Last month, John Dvorak, long-time PCMag columnist and self-proclaimed "cranky geek," penned a diatribe about the password reset process. I was seriously occupied covering the RSA Conference in San Francisco, so I didn't pay it much attention. Now that I've had a look, I can state that John's position is completely and utterly wrong. To borrow a phrase from "Game of Thrones," you know nothing, John Dvorak!
Dvorak said, "Whatever happened to the idea of sending someone the password rather than a reset link? I liked the old password." He went on to scoff at the use of a reset link instead, saying "None of this protects me or anyone else from anything. It's a charade. How does that protect anything?" Well, John, I'll tell you.
They Don't Have It
The biggest reason that a secure website won't send you a forgotten password is very simple: they don't have it. They don't store it anywhere. And that's a good thing. If they don't store your password, then the password can't be stolen by hackers, or posted on Pastebin by a disgruntled employee. Really for true, a website that actually stores your password is endangering your privacy.
So, if they don't store your password, how can they know you've entered the right one? The answer lies in a concept called hashing. Hashing is a lot like encryption, but it's a one-way process. The same input to a hashing algorithm always yields the same output, but there's no way to take that output and rediscover the original.
Say you sign up for a new online account using your favorite password, which happens to be "password." The site puts what you entered through a hashing algorithm and gets back some gibberish like 991CEFz&Nw36, which it stores. When you log in, the site runs the password you entered through the same algorithm. If the result matches, you're in.
They Shouldn't Send It
Even if a secure site did have your actual password stored, they shouldn't send it to you via email. Email is inherently insecure. Your messages bounce around from server to server on the way to your inbox. Unless you've used some kind of email encryption, your password just isn't safe during its travels.
Dvorak argues that a password reset link is just as vulnerable. He's wrong. For one thing, reset links are typically short-lived. A little while after you request the link, it becomes invalid. Once you've used the link, again, it becomes invalid. Also, using the link sets up a secure SSL connection between your browser and the site's servers. You enter your new password, the site hashes it and stores the result, and you're back in business.
But I Can't Remember!
Dvorak brings up the problem of his Dropbox account, which he only uses a few times a year. Naturally when he's forced to use it, he can't remember the password. In fact, a password that you can remember easily is very likely one that someone else could guess. What he really needs to do is start using a password manager, and change all his existing passwords to new, strong, unique ones.
Yes, there's a certain amount of work involved in switching to strong passwords, but it's well worth the effort. Our own Jill Duffy explains how she did it over a period of five weeks. And it needn't be expensive. Some of the available free password managers do an excellent job.
"But I still have to remember that strong master password," I can almost hear John say. Indeed you do. But it's just one password, and there are ways to make it memorable. In addition, you'll be using it every day, not once a year. So, John, consider this your wake-up call; it's time to join the modern world and get a password manager.