Darkoshi ([personal profile] darkoshi) wrote2011-08-27 12:04 am

password security

All it takes is answering my 3 security questions correctly, and my bank lets me reset my password online? It doesn't even involve anything via email? I know that email isn't secure, but really? Isn't it a lot easier for someone to guess the answers to your security questions than to guess your password, if it is a good password? Hopefully, if someone enters the security questions wrong more than a few times, the system locks them out and makes them provide other proof of their identity.

This page makes a very good point about security questions:

Even if you can't make up your own question, there's nothing that says your answer has to make sense. The only things that matter are that a) only you know the answer and b) you will always know the answer.

That's it.

The system isn't checking to see if your answers "make sense", what they're checking is that when they ask you the question the answer you give is the same as whatever you gave when you set it up.

The computer behind it all doesn't know that "Jack Sparrow" isn't a possible mother's maiden name, or that it's a rare high school that has "Toilet Bowl" as its mascot. And as long as no one else knows those are the answers you give and you always remember them then it doesn't matter in the least that they make no sense.

The answers don't have to make sense.

They just have to match.
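One way a reset flow could store and check answers along these lines, as an added example (not the bank's code or the quoted page's): answers are normalized so "Jack Sparrow" and "jack  sparrow" match, stored as salted PBKDF2 hashes rather than plaintext, compared in constant time, and the challenge locks after a few wrong attempts. All names, thresholds and sample answers here are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed demo of a security-answer check; hypothetical names, not any real system's code.
MAX_FAILURES = 3        # lock the challenge after this many wrong attempts
PBKDF2_ROUNDS = 100_000


def normalize(answer):
    """Canonicalize case, Unicode form and whitespace so trivial typing differences still match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def enroll(answer):
    """Hash an answer like a password: returns (salt, digest), never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ResetChallenge:
    """Checks all enrolled answers and counts failures; locks out after MAX_FAILURES."""

    def __init__(self, enrolled):
        self.enrolled = enrolled   # list of (salt, digest) tuples, one per question
        self.failures = 0
        self.locked = False

    def verify(self, answers):
        """True only if every answer matches and the challenge is not locked."""
        if self.locked:
            return False
        ok = len(answers) == len(self.enrolled)
        for (salt, stored), given in zip(self.enrolled, answers):
            candidate = hashlib.pbkdf2_hmac("sha256", normalize(given).encode(), salt, PBKDF2_ROUNDS)
            # Constant-time compare, and keep checking every answer so the
            # response time does not reveal which one was wrong.
            ok = hmac.compare_digest(candidate, stored) & ok
        if not ok:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True   # further identity proof must happen out of band
        return ok
```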

[identity profile] fayanora.livejournal.com 2011-08-27 05:10 am (UTC)
This is where being creative helps. Consider for a moment my love of reading and writing science fiction. Consider my multiple constructed languages. Consider my fascination with codes and ciphers. And then consider the weird random way my brain works. If I get to write my own security questions, they may be in code, or one of my constructed languages, or both. Even if English, I can ask questions that make most people go "What the fuck?" Even normal looking questions may have an answer impossible to guess because the answer isn't in normal English. I obviously can't cite any real examples, but let's assume for a moment that my mother's maiden name is Blue-Green (it isn't). So even if I get the boring "What is your mother's maiden name?", instead of writing "Blue-Green," I could write in TPNN "Gwehriz-Krahbaag" or encode "Comvof-Hosoffoo" or encode "Coxfisja-Losbicobboh."

For simpler answers that are still strange enough to flummox people, say the question is "What was the name of your first pet?" And one could think of it in terms of a BDSM kind of human pet, and thus put something like "Gillian Anderson" or "Robert Redfield" instead of "Rover" or "Fluffy."

I also have a constructed language called Jibberesh which makes for some bizarre answers. For example, "I love you" in Jibberesh is "Oing hashbladder boing."

So, as we see, even boring questions easy to guess can be made to flummox baddies. Just make sure you can remember the answers, or write them down somewhere, preferably in an encrypted vault made with TrueCrypt, or at least in code, if you write it on paper.

One of my favorite things to do in codewriting is write a sentence in three or four different languages first, and THEN put it through a cipher. It's clever because substitution ciphers can be cracked by... I forget the proper term, but it's where they assume it's English, and look for the most common letters in the code and compare it to the most common letters in English, thus giving them a way to break it. But if you're writing in a bunch of different languages first, you'll render that method useless. Example:

Sentence to encode: "Most of us know asbestos as 'that puffy stuff it cost a fortune to take out of the walls of public schools.'"

First, with TPNN conlang bits: "Vahzii seh grehn saber asbestos ehg 'dass puffy maik it kosten un vermogen to Nehmen Sie von heraus la falak seh preifat ysgolion.'"

Then: Encode it with a substitution cipher.

I used a few more languages in there than I usually do. I usually only use Spanish, English, and TPNN, maybe some German. In this example I used some Dutch, Welsh, and Hungarian as well. It's best to remember which languages you use.

And of course, all of that and more can be done to think of passwords to begin with.