[geeks] Secret codes, was US Post Office Website broken again

Phil Stracchino alaric at metrocast.net
Mon Jul 20 19:13:13 CDT 2009


Shannon Hendrix wrote:
> On Jul 20, 2009, at 18:27 , Phil Stracchino wrote:
> 
>>> Yes it does follow.
>>>
>>> If you choose something you can remember, it's also highly likely to
>>> be vulnerable to dictionary attack, even if it is unique to you.
>> You're assuming you choose a single-word response.
> 
> That's what most people use.
> 
> Besides that, you still reduce the attack pool, no matter how many  
> words you use.

It's got to be at least slightly better than asking for public-record
data for "verification".  That's not even a question of an attack pool,
it's a question of doing a few simple lookups.  A user-defined question
might at least get some people to spend a minute or two thinking about
questions with non-obvious answers.  At worst, even a stupidly chosen
user-selected question is likely to be no worse than a public-record
question-and-answer that doesn't make the attacker guess AT ALL.


>> Have you?  If the question is "typing error", what's the nature of the
>> data in the answer?  I'll give you three free tries just to guess the
>> correct *context*.
> 
> The question isn't "typing error", or any user-made question in 99% of  
> the websites out there, which is what we are talking about.
> 
> Yes, we should be able to make our own questions.
> 
> But the fact is that right now, virtually all such systems ask for  
> very common things which are easy to attack.

You appear to be referring to the sites which, instead of asking you for
a single piece of public-record data to "verify" your identity with,
give you a choice between three to five different pieces of
public-record data.  I think we can both agree that's not really any
substantive improvement.

If, on the other hand, you're talking about the underlying problem of
"too many users choose weak passwords", that's not a flaw or weakness of
user-defined or even merely user-chosen-from-a-list "secret questions."
(Not to imply that choose-from-a-list-of-public-record-questions
doesn't have its own weaknesses worse than almost anything else.)



-- 
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric at caerllewys.net   alaric at metrocast.net   phil at co.ordinate.org
         Renaissance Man, Unix ronin, Perl hacker, Free Stater
                 It's not the years, it's the mileage.
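A small defender-side check for the distinction drawn in the reply above (a lookup versus a guess), added here as an example and not code from the thread or its author. The toy dictionary, the per-account public-record facts, the 20,000-word list size and the verdict thresholds are constructed assumptions.

```python
import math
import re

# Constructed assumptions (not from the thread): a toy dictionary, the facts an
# attacker could look up about one account holder, and the size of the word
# list a guesser would actually try.
DICTIONARY = {"password", "fluffy", "boston", "summer", "mileage", "ronin"}
PUBLIC_RECORD = {"boston", "smith", "1975", "lincoln high"}  # birthplace, maiden name...
DICT_SIZE = 20_000
ALNUM = 36  # alphabet assumed for a non-dictionary token: a-z plus 0-9


def normalize(answer: str) -> list[str]:
    """Lower-case and split on anything that is not a letter or digit."""
    return re.findall(r"[a-z0-9]+", answer.lower())


def guess_space_bits(answer: str) -> float:
    """log2 of the estimated guess space for a secret answer.
    Public-record data costs the attacker a lookup, not a guess: 0 bits.
    Each dictionary word adds log2(DICT_SIZE); any other token is treated
    as brute-forced over ALNUM**len(token)."""
    words = normalize(answer)
    if not words or " ".join(words) in PUBLIC_RECORD:
        return 0.0
    bits = 0.0
    for w in words:
        if w in DICTIONARY:
            bits += math.log2(DICT_SIZE)
        else:
            bits += len(w) * math.log2(ALNUM)
    return bits


def verdict(answer: str) -> str:
    """Policy a site could apply when a user sets a secret answer."""
    bits = guess_space_bits(answer)
    if bits == 0.0:
        return "reject: public-record answer, no guessing needed"
    if bits < 28:  # roughly the cost of two dictionary words
        return "weak: single word or short token"
    return "ok"


if __name__ == "__main__":
    for a in ["Boston", "Lincoln High", "fluffy", "fluffy summer mileage", "x7q"]:
        print(f"{a!r:26} {guess_space_bits(a):6.1f} bits  {verdict(a)}")
```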
