[112820] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: Foibles of user "security" questions

daemon@ATHENA.MIT.EDU (mtd)
Wed Jan 9 17:37:34 2008

Date: Wed, 09 Jan 2008 11:33:08 +0100
From: mtd <mtd@centrum.cz>
To:  cryptography@metzdowd.com

Victor Duchovni wrote:
 > A
 > security savvy user will recognize this as a second password, that
 > multiple sites seem to want to share, and enter something unique and
 > unmemorable (stored on a "keychain" or just discarded if the primary
 > password is similarly safely stored).

In fact, I see security questions as a security weakness.

My typical answer is random garbage, such as output of pwgen -s -y 48 1. 
This can be discarded then. Or, at least, gpw 1 60 (gpw output is less 
secure, but can be stored, remembered, and even written in on simplified 
keyboards)

Leichter, Jerry wrote:
 > I can just see the day when someone's fingerprint is rejected as
 > "insufficiently complex".

:-) Or iris scan, or body dimensions. I call it security through 
stupidity. :-)

But never mind, these people will be picked up by by government 
datamining as un-normal (terrorist suspects) and imprisoned. Problem solved.

-- 
Martin Tomasek

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post