Search This Blog

Thursday, October 03, 2013

A Public Service Announcement

Keeping those at bay who would rather smash and grab or destroy than do anything productive -- and no, I'm not talking about progressives here -- requires the rest of us to jump through all manner of annoying hoops.  As much as I'd like to provide an easy answer to bridging the gap between airport parking and reaching the gate, I can't.

However, I am going to throw out a suggestion for dealing with an aspect of keeping our lives away from the vandals who really need vigorous kidney punching: computer hackers.  As much as I'd like to provide an easy answer to captchas (Restating the Obvious's is particularly annoying, and it isn't Harry's fault), I can't.  But I'm going to throw out a way to deal with the plethora of security questions to which we are obliged to provide answers.

There are a couple serious problems with security questions.

First, depending on the question, the answer is knowable -- your high school, for instance.  Sarah Palin had her personal Facebook account hacked because she picked a couple questions just like that, and then gave the true answers.

Second, if multiple people are to have legitimate access, their answers can obviously vary, sometimes insidiously.  I temporarily lost access to a joint account with the other SWIPIAW because, as it happens, the spelling of female names is notoriously feminine, and there are probably a half-dozen different ways of spelling our maid of honor's first name.  Then there is the problem of whose first pet, junior high school, favorite teacher, book, food, song, ad nauseum.

Therefore, I recommend taking an entirely different approach to security questions: use a rule to provide an answer that has nothing to do with the question, and will provide the correct, and different, answer to any question.

For examples: The answer to every security question is the first letter of each word in the question.  Or the second letter.   Or the first letter for the first word, second letter for the second, etc.  Or the first letter in each word, starting with the last word. 

The important thing is to pick one rule that is easy for you to remember, and use it every time. 

That means you can pick any question you want, always be able to provide the "correct" answer, and no one else will, no matter how much they know about you; unless, that is, you tell them your rule.  Using the first rule on a typical question, which may not even have an answer: 

<blockquote>What was the name of your first pet?  wwtnoyfp </blockquote>

And you thought Great Guys was good only for reasonably high-faluting sparring.


Peter said...

The other modern tyranny is PIN and access numbers, especially for the elderly. How can anyone possibly remember tham all unless they always use the same one, which is obviously a dangerous no-no? I used to use 7777 for everything, until somebody warned me it would be easy for Internet hackers to guess or steal. So I switched to 948&2% and now feel much safer.

Hey Skipper said...

There are couple other ways to make that easy.

Take a pass phrase and type it one row displaced on the keyboard, so the absolutely verboten password "password" becomes 0qww94e. Then you can change that up a little by adding the first two letters of the company name to the end or beginning.

And for pins, pick some number, like your home address, then add the pin and discard any carries.

So assume you get stuck with a pin like 5906, and your house address is 8505. On the back of the card, write 3401. To get back your PIN, subtract 8505 from 3401, supplying the carries where needed.

No one is going to get your PIN unless they know your rule. And there are simpler ways, like shifting the PIN one or two places either direction, and wrapping. A two place right shift of 5906 would be 0659, or mirroring both pairs would yield 9560. The problem with the simpler ways is a person, having gotten the wrong response, might think to try simple ways to get the right pin. With my add and carry discard method (which I wouldn't have mentioned, except I don't use it anymore), no one is going to get the right answer before running out of tries.

Anyway, the point is that people can easily create and unique passwords based on an easy password and a simple rule, and the results will be very difficult to break.

That said, the best solution is a password manager program like 1Password (there are others just as good, but that is the one I use, and it is absolutely brilliant. It costs $40, and will synchronize your secure information across all your devices through Dropbox.) With it, you only have to remember one password to access all your logins. The program will, if you want, completely random character strings for passwords, which you have no need to know.

It is so good, I'd be happy to pay $400 for it.

But it doesn't work as well with security questions. It will store your answers just fine, but just picking a rule and sticking with it is much easier.

(And, BTW, so far as I know, that idea, which I have been using for years, is mine alone and is released into the wild for the very first time here.)

(Unless, of course, and this is far more likely, I'm epically clueless.)

Clovis e Adri said...

H. Skipper,

The problem with the password manager is that, if someone hacks it, he wins it all. It is usually a bad idea in terms of security design to do that.

Of course, the odds that someone will worry so much in targeting you on that level are low, unless you keep valuable secrets. The mere fact you keep your stuff in dropbox indicayes you do not...

Harry Eagar said...

There is far more security rigmarole to access my credit union account, where the maximum balance is in the low thousands, than to access my biggest security account, with high balances.

I have more than one brokerage account. hoping that if there is a breach on their end (all too likely), I won't lose it all.

Annoying Old Guy said...

It's easy to add rigmarole, it's hard to add security. I suspect your credit union is just engaging in security theater without add any actual security. That's my experience with my local banks.

I have worked with large financials specifically on security and they are far more conscious of that than any local bank I've dealt with.

Hey Skipper said...

The problem with the password manager is that, if someone hacks it, he wins it all.

I suspect that is far more easily said than done. 1Password (and probably all similar programs) uses 128 bit encryption. My password isn't written anywhere. It is a random series of letters, numbers and special characters.

It is encrypted before it gets to dropbox, so it is no more accessible there than anywhere else. (That said, I'm not going to use a publicly accessible computer to use it.)

Also, 1Password is integrated with web browsers, which makes users immune to phishing attacks.


Why do some sites use an image you are supposed to remember? Of all the security theater, I'd think that is it. After all, it is very likely you won't miss something that isn't there.

And I'd think something financial sites would do is a password lookup (I seem to remember reading that there are hacker dictionaries out there that rank by frequency passwords that have come from companies that have been hacked) and tell you how common your password is.

And I'm also surprised sites with important information don't make you enter your password via a virtual keyboard where the keys are scrambled each time, to get around malware that records keystrokes.

Annoying Old Guy said...

Why do some sites use an image you are supposed to remember?

So *you* can verify the website's identity. For any key website that provides that, I memorize the image so I know I've connected to the correct place and not some spoof via a typo or a DNS subversion. Certificates help with that as well, but I do like the defense in depth.

Of course, I never access any website with important information from my cell phone. Facebook and gmail? Sure. Bank account? Never.

Keep in mind that hackers frequently grab fully qualified domain names that are just a character or two off real ones precisely to catch typographic errors.

For financial websites, they spend a lot more time and effort on their own security (which I can't talk about much) so that breaches are the customers problem :-). And what studies I have seen indicate that forcing people to use "better" passwords has little or negative effect on security. Passwords are lousy security, but so far all the alternatives have been worse.

Hey Skipper said...

[Hey Skipper:] Why do some sites use an image you are supposed to remember?

[AOG:] So *you* can verify the website's identity.

The rest of my sentence points out the human factors problem. Of the dozen or so financial sites I have logins for, about a third use key images.

The problem with that is the extremely high error rate of not noticing what isn't there.

If all websites had image based own identity schemes, then it would work because not seeing one would be decidedly odd.

But when half or fewer do, then not seeing an image isn't unusual, particularly when I don't log on to most of these sites particularly often.