Hi! My name is Cédric Bozzi, I make websites and iOS apps, and this is my blog about technology (mostly a Twitter archive, really).

16 November 2012

Kill the Password”

The only convincing case the author makes, actually, is: kill the motherfucking password reset systems. And yes, I realize you can’t have passwords without some kind of password reset, but the problem here lies with the implementation more than anything else:

Apple: Can you answer a question from the account? Name of your best friend?

Hacker: I think that is “Kevin” or “Austin” or “Max.”

Apple: None of those answers are correct. Do you think you may have entered last names with the answer?

Hacker: I might have, but I don’t think so. I’ve provided the last 4, is that not enough?

Apple: The last four of the card are incorrect. Do you have another card?

Hacker: Can you check again? I’m looking at my Visa here, the last 4 is “5555.”

Apple: Yes, I have checked again. 5555 is not what is on the account. Did you try to reset online and choose email authentication?

Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.

Apple: You want to try the first and last name for the best friend question?

Hacker: Be right back. The chicken is burning, sorry. One second.

Apple: OK.

Hacker: Here, I’m back. I think the answer might be Chris?

He’s a good friend.

Apple: I am sorry, Brian, but that answer is incorrect.

Hacker: Christopher Aylsworth is the full name.

Another possibility is Raymond McAlister.

Apple: Both of those are incorrect as well.

Hacker: I’m just gonna list off some friends that might be haha. Brian Coca. Bryan Yount. Steven May.

Apple: How about this. Give me the name of one of your custom mail folders.

Hacker: “Google” “Gmail” “Apple” I think. I’m a programmer at Google.

Apple: OK, “Apple” is correct. Can I have an alternate email address for you?

Hacker: The alternate email I used when I made the account?

Apple: I will need an email address to send you the password reset.

Hacker: Can you send it to “toe@aol.com”?

Apple: The email has been sent.

“Why, yes, this Apple e-mail account does have a folder named ‘Apple’. Nobody could have guessed that, and our conversation has given me every reason to think you are who you say you are.” Jesus.

Archives

2001 01 02 03 04 05 06 07 08 09 10 11 12

2002 01 02 03 04 05 06 07 08 09 10 11 12

2003 01 02 03 04 05 06 07 08 09 10 11 12

2004 01 02 03 04 05 06 07 08 09 10 11 12

2005 01 02 03 04 05 06 07 08 09 10 11 12

2006 01 02 03 04 05 06 07 08 09 10 11 12

2007 01 02 03 04 05 06 07 08 09 10 11 12

2008 01 02 03 04 05 06 07 08 09 10 11 12

2009 01 02 03 04 05 06 07 08 09 10 11 12

2010 01 02 03 04 05 06 07 08 09 10 11 12

2011 01 02 03 04 05 06 07 08 09 10 11 12

2012 01 02 03 04 05 06 07 08 09 10 11 12

2013 01 02 03 04 05 06 07 08 09 10 11 12

2014 01 02 03 04 05 06 07 08 09 10 11 12

2015 01 02 03 04 05 06 07 08 09 10 11 12

2016 01 02 03 04 05 06 07 08 09 10 11 12

2017 01 02 03 04 05 06 07 08 09 10 11 12

2018 01 02 03 04 05 06 07 08 09 10 11 12

2019 01 02 03 04 05 06 07 08 09 10 11 12