[geeks] Secret codes, was US Post Office Website broken again

Shannon Hendrix shannon at widomaker.com
Mon Jul 20 17:03:44 CDT 2009


On Jul 20, 2009, at 17:35 , Phil Stracchino wrote:

> Shannon Hendrix wrote:
>> The whole secret question thing is pretty useless to me anyway.  I
>> don't really see it doing much.
>>
>> If people use secrets they can remember, they are useless.
>>
>> If they use secrets which are not useless, they can't remember them.
>
> Doesn't follow.  The key is to pick "secrets" that are meaningful to
> you, but highly unlikely for anyone who does not know you well to be
> able to guess even by studying publicly available information about  
> you.

Yes it does follow.

If you choose something you can remember, it's also highly likely to  
be vulnerable to dictionary attack, even if it is unique to you.

Picking personal information reduces the size of the possible  
dictionary, and clever people know how to produce attack pools that  
are more likely to be listed as personal things.

You've made one of the most basic mistakes: you've told the attacker  
the nature of the data he is looking for.

If you take Geoffrey's approach it's more secure, and functions much  
like an additional password.  However, you have the problem I describe  
above: if you pick secure secrets, you can't remember them.  If you  
pick things you can remember, they are not as secure.

There is no way for me to remember more than a small set of passwords  
and secrets that are reasonably secure, so I end up using software to  
manage them.  This is bad in a way, but it does allow me to make  
regular use of far more secure passwords and other secrets than I  
could if I had to keep them in my head.



-- 
Shannon Hendrix
shannon at widomaker.com
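A worked illustration of the argument in the message above, added here as an example and not part of Shannon's post or of anything else on the list: it builds a small, entirely made-up "attack pool" of the kind the post describes (bare personal facts plus the obvious concatenations an attacker would try), reports how quickly a memorable answer falls to it and how little entropy such an answer has, and contrasts that with a randomly generated answer of the sort you would keep in a password manager. The target, the facts, the pool size and the alphabet are constructed for the demonstration.

```python
import math
import secrets
import string

# Constructed example only: a stand-in for the "attack pool" of personal
# facts an attacker can collect about a target from public information.
# This is not a real person, and the lists are deliberately tiny.
PUBLIC_FACTS = {
    "pet": ["Rover", "Max", "Bella", "Buddy"],
    "street": ["Elm", "Maple", "Oak", "Main"],
    "school": ["Lincoln", "Jefferson", "Roosevelt"],
    "team": ["Cubs", "Bears", "Bulls"],
    "year": [str(y) for y in range(1950, 2000)],
}

# Alphabet for a generated secret: upper, lower and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def build_attack_pool(facts):
    """Candidate answers for a 'memorable' secret question: every bare fact,
    its lower-case form, and pet/street names joined to a plausible year.
    Duplicates are removed while keeping first-seen order."""
    singles = [v for vals in facts.values() for v in vals]
    pool = []
    for s in singles:
        pool.append(s)
        pool.append(s.lower())
    for name in facts["pet"] + facts["street"]:
        for year in facts["year"]:
            pool.append(name + year)
    return list(dict.fromkeys(pool))


def guesses_to_crack(pool, answer):
    """1-based number of guesses a dictionary attack over `pool` needs to hit
    `answer`, or None if the pool never contains it (the attack fails)."""
    for i, candidate in enumerate(pool, 1):
        if candidate == answer:
            return i
    return None


def entropy_bits_from_pool(pool):
    """Upper bound on the secret's entropy once the attacker knows it was
    drawn from `pool`: log2(|pool|) bits."""
    return math.log2(len(pool))


def random_answer(length=20, alphabet=ALPHABET):
    """A 'secure secret' of the kind the post says you cannot remember:
    uniformly random characters, intended to live in a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits_random(length=20, alphabet=ALPHABET):
    """Entropy of a uniformly random string: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def compare(memorable_answer, length=20):
    """Summarise both strategies against the constructed attack pool."""
    pool = build_attack_pool(PUBLIC_FACTS)
    generated = random_answer(length)
    return {
        "pool_size": len(pool),
        "memorable_guesses": guesses_to_crack(pool, memorable_answer),
        "memorable_bits": round(entropy_bits_from_pool(pool), 1),
        "random_guesses": guesses_to_crack(pool, generated),
        "random_bits": round(entropy_bits_random(length), 1),
    }


if __name__ == "__main__":
    for answer in ("Rover", "rover1984", "Lincoln"):
        print(answer, compare(answer))
```

The numbers are only meaningful relatively: a real attacker's pool (name lists, scraped profiles, leaked answer corpora) is far larger than this toy, but it is still a few tens of bits at most, while a 20-character random answer from a 62-symbol alphabet is about 119 bits and is not in any pool built from facts about you. The cost, as the post says, is that you will not remember it, which is exactly what the manager is for.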


