Foibles of user "security" questions

Ian Farquhar (ifarquha) ifarquha at cisco.com
Mon Jan 7 18:43:58 EST 2008


I've been having this problem for years (my mother's maiden name is,
indeed, four characters long).  It's often rejected as too short, yet
I'm forced to enter it.  I do the workaround of entering it twice, but
then have to remember which sites I applied this hack for.

It's a typical dumb programmer mistake.  Data (password) vs. information
(mother's maiden name).  Character length contributes entropy to one,
but not to the other.  But on an even more fundamental level, it also
indicates a lack of attention to the input data, which could highlight
vulnerabilities in other areas too.

<rant>

I'm probably preaching to the choir here, and maybe it's a sign of
"grumpy old guy syndrome", but the average programmer seems to me to be
getting dumber every year.  I personally blame University courses who've
so divorced software development from any understanding of the
underlying OS, hardware or information theory, that we've got a bunch of
people who think everyone programs in Java or C#, Microsoft is the only
OS vendor there is, and if your program runs slowly, you just need more
memory.

</rant>

Ian.

-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of Leichter, Jerry
Sent: Tuesday, 8 January 2008 4:14 AM
To: cryptography at metzdowd.com
Subject: Foibles of user "security" questions

Reported on Computerworld recently:  To "improve security", a system was
modified to ask one of a set of fixed-form questions after the password
was entered.  Users had to provide the answers up front to enroll.  One
question:  Mother's maiden name.  User provides the 4-character answer.
System refuses to accept it:  Answer must have at least 6 characters.

I can just see the day when someone's fingerprint is rejected as
"insufficiently complex".
-- Jerry
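Ian's "data vs. information" point, shown as an added example that is not code from the thread: a random password gains entropy from every extra character, while a maiden name is only as unpredictable as that name is in the population, so applying a password-style minimum length to the answer is the wrong check. The surname frequency table below is constructed for illustration, not real data, and the enrolment/verify helpers are an assumed design.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata

# Constructed toy distribution (NOT real census data) standing in for what a
# guesser knows about how maiden names are distributed.  Probabilities sum to 1.
SURNAME_FREQ = {
    "lee": 0.20, "ng": 0.15, "smith": 0.15, "jones": 0.10,
    "williams": 0.10, "o'brien": 0.10, "fitzgerald": 0.10, "ali": 0.10,
}

def normalise(answer):
    """Canonical form so 'Ng', ' NG ' and 'ng' enrol and verify identically."""
    return unicodedata.normalize("NFKC", answer).casefold().strip()

def password_entropy_bits(length, alphabet_size=94):
    """Uniformly random password: entropy grows linearly with length."""
    return length * math.log2(alphabet_size)

def answer_entropy_bits(answer):
    """Answer drawn from a known distribution: -log2 p(answer), which does
    not depend on how many characters the name happens to have.
    Returns None for a name outside the modelled population."""
    p = SURNAME_FREQ.get(normalise(answer))
    return -math.log2(p) if p else None

def buggy_accept_answer(answer):
    """The mistake in the thread: a password rule applied to a name."""
    return len(answer) >= 6

def accept_answer(answer):
    """Corrected rule: any non-empty name is a valid answer."""
    return len(normalise(answer)) > 0

def enrol_answer(answer):
    """Store a salted, stretched hash of the normalised answer (assumed design)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)
    return salt, digest

def verify_answer(stored, candidate):
    """Constant-time comparison against the stored digest."""
    salt, digest = stored
    cand = hashlib.pbkdf2_hmac("sha256", normalise(candidate).encode(), salt, 100_000)
    return hmac.compare_digest(digest, cand)
```

Under this toy distribution the ten-letter "Fitzgerald" is worth about 3.3 bits and the two-letter "Ng" about 2.7 bits, while a six-character random password is worth about 39 bits, so the length rule buys nothing for the answer.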

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo at metzdowd.com
