On email account recovery (how to make it not stupid)

This great article by John Timmer and a discussion with Aaron Toponce on Identica provoked this blog entry.

There’s been some talk about “security” questions and how they are used to allow access to your email account when you forget your password. Generally you have a few obvious options that anyone could dig up with a few minutes on the Internet. Gmail takes it a step further and lets you create your own question. I can confidently say these measures are worthless to the average user.

Instead, I’ll tell you how I sidestep the problem and keep your email account accessible to you and safe from snoopers who looked up what street you grew up on.

Pick a random file, preferably a big one that you have the only exact copy of. Run it through sha1sum (or any reasonable hash function). See where I’m going? Save that hash in a text file somewhere safe, on multiple computers or media is possible. That hash is your first/favorite pet’s name. Or your mother’s maiden name. Or your favorite color when you were 7.

You see what you did there? The answer to the security question is virtually unguessable now. I don’t care how savvy the social engineers are or how strong their Google-fu might be. No one is going to find that hash in Wikipedia. You have changed the security question from a second password (a “something you know” factor) to a token you have to posess (a “something you have” factor). Multi-factor authentication FOR THE WIN.

But let’s go a step further. Someone could gain access to wherever you stored the text file that holds the hash. You can’t email the file to yourself, because (1) you have to trust your email host to prevent unauthorized access to your email and (2) you need access to your email to get access to your email (Catch-22). You need to encrypt the file.

I use Gnu Privacy Guard for this step. Since I already have a key, I can just encrypt the file to myself. At this point I can store copies everywhere, even where others might have access!

If you’re using Gmail and want a reminder where you have your hash token, pick this for your question: “What’s in emailemergency.txt.gpg?” If you’re sneaky, put something like “Am I right-handed?”

Congrats. You have just taken a stupid insecure system and made it useful. I hope you like it.