[112735] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: Foibles of user "security" questions

daemon@ATHENA.MIT.EDU (Victor Duchovni)
Tue Jan 8 21:28:15 2008

Date: Mon, 7 Jan 2008 23:09:04 -0500
From: Victor Duchovni <Victor.Duchovni@MorganStanley.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <AAADD16A25EB4B44B7E8B3FB8626FAEB036DB34F@xmb-hkg-414.apac.cisco.com>

On Tue, Jan 08, 2008 at 07:43:58AM +0800, Ian Farquhar (ifarquha) wrote:

> I've been having this problem for years (my mother's maiden name is,
> indeed, four characters long).  It's often rejected as too short, yet
> I'm forced to enter it.  I do the workaround of entering it twice, but
> then have to remember which sites I applied this hack for.
> 

Why enter your mother's actual maiden name when prompted for it? A
security savvy user will recognize this as a second password, that
multiple sites seem to want to share, and enter something unique and
unmemorable (stored on a "keychain" or just discarded if the primary
password is similarly safely stored).

When asked to provide answers for security questions, mine are always
either the output of "openssl rand -base64 N" (with N = 6, 9 or 12),
or more memorable non-sequiturs when that is more appropriate. Here's
a new reasonably memorable variant.

    Q: Mother's Maiden Name:
    A: Winston-Delano-Stalin

-- 
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post