[129957] in cryptography@c2.net mail archive


Re: security questions

daemon@ATHENA.MIT.EDU (Apu Kapadia)
Wed Aug 6 16:59:35 2008

From: Apu Kapadia <akapadia@cs.dartmouth.edu>
To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <Pine.SOL.4.61.0808061208480.5498@mental>
Date: Wed, 6 Aug 2008 16:56:04 -0400


On Aug 6, 2008, at 12:17 PM, Leichter, Jerry wrote:

> For Web sites these days, I generate random strong passwords and keep
> them on a keychain on my Mac.  Actually, the keychain gets synchronized
> automatically across all my Macs using .mac/MobileMe (for all their
> flaws).  When I do this, I enter random values that I don't even
> record for the security questions.  Should something go wrong, I'm
> going to end up on the phone with a rep anyway, and they will have
> some other method for authenticating me (or, of course, a clever
> social-engineering attacker).


An excerpt from my recent blog post:

Now, this topic is not new. Bruce Schneier wrote about it a few years
ago [2]. Schneier says that he "type[s] a completely random answer,"
but consider this anecdote: a colleague of mine uses the same
technique. He called up customer service once, who then asked him,
"what's the answer to your security question?" He said, "some random
numbers." The response was "okay." So picking random numbers might be
less secure than picking a realistic answer? :-)

[2] http://www.computerworld.com/securitytopics/security/story/0,,99628,00.html

-- 
Apu Kapadia, Ph.D. UIUC 2005
Research Assistant Professor
Department of Computer Science, Dartmouth College, USA
http://www.cs.dartmouth.edu/~akapadia/


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
