Password reset



  • So, back story is, I signed up for a Prosper account way back in 2008, linked and verified my e-mail address and bank account, and never really used it. Fast forward to this week, when I thought I'd like to log in (they still send me e-mails occasionally).

    Needless to say, I don't remember what password I used in 2008. I'm sure the password was probably saved in Firefox, but it never made it into my password vault, and I'm pretty sure that computer died a fiery death. I (apparently) had the foresight to not use the password I used back then on most of my dontcare accounts, so I figured no big deal, just click that "forgot password" link and I'm sure it will be a painless process.

    ...looks promising enough, right?

    ...well isn't that dandy. No, I never honestly answer those questions, and no, I have no idea what I put in when I registered.

    Well, I guess it's time to find the Contact link and try sending them an e-mail...

    At this point I'm trying really hard not to facepalm, but I backtrack and try their toll-free number and... "All representatives are currently busy, please wait and your call will be answered in the order it was received" blah blah blah.

    hold music ... hold music ... advertisement blurb ... more hold music ... more advertisement blurbs

    ...finally, after about 5 minutes on hold: "All representatives are busy. Please leave your name and number and we'll call you back."

    ...I did leave a message, and no, they didn't call me back (3 days later).



  • I think that place is a scam. They somehow got ahold of my email and send me junk emails and when I try to unsub they don't seem to honor it.

    I'm more interested in why you don't remember your first boyfriend's first name. Were you both so out of your heads on amyl that you never bothered learning it? Or was he a dom and so you only ever addressed him by his last name ("Yes, Mr. Belvedere, I'm a dirty sub who isn't worthy to lick your penny loafers..")

    Inquiring minds want to know.



  • @morbiuswilters said:

    I think that place is a scam. They somehow got ahold of my email and send me junk emails and when I try to unsub they don't seem to honor it.

    I'm more interested in why you don't remember your first boyfriend's first name. Were you both so out of your heads on amyl that you never bothered learning it? Or was he a dom and so you only ever addressed him by his last name ("Yes, Mr. Belvedere, I'm a dirty sub who isn't worthy to lick your penny loafers..")

    Inquiring minds want to know.

    I never said I didn't remember the correct answer to that question. I said I don't remember the string of random characters that I entered in the password field entitled "What was your first boyfriend/girlfriend's first name".



  • update: I was able to get ahold of a real live person this time and give them enough identifying information to convince them that I owned the account so they'd read me my security question answer. Apparently I thought it'd be funny to answer that with one of my least favourite flavours of ice cream.



  • @anotherusername said:

    update: I was able to get ahold of a real live person this time and give them enough identifying information to convince them that I owned the account so they'd read me my security question answer. Apparently I thought it'd be funny to answer that with one of my least favourite flavours of ice cream.

    Semen?



  • @Ben L. said:

    @anotherusername said:
    update: I was able to get ahold of a real live person this time and give them enough identifying information to convince them that I owned the account so they'd read me my security question answer. Apparently I thought it'd be funny to answer that with one of my least favourite flavours of ice cream.

    Semen?

    No no, check where he ranked that flavor again.



  • @Ben L. said:

    @anotherusername said:
    update: I was able to get ahold of a real live person this time and give them enough identifying information to convince them that I owned the account so they'd read me my security question answer. Apparently I thought it'd be funny to answer that with one of my least favourite flavours of ice cream.

    Semen?

    I'm pretty sure the support lady would have hung up on me if that had been the answer.



  • I was already out of her good graces for asking her to re-mumble her "hiandthankyouforcallingprospermynameismumblehowcaniassistyoutoday".



  • @anotherusername said:

    I was already out of her good graces for asking her to re-mumble her "hiandthankyouforcallingprospermynameismumblehowcaniassistyoutoday".

    This gives me an idea.. Now that you have access to your account, you should call back. When the support person answers, quickly update your profile to change your security answer to: "Hi, $SUPPORT_PERSON, it's great to make your acquaintance!" Then when they go to read it to you over the phone, their minds will be blown.



  • @anotherusername said:

    Needless to say, I don't remember what password I used in 2008. I'm sure the password was probably saved in Firefox, but it never made it into my password vault, and I'm pretty sure that computer died a fiery death. I (apparently) had the foresight to not use the password I used back then on most of my dontcare accounts, so I figured no big deal, just click that "forgot password" link and I'm sure it will be a painless process.
    You're just getting started.  Imagine that in addition to the above:

    1. You're no longer using the ISP that you had when you originally opened the account, so the e-mail they send you with the reset link goes to a dead mailbox, or
    2. You're still using the same e-mail address after all these years, but somewhere along the way Prosper changed their software so that they no longer consider that address valid.  They'll still return a screen telling you the update was mailed, but you'll never actually get it.
    I had that second one happen just last week with Geico.  The talking lizard had no trouble sending me ads and update notices until about six months ago, when suddenly all their communiques started falling on the floor.  As luck would have it, I've seen this sort of thing before when I first applied for a lot of my online access accounts.  For whatever reason, Discover Card considers my e-mail address--the same one that every scammer in Bulgaria has no problem getting to--invalid.  For them alone, I set up a gmail account that does nothing but forward to the real address.  In the interim, a few other companies have "seen the light" of doing things Discover's way, and I'll occasionally get a piece of snail mail saying "we were unable to reach you by e-mail" from some newly clueless corporation.

    Never got one of those from Geico, though.


  • @da Doctah said:

    @anotherusername said:

    Needless to say, I don't remember what password I used in 2008. I'm sure the password was probably saved in Firefox, but it never made it into my password vault, and I'm pretty sure that computer died a fiery death. I (apparently) had the foresight to not use the password I used back then on most of my dontcare accounts, so I figured no big deal, just click that "forgot password" link and I'm sure it will be a painless process.
    You're just getting started.  Imagine that in addition to the above:

    1. You're no longer using the ISP that you had when you originally opened the account, so the e-mail they send you with the reset link goes to a dead mailbox, or
    2. You're still using the same e-mail address after all these years, but somewhere along the way Prosper changed their software so that they no longer consider that address valid.  They'll still return a screen telling you the update was mailed, but you'll never actually get it.
    I had that second one happen just last week with Geico.  The talking lizard had no trouble sending me ads and update notices until about six months ago, when suddenly all their communiques started falling on the floor.  As luck would have it, I've seen this sort of thing before when I first applied for a lot of my online access accounts.  For whatever reason, Discover Card considers my e-mail address--the same one that every scammer in Bulgaria has no problem getting to--invalid.  For them alone, I set up a gmail account that does nothing but forward to the real address.  In the interim, a few other companies have "seen the light" of doing things Discover's way, and I'll occasionally get a piece of snail mail saying "we were unable to reach you by e-mail" from some newly clueless corporation.

    Never got one of those from Geico, though.

    What's so special about your email address?


  • Considered Harmful

    @anotherusername said:

    I was already out of her good graces for asking her to re-mumble her "hiandthankyouforcallingprospermynameismumblehowcaniassistyoutoday".
    Guys, I found the problem.



  • @Ben L. said:

    What's so special about your email address?
    Haven't figured that out yet.  Maybe it's the word "spam" in the domain that's throwing them.



  • @Ben L. said:

    What's so special about your email address?

    Back in the 90s, I bet a friend $10 I could get the White House to mail him back if he sent them an email. We had the same ISP and this was back in the day when mail servers were just ultra-insecure garbage. So I was able to set up an alias rule for my account that received mail for "bclinton@whitehouse.gov". To send the reply, I just needed to forge the envelope sender. His mind was blown.

    Oh, I should add, he knew it was me the whole time. He was just amazed that I could pull it off.



  •  You lost your password. You gave a nonsense answer you also don't remember to one of your security questions whose sole purpose is to ensure your password can be securely recovered. Look in the mirror for TRWTF.



  • @joelkatz said:

     You lost your password. You gave a nonsense answer you also don't remember to one of your security questions whose sole purpose is to ensure your password can be recovered by anyone who happens to know the answer to a well-known personal question. Look in the mirror for TRWTF.

    Fixed that for you. You expected me to give my first boyfriend/girlfriend access to reset my Prosper password. Not to mention anyone else who happens to know who that would be.

    You should need the security question OR the e-mail address to reset your password (not both). You might forget your security question answer or lose your old e-mail address. Having two ways to reset your password gives you a backup. If you need both of them, you're fucked. Anyone who's smart already knows that a security question is just another password and shouldn't be something guessable.



  • @anotherusername said:

    @joelkatz said:

     You lost your password. You gave a nonsense answer you also don't remember to one of your security questions whose sole purpose is to ensure your password can be recovered by anyone who happens to know the answer to a well-known personal question. Look in the mirror for TRWTF.

    Fixed that for you. You expected me to give my first boyfriend/girlfriend access to reset my Prosper password. Not to mention anyone else who happens to know who that would be.

    You should need the security question OR the e-mail address to reset your password (not both). You might forget your security question answer or lose your old e-mail address. Having two ways to reset your password gives you a backup. If you need both of them, you're fucked. Anyone who's smart already knows that a security question is just another password and shouldn't be something guessable.

    Wrong. For a financial site, I'd definitely want a security question and an email to reset a password. I don't want to lose a bunch of money or get screwed if someone manages to get ahold of my email account.

    That said, you're right about not using something guessable. All my security answers are randomly-generated strings (i.e. passwords) that I keep in my password database, right next to my real passwords. Just entering a random string and forgetting it is kind of dumb. (Yeah, yeah, I know: if you have the security answer and password together, then you won't really need the security answer because you'll have the password. But then again, I've never lost the password to a real account. Because, you know, I keep backups of all of my passwords..)
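The two posts above argue over whether a reset should require the e-mailed link AND the security answer or either one alone, and agree that the answer is "just another password". The following is an added example, not code from the thread or from Prosper, showing a minimal reset back end built on that premise: the answer is normalized and stored only as a salted PBKDF2 hash like the password, the e-mailed link carries a random single-use token that expires and is itself stored only as a hash, answer guesses are rate-limited, and the AND/OR choice is a single policy switch. All names (`ResetService`, `make_account`, the `policy` values, the constructed accounts and sample answers) are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed example: a password-reset service that treats the security
# answer as a second password and the e-mailed reset link as a short-lived,
# single-use, high-entropy token. Nothing here is Prosper's real flow.

PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


def _normalize(answer: str) -> str:
    # Fold case, Unicode form and whitespace so "  Rocky  ROAD " == "rocky road";
    # a user typing the right answer with different spacing should not be locked out.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Salted slow hash; used for both the password and the security answer.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)


@dataclass
class Account:
    email: str
    pw_salt: bytes
    pw_hash: bytes
    ans_salt: bytes
    ans_hash: bytes


def make_account(email: str, password: str, answer: str) -> Account:
    pw_salt, pw_hash = hash_secret(password)
    ans_salt, ans_hash = hash_secret(_normalize(answer))
    return Account(email, pw_salt, pw_hash, ans_salt, ans_hash)


@dataclass
class ResetService:
    policy: str = "both"          # "both": link AND answer; "either": link OR answer
    token_ttl: int = 900          # seconds a reset link stays valid
    max_answer_attempts: int = 5  # lockout threshold for answer guesses
    _tokens: Dict[bytes, Tuple[str, int]] = field(default_factory=dict)  # sha256(token) -> (email, expiry)
    _attempts: Dict[str, int] = field(default_factory=dict)

    def request_reset(self, account: Account, now: int) -> str:
        # The raw token goes into the e-mail only; the store keeps just its hash,
        # so a leaked database does not hand out usable reset links.
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self._tokens[key] = (account.email, now + self.token_ttl)
        return token

    def _consume_token(self, account: Account, token: str, now: int) -> bool:
        # pop() makes the token single-use whether or not the rest of the check passes.
        entry = self._tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        return entry is not None and entry[0] == account.email and now <= entry[1]

    def _check_answer(self, account: Account, answer: str) -> bool:
        tries = self._attempts.get(account.email, 0)
        if tries >= self.max_answer_attempts:
            return False  # locked: even a correct answer no longer counts
        ok = verify_secret(_normalize(answer), account.ans_salt, account.ans_hash)
        self._attempts[account.email] = 0 if ok else tries + 1
        return ok

    def complete_reset(self, account: Account, token: Optional[str],
                       answer: Optional[str], new_password: str, now: int) -> bool:
        have_token = token is not None and self._consume_token(account, token, now)
        have_answer = answer is not None and self._check_answer(account, answer)
        if self.policy == "both":
            allowed = have_token and have_answer
        else:
            allowed = have_token or have_answer
        if allowed:
            account.pw_salt, account.pw_hash = hash_secret(new_password)
        return allowed


if __name__ == "__main__":
    acct = make_account("user@example.test", "old-password", "Rocky Road")  # constructed
    svc = ResetService(policy="both")
    link = svc.request_reset(acct, now=1000)
    print("answer only:", svc.complete_reset(acct, None, "rocky road", "x", now=1001))
    print("link + answer:", svc.complete_reset(acct, link, "rocky road", "new-password", now=1002))
```

Under the "both" policy a wrong answer still consumes the link, so an attacker who has only the mailbox gets one answer guess per e-mail they can trigger, and the attempt counter caps those guesses regardless of policy.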



  • @morbiuswilters said:

    Wrong. For a financial site, I'd definitely want a security question and an email to reset a password. I don't want to lose a bunch of money or get screwed if someone manages to get ahold of my email account.

    Whoever gained access to your e-mail address can also look through your old e-mails and likely as not guess your zip code and who your first boyfriend/girlfriend was, if you gave the correct answer to it originally. (I seem to remember some tech writer getting his e-mail account hacked and all sorts of shit went down. The safest bet is to hope to god your e-mail never gets compromised, because once someone has access to your e-mail they can reset your password for just about everything else, not to mention gather enough personal information to call tech support and claim to be you if they run into an account that they can't crack open. For this reason, it's really not a bad idea to use a different e-mail address linked to your financial accounts than the e-mail address you use for everyday correspondence.)

    @morbiuswilters said:
    That said, you're right about not using something guessable. All my security answers are randomly-generated strings (i.e. passwords) that I keep in my password database, right next to my real passwords. Just entering a random string and forgetting it is kind of dumb. (Yeah, yeah, I know: if you have the security answer and password together, then you won't really need the security answer because you'll have the password. But then again, I've never lost the password to a real account. Because, you know, I keep backups of all of my passwords..)

    So do I, now, but obviously I didn't back in 2008. I would've had the answer saved somewhere, but I've gone through ... 3 computers since then, I think, and I'm now on my 4th...



  • @anotherusername said:

    So do I, now, but obviously I didn't back in 2008. I would've had the answer saved somewhere, but I've gone through ... 3 computers since then, I think, and I'm now on my 4th...
    And this is why password management is best done with KeePass or a similar package that does it all locally so you don't have to worry about a cloud provider going tits up or getting heartbled, with the authoritative version of your password database file kept on Dropbox or some similar service that gives you a synced local copy on every device you use without you having to think much about it, plus a reasonably frequent backup kept on a micro SD card attached to your car keys. Because it doesn't matter how good your passwords are if the answers to your security questions are not also long machine-generated random strings, and it doesn't matter how annoying a lost-password procedure is if you never have to use it.

    Then the only thing you need to worry about is fucktards who let themselves get socially engineered into resetting your passwords whenever some bozo calls them up with a plausible story about ice cream. It would be good if more places let you flag your account with "do not fuck with this unless I turn up in person carrying 100 points of ID."



  • @anotherusername said:

    Whoever gained access to your e-mail address can also look through your old e-mails
    Really? How are they doing that?  I'm sure I would notice them sitting at my computer.



  • @anotherusername said:

    Whoever gained access to your e-mail address can also look through your old e-mails and likely as not guess your zip code and who your first boyfriend/girlfriend was, if you gave the correct answer to it originally. (I seem to remember some tech writer getting his e-mail account hacked and all sorts of shit went down. The safest bet is to hope to god your e-mail never gets compromised, because once someone has access to your e-mail they can reset your password for just about everything else, not to mention gather enough personal information to call tech support and claim to be you if they run into an account that they can't crack open. For this reason, it's really not a bad idea to use a different e-mail address linked to your financial accounts than the e-mail address you use for everyday correspondence.)

    Thanks for replying without even reading my whole response.

    @anotherusername said:

    So do I, now, but obviously I didn't back in 2008. I would've had the answer saved somewhere, but I've gone through ... 3 computers since then, I think, and I'm now on my 4th...

    Oh, I guess I'm guilty of that, too.



  • @flabdablet said:

    Then the only thing you need to worry about is fucktards who let themselves get socially engineered into resetting your passwords 
    Which is pretty much . . . . . everyone. And most of the time you don't even have to mention ice cream.



  • @El_Heffe said:

    @flabdablet said:

    Then the only thing you need to worry about is fucktards who let themselves get socially engineered into resetting your passwords 
    Which is pretty much . . . . . everyone. And most of the time you don't even have to mention ice cream.

    I know a guy who has been conned out of his credit card number several times. Nice guy, but if someone gets him on the phone and gets him excited, he can be played like a fiddle and he'll hand over his personal info without thinking twice.


  • Discourse touched me in a no-no place

    @El_Heffe said:

    Which is pretty much . . . . . everyone.
    Not unless you count getting married and then divorced.



  • @morbiuswilters said:

    I know a guy who has been conned out of his credit card number several times. Nice guy, but if someone gets him on the phone and gets him excited, he can be played like a fiddle and he'll hand over his personal info without thinking twice.
    Sounds like an absolutely ideal IT help desk candidate!



  • @flabdablet said:

    Filed under: I am the finance minister of Nigeria and I forgot your er my password
    Has been done already.

    A couple of years ago Anonymoose broke into a government contractor by sending email to a sysadmin and pretending to be a top executive of the company. After asking for a password reset they still couldn't get in because they didn't know his exact username, which was then provided to them by the helpful "Security Specialist".



  • @anotherusername said:

    You should need the security question OR the e-mail address to reset your password (not both). You might forget your security question answer or lose your old e-mail address. Having two ways to reset your password gives you a backup. If you need both of them, you're fucked. Anyone who's smart already knows that a security question is just another password and shouldn't be something guessable.
    You believe that you should need either. They believe that you should need both. Certainly reasonable people can disagree on this. But that doesn't change the fact that TRWTF is that you assumed the site would work the way you personally thought it should and lied to the site based on those unfounded assumptions and then blamed the site when it behaved the way a secure financial site should.

    It should not be easy to recover a lost password to a site that relates in any way to financial information, particularly if you don't have the password recovery information configured on the account.
