Password Recovery Questions


Ceola Roefaro

Jul 25, 2024, 8:12:27 PM (4 days ago) Jul 25
to Modelica Buildings

Multi-factor authentication (MFA), on the other hand, is a context-aware approach to authentication. You can implement a mix of authentication factors to suit the needs of your organization, and analyze risk signals from user login attempts to determine which authentication methods are the most appropriate. With this setup, you have the flexibility to use security questions and passwords as one of many authentication options, deploying them for additional assurance in low-risk contexts or forgoing them altogether.

Swaroop Sham is a Senior Product Marketing Manager for Security at Okta. His main focus areas include Multi-factor Authentication, Adaptive Authentication, and Security Integrations. He recently joined Okta, bringing with him over 10 years of experience in cybersecurity. He previously worked at Sift Science, Proofpoint, FireEye and F5 Networks. Swaroop has a Master's and Bachelor's degree in Computer Science.

By default the first user's account is an administrative account, so if the UI is prompting you for a password it's probably that person's user password. If the user doesn't remember their password you need to reset it. To do this you need to boot into recovery mode (see also official docs: RecoveryMode).

Boot up the machine, and after the BIOS screen, hold down the left Shift key (note that for UEFI BIOS you might need press ESC instead). You will then be prompted by a menu that looks something like this:

There is concern about this being a security vulnerability. It is not. You need to have physical access to the machine to do this. If someone has physical access to your PC, they could do far worse than change a password. When it comes to physical access, the battle for security is lost. Be wary of who you let on your PC.

Even setting a root password will not be successful, as one can simply boot with init being /bin/sh and have full root access. Again, given physical access, anyone with computer knowledge can do ANYTHING to your computer.

If you have a dual-boot (Ubuntu is installed next to Windows, another Linux operating system, or Mac OS X; and you choose at boot time which operating system to boot into), the boot menu should appear without the need to hold down the shift key.

After you select recovery mode and wait for all the boot-up processes to finish, you'll be presented with a few options. In this case, you want the Drop to root shell prompt option, so press the Down arrow to get to that option, and then press Enter to select it.

You'll then be prompted for a new password. When you type the password you will get no visual response acknowledging your typing. Your password is still being accepted. Just type the password and hit Enter when you're done. You'll be prompted to retype the password. Do so and hit Enter again.

If recovery mode is disabled, the method I would use is booting to a Live CD or USB. It could be the media you installed from or just another Ubuntu ISO you've downloaded and burnt. The process is fairly simple.

If you have a single-boot (Ubuntu is the only operating system on your computer), to get the boot menu to show, you have to hold down the Shift key during bootup. From the boot menu, select recovery mode, which is usually the second boot option. After you select recovery mode and wait for all the boot-up processes to finish, you'll be presented with a few options. In this case, you want the Drop to root shell prompt option so press the Down arrow to get to that option, and then press Enter to select it.

Then I got the Recovery Menu, but when I chose Drop to Root Shell Prompt (bottom item) I was root but couldn't reset the password, because the disks were read only. Type exit and get back to the Recovery Menu.

Then again to Drop to Root Shell Prompt, and I'm root and can write, so passwd username had me enter the desired password twice. Then exit to go back to the Recovery Menu, Resume normal boot, and everything worked fine with my new password! I'm the only account on this box, and my password works with sudo, so I apparently have administrative privileges.

I was having the same problem with my password and I tried everyone's suggestions but none worked for me. So I tried some of my own and this is what worked for me. Keep in mind I can NOT explain why it worked; all I know is it worked.

Note: (Here is the part I can't explain. After trying everything, and nothing working, I finally just started trying all the options here one at a time. When I tried the "grub Update grub boot loader" and then followed the rest of the steps all was well and password was reset.)

The password is the second group of characters after YOUR_USERNAME, between the two colons. You can replace this with another password; for example, you could replace the existing password string (truncated for clarity):

If you do that however and happened to have used an encrypted /home directory for that username you are likely not to gain access to the files in your /home directory (and if you do then Ubuntu should be uninstalled...)

For me, on an Ubuntu 16.04 VM installed in VirtualBox, when I boot into the root prompt (with Shift held before booting the VM), I always get "Give root password for maintenance (or type Control-D to continue)". Finally I hit e at the GRUB menu with the newest recovery kernel selected in Advanced Options for Ubuntu.

I'm trying to recover the password for my R6400 router and I know the answers to the security questions but they're not working. I'm wondering if I'm entering them incorrectly. Does anyone know if the answers are case sensitive? Also, are spaces allowed? If not, is there a character that might be automatically substituted if I had used a space (like a period or hyphen)?

If you are curious, please have a look at this study by Microsoft Research in 2009 and this study performed at Google in 2015. The accompanying Security blog update includes an infographic on the issues identified with security questions.

Please Note: While there are no acceptable uses of security questions in secure software, this cheat sheet provides guidance on how to choose strong security questions for legacy purposes.

Security questions fall into two main types. With user defined security questions, the user must choose a question from a list, and provide an answer to the question. Common examples are "What is your favourite colour?" or "What was your first car?"

These are easy for applications to implement, as the additional information required is provided by the user when they first create their account. However, users will often choose weak or easily discovered answers to these questions.

System defined security questions are based on information that is already known about the user. This approach avoids having to ask the user to provide specific security questions and answers, and also prevents them from being able to choose weak details. However it relies on sufficient information already being stored about the user, and on this information being hard for an attacker to obtain.

Additionally, the context of the application must be considered when deciding whether questions are good or bad. For example, a question such as "What was your maths teacher's surname in your 8th year of school?" would be very easy to guess if it was used in a virtual learning environment for your school (as other students probably know this information), but would be much stronger for an online gaming website.

Many good security questions are not applicable to all users, so the best approach is to give the user a list of security questions that they can choose from. This allows you to have more specific questions (with more secure answers), while still providing every user with questions that they can answer.

Much like passwords, there is a risk that users will re-use recovery questions between different sites, which could expose the users if the other site is compromised. As such, there are benefits to having unique security questions that are unlikely to be shared between sites. An easy way to achieve this is to create more targeted questions based on the type of application. For example, on a share dealing platform, financial related questions such as "What is the first company you owned shares in?" could be used.

Allowing users to write their own security questions can result in them choosing very strong and unique questions that would be very hard for an attacker to guess. However, there is also a significant risk that users will choose weak questions. In some cases, users might even set a recovery question to a reminder of what their password is - allowing anyone guessing their email address to compromise their account.

Enforcing a minimum length for answers can prevent users from entering strings such as "a" or "123" for their answers. However, depending on the questions asked, it could also prevent users from being able to correctly answer the question. For example, asking for a first name or surname could result in a two letter answer such as "Li", and a colour-based question could be four letters such as "blue".

If the security questions are not used as part of the main authentication process, then consider periodically prompting the user to review their security questions and verify that they still know the answers. This should give them a chance to update any answers that may have changed (although ideally this shouldn't happen with good questions), and increases the likelihood that they will remember them if they ever need to recover their account.

System defined security questions are based on information that is already known about the user. The users' personal details are often used, including the full name, address and date of birth. However these can easily be obtained by an attacker from social media, and as such provide a very weak level of authentication.

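The security-question guidance in the post above (minimum answer length that still admits short genuine answers like "Li" or "blue", answers that must not double as a password reminder, and the router question about whether case and spaces matter) can be turned into a small answer policy. This is an added example, not code from the post or from any of the projects it quotes; the question identifiers, the length overrides and the PBKDF2 iteration count are assumptions chosen for the demonstration.

```python
"""Security-question answer policy helpers (added example, not from the post)."""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import List, Optional, Tuple

# Minimum answer length policy: a default floor, with per-question exceptions so
# legitimately short answers such as a two-letter surname or "blue" still pass.
# Question identifiers and thresholds are assumed for this example.
DEFAULT_MIN_LEN = 3
MIN_LEN_OVERRIDES = {"surname": 2, "first_name": 2, "colour": 3}
PBKDF2_ITERATIONS = 200_000  # assumed setting, not from the post


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so that letter case, surrounding spaces and runs of
    internal whitespace do not cause a genuine answer to be rejected at recovery time."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\s+", " ", text).strip()


def check_answer_policy(question_id: str, answer: str, password: str) -> List[str]:
    """Return the policy violations for a proposed answer (empty list = acceptable)."""
    problems = []
    norm = normalize_answer(answer)
    min_len = MIN_LEN_OVERRIDES.get(question_id, DEFAULT_MIN_LEN)
    if len(norm) < min_len:
        problems.append(f"answer shorter than {min_len} characters")
    if norm.isdigit():
        problems.append("answer is purely numeric")
    # An answer equal to the password turns the question into a password reminder.
    if norm == normalize_answer(password):
        problems.append("answer must not equal the password")
    return problems


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store answers like passwords: salted PBKDF2-SHA256 over the normalised form."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate answer against the stored digest."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)
```

Because comparison happens on the normalised form, "Honda  Civic" and "honda civic" verify against the same stored digest, while the stored value itself reveals nothing if the answer table leaks.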