Isn’t this the whole point of brainstorming? ie to see a problem from different angles and discuss different (even controversial) ways to solve it?
Well, imho a common issue is that users often don’t describe the real problem but a possible solution instead.
As I see it the real problem here is “users can’t remember their arbitrary passwords” and not “there should be a way for a user to reset their password (without the involvement of a 3rd party and without requiring any technical skills)”. Apparently there are various solutions to the problem “users can’t remember their arbitrary passwords” and one of these solutions is “the ability to reset their password”.
The point is that no solution, apart from secret questions, has been given to the problem of “when a user has forgotten his password” (arbitrary or not arbitrary, whatever that means).
The systems I have seen so far using 3 secret questions have a set of predefined questions, something like:
In what city were you born?
What is your mother’s maiden name?
What was the name of your first pet?
What is the name of your elementary school?
What was the license plate of your first car?
What was your childhood nickname?
What was the first name of your best friend in elementary school?
…
That kind of question allows almost no room for error. Besides, as far as I have been able to see, in the case of Microsoft at least, it converts all the text to upper case; I assume that when the answers are saved it also saves them in upper case. It perhaps trims all blank spaces or something like that to reduce even more the probability of failure (the license plate of your first car could be “B 1234” but you can write it months or years later as “b1234”, for example).
I don’t think it is necessary to use an AI to evaluate the answers or anything complex. The user can make a mistake, the world is not over, just try again. The system can, of course, block for a few minutes the password reset if for example it fails several times in a row. And this blocking time can be increased if it continues to fail.
For example, of the three questions, I fail to get one right. The system doesn’t tell me that I have failed only one, but it knows it, so it gives me a break and I keep trying a few more times, let’s say that at the tenth time it tells me that I have tried too many times and it blocks me for 2 minutes. If I keep failing that one for another 8 attempts, it blocks me this time for 5 minutes. If I then keep failing that one answer 6 times, it blocks me for 20 minutes. If I keep failing that one answer 4 times, it blocks me for an hour. And the next time, if I fail 2 times, it blocks me for 3 hours.
That’s if I get 2 out of 3 right. If I don’t get one right, it can get stricter and block me earlier and for much longer. In this way, the password reset process can be secured.
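The post above describes two mechanics: normalising answers before comparison (upper-casing and dropping blanks, so “B 1234” and “b1234” match) and an escalating lockout after repeated failures, without telling the user which of the three answers was wrong. The following is an added example, not code from the thread or from SDDM, showing how a local reset gate could implement both; the lockout schedule is taken from the post’s example numbers, and the answer hashing with PBKDF2 is my own assumption about how stored answers should be protected rather than anything the thread specifies.

```python
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 for stored answers; a production deployment
# would pick a slower KDF (scrypt/argon2) and more iterations.
ITERATIONS = 100_000

# Escalating lockout schedule from the post's example:
# (failures allowed before locking, lock duration in seconds)
LOCKOUT_SCHEDULE = [(10, 120), (8, 300), (6, 1200), (4, 3600), (2, 10800)]


def normalize(answer: str) -> str:
    """Upper-case and drop all whitespace so 'B 1234' and 'b1234' compare equal."""
    return "".join(answer.split()).upper()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the normalised answer and a per-answer salt."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)


def enroll(answers):
    """Store each answer as (salt, digest); the plaintext answer is never kept."""
    stored = []
    for answer in answers:
        salt = os.urandom(16)
        stored.append((salt, hash_answer(answer, salt)))
    return stored


class ResetGate:
    """Verifies all secret answers at once and applies the escalating lockout."""

    def __init__(self, stored, clock=time.time):
        self.stored = stored          # list of (salt, digest)
        self.clock = clock            # injectable for testing
        self.failures = 0             # failures since the last lock or success
        self.stage = 0                # index into LOCKOUT_SCHEDULE
        self.locked_until = 0.0

    def attempt(self, answers):
        """Return 'ok', 'wrong' or 'locked'; never reveal which answer failed."""
        now = self.clock()
        if now < self.locked_until:
            return "locked"
        if len(answers) != len(self.stored):
            return "wrong"
        ok = True
        # Check every answer without short-circuiting so timing does not leak
        # how many of them were right.
        for (salt, digest), answer in zip(self.stored, answers):
            ok &= hmac.compare_digest(hash_answer(answer, salt), digest)
        if ok:
            self.failures = 0
            self.stage = 0
            return "ok"
        self.failures += 1
        allowed, lock_seconds = LOCKOUT_SCHEDULE[self.stage]
        if self.failures >= allowed:
            # Lock, reset the per-window counter and move to the stricter stage.
            self.locked_until = now + lock_seconds
            self.failures = 0
            self.stage = min(self.stage + 1, len(LOCKOUT_SCHEDULE) - 1)
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed sample answers, not anyone's real data.
    gate = ResetGate(enroll(["Madrid", "Garcia", "B 1234"]))
    print(gate.attempt(["madrid", "GARCIA", "b1234"]))   # normalised -> ok
    print(gate.attempt(["Madrid", "Garcia", "wrong"]))   # -> wrong
```

The gate only ever returns a single verdict, so an attacker who has reached the login screen learns nothing about which individual answer matched, and the lock applies to correct answers as well as wrong ones until it expires.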
Well, that one’s easy: People caught in a large fire entirely unprepared and without someone nearby to help will typically die. And with my history in civil protection, I’m not one to tell them to (still go there and) try clicking their heels three times or somesuch.
True, unlike a fire, computers can offer a user 1. a reasonably secure access control to their data and 2. a recovery method suitable for users who aren’t quite up to #1. But the truth of the matter is that that results in their data being only as secure as #2. Or, in other words, the only serious security for their data - both on the computer, and the backups, if they do any in the first place - is to lock their house and do their best to not lose that key. The truthful representation of the security their computer adds to that being to allow no-password logins from square one.
(By the way, “what if I lose the keys to my house?” is a good analogy, too. The four practical answers are a) don’t lock your house in a manner that’s actually secure, b) leave spare keys - and, thus, access to your house - with some third party, c) have someone you really trust stay at and guard the house whenever you leave, or d) pay an expert (locksmith) his (usually outrageous) on-site emergency services fee. No ruby slippers there, either.)
(For the record, in my case, only three of these questions even have a well-defined answer. And yes, I have run into that exact problem with similar real-world systems I had to use before. Well, “problem” - that was when I still trusted the wisdom of people building such “security” and tried to register actual answers, rather than just copying a couple more random-generated strings out of my password safe.)
Those are typical bad security questions. Let me explain them one by one for my case as a Chinese person.
In what city were you born?
It is well-known among my friends/coworkers in real life. Our definition of “city” is more like a large metropolitan area, not the finest suburbs. So it is very easy to guess if you know the person.
What is your mother’s maiden name?
We don’t change surnames after marriage.
What was the name of your first pet?
I never had a pet.
What is the name of your elementary school?
It’s pretty boring and easy to guess as it is named as <city name> first elementary school.
What was the license plate of your first car?
I don’t have a car. I commute by public transit.
What was your childhood nickname?
I didn’t have a fixed nickname to “go by”.
What was the first name of your best friend in elementary school?
It’s in a very distant past and I can’t really tell which one was “the best” among a bunch of friends.
I had problems with these kinds of prompts - you don’t have to answer truthfully, but you can also write down the answers.
In which case, the benefit isn’t going to be very apparent - most of us have a short enough password that we could write it down somewhere - send it to your own email and archive it, anything like that.
So what? Are you inviting them to your home, and leaving them alone with your computer? Remember, this is NOT an online password reset feature, it’s a local computer reset. SDDM is not published on the internet. But, ok, let’s expect your son/wife/roommates can guess this question; I agree it is not the most secure question.
Not here, but people have two surnames, so this is translated into “What’s your mother’s second surname?” And that cannot be deduced by knowing your own surnames, because you have the first surname of your father and the first of your mother, and in Spain, the first surname can be your mother’s first surname; it’s not mandatory anymore to use your father’s surname first.
Not me, but that doesn’t prevent using that question as a trap question. In fact, I always used that question just because of that.
Lol, pretty boring indeed, the naming of schools where you live. Here there are A LOT of schools; I could easily reach 5 or 6 primary schools just walking 5 minutes. So, this question is almost impossible to answer in my case.
You don’t, but there are plenty of people who have or had. Those questions are not intended just for you, but for a wider population. You can always suggest some questions.
Me neither, but I remember a lot of kids having one. Again, you are not the only person in the world.
In general, I can deduce from your comment that you don’t like the proposal. Which is fine. I can deduce, as well, that you think/know this won’t be of any use for you. Which is also fine (I surely wouldn’t use that feature either).
What I try to do is to empathize with other users who can find it useful, not the 3 secret questions, but an easy password reset method, and I think many of the people participating in this discussion tackle the issue as if it were intended for them. I think that is why we are seeing so much evasion and reluctance about the point in question, resetting the password, and what is being offered are alternatives so that the password is not forgotten.
Perhaps you don’t know anyone, but I can tell you normal users forget their password when they return from holidays, or heck, sometimes after a long weekend. Thousands of millions of people use computers in the world. Linux users are just a niche; we usually have an IT professional background, or at least, Linux users like to rummage with computers and technology. But the average user forgets the password, the average user won’t use a password manager, the average user won’t reset the password through a liveCD, chrooting the installed environment and changing it via CLI, the average user won’t know about 3rd party tools to change the password, and that’s why this kind of solution, even if it is not perfect, offers a solution to a problem for millions of people every day, a solution Linux doesn’t provide.
I think all of you are very smart, so I don’t understand why you don’t understand this is not a published service, so the risk of being “hacked” is that the attacker has physical access to your computer (and if the attacker has access, it would be easier to use a liveCD rather than trying to answer the secret questions). I don’t understand either why some of you don’t understand the title “reset forgotten password in the login screen”, and not “what to do when a password is forgotten”, or “how to avoid forgetting the password”, so all the stuff about writing the password elsewhere, or sending it to the email, writing it on paper, using password managers… all of that just doesn’t fit the conversation. We are talking about just having an option in the login screen to let the user restore the password when it has been forgotten.
We can discuss the restoration method; as I said, 3-question answering perhaps is not the best, but it’s far better than not having anything at all. And again, if you find it useless or insecure, nobody would force you to use it, you can stick with your own methods, but remember there are many kinds of users, many of them not as clever and intelligent as you, who may find this feature extremely useful.
The idea is to answer something you will never forget. So, answering truthfully is one way to do it. As I said in my previous post, I never had a pet, but I always pick this question when I find this method, and I always put the same answer, an answer I won’t forget because when I see the question, I immediately think “I never had a pet… oh wait, I need to put …”; it’s like a mnemonic.
But being sincere, average user will use real answers, if they are the kind of user who forgets the password, better not to use any other mnemonic.
You seem to ignore the point that if you forget your passwords, how would you “remember” other questions?
You also seem to be against using a 3rd party service as has been suggested.
So that leaves that something should be in the display manager, in this case SDDM, or being handled by plasma somehow, and then we are back to “physical access”.
And there are a lot of laptop users, so all of them would have to manually disable the feature for security.
I can agree that there could be an “easy” way of letting the user bring in a third party to deal with this (just like you would in real life, with the house key analogy) if the user does not trust themselves to write something on a note for safekeeping. I.e., install something that lightens up the default security (give an extra key to someone they know).
Agree.
But security should never come before comfort imho. That is why at least I insist on this being something the user actively has to enable to access. And therefore I think it should be something that has to be installed, not a setting.
Well, many, if not most, home users who have a laptop never take it out of their home. But again, if the attacker has physical access to your computer, he can boot a liveCD and crack your password. Heck, he can steal it and install whatever OS he wants. As I said, if the attacker has physical access to your computer, the 3-questions security would be the lesser of your problems here.
Because it is far less probable to forget in which city you were born or what your mother’s surname is than a password. Or not?
EDITED: Oh, I’ve just re-read what you say. You don’t need to remember the questions, just the answers to the questions; the questions must be stored somewhere. And the answers are what I said above: it’s quite impossible to forget where you were born or your mom’s second surname.
I wouldn’t be against anything if it can reset the password in the login screen, which I haven’t read anything about, yet. But I would personally not rely on a commercial or internet 3rd party, first because they can be hacked themselves (or close the service, or sell the information, etc.), and second, because you need internet, and perhaps you’re in a place where you don’t have any connection until you reach the desktop.
At last we are finally coming to an understanding! Yes, I was talking about the ability of SDDM to reset the user’s password!!!
Again, we need to think about users, not about ourselves. Laptops are more expensive than desktop computers, so there are quite a few more computers than laptops out there. Second, many many many home users bought a laptop not to go outside with it, but for space, or because they are more comfortable sitting on the couch, rather than sitting at a desk. And third, obviously, you may decide not to enable that feature, but it will be nice for other people who may find it useful.
I think this feature shouldn’t be enforced, as Windows does. The user should enable it at will, then fill the questions, and once done, SDDM should show an option to reset the password. I would rather prefer if plasma and SDDM devs do it themselves, for the sake of integration and maintenance, besides the confidence.
Heard of encryption? You know, click one thing while installing and add a password?
But that requires a password, and the imagined user you talk about won’t be able to remember the password, so I guess we just cherry-pick what we want now, not facts?
Probably, and something anyone with access to google will know the answer for, again SECURITY!
Are you asking for a sed line to put in a script that removes the correct text in /etc/shadow like suggested earlier?
That is not hard at all. But IMHO that is a recklessly insecure way to do things!
Why? To put the responsibility on KDE to make the OS more insecure?
Then why are you not asking SDDM this?
This is a brainstorm thread though. Don’t get me wrong, I enjoy reading the different opinions.
And you base this on what? Your imagination? xD
I think it is the other way around to be honest, the second-hand market for f.ex. G1 to G4 HP laptops. They grow on trees, cost close to nothing and run perfectly with a Linux installation in 2024!
But that does not matter to me. I think of the FREEDOM for the user to choose!
And the CHOICE here should be to make the system more insecure on the request of the user.
And the simple answer for how to do that most easily is to install a 3rd party app. It could be a KDE app (if you can get someone to develop it as such), but IMHO this should be an external thing, not a setting.
You keep mentioning “all users” but then in the same sentence say, “but we have to focus on THESE specific user primarily”.
… he said, after spending the first ⅔ of the post explaining how he would creatively reinterpret questions that would be all the more confusing to a user who runs into such a scheme for the first time …
That is a) untrue (none of the proposed methods to give the distraught user momentary root rights and set a new password aim at retaining or resurrecting the old one), and would nonetheless b) be in said user’s best interest, as that would be a solution that he can still use when he later runs into the exact same problem with online accounts, be they with the IRS, DMV, the GP’s office, or Netflix. (Yes, “e-government” and “doctor appointment management as an online service” are a thing over here.)
I repeatedly suggested that a user who continues to forget his password could, with little difference to actual security, set up his account not to use one in the first place. If you work on the assumption that “physical access” equals “game over”, too, what is your objection against that proposal?
… I would sincerely hope that when the user has never registered answers to whatever predefined questions, the system will not allow anyone to log into the account by just hitting ENTER three times … !
That’s untrue as well; we were pondering the possibility of implementing the “security questions” scheme in a PAM module and changing SDDM (to a much lesser extent) to use that at the beginning of this thread.
Another reason why the job of offering and administrating auth schemes should remain PAM’s, with SDDM merely implementing the changes in the user interface.
Unless the user proceeds to telling his family that he used that info for his security questions and that they should henceforth never tell anyone else, I don’t think that Google is likely to get involved. They give search histories to the police when the cops ask for them in the course of an investigation later on.
Sorry, I don’t understand almost anything you say. I’ll try to answer what I can understand.
Because the title of this discussion is “Reset forgotten password on login screen”. I have lost count of the number of times I have repeated the same thing. We are not talking about avoiding a user forgetting the password, but about how that forgotten password can be reset on the login screen.
And I would like to discuss that possibility, but it seems pretty difficult to stay focused and on topic here.
I don’t know what your point is. How is it even related to resetting the password on the login screen?
Meh, I dare you to obtain my mother’s second surname.
No, I’m asking for a graphical mechanism to let home users reset their password in the login screen.
No, because KDE and SDDM are trustworthy developers. I do not know who is behind the 3rd party you’re talking about.
I’m also asking SDDM, as I wrote in my very first post.
No, my common sense. Tell me what a home user could do with a computer in the street. Watch Netflix? Browse some social network?
Everyone here says that offering a password reset in SDDM would make the system insecure, but no one says why it would be more insecure. SDDM is not exposed nor published, so I don’t get why it would be more insecure.
I hope not. We agree to disagree in most of the stuff we’re saying, but there are some pieces of useful discussion here. We are being respectful with each other and I think we can offer some feedback to developers, if they see this one day.
I think there is an icon to unsubscribe from the discussion, though, if you feel this is pointless for you.
It’s related because you brought up the point with assuming “almost everyone is using only desktops” and then “if a hacker has access to your computer it’s game over anyway”.
So a graphical wrapper that runs a script then?
I’m pretty sure that if it was a good idea, it would already have been done, but maybe you are on to something and a developer will pick up the idea.
Again, what do you base that on?
Why are they “safer” than for example google or bitwarden?
SDDM is not a KDE project is what I mean…
But I do NOT mean you can not ask here, just making sure you understand that SDDM is completely unrelated to KDE.
Are… Are you asking what people who prefer laptops over desktops do on their computers? I… Eh… The same things everybody else does, I suppose…?
So yeah, both of your examples.
To me it’s insecure because if you give SDDM (or something else) the ability to do things as root beyond just selecting and starting the correct desktop after making sure the credentials are correct, it becomes a weak point on your system.
Doing that stuff is something that IMHO SHOULD require human interaction; a password check is usually the way to go, but in this case, that is obv something you seem to want to bypass.
That is how I see it.
Yes, yes, we do understand that your ideal solution is that every “access denied” would come with an “override” button like in a Hollywood movie. You might want to note that the person shown using that on the silver screen is usually not a legitimate user of the system.
I suggest that the user can be allowed to log in without a password and you accuse me of trying to avoid the situation where he forgot that (nonexistent) password. (And then continue to ask for a means to “reset” it, which effectively also allows him to get access without “a” (the old) password.)
I dare you to provide us with the information that the hypothetical attacker has (if he can try answering security questions on the computer in your home, he will most probably know your real name and address) and let us try then.
After walking into a Starbucks, sitting down with a nice cup, and connecting to their Wifi, sure. (Well, they probably do block video streaming from Netflix, but.) Matter of fact, when you ride on a FlixBus long-distance trip, you’re expected to connect to the buses’ Wifi so that you’ll receive the e-mails their central servers send when your bus runs late and they suggest a different next-hop connection to you.
OK, history lesson time. Do you know how and why the “security questions” scheme was invented?
Surprise
They were first deployed for online accounts to stop the forgetful users from calling the support hotline all the time, so that the service could downsize the support staff, knowing full well that offering a backdoor every luser can open leaves the accounts less secure than if their owners had to convince an actual human of their plight.
I’m not cynical enough to tell such a user “I’m here to help you” to his face when in reality, the implication is “go away and see whether some con artist finds it worth his while to pluck you after I stripped you of an actual security measure”.
Graphical login screens these days have buttons to shut down or suspend the computer. What do you think these do?
(And back when I started working with computers, when a GUI was only started after you completed a text mode login, there were predefined users named “shutdown” and “sync” and such to do the equivalent - sometimes they were, by default, installed so that you wouldn’t even need a password to use them. Matter of fact, I still see these two in my /etc/passwd on a current Linux.)