Poorly chosen password reminders expose B&Q store customers to unauthorized purchases
Incident Date: November 2003
Incident Location: United Kingdom

B&Q, a home improvement store in the United Kingdom, designed its Web site (diy.com) to allow online purchases. Customers must first register to create an account and select a password. To aid customers who forget their passwords, B&Q also asks for a password reminder during account registration. However, anyone can view the password reminder by typing in an account name and an incorrect password. Matt Loney, author of an article exposing the problem, found that many password reminders are too obvious. For example:

    Reminder "Not hot" refers to the password "Cold"
    Reminder "Day of the week" refers to the password "Monday"
    Reminder "The opposite of red" refers to the password "Der"

The B&Q Web site also stores credit card information for registered customers. Therefore, a poorly chosen password reminder could result in unauthorized purchases by a person who is able to guess the customer's password from their password reminder.

Story Sources
Title: Human nature: Security's nemesis?
Author: Matt Loney
Date: 11/27/2003
Publication: ZDNet UK
Publication Location: United Kingdom
Publication URL: http://comment.zdnet.co.uk/mattloney/0,39020679,39118149,00.htm
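The story points at two separate defects: reminders that give the password away, and a site that shows the reminder to anyone who supplies a wrong password. The following added example (not B&Q's code; the category lists and account names are constructed for illustration) shows a registration-time check that rejects reminders embedding the password, its reverse, or a tiny enumerable category, and a login response that never discloses the reminder. The check catches two of the three reminders quoted above but, as the third shows, lexical rules cannot understand "Not hot", which is why withholding the reminder from unauthenticated callers is the fix that actually matters.

```python
import re

# Constructed lists (not from the B&Q site): categories so small that a
# reminder naming them leaves only a handful of passwords to try.
SMALL_CATEGORIES = {
    "day": {"monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"},
    "month": {"january", "february", "march", "april", "may", "june",
              "july", "august", "september", "october", "november",
              "december"},
}


def weak_hint_reasons(password: str, hint: str) -> list:
    """Return the reasons a reminder is too revealing; [] means it passes.

    Lexical heuristics only: they flag reminders that contain the password,
    the password spelled backwards, or the name of a tiny category the
    password belongs to. They cannot see that "Not hot" means "Cold".
    """
    pw = password.lower().strip()
    h = hint.lower()
    hint_words = set(re.findall(r"[a-z]+", h))
    reasons = []
    if len(pw) >= 3 and pw in h:
        reasons.append("reminder contains the password itself")
    if len(pw) >= 3 and pw[::-1] in h:
        reasons.append("reminder contains the password spelled backwards")
    for name, members in SMALL_CATEGORIES.items():
        if name in hint_words and pw in members:
            reasons.append(
                f"reminder names a category of only {len(members)} values")
    return reasons


def register_reminder(password: str, hint: str) -> str:
    """Accept a reminder only if the policy check passes (raises otherwise)."""
    reasons = weak_hint_reasons(password, hint)
    if reasons:
        raise ValueError("reminder rejected: " + "; ".join(reasons))
    return hint


def failed_login_response(account_exists: bool) -> dict:
    """Reply to a wrong password. Unlike the flow in the story, the reminder
    is never included, and the message is identical whether or not the
    account exists, so the login form leaks nothing to an unauthenticated
    visitor. Reminder delivery belongs in a separate, e-mail-verified
    recovery step (assumed, not shown here)."""
    return {"ok": False, "message": "Incorrect account name or password."}
```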