Security by Absurdity


I am a complainer. I you have read my blog before you know I complain. A Lot. Not that I like. Not that I think it is unfounded (ha, who ever thinks that)


We do (did) not own a laptop in our household (I do have my working laptop, but I use it everyday for... you know... working).

My girlfriend needed a device that could do Office for a course she had to attend in August and I seem to be the official IT supporter of our household (and beyond).

Patching it

We do own an iPad Air (first gen), so I gleefully installed "Office" (Word, Excel and Powerpoint) for iOS for her to use alongside our Bluetooth Microsoft Wedge Keyboard.

I seem to recall that, once installed, one had to provide a Microsoft Live Account (it does not seem to be mandatory nowadays, it might not have been then either) to get things going.
She does not have one, so I created one for her thinking she might use OneDrive to get some of her data afterwards, so I created the account from the iPad, dutifully noting down the temporary password, alongside her newly created outlook email, using her usual Gmail account as an alternate address.

Fast Forward One Month

  1. Moving locations to another city.
  2. Another course with Office needs.
  3. A document previously created (and saved in One Drive) is needed.
    Trying to open it request the password of that Live Account that was add-hoc created by me at midnight one month ago and which credentials were stored in a piece of very secure paper.
  4. First try. Fail.
  5. Second try. Fail. Panic.
  6. All of a sudden someone else forgetting her password becomes an issue of mine. Helpful as I am, I tried my battery of usual stupid temporary passwords.
  7. None of them work and They think I am trying to hack the account so They challenge me with their Captcha (or whatever they name it) and succeed in the challenge part (I can only imagine how difficult it might be for a bot to guess those).
  8. “Sorry, dear, can't remember your password”. Of course that is long forgotten by both of us (and so is the ultra-secure post-it in which was written)

Fixing it. Not!

Alright, let’s recover your password and then we’ll have dinner.

Ha! How much fun would it be the post then? Some, surely. But not as much fun as the process.

They could not simply have a form in which you punch the id of the account which password you can recover, send an email to the alternate email address and reset it from there.
They could even be fancy and require a mobile phone to send a stupid code before being able to reset the damn password (an attacker would have to have gained access to the alternate email –possible– but also to the mobile phone –less likely–).

But no. They prompt you with a whole recovery form in which you have to punch in “as much info as you can” in order to “get back into your account”.

  1. First and Last Name. Yeah, I know that
  2. Birth Date. I better know that unless I want to be physically hurt.
  3. Country/region/postal code. Uhm, did I enter the country/region where she was born or the one in which we lived when I created it. It better be the latter as I sure don’t remember the postal code she was born in. Or maybe the one we have just moved to. Hell, I will try them all.

That’ll do. Double ha! That information is not enough for the for to be sent. They ask for more:

  1. Other passwords you've used for this account. Sorry can’t do that, it is the first and only password this account has ever had. Next
  2. Subjects of your recently sent emails. Sorry, can’t do that either. I have never sent an email with that account. I created it from the iPad app just to sneak a few GB of your cloudy hard disks.
  3. Names of any folders you've created, other than default folders like Junk, Drafts, or Sent. Nah, I did not even created folders in One Drive
  4. Email addresses of contacts you've recently sent emails to. Did I mention that the account was not created with email purposes in mind?
  5. Last five digits of your Xbox Live prepaid card number. Wat? I do not even know what that is and I doubt you can get them in Denmark.
  6. Name on credit card and Expiration date. I signed for a free service and sure as hell I did not enter any credit card information.

Desperate measures…

After being denied the recovery once (I was kind of expecting that, after inventing some of the data in order to be able to send the form) I felt like being inside one of those Sci-Fi movies in which Humans feel corralled by the definitely superior AI of the Machines but are desperate because a joke, a wink or casual flirting won’t soften their neural networks enough to open a possible exit of the loop-hole.
So I decided to phone the entity known as Microsoft Support.

It definitely has to be someone physical (and/or very paranoid) because no one is more careful with giving away their contact information than “Support”. Three or four levels of browsing won’t get you her number. But Search Engines know better and I could get some phone numbers. I was definitely onto something. Those fellow humans will surely understand and laugh with me at the silliness of their recovery system while handing me over some extra swag to keep my trust levels below average.

I only need to find a part of the world in which people would be enslaved working at 21:00 (images of my Spanish origins came back vividly at me) or… I can use my human brain to realize that clocks in Europe are way behind the reality of the North-American Multiverse. Microsoft Support USA I will call despite the long distance call costs.

…are taken by desperate people…

After the longest, most ridicule phone menu ever (that is clearly an over-exaggeration, I’ve seen much, much, much worse) I got to the point in which they are about to  connect me to a human that deals with account information just to remind me that no security or retrieval can be discussed due to security concerns. Sad smile

… just to become enraged.

Damn you to hell positronic brains! I won’t ever find a way to charm a human into giving access to an account I genuinely created.

Seriously now…

…and I mean it.

Someone at Microsoft has to do something to end that madness of recovery process.

It is seriously flawed (at least one user can’t recover her account but I doubt she is alone in this) and is preventing customers to retrieve files they own, punishing them for having human brains.