[geeks] Secret codes, was US Post Office Website broken again

Shannon Hendrix shannon at widomaker.com
Mon Jul 20 16:14:17 CDT 2009


On Jul 20, 2009, at 15:20 , gsm at mendelson.com wrote:

> On Mon, Jul 20, 2009 at 03:09:06PM -0400, Shannon Hendrix wrote:
>> The website asks for my mother's maiden name.  I enter that and they
>> reject it.  I always capitalize that entry.  All lowercase works.
>> I've tried to get this changed several times, but it always ends up
>> all lowercase.
>
> I never use my mother's maiden name. I think it is listed on too many
> social network sites, etc. to be of any use. I always use inappropriate
> responses, but an automated system has no way of knowing that.

I don't necessarily use it either.  The point was that the site says  
it is case sensitive, but it doesn't properly store what I entered for  
the secret.

Never mind that the whole idea is stupid and doesn't help security,  
especially since they implemented it incorrectly.

> For example, if you ask where I went to high school, I answer strawberry.
> Or my mother's maiden name, I answer baseball. I also never use the same
> answer on different sites.

That's why I use a program for all of this.  I use different data too,  
and could never possibly remember all of it.

> Remember when someone hacked Sarah Palin's email because they looked up her
> maiden name where she went to high school? Don't laugh about her using Yahoo
> for her official email, my wife's employer just moved over to gmail.

In your case, they would just use a dictionary attack, or bypass the  
login.

Same result.

The whole secret question thing is pretty useless to me anyway.  I  
don't really see it doing much.

If people use secrets they can remember, they are useless.

If they use secrets which are not useless, they can't remember them.

It's not really a solution to the problem, more like a speed bump.

Using software to track this so you can use really good ones is  
probably an improvement for site security, but then you have the risk  
of the program being accessible to someone who gets hold of your system.

-- 
Shannon Hendrix
shannon at widomaker.com
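
The symptom described in the message above (a capitalized answer is rejected, the all-lowercase form is accepted) is what happens when an answer is transformed on save but compared exactly on check. The sketch below is an added example, not part of the original message and not the site's code: BrokenStore is an assumed model of that mismatch, ConsistentStore applies one normalization on both paths and keeps only a salted hash, and "Smith"/"Jones" are constructed sample answers.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize(answer: str) -> str:
    """Canonical form, applied at BOTH enrollment and verification."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())  # collapse stray whitespace


class BrokenStore:
    """Assumed model of the bug: lowercases on save, exact compare on check."""

    def __init__(self):
        self._answers = {}

    def enroll(self, user: str, answer: str) -> None:
        self._answers[user] = answer.lower()  # silently altered, kept in clear

    def verify(self, user: str, answer: str) -> bool:
        return self._answers.get(user) == answer  # case-sensitive compare


class ConsistentStore:
    """Same normalization on both paths; only salt + PBKDF2 hash are stored."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _digest(salt: bytes, answer: str) -> bytes:
        data = normalize(answer).encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", data, salt, 200_000)

    def enroll(self, user: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._digest(salt, answer))

    def verify(self, user: str, answer: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the derived hashes
        return hmac.compare_digest(expected, self._digest(salt, answer))
```

A site that really wants case-sensitive answers would drop the casefold step; what matters is that enroll and verify run the same transformation.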


