[geeks] Secret codes, was US Post Office Website broken again

[Shannon Hendrix]

On Jul 20, 2009, at 18:27 , Phil Stracchino wrote:

>> Yes it does follow.
>>
>> If you choose something you can remember, it's also highly likely to
>> be vulnerable to dictionary attack, even if it is unique to you.
>
> You're assuming you choose a single-word response.

That's what most people use.

Besides that, you still reduce the attack pool, no matter how many  
words you use.

> Have you?  If the question is "typing error", what's the nature of the
> data in the answer?  I'll give you three free tries just to guess the
> correct *context*.

The question isn't "typing error", or any user-made quest in 99% of  
the websites out there, which is what we are talking about.

Yes, we should be able to make our own questions.

But the fact is that right now, virtually all such systems ask for  
very common things which are easy to attack.

I'm not talking about a great system or even a better one, I'm talking  
about what we have out there now.  It's really not very good.

It's even worse when it doesn't even work.


-- 
"Where some they sell their dreams for small desires."