After some years, it finally happened.
But let's start from the beginning:
Last week, on the 21st of June, I got a ticket with the topic “lost password”.
I verified the rightful owner by asking him for five contacts from his contact list and some details he had entered when the account was created.
Sadly, there was no email address connected to this account.
I reset the password and wrote the new password into the ticket. – BAD MISTAKE.
I don’t know how, but the guy who requested the password was NOT the rightful owner. The real owner contacted me just a few hours later.
And he COULD authenticate and prove it was his account through earlier tickets he had created. He named the right email address and so on.
I was able to give him his account back and learned a lesson. But now I am in a bind.
I don’t want your personal information. IAF uses the principle of “as little data as possible, as much data as needed”.
You can use IAF.org completely anonymously, via Tor and so on.
But I need some information to validate your rightful ownership in cases like this.
So here's a reasonably good idea:
Add a valid email address to your profile. Use a throwaway address: one you don’t need every day, one that can float around on the net.
If you need a password reset or similar, I will write to THIS address, the one attached to your Jabber account.
If someone tries to steal your account and can trick me into believing it is his account, not yours, you might not be able to log in. But then you can be sure the new password is in YOUR mailbox and your account is still safe from others.
Nobody is perfect. I have a lot of security measures, but in the end I’m human. And if someone can answer all the security questions and fool me into resetting a password, there is still this last step.
I hope you can understand what I'm trying to say.
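The recovery flow described above, as an added example (not IAF.org's code): the reset token goes only to the email address already stored on the account and is never handed to whoever opened the ticket, so even an admin who has been fooled cannot leak the new credential into the ticket. The account names, the addresses, the in-memory outbox standing in for SMTP, and the 30-minute token lifetime are assumptions made for this illustration.

```python
"""Out-of-band password reset: the new credential reaches only the address already
on file, never the ticket requester.  Added example, not IAF.org's code; the account,
addresses and the in-memory "outbox" are constructed for illustration."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 30 * 60  # constructed policy: a reset token is valid for 30 minutes


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow KDF so a leaked table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _hash_token(token: str) -> str:
    """Tokens are high-entropy, so a plain digest is enough at rest."""
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    def __init__(self):
        self.accounts = {}  # user -> {"salt", "pw_hash", "recovery_email"}
        self.pending = {}   # user -> {"token_hash", "expires"}
        self.outbox = []    # stands in for SMTP: (recipient, message) pairs

    def register(self, user, password, recovery_email=None):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                               "recovery_email": recovery_email}

    def request_reset(self, user, now=None):
        """What the admin does for a 'lost password' ticket.

        The requester learns only whether a mail was sent; the token itself is
        never returned, so it cannot end up in the ticket.
        """
        acct = self.accounts.get(user)
        if acct is None or not acct["recovery_email"]:
            return False  # no address on file: fall back to manual verification
        token = secrets.token_urlsafe(32)
        self.pending[user] = {"token_hash": _hash_token(token),
                              "expires": (now if now is not None else time.time()) + TOKEN_TTL}
        self.outbox.append((acct["recovery_email"], f"reset-token:{token}"))
        return True

    def complete_reset(self, user, token, new_password, now=None):
        """Single-use, time-limited, constant-time token check."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if (now if now is not None else time.time()) > entry["expires"]:
            del self.pending[user]
            return False
        if not hmac.compare_digest(entry["token_hash"], _hash_token(token)):
            return False
        del self.pending[user]  # burn the token before changing anything
        salt = secrets.token_bytes(16)
        self.accounts[user].update(salt=salt, pw_hash=_hash_password(new_password, salt))
        return True

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))

    def tokens_delivered_to(self, address):
        return [msg.split(":", 1)[1] for to, msg in self.outbox if to == address]


def walk_through():
    """Replays the incident from the post with the out-of-band step in place."""
    store = AccountStore()
    store.register("alice", "old-pass-1", recovery_email="alice-spam@example.invalid")
    # 1. An impostor opens a ticket and convinces the admin; the admin triggers a reset.
    sent = store.request_reset("alice")
    # 2. Nothing reached the impostor; the token exists only in alice's mailbox.
    impostor_tokens = store.tokens_delivered_to("impostor@example.invalid")
    guess_ok = store.complete_reset("alice", secrets.token_urlsafe(32), "impostor-pass")
    # 3. The real owner reads the mail and finishes the reset herself.
    token = store.tokens_delivered_to("alice-spam@example.invalid")[0]
    owner_ok = store.complete_reset("alice", token, "new-pass-2")
    return {
        "mail_sent": sent,
        "impostor_got_token": bool(impostor_tokens),
        "impostor_guess_accepted": guess_ok,
        "owner_reset_accepted": owner_ok,
        "owner_login": store.login("alice", "new-pass-2"),
        "old_password_login": store.login("alice", "old-pass-1"),
        "token_replay_accepted": store.complete_reset("alice", token, "impostor-pass"),
    }
```

Calling `walk_through()` shows the point of the post: the admin can be tricked into starting a reset, but the impostor never obtains anything usable, and the account stays with whoever controls the registered mailbox. Tokens are stored hashed, compared in constant time, expire, and are burned on first use so a captured link cannot be replayed.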
- Use different passwords for different services!
- Use a password generator if you can’t come up with good passwords!
- Suggestion: Keepass2
Related: How secure is IAF.org