Poorly chosen password reminders expose B&Q store customers to unauthorized purchases
Incident Date: November 2003
Incident Location: United Kingdom
B&Q, a home improvement retailer in the United Kingdom, sells online through its Web site (diy.com). Customers must first register for an account and choose a password. To help customers who forget their password, the registration form also asks for a password reminder.
However, the site shows the password reminder to anyone who enters an account name together with an incorrect password; no other verification is required. Matt Loney, in the ZDNet UK article cited below, found that many of the reminders customers choose give the password away outright. For example:
Reminder "Not hot" refers to the password "Cold"
Reminder "Day of the week" refers to the password "Monday"
Reminder "The opposite of red" refers to the password "Der"
The B&Q Web site also stores registered customers' credit card details. An attacker who knows a customer's account name can therefore read the reminder, guess the password, log in and place orders charged to the stored card.
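The two weaknesses in the incident are separable: the site returned the reminder to an unauthenticated caller, and it accepted reminders that encode the password. The following is an added example, not code from the original write-up or from B&Q's site, that models both the weak flow and a hardened one. The account names, passwords, e-mail addresses and the storage scheme are constructed assumptions; the reminder texts are the article's examples.

```python
import hashlib
import hmac
import os
import re


def _normalise(text: str) -> str:
    """Lower-case and strip punctuation so comparisons ignore case and apostrophes."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower())


def weak_reminder_reason(password: str, reminder: str):
    """Return why a reminder is too revealing, or None if it passes.

    Catches the mechanical giveaways only: the reminder contains the password,
    or contains a word that is the password spelled backwards (the article's
    "The opposite of red" / "Der" case).  Semantic hints such as "Not hot" for
    "Cold" are not detectable this way and pass.
    """
    p = _normalise(password).replace(" ", "")
    r = _normalise(reminder)
    if not r.strip():
        return "empty reminder"
    if not p:
        return "empty password"
    if p in r.replace(" ", ""):
        return "reminder contains the password"
    for word in r.split():
        if word[::-1] == p:
            return "reminder contains the password spelled backwards"
    return None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2.  How the real site stored passwords is not in the article;
    # this is an assumption of the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """In-memory account store with both the weak and the hardened reminder flow."""

    def __init__(self):
        self._accounts = {}
        self.outbox = []  # (address, body) pairs a mailer would deliver

    def register(self, name, password, reminder, email, *, vet_reminder=True):
        # The hardened registration refuses reminders that mechanically leak the
        # password; pass vet_reminder=False to reproduce the weak site.
        if vet_reminder:
            reason = weak_reminder_reason(password, reminder)
            if reason:
                raise ValueError(f"reminder rejected: {reason}")
        salt = os.urandom(16)
        self._accounts[name] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "reminder": reminder,
            "email": email,
        }

    def _password_ok(self, name, password):
        rec = self._accounts.get(name)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def login_weak(self, name, password):
        """The flow the article describes: any wrong password for a known
        account name hands the caller that account's reminder."""
        if self._password_ok(name, password):
            return {"ok": True}
        rec = self._accounts.get(name)
        return {"ok": False, "reminder": rec["reminder"] if rec else None}

    def login_hardened(self, name, password):
        """A failed login reveals nothing beyond the failure."""
        return {"ok": self._password_ok(name, password)}

    def request_reminder(self, name):
        """The reminder goes only to the registered e-mail address, and the
        response is identical whether or not the account exists, so the
        endpoint cannot be used to enumerate account names either."""
        rec = self._accounts.get(name)
        if rec is not None:
            self.outbox.append((rec["email"], f"Your password reminder: {rec['reminder']}"))
        return "If that account exists, its reminder has been e-mailed."


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Cold", "Not hot", "alice@example.invalid")  # constructed account
    print("weak flow leaks:", store.login_weak("alice", "wrong"))
    print("hardened flow:", store.login_hardened("alice", "wrong"))
    print(store.request_reminder("alice"), store.outbox)
    try:
        store.register("bob", "Der", "The opposite of red", "bob@example.invalid")
    except ValueError as err:
        print(err)
```

Note what the hint filter does and does not catch: "The opposite of red" is rejected because a word reversed equals the password, but "Not hot" and "Day of the week" pass, since nothing mechanical links them to "Cold" or "Monday". That is why the flow change matters more than the filter: once the reminder is only ever sent to the registered address, a revealing hint helps only someone who already controls the customer's mailbox.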
Title: Human nature: Security's nemesis?
Author: Matt Loney
Publication: ZDNet UK
Publication Location: United Kingdom
Publication URL: http://comment.zdnet.co.uk/mattloney/0,39020679,39118149,00.htm