Password Recovery


Password Recovery

Post by azblue »

If a user on a single-user home computer forgets their password, how can it be recovered? One method is to have a series of security questions, the answers of which encrypt the password.

The problem with this approach is its reduced security: For all but the most inane passwords, the security answers are going to have much less entropy than the password. This is partially mitigated by the use of multiple security questions, but it can be greatly improved with the use of a pepper -- a random number created at the time the password/security question combo is initially created. After the user answers the security questions the computer will iterate through all possible pepper combinations, looking for the one that decrypts a password that yields the correct hash.

I thought this was kind of a clever idea I'd share with the group.
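
The scheme in the post above, sketched as an added example that is not part of the original thread: the pepper is used once at enrollment and then discarded, and recovery tries every pepper value until the decrypted candidate matches the stored password hash. The function names, PBKDF2, the XOR keystream (standing in for a real cipher) and the 8-bit pepper size are assumptions.

```python
import hashlib
import hmac
import secrets

PEPPER_BITS = 8      # assumed: 256 candidates, small so the demo runs quickly
KDF_ITERS = 1000     # assumed PBKDF2 cost per guess; a real design would tune both

def _keystream(answers, pepper, salt, length):
    # Normalise answers so case and stray spaces do not break recovery.
    material = "\x1f".join(a.strip().lower() for a in answers).encode()
    material += pepper.to_bytes(4, "big")
    return hashlib.pbkdf2_hmac("sha256", material, salt + b"ks", KDF_ITERS, dklen=length)

def _pw_hash(password_bytes, salt):
    # One-way hash of the password; this is what login and recovery check against.
    return hashlib.pbkdf2_hmac("sha256", password_bytes, salt + b"pw", KDF_ITERS)

def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))

def enroll(password, answers):
    """Return the record written to disk. The pepper is never stored."""
    salt = secrets.token_bytes(16)
    pepper = secrets.randbelow(1 << PEPPER_BITS)
    pw = password.encode()
    blob = _xor(pw, _keystream(answers, pepper, salt, len(pw)))
    return {"salt": salt, "blob": blob, "pw_hash": _pw_hash(pw, salt)}

def recover(record, answers):
    """Try every pepper; accept the candidate whose hash matches the stored one."""
    salt, blob = record["salt"], record["blob"]
    for pepper in range(1 << PEPPER_BITS):
        candidate = _xor(blob, _keystream(answers, pepper, salt, len(blob)))
        if hmac.compare_digest(_pw_hash(candidate, salt), record["pw_hash"]):
            return candidate.decode()
    return None  # wrong answers: no pepper yields a matching hash

if __name__ == "__main__":
    # Constructed sample input.
    rec = enroll("correct horse", ["Rex", "Springfield"])
    print(recover(rec, ["rex", "springfield"]))
    print(recover(rec, ["Max", "Springfield"]))
```

Each extra pepper bit doubles the work for the legitimate recovery and for anyone guessing answers offline alike, and the stored blob in this sketch reveals the password length.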

Re: Password Recovery

Post by nullplan »

Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator. Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.
Carpe diem!

Re: Password Recovery

Post by azblue »

nullplan wrote: Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator. Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.
I had been envisioning admin on a single user computer forgetting his password. But I hadn't thought of init=/bin/sh, that does make more sense.

Re: Password Recovery

Post by iansjack »

Booting with init=/bin/sh isn't going to help if the disk is encrypted.

Re: Password Recovery

Post by linguofreak »

azblue wrote:
nullplan wrote: Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator. Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.
I had been envisioning admin on a single user computer forgetting his password. But I hadn't thought of init=/bin/sh, that does make more sense.
Passwords are generally fed into one-way functions where it's much easier to find the solution given the input variable than to find the input variable given the solution. The solution is then what is stored on disk, and when the user enters his password, the same math is done on the password entered, and the solution is checked to see if it matches that stored on disk. So the computer doesn't actually know the password, it just knows what the password becomes when you do certain math to it. That's why password reset is generally the only option. But, if the disk isn't encrypted, tricks like init=/bin/sh are possible, so the general byword for these cases is "physical access is root access".

As iansjack mentioned, this is not the case if disk encryption is used: In that case, the password is used as an encryption key, and everything that's written to disk is scrambled with the password. If the user forgets his password, not only is it impossible to recover the password, it's also impossible to recover any of the encrypted data, unless the user used an easily guessable password (in which case he might as well not have used a password or encrypted his disk at all).