Foibles of user "security" questions
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Mon Jan 7 23:09:04 EST 2008
On Tue, Jan 08, 2008 at 07:43:58AM +0800, Ian Farquhar (ifarquha) wrote:
> I've been having this problem for years (my mother's maiden name is,
> indeed, four characters long). It's often rejected as too short, yet
> I'm forced to enter it. I do the workaround of entering it twice, but
> then have to remember which sites I applied this hack for.
>
Why enter your mother's actual maiden name when prompted for it? A
security-savvy user will recognize this as a second password, that
multiple sites seem to want to share, and enter something unique and
unmemorable (stored on a "keychain" or just discarded if the primary
password is similarly safely stored).
When asked to provide answers for security questions, mine are always
either the output of "openssl rand -base64 N" (with N = 6, 9 or 12),
or more memorable non-sequiturs when that is more appropriate. Here's
a new reasonably memorable variant.
Q: Mother's Maiden Name:
A: Winston-Delano-Stalin
--
Viktor.
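Added example, not part of Victor's mail or the list's own material: a small POSIX shell helper that produces the kind of random "security question" answer the mail describes (the output of "openssl rand -base64 N") and picks N so the result clears a site's minimum-length rule, the very check that rejected the four-character maiden name in the quoted complaint. It assumes openssl is on the PATH and falls back to /dev/urandom plus base64 otherwise; the function names are my own.

```shell
# Generate a random answer for a "security question", treating it as a
# second password rather than a fact about yourself.
# Assumption: openssl is installed; otherwise /dev/urandom + base64 is used.
gen_answer() {
  # $1 = number of random bytes. 6, 9 or 12 bytes (multiples of 3)
  # encode to base64 with no '=' padding, which some forms reject.
  n="${1:-9}"
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 "$n"
  else
    head -c "$n" /dev/urandom | base64
  fi
}

# Base64 length for n random bytes: ceil(n/3) groups of 4 characters.
b64_len() {
  echo $(( (($1 + 2) / 3) * 4 ))
}

# Produce an answer of at least $1 characters by choosing the smallest
# multiple-of-3 byte count whose base64 encoding meets the site's minimum.
answer_for_min_len() {
  min="${1:-8}"
  n=3
  while [ "$(b64_len "$n")" -lt "$min" ]; do
    n=$((n + 3))
  done
  gen_answer "$n"
}

# Usage: store the result in a password manager alongside the site's login;
# it is never meant to be remembered.
# answer_for_min_len 10
```

Six bytes give 8 characters, nine give 12, twelve give 16, which is why those three values of N cover the usual "at least 8 characters" rules without padding. The answer is stored with the site's credentials, not memorised, so there is nothing to recall later and nothing shared across sites.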
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com