Author Topic: Forgotten Password Retrievable from Cookies?  (Read 435 times)

Forgotten Password Retrievable from Cookies?
« on: February 14, 2020, 01:51:10 pm »
I have a colleague who's forgotten a password.  Is it possible to retrieve a password from the relevant cookie?

Re: Forgotten Password Retrievable from Cookies?
« Reply #1 on: February 14, 2020, 02:02:32 pm »
No (unless the website is amazingly badly designed), cookies and passwords are completely different things.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Forgotten Password Retrievable from Cookies?
« Reply #2 on: February 14, 2020, 02:07:21 pm »
There is usually a link on web sites for when a password has been forgotten.

ian

  • fatuously disingenuous
    • The Suburban Survival Guide
Re: Forgotten Password Retrievable from Cookies?
« Reply #3 on: February 14, 2020, 02:50:12 pm »
Most browsers also feature a password manager that can be queried (if, of course, you use it to save passwords).
!nataS pihsroW

Re: Forgotten Password Retrievable from Cookies?
« Reply #4 on: February 14, 2020, 03:00:15 pm »
It's apparently for a Gmail email account.

I guess she'll just have to renew the password.

Re: Forgotten Password Retrievable from Cookies?
« Reply #5 on: February 14, 2020, 09:21:32 pm »
There is usually a link on web sites for when a password has been forgotten.

Unfortunately, this is a home-brew website and the designer of it has disappeared.
Fortunately, said colleague has found the lost password.
Quote from: tiermat
that's not science, it's semantics.

Re: Forgotten Password Retrievable from Cookies?
« Reply #6 on: February 14, 2020, 09:24:36 pm »
Thanks, PO, for your help!

Re: Forgotten Password Retrievable from Cookies?
« Reply #7 on: February 15, 2020, 10:03:48 am »
Design for this in advance.

For Web site management and similar, ideally have two administrator accounts held by different people. Or, if unavoidable, have two different people hold the administrator password. These people should be unrelated and unlikely to leave at the same time.

For personal accounts, set up the recovery addresses and other measures in case of lost passwords. Choose recovery email addresses that are unlikely to change (as far as feasible).

Obviously, passwords in a password manager, and make sure that its file is stored somewhere secure.

Cookies generally hold no information of interest, as said up-thread. They don't need to. All they need hold is a unique identifier of you, or of your session on the service, that is otherwise meaningless. The real information is stored on the service's computers; the code in the cookie is just used to look it up. Even the service won't have your password though, unless it's really badly designed. Your password isn't stored anywhere. Instead, your password is encrypted, and the result is stored. When you sign in, the password that you submit is also encrypted, and the result is compared with the stored one. So, even breaking into the system, an attacker should not be able to get your password, unless that attacker can reverse the encryption.
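
The cookie lookup and sign-in comparison described in Reply #7, as an added example that is not part of the original thread. It assumes a salted one-way hash (PBKDF2-HMAC-SHA256) for the step the post calls encryption; the `USERS` and `SESSIONS` dictionaries, the function names and the sample credentials are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the service's database (assumption).
USERS = {}     # username -> (salt, derived_key); the password itself is never kept
SESSIONS = {}  # opaque cookie value -> username

ITERATIONS = 200_000  # illustrative work factor, chosen for this example


def derive(password: str, salt: bytes) -> bytes:
    """Salted one-way derivation; the stored result cannot be decrypted back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords store differently
    USERS[username] = (salt, derive(password, salt))


def login(username: str, password: str):
    """Return a new session cookie value on success, None on failure."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    # Re-derive from the submitted password and compare in constant time.
    if not hmac.compare_digest(stored, derive(password, salt)):
        return None
    token = secrets.token_urlsafe(32)  # random, carries no user data
    SESSIONS[token] = username
    return token


def whoami(cookie_value: str):
    """Server-side lookup: the cookie is only a key into SESSIONS."""
    return SESSIONS.get(cookie_value)


def logout(cookie_value: str) -> None:
    SESSIONS.pop(cookie_value, None)  # the cookie is worthless once removed


if __name__ == "__main__":
    register("colleague", "constructed-sample-passphrase")
    cookie = login("colleague", "constructed-sample-passphrase")
    print("Set-Cookie: session=" + cookie)
    print("resolves to:", whoami(cookie))
```

Nothing in the cookie value or in `USERS` lets anyone read the password back, which is why a forgotten password has to be reset rather than retrieved.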

Re: Forgotten Password Retrievable from Cookies?
« Reply #8 on: February 15, 2020, 11:32:40 am »
... two different people hold the administrator password.

That is good advice. It reminds me of a similar but not web-based situation when I was doing IT support for a high tech. company that was very security conscious; everything had passwords. The engineering department had a contractor who applied for a permanent post that came up - the one they had been filling for the last 18 months. Everyone liked the contractor and expected her to get the job but the boss had someone else in mind so she didn't. On the Monday after she finished no one could open up the spreadsheet that contained all her work because no one knew the password. When telephoned she said she could not remember it either, so the company lost 18 months' work - all because only one person knew the password.

Re: Forgotten Password Retrievable from Cookies?
« Reply #9 on: February 15, 2020, 11:49:41 am »
And I bet she did remember the password but was in a sod you mood at the time. But also a good example of a company that didn’t have a succession plan for when staff move on.
If you don’t make time for exercise now, sooner or later you’ll need to make time for ill health.

Kim

  • Timelord
Re: Forgotten Password Retrievable from Cookies?
« Reply #10 on: February 15, 2020, 04:02:02 pm »
... two different people hold the administrator password.

That is good advice. It reminds me of a similar but not web-based situation when I was doing IT support for a high tech. company that was very security conscious; everything had passwords. The engineering department had a contractor who applied for a permanent post that came up - the one they had been filling for the last 18 months. Everyone liked the contractor and expected her to get the job but the boss had someone else in mind so she didn't. On the Monday after she finished no one could open up the spreadsheet that contained all her work because no one knew the password. When telephoned she said she could not remember it either, so the company lost 18 months' work - all because only one person knew the password.

And somewhat less dramatically, in every grassroots non-profit organisation ever, you tend to end up with The Person Who Knows Computers sorting out all the webby stuff.  All is well, until they then suffer from an outbreak of real life commitments; illness; flounce; get run over by a bus; or vanish into an autistic failure-to-communicate black hole.  Bonus points for things being tied to people's personal email etc. accounts.
Careful, Kim. Your sarcasm's showing...

Kim

  • Timelord
Re: Forgotten Password Retrievable from Cookies?
« Reply #11 on: February 15, 2020, 04:05:18 pm »
And I bet she did remember the password but was in a sod you mood at the time.

Forgetting a password, unlike actively deleting data, isn't an offence under the Computer Misuse Act.  (Let's not go into RIPA.)
Careful, Kim. Your sarcasm's showing...

Re: Forgotten Password Retrievable from Cookies?
« Reply #12 on: February 15, 2020, 05:35:38 pm »
And somewhat less dramatically, in every grassroots non-profit organisation ever, you tend to end up with The Person Who Knows Computers sorting out all the webby stuff.  All is well, until they then suffer from an outbreak of real life commitments; illness; flounce; get run over by a bus; or vanish into an autistic failure-to-communicate black hole.  Bonus points for things being tied to people's personal email etc. accounts.
My last two roles have involved, as a minor side-line, sorting out what happens when volunteers move on from local branches of national organisations, and no-one knows as a result how to get access. Sometimes, the former volunteer will own both the domain registration and the Web provider account...

T42

  • Tea tank
Re: Forgotten Password Retrievable from Cookies?
« Reply #13 on: February 16, 2020, 10:22:02 am »
Maybe a fortune cookie?

IGMC
I've dusted all those old bottles and set them up straight.