Entry tags: password security
All it takes is answering my 3 security questions correctly, and my bank lets me reset my password online? It doesn't even involve anything via email? I know that email isn't secure, but really? Isn't it a lot easier for someone to guess the answers to your security questions, than for them to guess your password, if it is a good password? Hopefully if someone enters the security questions wrong more than a few times, the system would lock them out and make the person provide other proof of their identity.
This page makes a very good point about security questions:
Even if you can't make up your own question, there's nothing that says your answer has to make sense. The only things that matter are that a) only you know the answer and b) you will always know the answer.
That's it.
The system isn't checking to see if your answers "make sense", what they're checking is that when they ask you the question the answer you give is the same as whatever you gave when you set it up.
The computer behind it all doesn't know that "Jack Sparrow" isn't a possible mother's maiden name, or that it's a rare high school that has "Toilet Bowl" as its mascot. And as long as no one else knows those are the answers you give and you always remember them then it doesn't matter in the least that they make no sense.
The answers don't have to make sense.
They just have to match.
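To make the two points in the post concrete (the service only compares your answer with what you registered, and repeated wrong guesses should lock the reset path), here is an added example that is not part of the original post or any bank's code. The class name, the three-failure threshold and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_FAILURES = 3  # assumed threshold; the post only says "more than a few times"


def _normalize(answer: str) -> bytes:
    # Case and spacing differences should not lock the real user out.
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def _digest(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy secrets: store a slow salted hash, never the text.
    return hashlib.scrypt(_normalize(answer), salt=salt, n=2**14, r=8, p=1)


class SecurityQuestionCheck:
    """Hypothetical reset check: hashed answers plus a failed-attempt counter."""

    def __init__(self, answers: dict[str, str]):
        self._records = {}
        for question, answer in answers.items():
            salt = os.urandom(16)
            self._records[question] = (salt, _digest(answer, salt))
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def verify(self, attempt: dict[str, str]) -> str:
        if self.locked:
            return "locked"  # caller must fall back to other proof of identity
        ok = True
        for question, (salt, stored) in self._records.items():
            given = _digest(attempt.get(question, ""), salt)
            # Check every answer in constant time; never reveal which one failed.
            ok &= hmac.compare_digest(given, stored)
        if ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.locked else "denied"
```

Nothing in `verify` asks whether an answer is plausible for its question, so a nonsense answer works exactly as well as a real one and is much harder to guess.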
no subject
Aww, not gonna share, even with a made-up example?
I'm not familiar with TrueCrypt. Does it let you encrypt individual files, or only whole disks? If it's the latter, do you know of any programs to encrypt individual files or groups of files, that you would recommend?
TrueCrypt lets you make any size vault you want, from 1 meg to... well, I don't know if there's even an upper limit. I had a 9 gig vault once. I suppose I could encrypt my entire 2TB external drive if I wanted to.
TrueCrypt even has a way of putting a hidden vault inside of another vault, so if someone sees the non-hidden vault and forces the password out of you, they open up and there's some dummy files but no sign of the other vault. Because when you do the secret vault thing, you basically have two passwords for the same vault file. One gets you into the dummy vault, and the other gets you into the hidden vault. (Hidden vault has to be smaller, by necessity, than the vault it's hiding in.)
Best of all, TrueCrypt is open source, so it's completely free with no restrictions on its use.
And for extra security, get OpenOffice (if you don't already have it), another free program; a word processor that can save/read Word format and other formats. Save an OpenOffice file (.odt ending) with a password and nobody can read the file without the password. Stick the password-protected file in a TrueCrypt vault, and it's added security.
So it's entirely possible to stick such a password protected OpenOffice file inside a vault which is hidden in another vault.
Best part: you can disguise the vault files. Add different endings to them to disguise them. That 9 gig vault I had once was disguised as a movie file (AVI, I think). Of course, it won't function like an ordinary whatever file, which gives it away, but if you put the vault file disguised as an OpenOffice file in with a bunch of other OpenOffice files, it'll be harder for some baddy to find which one is the vault. Unless the size is ridiculous for the file type, which is why I disguised the 9 gig vault as a movie file; it was plausible that a video file could be that big. And even if it's opened as whatever file type and doesn't play, there's always the possibility your attacker might think it was a corrupted file and ignore it.
no subject
I'd like to, but doing so would give away my secret to anyone who read this page, thereby defeating its purpose. I'll email you.
TrueCrypt sounds awesome. I will have to try it out. I've been using password-protected zip files for some things, but from what I've heard, they are very easy to crack.