Password Recovery

Discussions on more advanced topics such as monolithic vs micro-kernels, transactional memory models, and paging vs segmentation should go here. Use this forum to expand and improve the wiki!
Post Reply
azblue
Member
Member
Posts: 147
Joined: Sat Feb 27, 2010 8:55 pm

Password Recovery

Post by azblue »

If a user on a single-user home computer forgets their password, how can it be recovered? One method is to have a series of security questions, the answers of which encrypt the password.

The problem with this approach is its reduced security: For all but the most inane passwords, the security answers are going to have much less entropy than the password. This is partially mitigated by the use of multiple security questions, but it can be greatly improved with the use of a pepper -- a random number created at the time the password/security question combo is initially created. After the user answers the security questions the computer will iterate through all possible pepper combinations, looking for the one that decrypts a password that yields the correct hash.

I thought this was kind of a clever idea I'd share with the group.
nullplan
Member
Member
Posts: 1801
Joined: Wed Aug 30, 2017 8:24 am

Re: Password Recovery

Post by nullplan »

Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator.Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.
Carpe diem!
azblue
Member
Member
Posts: 147
Joined: Sat Feb 27, 2010 8:55 pm

Re: Password Recovery

Post by azblue »

nullplan wrote:Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator.Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.
I had been envisioning admin on a single user computer forgetting his password. But I hadn't thought of init=/bin/sh, that does make more sense.
User avatar
iansjack
Member
Member
Posts: 4707
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: Password Recovery

Post by iansjack »

Booting with init=/bin/sh isn't going to help if the disk is encrypted.
linguofreak
Member
Member
Posts: 510
Joined: Wed Mar 09, 2011 3:55 am

Re: Password Recovery

Post by linguofreak »

azblue wrote:
nullplan wrote:Do you mean practically or theoretically? Because practically, I can boot with "init=/bin/sh" and reset the password that way. In most cases, password recovery is not feasible, only password reset. And that can only be done by the administrator through administrative means. In a single user computer, the user is the administrator.Of course, with a BIOS password and a password on the boot manager, it is possible to lock yourself out of the machine. But even then, you can usually reset the BIOS with a jumper on the mainboard (sucks for the laptop users, tho).

Security questions are usually only a thing for large multi-user systems.
I had been envisioning admin on a single user computer forgetting his password. But I hadn't thought of init=/bin/sh, that does make more sense.
Passwords are generally fed into one-way functions where it's much easier to find the solution given the input variable than to find the input variable given the solution. The solution is then what is stored on disk, and when the user enters his password, the same math is done on the password entered, and the solution is checked to see if it matches that stored on disk. So the computer doesn't actually know the password, it just knows what the password becomes when you do certain math to it. That's why password reset is generally the only option. But, if the disk isn't encrypted, tricks like init=/bin/sh are possible, so the general byword for these cases is "physical access is root access".

As iansjack mentioned, this is not the case if disk encryption is used: In that case, the password is used as an encryption key, and everything that's written to disk is scrambled with the password. If the user forgets his password, not only is it impossible to recover the password, it's also impossible to recover any of the encrypted data, unless the user used an easily guessable password (in which case he might as well not have used a password or encrypted his disk at all).
Post Reply