Friday, March 28, 2008

When it's safer to lie

ComputerWorld has an article by Paul F. Roberts about the inherent weakness and dangers of "knowledge based authentication." This refers to the canned questions that many online entities use as secondary authenticators (e.g., when you need to recover a lost password).

For some time now, I've adopted the practice of making up harder-to-guess answers to such questions, e.g., saying that my first pet's name was OhMyGod, or that my mother's maiden name was Smithereens. It is important to give a different answer to each site, so that compromise of one site does not provide access to the others who use the same question. Of course, I then have to keep a record of what I have told each site, but I have control of that record.

You might think that if I can keep a per-site record of secondary authenticators, I can keep a per-site record of passwords. Of course, I do that, too, but you'd be surprised at how often I have to ask for a password reset, or a site de-authorizes my password, or some such thing, requiring using the secondary authenticator.

By the way, like most security professionals, I've stopped even trying to use memorable passwords for websites. I use machine-generated random strings of ten upper and lower case letters and digits. There are nearly 10^18 (a billion billion) of them, so guessing a random one is impractical for anyone with less resources than the NSA. By contrast, the success rate in the game of 20 Questions suggests that most people only have about a million memorable facts in their heads, and that there's a lot of overlap between different players' millions.

Labels: ,


Post a Comment