Strong passwords

Old Aug 15, 2012 | 10:58 pm
  #31  
 
Join Date: Sep 2010
Location: KSUX
Posts: 919
Steve Gibson and Leo Laporte talked in detail about what happened to Mat on their Security Now podcast last week. It was a perfect storm of failure by Amazon, Apple, and Mat. Worth a listen if you're curious what happened.

Earlier this year they also reviewed some password managers for iOS but some of them have Mac/PC/Android versions as well. Sadly they didn't really talk about 1Password. He did mention an episode or two later that he looked into 1PW and after exchanging emails with the devs was pretty impressed.
LtKernelPanic is offline  
Old Aug 16, 2012 | 6:25 am
  #32  
 
Join Date: Dec 2003
Location: NYC
Posts: 7,041
Originally Posted by packetshard
I can't stress enough that you shouldn't use the same password for more than one thing, and really think long and hard about using your Facebook/Google/whatever account to authenticate to some other service.
What would you use to authenticate? And what would you do if you lose or forget that?

The problem is how to make sure the password reset mechanism is safe. Virtually everything has some method of giving you access if you lose your password (for example, would you want to be permanently locked out of your bank account if you forgot your password?).

It's relatively easy to design encryption that can withstand brute force attacks. It's a lot harder to make sure people aren't locked out forever (or inconvenienced to the point of absurdity) and are secure.
richarddd is offline  
Old Aug 16, 2012 | 7:21 am
  #33  
 
Join Date: Apr 2012
Posts: 50
Originally Posted by richarddd
What would you use to authenticate? And what would you do if you lose or forget that?

The problem is how to make sure the password reset mechanism is safe. Virtually everything has some method of giving you access if you lose your password (for example, would you want to be permanently locked out of your bank account if you forgot your password?).

It's relatively easy to design encryption that can withstand brute force attacks. It's a lot harder to make sure people aren't locked out forever (or inconvenienced to the point of absurdity) and are secure.
I agree with your premise that designing good password reset or recovery systems that strike the balance between ease of use and security is tough. I also agree that with a good salting mechanism, designing a password hashing function that mounts some reasonable defense against modern brute force attacks with GPU-based password crackers isn't *that* conceptually difficult, but for whatever reason, lots of systems fail to do so or do so badly.

I read (here maybe?) that someone recommended creating an email address specifically for user accounts and password resets and only using said email account for these purposes (not for regular correspondence, etc.). Also, maybe naming it something that doesn't identify with you or your name.

The other thing that helps is recognizing what makes a good password in the first place, particularly as it relates to how human memory works. Randall Munroe, who draws XKCD, nails it here:

http://xkcd.com/936/
packetshard is offline  
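The salted, iterated hashing that the post above calls "not that conceptually difficult", shown as an added example in Python. This is not code from the thread or from any product named in it. The parameters are assumptions (PBKDF2-HMAC-SHA256, a 16-byte random salt per user, 600,000 iterations), and the user records and wordlist are constructed for illustration; the unsalted MD5 path is included only to show what "doing it badly" costs.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Assumed parameters for this example (tune to your own hardware and
# threat model): PBKDF2-HMAC-SHA256, a 16-byte random salt per user, and
# an iteration count high enough that each guess costs the attacker
# roughly as much as a legitimate login costs you.
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The 'done badly' case: one round of MD5 with no salt.

    Two users with the same password get the same digest, so one pass
    over a wordlist cracks all of them at once, and precomputed tables
    work against every deployment that stores passwords this way.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Recover every user whose unsalted digest matches a guessed word.

    The digest->word table is built once, so the cost is len(wordlist)
    hashes regardless of how many users the database holds.
    """
    table = {weak_hash(w): w for w in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing '$'-separated record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_crack_cost(user_count: int, wordlist_size: int) -> int:
    """Slow hashes an attacker must compute to try every word against every
    user: the per-user salt removes the shared table, and the iteration
    count makes each of those hashes expensive."""
    return user_count * wordlist_size


if __name__ == "__main__":
    # Constructed sample data, not from any real breach.
    users = {"alice": weak_hash("password1"), "bob": weak_hash("password1"),
             "carol": weak_hash("Zq9!Lx#vb4")}
    wordlist = ["123456", "password1", "letmein"]
    print("unsalted MD5, one wordlist pass:", crack_unsalted(users, wordlist))

    rec_a = hash_password("password1")
    rec_b = hash_password("password1")
    print("same password, different records:", rec_a != rec_b)
    print("verify ok:", verify_password("password1", rec_a),
          "wrong password:", verify_password("password2", rec_a))
    print("salted guesses needed:", salted_crack_cost(len(users), len(wordlist)))
```

Storing the iteration count in the record is what lets you raise it later without invalidating existing users; `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched.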
Old Aug 16, 2012 | 7:39 am
  #34  
 
Join Date: Dec 2003
Location: NYC
Posts: 7,041
Originally Posted by packetshard
I read (here maybe?) that someone recommended creating an email address specifically for user accounts and password resets and only using said email account for these purposes (not for regular correspondence, etc.). Also, maybe naming it something that doesn't identify with you or your name.

The other thing that helps is recognizing what makes a good password in the first place, particularly as it relates to how human memory works. Randall Munroe, who draws XKCD, nails it here:

http://xkcd.com/936/
Creating an email address specifically for password resets is one of the better ideas. It's floating out there generally, but doesn't get the attention it deserves. A separate email for each password would be ideal, but is not very practicable.

A few words strung together make a great password. It should be impervious to a dictionary or brute force attack and is relatively easy to remember. There is the issue of using a unique password for each site, which cuts down on memorability, although you can use a general password with a unique portion for each site, such as MyLongPasswordForFT, MyLongPasswordForCiti, MyLongPasswordForTwitter.

xkcd is a high point of current western civilization.
richarddd is offline  
Old Aug 16, 2012 | 8:07 am
  #35  
FlyerTalk Evangelist
 
Join Date: Dec 2000
Location: south of WAS DC
Posts: 10,131
I think great difficulty can be added to cracking a password by adding caps, numbers, characters, and characters that are not on a keyboard. We now would have some 250 characters to use. Not hard to use ***, as it is on the num pad. Not hard to use €, as it can be done with an alt key on a MS keyboard. With a Mac, one can easily add ➤✺‡, which makes cracking with a machine algorithm really difficult and makes it take a really long time.

I would presume if one just uses letters, a program could crack a 9 letter code in a matter of minutes.
slawecki is offline  
Old Aug 16, 2012 | 8:26 am
  #36  
 
Join Date: Dec 2003
Location: NYC
Posts: 7,041
https://www.grc.com/haystack.htm calculates how long a brute force attack might take. Go from 9 to 15 letters and it would take a long time to crack.
richarddd is offline  
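A small calculator in the spirit of the haystack page, added here as an example; it is not code from the thread or from grc.com. It puts numbers on the three posts above: a few random words strung together (#34), a larger character set (#35), and going from 9 to 15 letters (#36). The guess rate is an assumption, and the entropy figures assume every character or word is chosen uniformly at random, which is also what the haystack calculator assumes; a patterned or dictionary-based string has far less.

```python
import math
from typing import List, Tuple

# Assumed attacker speed. A few GPUs against a fast, unsalted hash managed
# on the order of 10^9 guesses/second in 2012; an online login form with
# rate limiting is many orders of magnitude slower. Adjust to your model.
GUESSES_PER_SECOND = 1e9


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a dictionary.
    The xkcd 936 case is 4 words from a 2048-word list = 44 bits."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate tried. Expected time is half."""
    return 2.0 ** bits / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units: List[Tuple[str, float]] = [
        ("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
        ("minutes", 60), ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def compare(rate: float = GUESSES_PER_SECOND) -> List[Tuple[str, float, str]]:
    """Rows of (description, bits, time to exhaust) for the cases in the thread."""
    cases = [
        ("9 lowercase letters", password_bits(26, 9)),
        ("15 lowercase letters", password_bits(26, 15)),
        ("9 chars, 95 printable ASCII", password_bits(95, 9)),
        ("9 chars, 250-symbol set", password_bits(250, 9)),
        ("4 random words, 2048-word list", passphrase_bits(4, 2048)),
        ("6 random words, 7776-word list", passphrase_bits(6, 7776)),
    ]
    return [(label, round(bits, 1), humanize(seconds_to_exhaust(bits, rate)))
            for label, bits in cases]


if __name__ == "__main__":
    for label, bits, t in compare():
        print(f"{label:32} {bits:6.1f} bits  {t}")
```

The table is the whole point: at 10^9 guesses per second, nine random lowercase letters fall in about an hour and a half, while fifteen take tens of thousands of years, so length buys more than exotic characters do per keystroke. The numbers only hold if the symbols really are random; a word list the attacker can guess, or a per-site suffix appended to a known prefix, is not modelled here and does not get these bits.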
Old Aug 16, 2012 | 9:24 am
  #37  
 
Join Date: Jun 2010
Posts: 100
Originally Posted by gfunkdave
Do you really think you would have such a guarantee with Apple or IBM behind it?
no...not really...but if they did and I catch them...I have the option of a big lawsuit...no such thing with small operators...
77five is offline  
Old Aug 17, 2012 | 6:48 am
  #38  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,773
Originally Posted by 77five
no...not really...but if they did and I catch them...I have the option of a big lawsuit...no such thing with small operators...
Shows a lot of faith in your ability to police large corporations.

You could sue a small company just the same...and probably more easily, since a small company wouldn't be able to throw ten attorneys at you.
gfunkdave is offline  
Old Aug 20, 2012 | 8:29 pm
  #39  
 
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,720
http://arstechnica.com/security/2012...under-assault/

Good article.

-David
LIH Prem is offline  
Old Aug 22, 2012 | 6:37 pm
  #40  
 
Join Date: Aug 2010
Location: LAX
Programs: AA 2MM, SPG Gold, HH Diamond
Posts: 110
Originally Posted by LIH Prem
Thanks! Good read. And scary too.
alan19 is offline  
Old Aug 22, 2012 | 9:32 pm
  #41  
 
Join Date: Jul 2001
Location: DTW
Programs: Dirt Status w/ All
Posts: 5,049
I wanted to look at my cable internet e-mail last night. I have not used it in over a year, and forgot the password. I hit the "forgot password" link, and it let me pick a new one by answering one challenge question - where was I born. This seems insanely easy to figure out for a hacker.

I have set up two factor authentication on my Gmail account, and am also playing with LastPass. It is probably worth the $12 a year. I have been switching everything to strong passwords and using special characters when possible, but not all sites allow it and it is becoming unmanageable. Add in a new job that has added another dozen or so passwords to my life and it is worth the $1/month.
tev9999 is offline  
This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.