[geeks] Secret codes, was US Post Office Website broken again
Phil Stracchino
alaric at metrocast.net
Mon Jul 20 17:27:06 CDT 2009
Shannon Hendrix wrote:
> On Jul 20, 2009, at 17:35 , Phil Stracchino wrote:
>
>> Shannon Hendrix wrote:
>>> The whole secret question thing is pretty useless to me anyway. I
>>> don't really see it doing much.
>>>
>>> If people use secrets they can remember, they are useless.
>>>
>>> If they use secrets which are not useless, they can't remember them.
>> Doesn't follow. The key is to pick "secrets" that are meaningful to
>> you, but highly unlikely for anyone who does not know you well to be
>> able to guess even by studying publicly available information about
>> you.
>
> Yes it does follow.
>
> If you choose something you can remember, it's also highly likely to
> be vulnerable to dictionary attack, even if it is unique to you.
You're assuming you choose a single-word response.
> Picking personal information reduces the size of the possible
> dictionary, and clever people know how to produce attack pools that
> are more likely to be listed as personal things.
>
> You've made one of the most basic mistakes: you've told the attacker
> the nature of the data he is looking for.
Have you? If the question is "typing error", what's the nature of the
data in the answer? I'll give you three free tries just to guess the
correct *context*.
--
Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
alaric at caerllewys.net alaric at metrocast.net phil at co.ordinate.org
Renaissance Man, Unix ronin, Perl hacker, Free Stater
It's not the years, it's the mileage.
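The dictionary argument in the thread above, as an added illustration that is not part of the original messages: a small guess-space estimator for security-question answers. The "personal things" pool and the word-list size are constructed stand-ins for what an attacker's lists might look like; a single word drawn from a small personal-information pool costs few guesses, while a multi-word answer multiplies the space per word.

```python
import math
import re

# Constructed stand-in for the attacker's pool of "personal things"
# (pet names, surnames, cities, colours). A real pool would be far larger,
# but the point is that it is small relative to a general word list.
PERSONAL_POOL = {
    "fluffy", "rex", "max", "bella", "smith",
    "jones", "boston", "chicago", "blue", "red",
}
# Assumed size of a general word list used for words not in the personal pool.
GENERAL_WORDLIST_SIZE = 20_000


def normalize(answer: str) -> list[str]:
    """Lower-case and split on non-alphanumerics so 'Fluffy!' and 'fluffy' match."""
    return [w for w in re.split(r"[^a-z0-9]+", answer.lower()) if w]


def estimate_guess_space(answer: str) -> int:
    """Estimate guesses needed, assuming each word is independently drawn
    from the personal pool if it appears there, else from the general list."""
    words = normalize(answer)
    if not words:
        return 0
    space = 1
    for w in words:
        space *= len(PERSONAL_POOL) if w in PERSONAL_POOL else GENERAL_WORDLIST_SIZE
    return space


def entropy_bits(answer: str) -> float:
    """Guess space expressed in bits; 0 for an empty answer."""
    space = estimate_guess_space(answer)
    return math.log2(space) if space else 0.0


def acceptable(answer: str, min_bits: float = 40.0) -> bool:
    """Policy check a site could apply when an answer is set: reject single-word
    answers outright (one dictionary lookup away) and anything below min_bits."""
    if len(normalize(answer)) < 2:
        return False
    return entropy_bits(answer) >= min_bits


if __name__ == "__main__":
    for a in ("Fluffy!", "blue rex", "rotten pixel harbor"):
        print(f"{a!r}: ~{entropy_bits(a):.1f} bits, acceptable={acceptable(a)}")
```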