#1361 – Encrypt
Posted on September 6, 2011 at 12:00 am by Chris
Chapter: Comics
It cracks me up when banks ask me “security” questions like “What High School did you go to?” or “How many fingers do you have on your left hand?” These really aren’t very secure questions. They should ask things that are harder to research or observe like “What did you have for lunch on the first day of school in 5th grade?” or “Why do I have to ask you 3 times to clean up your room?”
Today’s Maximumble pays the bills.
Tags: bank, pets, security

Well, TEH HACKERZ make the news pretty regularly and fear of random cyber criminals fits right in with the deep-rooted and in many cases all-consuming fear much of the age range using online money handling services has of unfamiliar teenagers. Most people simply aren’t smart enough to realize that the two classes of people who are at all likely to take an interest in or do damage to the average adult’s accounts – good-for-nothing relatives and pissed-off former intimate partners – are also the class of people who are most likely to know those little factoids, so they feel secure. >.>
We’ve been very carefully trained to come up with passwords that are hard to remember and easy to ‘brute force’ crack. Better to use a short memorable phrase – they’re much harder to crack. It’s the number of characters – not the obscurity of them – that makes the difference.
You could easily use one of those banking security questions as a bullet-proof password “What color was your first car” would take a century to brute-force crack. 🙂
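The comment above estimates strength from character count alone. What follows is an added example, not code from the comic page or any of its commenters, that works the estimate through under the models a password cracker actually runs: exhaustive enumeration over the inferred character set (the comment's model), a phrase wordlist, and a dictionary combinator. The guess rate, the list sizes, the dictionary size and the phrases embedded in `KNOWN_PHRASES` are all assumptions constructed for illustration.

```python
import math
import string

# Assumed guess rate: roughly one GPU against a fast unsalted hash.
# Constructed for illustration, not a figure from the page.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed stand-ins for what a cracker carries: a phrase list of about a
# million entries (only two are embedded here; the size is assumed) and a
# 20,000-word English dictionary (size assumed).
KNOWN_PHRASES = ["What color was your first car", "correct horse battery staple"]
ASSUMED_PHRASE_LIST_SIZE = 1_000_000
ASSUMED_DICTIONARY_SIZE = 20_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Smallest union of the standard character classes that covers the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),  # 32 punctuation marks plus space
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def naive_brute_force_guesses(password: str) -> int:
    """Guesses to exhaust every string of this length over the inferred charset.
    This is the 'it's the number of characters' model from the comment."""
    return charset_size(password) ** len(password)


def realistic_guesses(password: str) -> int:
    """Cheapest strategy available to the attacker for this candidate.
    Exhaustive enumeration is the fallback a cracker tries last, not first."""
    candidates = [naive_brute_force_guesses(password)]
    if password in KNOWN_PHRASES:
        # A phrase the attacker already has costs at most one pass over the list.
        candidates.append(ASSUMED_PHRASE_LIST_SIZE)
    words = password.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        # Combinator attack: every ordered choice of N dictionary words.
        # (A token with a digit drops to the exhaustive fallback in this simple model.)
        candidates.append(ASSUMED_DICTIONARY_SIZE ** len(words))
    return min(candidates)


def years_to_crack(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected worst-case time for the attacker under realistic_guesses()."""
    return realistic_guesses(password) / guesses_per_second / SECONDS_PER_YEAR


def bits_of_work(password: str) -> float:
    """Effective work factor in bits, log2 of the realistic guess count."""
    return math.log2(realistic_guesses(password))


if __name__ == "__main__":
    for pw in ["red", "What color was your first car",
               "purple stapler eats biscuit",
               "Why do I have to ask you 3 times to clean up your room"]:
        print(f"{pw!r}: {bits_of_work(pw):.1f} bits, ~{years_to_crack(pw):.3g} years")
```

The exhaustive figure for a 29-character phrase is indeed astronomical, which is where the "century" intuition comes from. The caveat the model makes visible is that a phrase the cracker already has, such as a bank's own security question typed verbatim, costs one wordlist entry regardless of its length, and an unlisted four-word phrase is bounded by the combinator (dictionary size to the number of words), not by the character count. Strength comes from the number of independent choices the attacker cannot predict.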
You mean using the question itself as the password/passphrase, not the answer, right? Because “red” wouldn’t make for a particularly strong password.
So maybe in systems where you can choose your own “security” questions, you can improve security by playing ‘Jeopardy!’, i.e., swapping the answers and questions …
Oh, and obligatory webcomic crosslink with respect to your first paragraph: http://xkcd.com/936/ 🙂
Correct – The question itself (or any such similar mockeries as amuse you) as the password. I’ve been known to l33t-5p33k Bible verses as passwords, when I’m feeling unusually paranoid.
That XKCD link explains the whole business better than I ever could – Thanks!
When looking for a good security question, imagine you’re a family member trying to guess it. Even without that, though, they can be really, really easy to guess.
Also, @maskman, very, very few passwords can actually be brute-forced now. Email, bank accounts, PayPal… they have too many features to block against multiple attempts. Keyloggers, security questions and even GUESSING are how most passwords are lost.
Wish that were true – but bad security implementation still exists all over the place, and often in places you’d expect it to be solid. Doing the job right frankly involves more money and more energy than some companies are willing to expend – and ‘some’ is a bigger number than anyone likes to admit.
Wait…you guys actually answer the bank security questions with an answer that has anything at all to do with the question? What high school? 47. Color of first car? Easter.
Good idea 🙂
Also, if your first car was yellow, easter would be an answer that you could remember easily because chickens are yellow.
Or, you could combine it with the idea discussed by others here, so they ask “What was your mother’s maiden name?” and you answer “What was the name of my first dog?”
“What was the last name of your first mother’s maiden dog?”
The biggest danger are standard passwords. Not standard like “secretpw” or “123456” but rather passwords that you use and re-use in various places. Anyone can set up a random forum on a certain hot topic, wait for people to register, and bam! tons of email/username/password combinations harvested!
If you have a system on how you create each password, maybe don’t make that system too easily guessable either.
hotmail password: “McFly2Hotmail”
amazon password: “McFly2Amazon”
Mybank password: “McFly2Mybank”
probably wouldn’t be too great in the long run …
Sarah Palin’s email password was cracked by answering those easy-to-answer security questions back in 2008.
Bingo. Proof of concept.
here, K6dC4ef3! here boy!