is equivalent to simply having another login. To use this system right now:

      *Create yourself a second login.

      *On your DigitalKitty page, add the sentence "DigitalKitty also logs on as <OtherAccountName>".

      Voila! Instant keyword/phrase implementation of your idea, without someone having to code it up. If you forget your DigitalKitty login, just login under your second account and ask someone to change the DigitalKitty password. When they challenge you, point them to your homenode.

      Backup passwords/accounts tend to be worse than useless, because if you're going to forget your primary password, you'll forget your backup as well because it is used even less.

      davido's suggestion adds a layer of complexity while still being vulnerable to the original problem. And if your solution to the forgetting problem is to make the keyword your mother's name, or your favourite band, you might as well just use that as your password.

      ___________________
      Jeremy
      I didn't believe in evil until I dated it.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: monkdiscuss [id://396065]
Approved by Old_Gray_Bear
Front-paged by Old_Gray_Bear
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others surveying the Monastery: (4)
As of 2014-04-21 03:38 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    April first is:







    Results (490 votes), past polls