[etherealmachine]

Account recovery is always a nagging weak spot. At some point, a user will forgot their password or lose their TFA device, and now you need them to be able to prove their identity outside of the usual flow. And if you have enough users, this has to be automated, leaving even more room for exploitation.

[Alex3917]

> And if you have enough users, this has to be automated

Not really, they could just charge people $100 to retrieve a lost password and then do it manually.

[tetraodonpuffer]

I would love for services that I REALLY care about never ever ever being broken into (email, web hosting) there was ONLY the $100-and-speak-to-a-human option to change the password

I would even make it $100 + skype and show live on skype your passport.

[vilhelm_s]

"showing your passport on skype" seems insecure - I imagine it would not be very hard to paste a page with some computer-vision image registration barcodes on the photo page, and then hack up a video filter which pastes in an arbitrary bitmap.

[ocdtrekkie]

Charging $100 is pretty punitive, but I've often wondered why more online services sensitive to attack don't use token credit card charges as a way to limit account duplication, increase complexity in a malicious operation, etc.

Stealing credit cards is cheap, yes, but the additional cost to using such a card on a password reset would still be a deterrent.

[quanticle]

The problem with charging people for password resets is that by making the process of resetting a password more expensive, you've now encouraged people to reuse passwords. People know when they sign up for your service that resetting a password is going to be expensive, so they'll use a password that they're sure not to forget, i.e. the password they use for everything else.

I would posit that even with this social engineering exploit, Google's two-factor SMS authentication is still more secure than charging people for password recoveries (and thus encouraging password reuse).

[_delirium]

I seem to recall there were some services that charged a one-time small fee in the late-90s / early-2000s basically for that reason. But in the past 10 years most seem to have moved to requiring a mobile phone number as the hurdle instead. The idea is that it has some of the same deterrent effect for bad actors, since coming up with a steady stream of unused mobile numbers costs a nonzero amount, but produces less sign-up friction for legitimate users.

[bredman]

IMO it's not that bad, people are used to paying locksmiths that much when locked out of houses or vehicles.

[kbar13]

that doesn't mean it's a good thing

[Alex3917]

> Charging $100 is pretty punitive

Not really, considering there is zero reason for anyone to ever lose a password assuming they are using a password manager. You could even make it free for the first few hours after the account is created or the password is changed in case the user pastes it into their password manager incorrectly.

[copperx]

And how many "normal" people do you know that use a password manager? It's 0 for me. They don't even use post-it notes, which would be an improvement over "I'll just try to remember the password, and if I can't, I'll ask someone to help me ".

[lgas]

Assuming the "someone" is the forgot password feature and not a person, this seems like a sound approach. It's basically using the site itself as a slightly clunky password manager.

[EpicEng]

>Not really, considering there is zero reason for anyone to ever lose a password assuming they are using a password manager

Oh, so in other words; a tiny fraction of the internet using public?

[TrevorJ]

And in the real world, no one would use that service. You aren't wrong though, that would be the way to do it if you wanted it to be secure.

[marrone12]

That is a PR nightmare...