Password Resets Suck
By Nick Langer, posted on Tuesday, November 12 at 11:43 PM

Computer security still sucks..

Computers sure are a lot more impressive than they used to be. Even security is getting better -- it's been 10 years since we last saw an OpenSSH remote root exploit. Oh sure, we still have Adobe's severe exploit of the week, but for the first time in forever, it almost seems that you can stay secure if you know what you're doing!

BUT one thing still makes us knowledgeable folks an easy target, and that's password resets -- they're everywhere, and they all suck. Well, most of them, anyway. A hacker who knows the last 4 digits of your credit card, or your mother's maiden name, or your social security number can call up just about any organization and convince them to reset your password and send it to a totally new email address in Latvia.

With any business decision, companies weigh the costs and benefits. Allow password resets, and a handful of high-profile tempting targets will get pwn3d. This will make them angry, since they didn't do anything wrong (such as using Adobe products) and they still got hacked. So, they'll write scathing articles about your company's security. You don't want that.

Deny password resets, and those smart and security-conscious people who only ever boot OpenBSD from their known-clean thumbdrives will stay perfectly safe. They'll love you. But what happens when one of your normal customers actually forgets their password? It'll be his own damned fault -- after all you warned him that you don't ever reset passwords -- but he'll still be pissed at you. You don't want that either, but since normal customers outnumber the "high profile tempting targets who run OpenBSD" at least 100,000 to 1, their convenience matters more.

..but not at ChunkHost!

Here at ChunkHost, we let you decide whether to have password resets!

For normal people, we have a sensible reset mechanism that doesn't involve verifying things that a private investigator could look up in 5 minutes. Instead, we ask you details about your ChunkHost account, and challenge you to prove that you have access to the chunks themselves. And all of this done by a very paranoid human, not a computer program or a support drone reading a script.

Or if you're truly paranoid, just contact us at support@chunkhost.com and request that password resets be disabled for your account! Then, it's up to you to keep your password and two factor authentication from getting lost, but you can bet that no one will break into your stuff through us!