OSDev.org

The Place to Start for Operating System Developers
It is currently Fri Jul 10, 2020 8:11 am

All times are UTC - 6 hours




Post new topic Reply to topic  [ 5 posts ] 
Author Message
 Post subject: Password Recovery
PostPosted: Fri Nov 22, 2019 6:13 pm 
Offline
Member
Member

Joined: Sat Feb 27, 2010 8:55 pm
Posts: 137
If a user on a single-user home computer forgets their password, how can it be recovered? One method is to have a series of security questions, the answers of which encrypt the password.

The problem with this approach is its reduced security: For all but the most inane passwords, the security answers are going to have much less entropy than the password. This is partially mitigated by the use of multiple security questions, but it can be greatly improved with the use of a pepper -- a random number created at the time the password/security question combo is initially created. After the user answers the security questions the computer will iterate through all possible pepper combinations, looking for the one that decrypts a password that yields the correct hash.

I thought this was kind of a clever idea I'd share with the group.


Top
 Profile  
 
 Post subject: Re: Password Recovery
PostPosted: Sat Nov 23, 2019 1:18 am 
Offline
Member
Member

Joined: Wed Aug 30, 2017 8:24 am
Posts: 505
Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator.Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.


Top
 Profile  
 
 Post subject: Re: Password Recovery
PostPosted: Sun Nov 24, 2019 7:17 am 
Offline
Member
Member

Joined: Sat Feb 27, 2010 8:55 pm
Posts: 137
nullplan wrote:
Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator.Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.


I had been envisioning admin on a single user computer forgetting his password. But I hadn't thought of init=/bin/sh, that does make more sense.


Top
 Profile  
 
 Post subject: Re: Password Recovery
PostPosted: Sun Nov 24, 2019 8:00 am 
Offline
Member
Member
User avatar

Joined: Sat Mar 31, 2012 3:07 am
Posts: 3845
Location: Chichester, UK
Booting with init=/bin/sh isn't going to help if the disk is encrypted.


Top
 Profile  
 
 Post subject: Re: Password Recovery
PostPosted: Tue Dec 10, 2019 11:55 am 
Offline
Member
Member

Joined: Wed Mar 09, 2011 3:55 am
Posts: 370
azblue wrote:
nullplan wrote:
Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator.Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.


I had been envisioning admin on a single user computer forgetting his password. But I hadn't thought of init=/bin/sh, that does make more sense.


Passwords are generally fed into one-way functions where it's much easier to find the solution given the input variable than to find the input variable given the solution. The solution is then what is stored on disk, and when the user enters his password, the same math is done on the password entered, and the solution is checked to see if it matches that stored on disk. So the computer doesn't actually know the password, it just knows what the password becomes when you do certain math to it. That's why password reset is generally the only option. But, if the disk isn't encrypted, tricks like init=/bin/sh are possible, so the general byword for these cases is "physical access is root access".

As iansjack mentioned, this is not the case if disk encryption is used: In that case, the password is used as an encryption key, and everything that's written to disk is scrambled with the password. If the user forgets his password, not only is it impossible to recover the password, it's also impossible to recover any of the encrypted data, unless the user used an easily guessable password (in which case he might as well not have used a password or encrypted his disk at all).


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC - 6 hours


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group