Blog article
See all stories »

Reset your password or the cat gets it

Today we gained further confirmation of details around the Sony Playstation network breach; millions of account names and personal details have been lost and potentially payment card details including the payment card number and Expiry dates too, but excluding the security code.


The types of data rumoured to be lost include: names, addresses, email addresses, account names, account passwords, relevant date of birth and answers to security questions. By security questions one presumes the questions would be of a similar type to the old password reset classic: What is the name of your pet?


So should we be concerned?


If I was one of the potential victims of this theft I certainly would be. Why? Because the amount of personal data which has been supposedly taken is more than enough to allow a fraudster to begin the process of taking over my identity. Much of the rumoured stolen data can be used to authenticate and validate a user for example, particularly when that user claims to have forgotten the usual authentication tokens such as passwords and passphrases.


These problems arise because we humans are quite forgetful of our authentication details such as passwords. This means we tend to use the same passwords for multiple systems or at the very least similar passwords for similar systems. When we use random passwords then we tend to forget them. The systems we inter-operate with are aware of this and see this forgetfulness as a real inhibitor to their ability to validate and interact with us. They are also aware that an authentication failure could lead to a lost sale or provision of a service. However they know that we remember personal details more successfully, so questions related to address, dates and favourite or personal facts become a fallback authentication process for the service provider. Unfortunately this also means this personal information becomes far more valuable to a hacker as well.


Only recently I was with a family member who was paying for some items on an ecommerce website. As often occurs these days, part of the card authentication process included being taken to a 3D Secure card authentication screen where she suddenly found she couldn’t remember her secure password.


Helpfully the bank in question gave her the option to select “Forgotten password?” and she was then validated by being asked for her date of birth. Once validated by this information, permission to reset the password was granted.


Similarly most on-line applications will provide the capability to retrieve forgotten or lost passwords by asking for personal information such as date of birth, address or some well-known security questions, such as name of pet, birth place etc. – which just happens to sound familiar. The problem is that much of this data can’t be changed -  it’s easy to change a compromised password, but how do you change a compromised date of birth?


So if I was one of the potentially compromised users in the Sony Playstation network I’d be working very hard today to change any account details which share similar account names and passwords, change my email address and give serious thought to killing the cat, or at the very least renaming her!


Comments: (1)

Keith Appleyard
Keith Appleyard - available for hire - Bromley 02 May, 2011, 15:08Be the first to give this comment the thumbs up 0 likes

Date of Birth & Mothers Maiden Name are so readily available than many years ago I stopped using them, when I realised that no-one was going to be going elsewhere to actually validate them, it didn't matter what values I gave.

So now I use a selection of Dates of Birth that are not really mine, and Mothers Maiden Names of my maiden Aunts; this gives me a few values of each to select from, but doesn't enable anyone to actually impersonate me with serious financial services such as Banking.

Blog group founder

Member since




More from member

This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

See all

Now hiring