
Subject / Author
* PayPal do not understand security - Sylvia Else
+* Re: PayPal do not understand security - Richard Kettlewell
|`- Re: PayPal do not understand security - Dan Espen
`* Re: PayPal do not understand security - Adrian Caspersz
 `* Re: PayPal do not understand security - Adrian Caspersz
  `* Re: PayPal do not understand security - Rich
   `- Re: PayPal do not understand security - Bob Eager

PayPal do not understand security


https://www.novabbs.com/computers/article-flat.php?id=1534&group=comp.misc#1534

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: syl...@email.invalid (Sylvia Else)
Newsgroups: comp.misc
Subject: PayPal do not understand security
Date: Thu, 12 May 2022 21:54:53 +1000
Lines: 46
Message-ID: <je4aseFprbhU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net m9simEHdWcTOPOKV7/lWKwQyECSuHFPSZVyO3Dnwu5mdP2fHa+
Cancel-Lock: sha1:tbgz9QfKuLH+EXBGQzpxHaZarPs=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.9.0
Content-Language: en-GB
 by: Sylvia Else - Thu, 12 May 2022 11:54 UTC

I asked that all methods of resetting my password be disabled, since I
am not going to forget it, and I view the various reset methods as being
highly insecure.

Here's their reply:

------------------------------------------------

Hi Miss Sylvia. This is XXXXX. Thank you for contacting us.

Due to security reason and for the safety of all our PayPal customers,
the option to disable all methods of password recovery can not be granted.

There are occasions in which hackers were able to get the passwords of
the customers. So our customers need to change their passwords to stop
hackers from accessing their accounts; to prevent their accounts from
being compromised.

I know that this may be annoying. But the safety and the security of our
PayPal customers are our top priority. which is why disabling the
password recovery method can never be removed (sic).

It's not the matter of memorising the password indefinitely but the high
probability of any stranger in accessing their passwords. No matter how
complicated the password is, there are some hackers who used advanced
methods that enable them to still figure the customer's passwords.

That's why a number of institutions and individuals change their
passwords from time-to-time and that kept their PayPal accounts safe and
secured for a very long time.

Hoping for your understanding. Thank you for contacting PayPal.
-----------------------------------------------

So sending a SMS code via a third party they don't control is secure?
Ditto an email?

I'm not aware of any computationally feasible way to get a matching
password for a salted SHA-256 representation of a reasonably long random
sequence of characters.

In any case, if a hacker manages to obtain a password by whatever means,
they are going to make use of it immediately, so changing passwords is
unhelpful.

Sylvia.

Re: PayPal do not understand security


https://www.novabbs.com/computers/article-flat.php?id=1535&group=comp.misc#1535

Path: i2pn2.org!i2pn.org!news.nntp4.net!nntp.terraraq.uk!.POSTED.nntp.terraraq.uk!not-for-mail
From: inva...@invalid.invalid (Richard Kettlewell)
Newsgroups: comp.misc
Subject: Re: PayPal do not understand security
Date: Thu, 12 May 2022 13:02:48 +0100
Organization: terraraq NNTP server
Message-ID: <87tu9vx8k7.fsf@LkoBDZeT.terraraq.uk>
References: <je4aseFprbhU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: mantic.terraraq.uk; posting-host="nntp.terraraq.uk:2a00:1098:0:86:1000:3f:0:2";
logging-data="55112"; mail-complaints-to="usenet@mantic.terraraq.uk"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:NPLtzJ5qaw+ScBVCOG8mZv4Z//4=
X-Face: h[Hh-7npe<<b4/eW[]sat,I3O`t8A`(ej.H!F4\8|;ih)`7{@:A~/j1}gTt4e7-n*F?.Rl^
F<\{jehn7.KrO{!7=:(@J~]<.[{>v9!1<qZY,{EJxg6?Er4Y7Ng2\Ft>Z&W?r\c.!4DXH5PWpga"ha
+r0NzP?vnz:e/knOY)PI-
X-Boydie: NO
 by: Richard Kettlewell - Thu, 12 May 2022 12:02 UTC

Sylvia Else <sylvia@email.invalid> writes:
> I asked that all methods of resetting my password be disabled, since I
> am not going to forget it, and I view the various reset methods as
> being highly insecure.

They are not going to change their authentication system for your niche
use case.

> I'm not aware of any computationally feasible way to get a matching
> password for a salted SHA-256 representation of a reasonably long
> random sequence of characters.

Depends how many rounds of SHA256 are used.

But there is plenty of residual risk even after adequately securing the
backend password storage. An attacker may install a keylogger on the
victim’s computer (or some other form of compromise). They may fool the
user into typing into an attacker-controlled web page (i.e. by phishing).

--
https://www.greenend.org.uk/rjk/
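Sylvia's remark about a "salted SHA-256 representation" and Richard's reply that it "depends how many rounds" are both about the same thing: how the stored verifier is built. The following is an added example, not code from anyone in this thread or from PayPal, showing the usual construction (PBKDF2-HMAC-SHA256 with a per-account salt and a stored round count) and a cost model that makes the rounds argument concrete. The default of 600,000 rounds, the sample password, and the attacker throughput figure of 10^10 rounds per second are assumptions chosen for illustration.

```python
# Added example (not from the thread): how a "salted SHA-256" password
# verifier is normally built, and why the number of rounds matters.
# Standard library only. Sample password, salt and throughput figures
# below are constructed for illustration.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

HASH_NAME = "sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: a deliberately slow, current-style setting


def make_verifier(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return what a server should store: algorithm, per-account salt,
    round count and digest. Storing the parameters alongside the digest
    lets the round count be raised later without a reset."""
    salt = salt if salt is not None else os.urandom(16)  # unique per account
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2-" + HASH_NAME, "salt": salt,
            "iterations": iterations, "digest": digest}


def verify(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def guessing_cost_seconds(iterations: int, search_space_bits: float,
                          rounds_per_second: float) -> float:
    """Expected seconds for an attacker to try half of a 2**bits search
    space, given an assumed throughput in PBKDF2 rounds (HMAC-SHA256)
    per second. Each extra round multiplies the attacker's per-guess cost
    by the same factor it multiplies the server's."""
    guesses = 2 ** (search_space_bits - 1)
    return guesses * iterations / rounds_per_second


def guessing_cost_table(iterations_list: Iterable[int], search_space_bits: float,
                        rounds_per_second: float) -> Dict[int, float]:
    """Same estimate for several round counts, keyed by round count."""
    return {it: guessing_cost_seconds(it, search_space_bits, rounds_per_second)
            for it in iterations_list}


if __name__ == "__main__":
    rec = make_verifier("correct horse battery staple")  # constructed sample password
    print("stored:", rec["alg"], rec["iterations"], rec["salt"].hex(), rec["digest"].hex())
    print("verify ok:", verify("correct horse battery staple", rec))
    print("verify bad:", verify("wrong password", rec))
    # A 40-bit search space against an assumed 1e10 rounds/s: one round is
    # under a minute, 600k rounds is on the order of a year.
    for it, secs in guessing_cost_table([1, 10_000, 600_000], 40, 1e10).items():
        print(f"{it:>7} rounds: {secs / 86400:.1f} days")
```

The point of the table is that salting only stops precomputation and per-hash sharing of work; the round count is what sets the attacker's price per guess, and a single round of SHA-256, salted or not, leaves a short password guessable in minutes on commodity hardware.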

Re: PayPal do not understand security


https://www.novabbs.com/computers/article-flat.php?id=1536&group=comp.misc#1536

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan1es...@gmail.com (Dan Espen)
Newsgroups: comp.misc
Subject: Re: PayPal do not understand security
Date: Thu, 12 May 2022 12:05:02 -0400
Organization: A noiseless patient Spider
Lines: 18
Message-ID: <t5jb7e$ikt$1@dont-email.me>
References: <je4aseFprbhU1@mid.individual.net>
<87tu9vx8k7.fsf@LkoBDZeT.terraraq.uk>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="014e07aa70a5452fea8cef444f1adb8d";
logging-data="19101"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/lX8wIOhqeGrZIC5AdeyTVebtPyv2QeP8="
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Cancel-Lock: sha1:0RTBgHTPGa2k25F4nUZk+atfY0s=
 by: Dan Espen - Thu, 12 May 2022 16:05 UTC

Richard Kettlewell <invalid@invalid.invalid> writes:

> Sylvia Else <sylvia@email.invalid> writes:
>> I asked that all methods of resetting my password be disabled, since I
>> am not going to forget it, and I view the various reset methods as
>> being highly insecure.
>
> They are not going to change their authentication system for your niche
> use case.

Agree.

I doubt their software has the ability to create passwords that can't
change. The whole idea sounds like a mis-feature.

--
Dan Espen

Re: PayPal do not understand security


https://www.novabbs.com/computers/article-flat.php?id=1537&group=comp.misc#1537

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: ema...@here.invalid (Adrian Caspersz)
Newsgroups: comp.misc
Subject: Re: PayPal do not understand security
Date: Thu, 12 May 2022 17:21:46 +0100
Organization: Keep Usenet Text Newsgroups Alive!!
Lines: 37
Message-ID: <je4qgrFsp7eU1@mid.individual.net>
References: <je4aseFprbhU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net 1coz8bsn2ntF2yd4dP3X0AY1q/Z+W2yhQoM+0AilS0GIPjx2i7
Cancel-Lock: sha1:YPKz2pnTVILvMgILj6r+Yc50fhQ=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.8.0
Content-Language: en-GB
In-Reply-To: <je4aseFprbhU1@mid.individual.net>
 by: Adrian Caspersz - Thu, 12 May 2022 16:21 UTC

On 12/05/2022 12:54, Sylvia Else wrote:
> I asked that all methods of resetting my password be disabled, since I
> am not going to forget it, and I view the various reset methods as being
> highly insecure.
>
> Here's their reply:
>
> ------------------------------------------------
>
> Hi Miss Sylvia. This is XXXXX. Thank you for contacting us.
>
> Due to security reason and for the safety of all our PayPal customers,
> the option to disable all methods of password recovery can not be granted.
>
> There are occasions in which hackers were able to get the passwords of
> the customers. So our customers need to change their passwords to stop
> hackers from accessing their accounts; to prevent their accounts from
> being compromised.
>
> I know that this may be annoying. But the safety and the security of our
> PayPal customers are our top priority. which is why disabling the
> password recovery method can never be removed (sic).
>

Do you need to use PayPal then?

When setting up some accounts, for password recovery purposes other
entities allow you to download a set of codes that can be printed to be
securely kept sellotaped under the dog's feeding bowl.

These _only_ can be used to get back into the account.

However, print it out. Give it to the dog to eat, and then you'll have
your secure account.

--
Adrian C

Re: PayPal do not understand security


https://www.novabbs.com/computers/article-flat.php?id=1538&group=comp.misc#1538

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: ema...@here.invalid (Adrian Caspersz)
Newsgroups: comp.misc
Subject: Re: PayPal do not understand security
Date: Thu, 12 May 2022 19:55:23 +0100
Organization: Keep Usenet Text Newsgroups Alive!!
Lines: 19
Message-ID: <je53grFue3tU1@mid.individual.net>
References: <je4aseFprbhU1@mid.individual.net>
<je4qgrFsp7eU1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net sXpqT2vt7qrujT5raeN9TgxHxu73Dx9vcseeNyg5m6q96S87mE
Cancel-Lock: sha1:qxB8UVSm0MWz7lLHjIny2OhBY8c=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Thunderbird/91.8.0
Content-Language: en-GB
In-Reply-To: <je4qgrFsp7eU1@mid.individual.net>
 by: Adrian Caspersz - Thu, 12 May 2022 18:55 UTC

On 12/05/2022 17:21, Adrian Caspersz wrote:

>
> These _only_ can be used to get back into the account.
>
> However, print it out. Give it to the dog to eat, and then you'll have
> your secure account.
>

Ah, I see Paypal are asking for answers for two previously chosen questions.

Be creative, don't have to be so truthful. Give them the name ya first
pet as 'Donald Trump' and ya first school as 'School of Life'.

Or use a long string of random characters in ya answers and give the
poor sod on the phone a hard time rekeying them.

--
Adrian C

Re: PayPal do not understand security


https://www.novabbs.com/computers/article-flat.php?id=1539&group=comp.misc#1539

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ric...@example.invalid (Rich)
Newsgroups: comp.misc
Subject: Re: PayPal do not understand security
Date: Thu, 12 May 2022 19:06:08 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 45
Message-ID: <t5jlr0$vg$1@dont-email.me>
References: <je4aseFprbhU1@mid.individual.net> <je4qgrFsp7eU1@mid.individual.net> <je53grFue3tU1@mid.individual.net>
Injection-Date: Thu, 12 May 2022 19:06:08 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="410cb9fe1bd5bd7ff94697c3fa1cc321";
logging-data="1008"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/80e2zgdDkU9fquey1oYYZ"
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/3.10.17 (x86_64))
Cancel-Lock: sha1:uvd80x/jE+2jxyNjFOWwsWEVu6c=
 by: Rich - Thu, 12 May 2022 19:06 UTC

Adrian Caspersz <email@here.invalid> wrote:
> On 12/05/2022 17:21, Adrian Caspersz wrote:
>
>>
>> These _only_ can be used to get back into the account.
>>
>> However, print it out. Give it to the dog to eat, and then you'll have
>> your secure account.
>>
>
> Ah, I see Paypal are asking for answers for two previously chosen questions.
>
> Be creative, don't have to be so truthful.

This is the part that trips many up with the "recovery questions".
They take the questions too literally.

> Give them the name ya first pet as 'Donald Trump' and ya first school
> as 'School of Life'.
>
> Or use a long string of random characters in ya answers and give the
> poor sod on the phone a hard time rekeying them.

I've seen reports (sorry, no longer remember what blog/site for
citations) that when calling and talking to customer service reps, that
attackers can get the service rep to "bypass" the "long string of random
characters" by telling the rep something like: "I just banged out a
bunch of random keys" and the service rep. accepts that as an answer.
So better to use a random assemblage of words, then at least you might
be protected from someone sweet-talking their way past a customer
service rep.

What I do for those questions, for sites that demand them, is this:

$ sort --random-sort --random-source=/dev/urandom /usr/dict/words | head -5 | tr $'\n' " " ; echo
cottonseed suction architect supplants highways

And then "cottonseed suction architect supplants highways" goes in the
field, and in the notes box in my password manager for the site's
entry, so later, if needed, I have a record of what was used. Adjust
size given to "head" for number of words desired.

Hopefully someone sweet-talking with "just mashed random keys" won't be
allowed past by the service rep. And hopefully by being real words,
the rep. will insist on the attacker repeating the actual words.

Re: PayPal do not understand security


https://www.novabbs.com/computers/article-flat.php?id=1540&group=comp.misc#1540

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: news0...@eager.cx (Bob Eager)
Newsgroups: comp.misc
Subject: Re: PayPal do not understand security
Date: 12 May 2022 23:14:12 GMT
Lines: 12
Message-ID: <je5im4Fhj33U4@mid.individual.net>
References: <je4aseFprbhU1@mid.individual.net>
<je4qgrFsp7eU1@mid.individual.net> <je53grFue3tU1@mid.individual.net>
<t5jlr0$vg$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Trace: individual.net 4/Iupc41QhE5kC0NxB3J1AxverzwWgBIx6X9uzRFRle0TUN3qD
Cancel-Lock: sha1:UUrK0mq+Ud2hxq05hHhkZbB74F4=
User-Agent: Pan/0.145 (Duplicitous mercenary valetism; d7e168a
git.gnome.org/pan2)
 by: Bob Eager - Thu, 12 May 2022 23:14 UTC

On Thu, 12 May 2022 19:06:08 +0000, Rich wrote:

> $ sort --random-sort --random-source=/dev/urandom /usr/dict/words | head -5 | tr $'\n' " " ; echo
> cottonseed suction architect supplants highways

I use dicewords (the improved list) and a set of casino dice.

--
Using UNIX since v6 (1975)...

Use the BIG mirror service in the UK:
http://www.mirrorservice.org
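Rich's `sort --random-source=/dev/urandom | head -5` and Bob's dice-and-wordlist method are two ways of doing the same thing: picking recovery answers from a word list with a real source of randomness, so the answer is both unguessable and something a phone rep can make a caller repeat word for word. The following is an added example, not code from either poster, that does both in Python and also reports how much entropy each answer carries, which neither post shows. The 36-word list is constructed for the example so it runs offline (36 = 6**2, so two dice address every word); a real diceware list has 7776 = 6**5 words and uses five dice per word.

```python
# Added example (not code from the thread): random-word recovery answers
# as Rich and Bob describe, plus their entropy. Standard library only.
# WORDS is a constructed 36-entry list (6**2, so two dice select a word)
# standing in for a real 7776-word (6**5, five dice) diceware list.
import math
import secrets
from typing import List, Sequence

WORDS: List[str] = [
    "apple", "basket", "candle", "dolphin", "engine", "falcon",
    "garden", "hammer", "island", "jacket", "kettle", "lantern",
    "meadow", "needle", "orbit", "pepper", "quartz", "ribbon",
    "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "anchor", "bridge", "copper", "desert",
    "ember", "fossil", "glacier", "harbor", "ivory", "jungle",
]

_RNG = secrets.SystemRandom()  # OS CSPRNG, the same source as /dev/urandom


def random_word_answer(n_words: int, words: Sequence[str] = WORDS) -> str:
    """Rich's approach: shuffle the list with OS randomness and take the
    first n words (without replacement, as `sort --random-sort | head` does)."""
    return " ".join(_RNG.sample(list(words), n_words))


def dice_to_index(rolls: Sequence[int]) -> int:
    """Read a sequence of dice rolls (each 1..6) as a base-6 number,
    most significant roll first, giving a 0-based index into the list."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("a die shows 1..6, got %r" % (r,))
        idx = idx * 6 + (r - 1)
    return idx


def dice_per_word(wordlist_len: int) -> int:
    """Dice needed to address every word; the list must have 6**k entries."""
    k = round(math.log(wordlist_len, 6))
    if 6 ** k != wordlist_len:
        raise ValueError("diceware lists must have 6**k words")
    return k


def roll_word(words: Sequence[str] = WORDS) -> str:
    """Bob's approach, with the dice simulated by the CSPRNG: roll k dice,
    look the result up in the list. With replacement across words."""
    k = dice_per_word(len(words))
    rolls = [_RNG.randint(1, 6) for _ in range(k)]
    return words[dice_to_index(rolls)]


def diceware_answer(n_words: int, words: Sequence[str] = WORDS) -> str:
    return " ".join(roll_word(words) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist_len: int, replacement: bool = True) -> float:
    """Bits of entropy in an n-word answer drawn uniformly from the list.
    Without replacement (sort | head) the count is the falling factorial,
    marginally below n * log2(N)."""
    if replacement:
        return n_words * math.log2(wordlist_len)
    return sum(math.log2(wordlist_len - i) for i in range(n_words))


if __name__ == "__main__":
    print("sort|head style:", random_word_answer(5))
    print("dice style:     ", diceware_answer(5))
    print("5 words from this toy list: %.1f bits" % entropy_bits(5, len(WORDS)))
    print("5 words from a 7776-word list: %.1f bits" % entropy_bits(5, 7776))
```

Five words from the toy list give only about 26 bits, which is why the real lists are large: five words from a 7776-word list give about 64.6 bits, comfortably beyond anything a rep could be talked past or an attacker could enumerate through a rate-limited recovery flow. As Rich says, the answer then goes into the password manager's notes for the site, since it is a credential, not a fact about you.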
