From: Dan Purgert
Newsgroups: comp.misc
Subject: Re: Using SMS for password reset.
Date: Thu, 1 Feb 2024 15:48:43 -0000 (UTC)
Organization: A noiseless patient Spider

On 2024-01-31, Spiros Bousbouras wrote:
> On Wed, 31 Jan 2024 11:10:34 -0000 (UTC)
> Dan Purgert wrote:
>> On 2024-01-30, Spiros Bousbouras wrote:
>> > On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
>> > Dan Purgert wrote:
>> >> On 2024-01-30, Sylvia Else wrote:
>> >> > This is really a rant - venting to release some of the frustration.
>> >> >
>> >> > I'm in the process of selling my house, and I need somewhere secure to
>> >> > hold the proceeds. I decided I'd create an account with a bank I don't
>> >> > otherwise bank with, and interact online with it using a live-DVD on a
>> >> > system that has no storage. So no risk of key loggers or other hacks.
>> >> > I'd remember the strong password, and not have it written down anywhere.
>> >>
>> >> Until you don't remember it, then what?
>> >>
>> >> Because let's face it, eventually we all forget the password.
>> >
>> > That's a very presumptuous thing to say. I have my own ways of storing and
>> > retrieving passwords (which may include just my memory) and I'm confident
>> > they are secure and reliable enough. So don't include me in your "we".
>>
>> So if I was to sit you down at any freshly installed PC of your choice,
>> you could log-in to *any* random service to which you have a
>> username/password combination *from memory*?
>
> No. I will note in passing that even a yes answer would not necessarily
> be unrealistic. It depends on how many online accounts one has. Someone
> may only have an email online account and nothing more so would only
> need to remember one password.
>
>> Because if there is even a single service to which the truthful answer
>> (which, admittedly I will never know; because this is Usenet, and you
>> can vehemently deny it to your last post) is "well, actually, I'd
>> have to use [password-tool-of-choice] for that site"; then you are
>> solidly in the group of "people who have forgotten the password".
>
> No, I am in the group of people who never memorised the password.
> [...]
> In any case, I see now that I read in your post more than what you
> intended. You said "then what?" and I interpreted that as suggesting
> that we all need help from the website in retrieving passwords and
> that's what I found especially presumptuous.

I actually figured you were taking issue with the second line; since
it's the more explicit/direct statement that "everyone forgets the
password".

For a bank or other "very public institution that is generally very easy
to access", I can completely agree that "look, if/when you forget your
web-access password, come to the nearest branch" is (probably) a better
solution than a "forgot password" link and answering a couple of
questions about my dog.

But then, what about services that aren't "very public institutions that
are generally very easy to access" (Netflix / Amazon / Google / CC
Company / etc.)? What would a viable "general" solution be? Call them?
Email? Too bad, create a new account?

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860