security questions
Apu Kapadia
akapadia at cs.dartmouth.edu
Wed Aug 6 16:56:04 EDT 2008
On Aug 6, 2008, at 12:17 PM, Leichter, Jerry wrote:
> For Web sites these days, I generate random strong passwords and keep
> them on a keychain on my Mac. Actually, the keychain gets synchronized
> automatically across all my Macs using .mac/MobileMe (for all their
> flaws). When I do this, I enter random values that I don't even
> record for the security questions. Should something go wrong, I'm
> going to end up on the phone with a rep anyway, and they will have
> some other method for authenticating me (or, of course, a clever
> social-engineering attacker).
An excerpt from my recent blog post:
Now, this topic is not new. Bruce Schneier wrote about it a few years
ago [2]. Schneier says that he “type[s] a completely random answer,”
but consider this anecdote: a colleague of mine uses the same
technique. He called up customer service once, who then asked him,
“what’s the answer to your security question?” He said, “some random
numbers.” The response was “okay.” So picking random numbers might be
less secure than picking a realistic answer? :-)
[2] http://www.computerworld.com/securitytopics/security/story/0,,99628,00.html
--
Apu Kapadia, Ph.D. UIUC 2005
Research Assistant Professor
Department of Computer Science, Dartmouth College, USA
http://www.cs.dartmouth.edu/~akapadia/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com