Hi! My name is Cédric Bozzi, I make websites and iOS apps, and this is my blog about technology (mostly a Twitter archive, really).

16 November 2012

“Kill the Password”

The only convincing case the author makes, actually, is: kill the motherfucking password reset systems. And yes, I realize you can’t have passwords without some kind of password reset, but the problem here lies with the implementation more than anything else:

Apple: Can you answer a question from the account? Name of your best friend?

Hacker: I think that is “Kevin” or “Austin” or “Max.”

Apple: None of those answers are correct. Do you think you may have entered last names with the answer?

Hacker: I might have, but I don’t think so. I’ve provided the last 4, is that not enough?

Apple: The last four of the card are incorrect. Do you have another card?

Hacker: Can you check again? I’m looking at my Visa here, the last 4 is “5555.”

Apple: Yes, I have checked again. 5555 is not what is on the account. Did you try to reset online and choose email authentication?

Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.

Apple: You want to try the first and last name for the best friend question?

Hacker: Be right back. The chicken is burning, sorry. One second.

Apple: OK.

Hacker: Here, I’m back. I think the answer might be Chris?

He’s a good friend.

Apple: I am sorry, Brian, but that answer is incorrect.

Hacker: Christopher Aylsworth is the full name.

Another possibility is Raymond McAlister.

Apple: Both of those are incorrect as well.

Hacker: I’m just gonna list off some friends that might be haha. Brian Coca. Bryan Yount. Steven May.

Apple: How about this. Give me the name of one of your custom mail folders.

Hacker: “Google” “Gmail” “Apple” I think. I’m a programmer at Google.

Apple: OK, “Apple” is correct. Can I have an alternate email address for you?

Hacker: The alternate email I used when I made the account?

Apple: I will need an email address to send you the password reset.

Hacker: Can you send it to “toe@aol.com”?

Apple: The email has been sent.

“Why, yes, this Apple e-mail account does have a folder named ‘Apple’. Nobody could have guessed that, and our conversation has given me every reason to think you are who you say you are.” Jesus.
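For contrast with the transcript, here is what a reset flow looks like when the implementation does the work instead of a support agent: a random, single-use, time-limited token that is only ever sent to the address registered on the account, with no security questions and no way for the requester to name a destination. This is an added example written for this page, not code from the original post or from Apple; the `PasswordResetService` class, the `accounts` mapping and the `brian@example.invalid` address are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TOKEN_TTL_SECONDS = 15 * 60   # a reset link is good for fifteen minutes
MAX_REDEEM_ATTEMPTS = 5             # wrong guesses before the token is invalidated


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class PasswordResetService:
    """Hypothetical reset flow (constructed for this example).

    `accounts` maps a username to the e-mail address registered when the
    account was created. The reset link is sent there and nowhere else:
    there is no parameter through which the requester can supply an
    address, and there are no knowledge-based questions to talk past.
    """

    def __init__(self, accounts, clock=time.time):
        self._accounts = dict(accounts)   # username -> registered e-mail
        self._pending = {}                # username -> (token_hash, expiry, attempts)
        self._passwords = {}              # username -> (salt, pbkdf2 hash)
        self._clock = clock               # injectable for testing expiry
        self.outbox = []                  # (recipient, token) pairs "sent" by mail

    def request_reset(self, username: str) -> str:
        """Start a reset. Returns the same neutral message for known and
        unknown accounts, so the response does not reveal whether the
        account exists."""
        email = self._accounts.get(username)
        if email is not None:
            token = secrets.token_urlsafe(32)            # 256 bits of randomness
            expiry = self._clock() + RESET_TOKEN_TTL_SECONDS
            # Issuing a new token replaces any earlier one for this account.
            self._pending[username] = (_hash_token(token), expiry, 0)
            self.outbox.append((email, token))           # stands in for sending mail
        return "If that account exists, a reset link has been sent to the address on file."

    def redeem(self, username: str, token: str, new_password: str) -> bool:
        """Consume a token and set a new password. Succeeds only for an
        unexpired, unused token that matches the one issued for this account."""
        record = self._pending.get(username)
        if record is None:
            return False
        token_hash, expiry, attempts = record
        if self._clock() > expiry:
            del self._pending[username]                  # expired: drop it
            return False
        if not hmac.compare_digest(token_hash, _hash_token(token)):
            attempts += 1
            if attempts >= MAX_REDEEM_ATTEMPTS:
                del self._pending[username]              # too many wrong guesses
            else:
                self._pending[username] = (token_hash, expiry, attempts)
            return False
        del self._pending[username]                      # single use
        salt = secrets.token_bytes(16)
        self._passwords[username] = (salt, _hash_password(new_password, salt))
        return True

    def verify_password(self, username: str, password: str) -> bool:
        record = self._passwords.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))


if __name__ == "__main__":
    svc = PasswordResetService({"brian": "brian@example.invalid"})
    print(svc.request_reset("brian"))
    recipient, token = svc.outbox[0]
    print("link sent to", recipient)
    print("redeemed:", svc.redeem("brian", token, "correct horse battery staple"))
    print("replay:", svc.redeem("brian", token, "again"))
```

The design choice that matters most is structural: `request_reset` takes only a username, so the "can you send it to toe@aol.com" step in the transcript has no counterpart. Everything else (hashed storage, expiry, single use, a constant-time compare, a uniform response for unknown accounts) closes the smaller gaps that turn a reset feature into an account takeover path.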