security questions

Apu Kapadia akapadia at
Wed Aug 6 16:56:04 EDT 2008

On Aug 6, 2008, at 12:17 PM, Leichter, Jerry wrote:

> For Web sites these days, I generate random strong passwords and keep
> them on a keychain on my Mac.  Actually, the keychain gets synchronized
> automatically across all my Macs using .mac/MobileMe (for all their
> flaws).  When I do this, I enter random values that I don't even
> record for the security questions.  Should something go wrong, I'm
> going to end up on the phone with a rep anyway, and they will have
> some other method for authenticating me (or, of course, a clever
> social-engineering attacker).

An excerpt from my recent blog post:

Now, this topic is not new. Bruce Schneier wrote about it a few years  
ago [2]. Schneier says that he “type[s] a completely random answer,”  
but consider this anecdote: a colleague of mine uses the same  
technique. He called up customer service once, who then asked him,  
“what’s the answer to your security question?” He said, “some random  
numbers.” The response was “okay.” So picking random numbers might be  
less secure than picking a realistic answer? :-)


Apu Kapadia, Ph.D. UIUC 2005
Research Assistant Professor
Department of Computer Science, Dartmouth College, USA

The Cryptography Mailing List