probably want to give a stern talking-to to the guy who invented emails
Speaking of password issues... I am getting tired of the main theatre company in Canada's site resetting my password every week. I pointed it out to them and they claimed that it was fixed... that was like 5 months ago at least. It's a horribly stupid idea to make the password automatically reset when you fail it so many times, because if someone keeps failing it and you get used to seeing the reset emails then it's easy for someone to send a fake email that looks real and trick people into giving their login info.
That's awful. That's not any more secure than if you didn't do it that way. In fact, it makes it easy to force a PW reset on an account that you don't have access to. And with all of the password resets that it might force someone to do it makes it more likely for someone to just increment their PW which in turn makes it less secure. What moron came up with this practice?
Exactly, and as I pointed out, if this keeps happening as often as it does for me, it's easy for someone to force the reset on someone else several times, then send them a fake email and get the person to enter their password, which as you have said, they are most likely to just increment the number on. Then they have access to the account.
I told this to the company and they just said "It's not a fake email, it's because you requested a password reset."
Uhh 1: I didn't request a password reset. And 2: I didn't say this was a fake one, I said someone COULD fake it.
I have no idea what your point is here. The site that I am talking about DOES automatically reset your password whenever it's failed 3 times. It's not a DOS attack, it's someone repeatedly entering the wrong password so it forces a reset. It's a stupid system, at best it should suggest you change your password, not force you to change it.
I'm using the term "denial of service" somewhat differently.
It's not a distributed denial of service attack that blocks a huge swath of people from interacting with the service at all. Rather, an attacker who wants to target someone can enter wrong passwords on purpose, locking the authorized user out of their account, thereby denying them the service in a targeted attack, even though they can still communicate with the server.
In the ATM case, such an attack requires two factors - in addition to the PIN, the attacker needs to have the physical card (or, if the authentication is remote, be able to duplicate the physical card). On a website connected to the Internet, the account name is enough, and it's often public information.
(I managed to lock myself out of my Presto card account because it's very easy to click the submit button after a failed prompt ugh)
Yeah but my point is that no normal site should automatically reset your password when you fail to login. At best it should lock you out for a while or send an email to warn you. It shouldn't force you to change your password unless an unauthorized person actually gains access.
As I mentioned, by forcing a reset like that all someone has to do is repeatedly fail the password so that it gets reset and the email gets sent out, then once the victim is used to seeing the emails the person just has to send a fake that looks like the real thing and the victim will most likely be fooled into thinking it's real and putting their password into a fake site. Most people if they have to change their password will just add numbers to the end of it, typically starting with 1 like "password1" then going "password2" and "password3" and so on. So it would be easy for the hacker to guess what their normal password would be. Plus if the last email was fake then it means their password would still be set so the hacker could then just test the previous numbers to get access to the account.
You never want an automated reset system, you want people to have to click a reset button so that your email can say "Hey we are sending you this reset notice, if you didn't request a reset then please ignore this email." So people will know if they sent it or not, with an automated system like that it means they can't tell if they accidentally did it or if someone else did. Too much room for error.
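An added illustration, not part of this thread and not any site's code: a small Python model of the two policies argued over above, the forced reset after three failed logins and the temporary lockout with a warning email, each run against an attacker who knows only the username (the targeted denial of service described a few comments up). It also sketches the user-requested reset the last comment asks for, with the "if you didn't request this, ignore it" wording. The accounts, the in-memory "outbox" that stands in for email, and every threshold (3 failures, a 30 s pause that doubles per further failure and is capped at an hour, a 15-minute reset link) are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed example: in-memory accounts and an in-memory "outbox" stand in
# for the site's email. Thresholds below are assumptions, not any site's.
MAX_FAILURES = 3        # the thread's "failed 3 times"
BASE_LOCKOUT = 30.0     # seconds; doubles with each further failure
MAX_LOCKOUT = 3600.0    # cap so a lockout is always bounded
RESET_TTL = 900.0       # lifetime of a user-requested reset link, seconds


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0
    reset_hash: bytes = b""
    reset_expires: float = 0.0
    outbox: list = field(default_factory=list)   # emails the site "sent"


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_pw(password, salt))


def check_pw(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash)


def login_forced_reset(acct: Account, password: str) -> str:
    """The policy the thread complains about: three failures invalidate the
    password and send a reset email, whether or not the owner was involved."""
    if check_pw(acct, password):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        # Credential overwritten with a random value nobody knows: the owner's
        # real password stops working until they follow the email.
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_pw(secrets.token_urlsafe(32), acct.salt)
        acct.failures = 0
        acct.outbox.append("Your password has been reset. Click here to set a new one.")
        return "password_reset"
    return "bad_password"


def login_lockout(acct: Account, password: str, now: float) -> str:
    """Alternative: pause sign-in for a growing but bounded time and warn the
    owner. The password is never changed, so the email can say so."""
    if now < acct.locked_until:
        return "locked"               # same answer right or wrong: no oracle
    if check_pw(acct, password):
        acct.failures = 0
        acct.locked_until = 0.0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        backoff = min(BASE_LOCKOUT * 2 ** (acct.failures - MAX_FAILURES), MAX_LOCKOUT)
        acct.locked_until = now + backoff
        acct.outbox.append(f"{acct.failures} failed sign-in attempts; sign-in paused "
                           f"for {int(backoff)}s. Your password has NOT been changed.")
        return "locked"
    return "bad_password"


def request_reset(acct: Account, now: float) -> str:
    """User-initiated reset only: a short-lived token stored as a hash, and a
    mail that tells anyone who did not ask for it to ignore it."""
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_expires = now + RESET_TTL
    acct.outbox.append("We received a request to reset your password. If you did "
                       "not request this, ignore this email; nothing has changed.")
    return token


def demo() -> dict:
    """Attacker who knows only the username types three wrong passwords."""
    pw = "correct horse battery"
    a = make_account("alice", pw)
    forced = [login_forced_reset(a, "wrong") for _ in range(MAX_FAILURES)]
    owner_after_forced = login_forced_reset(a, pw)      # real password now rejected
    b = make_account("alice", pw)
    t0 = 1_000_000.0
    paused = [login_lockout(b, "wrong", t0) for _ in range(MAX_FAILURES)]
    owner_during = login_lockout(b, pw, t0 + 1)         # still paused
    owner_after = login_lockout(b, pw, t0 + BASE_LOCKOUT + 1)  # pause over, password intact
    return {"forced": forced, "owner_after_forced": owner_after_forced,
            "forced_emails": list(a.outbox), "paused": paused,
            "owner_during": owner_during, "owner_after": owner_after,
            "lockout_emails": list(b.outbox)}
```

Running `demo()` shows the difference the thread is arguing about: under the forced-reset policy three guesses from a stranger rotate the credential and produce a genuine reset email on demand, and the owner's own password is rejected afterwards; under the lockout policy the stranger can still pause the owner's sign-in (the targeted denial of service mentioned above), but only for a bounded window, the password is untouched, and the warning mail can say so. The reset token in `request_reset` is stored only as a hash so a leaked database does not hand out valid links; checking and expiring it is left out of the example.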