All it takes is answering my 3 security questions correctly, and my bank lets me reset my password online? It doesn't even involve anything via email? I know that email isn't secure, but really? Isn't it a lot easier for someone to guess the answers to your security questions, than for them to guess your password, if it is a good password? Hopefully if someone enters the security questions wrong more than a few times, the system would lock them out and make the person provide other proof of their identity.

This page makes a very good point about security questions:

Even if you can't make up your own question, there's nothing that says your answer has to make sense. The only things that matter are that a) only you know the answer and b) you will always know the answer.

That's it.

The system isn't checking to see if your answers "make sense", what they're checking is that when they ask you the question the answer you give is the same as whatever you gave when you set it up.

The computer behind it all doesn't know that "Jack Sparrow" isn't a possible mother's maiden name, or that it's a rare high school that has "Toilet Bowl" as its mascot. And as long as no one else knows those are the answers you give and you always remember them then it doesn't matter in the least that they make no sense.

The answers don't have to make sense.

They just have to match.
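The two points above (the system only checks that the answer matches what was enrolled, and a few wrong guesses should lock the reset flow) as an added example that is not part of the original post; the question set, the three-strike limit and the normalization rules are assumptions for illustration:

```python
import hashlib, hmac, os, unicodedata
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed policy: lock the reset flow after this many wrong answers

def normalize(answer: str) -> str:
    """Canonicalize an answer so trivial variations still match. Case and
    extra whitespace are ignored and NFKC folds typographic variants. Nothing
    here cares whether the answer 'makes sense'; only a match is checked."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Treat answers as secrets and store a slow salted hash, as for a password.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

@dataclass
class ResetAccount:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    answers: dict = field(default_factory=dict)  # question -> hashed answer
    failures: int = 0
    locked: bool = False

    def enroll(self, question: str, answer: str) -> None:
        self.answers[question] = hash_answer(answer, self.salt)

    def attempt_reset(self, given: dict) -> str:
        """Return 'ok', 'wrong' or 'locked'. Every enrolled question must match."""
        if self.locked:
            return "locked"
        ok = True
        for question, stored in self.answers.items():
            candidate = hash_answer(given.get(question, ""), self.salt)
            if not hmac.compare_digest(candidate, stored):
                ok = False  # keep checking so timing does not reveal which one failed
        if ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # from here on, require out-of-band proof of identity
            return "locked"
        return "wrong"
```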

Date: 2011-08-27 05:10 am (UTC) From: [identity profile] fayanora.livejournal.com
This is where being creative helps. Consider for a moment my love of reading and writing science fiction. Consider my multiple constructed languages. Consider my fascination with codes and ciphers. And then consider the weird random way my brain works. If I get to write my own security questions, they may be in code, or one of my constructed languages, or both. Even if English, I can ask questions that make most people go "What the fuck?" Even normal looking questions may have an answer impossible to guess because the answer isn't in normal English. I obviously can't cite any real examples, but let's assume for a moment that my mother's maiden name is Blue-Green (it isn't). So even if I get the boring "What is your mother's maiden name?", instead of writing "Blue-Green," I could write in TPNN "Gwehriz-Krahbaag" or encode "Comvof-Hosoffoo" or encode "Coxfisja-Losbicobboh."

For simpler answers that are still strange enough to flummox people, say the question is "What was the name of your first pet?" One could think of it in terms of a BDSM kind of human pet, and thus put something like "Gillian Anderson" or "Robert Redfield" instead of "Rover" or "Fluffy."

I also have a constructed language called Jibberesh which makes for some bizarre answers. For example, "I love you" in Jibberesh is "Oing hashbladder boing."

So, as we see, even boring questions easy to guess can be made to flummox baddies. Just make sure you can remember the answers, or write them down somewhere, preferably in an encrypted vault made with TrueCrypt, or at least in code, if you write it on paper.

One of my favorite things to do in codewriting is write a sentence in three or four different languages first, and THEN put it through a cipher. It's clever because substitution ciphers can be cracked by... I forget the proper term, but it's where they assume it's English, and look for the most common letters in the code and compare it to the most common letters in English, thus giving them a way to break it. But if you're writing in a bunch of different languages first, you'll render that method useless. Example:

Sentence to encode: "Most of us know asbestos as 'that puffy stuff it cost a fortune to take out of the walls of public schools.'"

First, with TPNN conlang bits: "Vahzii seh grehn saber asbestos ehg 'dass puffy maik it kosten un vermogen to Nehmen Sie von heraus la falak seh preifat ysgolion.'"

Then: Encode it with a substitution cipher.

I used a few more languages in there than I usually do. I usually only use Spanish, English, and TPNN, maybe some German. In this example I used some Dutch, Welsh, and Hungarian as well. It's best to remember which languages you use.

And of course, all of that and more can be done to think of passwords to begin with.
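The frequency analysis the comment above describes, as an added example that is not part of the original thread: a random monoalphabetic substitution key, the ciphertext letter ranking, and the naive guess that pairs it with English letter frequencies. The English frequency ordering and the sample sentence are constructed for the demonstration.

```python
from collections import Counter
import random
import string

# English letters from most to least common (the usual ETAOIN SHRDLU ordering).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

def make_key(seed: int) -> dict:
    """Random monoalphabetic substitution: plaintext letter -> ciphertext letter."""
    letters = list(string.ascii_lowercase)
    shuffled = letters[:]
    random.Random(seed).shuffle(shuffled)
    return dict(zip(letters, shuffled))

def invert(key: dict) -> dict:
    return {cipher: plain for plain, cipher in key.items()}

def substitute(text: str, key: dict) -> str:
    """Apply the key letter by letter; non-letters pass through unchanged."""
    return "".join(key.get(ch, ch) for ch in text.lower())

def frequency_order(text: str) -> str:
    """Letters of the text ranked from most to least common."""
    counts = Counter(ch for ch in text.lower() if ch.isalpha())
    return "".join(ch for ch, _ in counts.most_common())

def guess_key(ciphertext: str) -> dict:
    """Naive frequency attack: assume the plaintext is English and pair the
    ranked ciphertext letters with ENGLISH_ORDER (ciphertext -> guessed plaintext)."""
    return dict(zip(frequency_order(ciphertext), ENGLISH_ORDER))

def hit_rate(ciphertext: str, key: dict) -> float:
    """Fraction of ciphertext letters the frequency guess decrypts correctly.
    The true key is only used here to score the guess."""
    truth = invert(key)
    guess = guess_key(ciphertext)
    letters = [ch for ch in ciphertext if ch.isalpha()]
    return sum(guess[ch] == truth[ch] for ch in letters) / len(letters)

# Constructed English sample; 'e' is by far its most common letter.
SAMPLE = ("there is nothing else to see here except the letters "
          "themselves and the settings we entered earlier")

if __name__ == "__main__":
    key = make_key(seed=7)
    ct = substitute(SAMPLE, key)
    print(ct)
    print("most common ciphertext letter decrypts to:", invert(key)[frequency_order(ct)[0]])
    print("naive guess hit rate: %.2f" % hit_rate(ct, key))
```

On a short text only the top few letters line up with the English ranking, which is why a real solver adds digram statistics or word lists; on longer English text the same ranking recovers most of the key.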

Date: 2011-08-27 05:11 am (UTC) From: [identity profile] fayanora.livejournal.com
And I should have read the whole entry before replying. But oh well. Still relevant.

Date: 2011-08-27 05:55 am (UTC) From: [identity profile] fayanora.livejournal.com
Reading your comments gave me an idea of how to make my security question answers harder to guess, while still not being overly hard for me to remember.

Aww, not gonna share, even with a made-up example?

I'm not familiar with TrueCrypt. Does it let you encrypt individual files, or only whole disks? If it's the latter, do you know of any programs to encrypt individual files or groups of files that you would recommend?

TrueCrypt lets you make any size vault you want, from 1 meg to... well, I don't know if there's even an upper limit. I had a 9 gig vault once. I suppose I could encrypt my entire 2TB external drive if I wanted to.

TrueCrypt even has a way of putting a hidden vault inside of another vault, so if someone sees the non-hidden vault and forces the password out of you, they open it up and there are some dummy files but no sign of the other vault. Because when you do the secret vault thing, you basically have two passwords for the same vault file. One gets you into the dummy vault, and the other gets you into the hidden vault. (The hidden vault has to be smaller, by necessity, than the vault it's hiding in.)

Best of all, TrueCrypt is open source, so it's completely free with no restrictions on its use.

And for extra security, get OpenOffice (if you don't already have it), another free program; a word processor that can save/read Word format and other formats. Save an OpenOffice file (.odt ending) with a password and nobody can read the file without the password. Stick the password-protected file in a TrueCrypt vault, and it's added security.

So it's entirely possible to stick such a password protected OpenOffice file inside a vault which is hidden in another vault.

Best part: you can disguise the vault files. Add different endings to them to disguise them. That 9 gig vault I had once was disguised as a movie file (AVI, I think). Of course, it won't function like an ordinary whatever file, which gives it away, but if you put the vault file disguised as an OpenOffice file in with a bunch of other OpenOffice files, it'll be harder for some baddy to find which one is the vault. Unless the size is ridiculous for the file type, which is why I disguised the 9 gig vault as a movie file; it was plausible that a video file could be that big. And even if it's opened as whatever file type and doesn't play, there's always the possibility your attacker might think it was a corrupted file and ignore it.
