Foibles of user "security" questions

Victor Duchovni Victor.Duchovni at MorganStanley.com
Mon Jan 7 23:09:04 EST 2008


On Tue, Jan 08, 2008 at 07:43:58AM +0800, Ian Farquhar (ifarquha) wrote:

> I've been having this problem for years (my mother's maiden name is,
> indeed, four characters long).  It's often rejected as too short, yet
> I'm forced to enter it.  I do the workaround of entering it twice, but
> then have to remember which sites I applied this hack for.
> 

Why enter your mother's actual maiden name when prompted for it? A
security savvy user will recognize this as a second password, that
multiple sites seem to want to share, and enter something unique and
unmemorable (stored on a "keychain" or just discarded if the primary
password is similarly safely stored).

When asked to provide answers for security questions, mine are always
either the output of "openssl rand -base64 N" (with N = 6, 9 or 12),
or more memorable non-sequiturs when that is more appropriate. Here's
a new reasonably memorable variant.

    Q: Mother's Maiden Name:
    A: Winston-Delano-Stalin

-- 
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
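The "openssl rand -base64 N" recipe from the message above, as an added example that is not part of the original post: a small POSIX shell script that generates a random, unmemorable answer for a site's "security question" and checks it against a site's minimum length. The function names (gen_answer, expected_len, answer_ok) are illustrative; the script assumes either openssl or /dev/urandom plus a base64 utility is available.

```shell
#!/bin/sh
# Generate a random answer for a "security question", as the post describes:
# openssl rand -base64 N with N = 6, 9 or 12 bytes.  Falls back to
# /dev/urandom if openssl is not installed (assumes a base64 utility exists).
gen_answer() {
    n=${1:-12}
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$n"
    else
        head -c "$n" /dev/urandom | base64
    fi
}

# Base64 output length for n bytes is 4 * ceil(n/3) characters.  Picking n as
# a multiple of 3 (6, 9, 12) avoids '=' padding in the answer, which some
# web forms reject.
expected_len() {
    echo $(( 4 * (($1 + 2) / 3) ))
}

# Sanity check before pasting into a form: the answer must meet the site's
# minimum length (default 8) and consist only of base64 characters.
# Returns 0 when acceptable, 1 otherwise.
answer_ok() {
    ans=$1
    min=${2:-8}
    [ "${#ans}" -ge "$min" ] || return 1
    printf '%s\n' "$ans" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Usage: generate a 12-byte answer and verify it clears an 8-character minimum.
# Store the result in a keychain alongside the site's password; do not try to
# remember it.
ans=$(gen_answer 12)
if answer_ok "$ans" 8; then
    printf 'A: %s\n' "$ans"
fi
```

The answer carries N bytes of entropy (48, 72 or 96 bits), far more than any real maiden name, and because it is unique per site, a breach at one site cannot be replayed as the "second password" at another.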
