only an idiot
actually uses the correct stuff.
Password question = Mother's maiden name
Use a weird word like scalpel or aardvark or similar.
Whenever I speak to the bank they ask if my mother's maiden name is really the weird word I have given them.
Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers. In the paper What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions (pdf), Joseph Bonneau of the University of Cambridge and two colleagues from the …
If you're going to use an unrelated word then you might as well just dispense with password recovery as a feature altogether. If you're the kind of person who forgets passwords you're just as likely to forget the obscure answer (more so in fact, since you use it less often).
Your birth certificate has your mother's maiden name on it so it's a bad idea to have conflicting bank records. Better just to ask them to set up some kind of SECURE password system instead of retarded questions.
What utter rubbish. Conflicting bank record... what on earth are you on about? We are talking about the 'additional' security questions here - normally for things like password resets (which you would have even WITH a secure password system). I have NEVER given my real mother's maiden name when answering the question - and have never had any banking problems. It is just a question with preset answers - answer it how you like (and preferably in a way that others won't guess).
I would be more concerned about the bank's security for actually using the question in the first place - 'cos it's VERY bad security practice to ask anything where the answer is in the public domain.
And when you forget your SECURE password, how do you suggest you confirm your identity to have it reset?
Secure passwords will not negate the use of security questions for resets (or phone calls for that matter).
Also... please explain "Your birth certificate has your mothers maiden name on it so its a bad idea to have conflicting bank records." WTF are you on about? I'm guessing that this is really not your area of knowledge, and you have never had the pleasure of setting up security for a call centre.
@Alyn: "Aardvark" is bad if you expect a dictionary attack --- and a dictionary attack is exceedingly unlikely (and very stupid) on a "maiden name" question.
Possibly a directory attack there (let's start with Patel and Smith as likeliest surnames) but nobody named Aardvark exists in the UK, and that was the point. Also note the "strange word like" and "or similar" in the sentence, as in "no, mine's not Aardvark but Beerwolf, actually factually".
Whenever giving security awareness training I always tell people to LIE when answering security questions (other than those scenarios where the company uses personal details they have on record as confirmation). The rules are simple (and I have actually written standards on good security questions for use in government systems): never ask for anything that is in the public domain, never use anything that can be easily discovered, or has too few potential answers (I even had to rank security questions as to how good/bad they were).
When a company does ask a stupid security question like 'mother's maiden name' that IS in the public domain, then LIE. So long as you remember your LIE you are OK. I have NEVER used my real mother's maiden name, nor real first school, nor real first company...
Whilst sending the rest to a mobile may be more secure, who wants to have to give their mobile number to yet more companies? Sensible people put absolute garbage in as the answer, make no attempt to memorise it, and simply don't forget the flaming password!
I hate services that insist on you setting a hint, even more so if they give you a drop down of questions to use rather than let you set your own question!
Why do people have such problems remembering their passwords? I have 8 different alphanumeric-special-character passwords of at least 8 characters on the go, but don't feel the need to write them down. OK, some may struggle with this, but it's really not that hard!!!!
The only sensible answer to any security question is to mash the keyboard like a drunk, coked-up monkey. Nothing companies think you can easily remember is unable to be found out easily.
On the SMS front, my bank has recently started to send SMS messages with a code to confirm online transactions (only with online payment systems who support the extra security, though). I've done two so far and the SMS arrived within a minute. However, I'd like to know how that will work when the mobile network is busy.
I shop online for the convenience. If a payment session times out (as they are bound to do), I might as well go queue up with the other proles.
or you can mung it like this:
Ý;ù_ö#Ć~â)ŋ@ƋőppppĩŤ%55Ļ£ī$ķ22ĕ^Ţ*ħ-ı+š
The permutations are endless and if you use the same permutation each time you won't forget it. Exemplar gratis:
MÝyùmöo tĆhâeŋr sƋnőa mĩeŤi sĻīķĕ Ţħıš
What's the big deal? Most simple cryptography relies on word spacing and "most common letters".
Anyone out to target you is going to get you.
So if you are in a job such as a senior government official in I'llaskher or somewhere out the back of back-wad, you need professional assistance, a secure server and a tad more sense than a lip stuck, porcine brained, sock mother.
Speaking of Chimpanzees. How are things progressing with Rumsfeldgate over the loss of emails in the aweful Orifice of the Wit House?
@Ben Tasker
Do yourself a favor, find a bit of encrypting software and write them down.
Why?
1) As you add more passwords, each one becomes more difficult to remember.
2) You might have a method for generating passwords. This works only until some stupid website doesn't allow you to use your chosen password as it doesn't match their password quality check.
3) Under pressure, things like passwords can be difficult to remember.
4) Non-fatal accidents involving head trauma will be even more traumatic if you can't remember your Twitter password...
Well, that would be "#rW^Xy60tfA?mS?", of course.
It's just another password. Treat it as such and you effectively work around the stupidly short password length restrictions on some sites.
Even more stupid than password reminder Q&A is the "Password hint" concept which you find in various places (yes, Windows, I'm looking at you).
My favourite "Password hint" which unfortunately I can't claim credit for is "Remember the password"
A few months ago I went to set up an account with some site or other and was asked for a reminder so I chose "What is your favourite color?" and attempted to answer with something which, while not impossible to guess, wouldn't be quite as easy as a standard one* -- but I couldn't use "Bible Black" because it had a space in it! Yes, I know I could have taken the space out and used it anyway, but that's not the point -- they were effectively trying to push users to use red|green|blue|black|white|grey rather than a passphrase.
Then there's the second problem -- if I forgot my password how in teapot's name am I supposed to remember a "clever" answer to a security question?
It's hard to implement a consistent and secure password system when every damn site has different password dos and don'ts from "must use mixed case" to "only use letters".
Please, please, please web-app-designers of the world, for the love of the unicorn, just allow complex passwords and my own choice of security question[s] for every site!
*the site wasn't that important, really, but I wanted to try to be a little more secure than default.
Green! Oh ahr no blue! (falls into chasm of doom)
--
The colour question is easily correctly remembered (and hard to guess) if you actually have a favourite colour. For example, #993333 (in HTML) or {.39 .13 .13} (in PSTricks/LaTeX) or whatever. Just use your favourite coordinate system, being RGB, CMYK, HSV, or other, with numbers 0.0--1.0, 0--256, 00--FF, or other. The problem is to invent a favourite colour and stick by it --- probably easiest is the colour code of your car's paint, as needed for small repair jobs.
For Gawds sake, don't let David Icke use that one..
Or, 'Your favourite animal?'
Turquoise, and Lizard, natch.
As far as names are concerned, my mum told me a story. (I think it's apocryphal, but she worked in a supermarket).
A woman was at the checkout, and the cashier asked for her name for some reason. "Emma Chizzit" came the reply. Think about it, but nice password.
I did have an idea I tried to code for password security. Give the system the correct password, the code would say "Incorrect password". You'd have to enter the same password 3 times before it'd let you in.
well not exactly
....but in the film Twilight's Last Gleaming the main man is trying to gain entry into an ICBM nuclear missile silo. He is challenged for an extra character to the code but he only has what he has. He has to repeat to the operator a couple of times that there are no more letters before he is let in.
Now that was for a 1977 ICBM nuclear missile silo.
So what are you trying to protect?!!??
Perhaps some naughty pictures of Paris with some other scantily clad ....oh that's already on google.
... between usability and security again...
Yes you can make things much more secure by asking multiple questions and such, but it will make it harder (or just generally more annoying) for average joe when his mates tell him to sign up for a [insert new hip brand] account somewhere...
The main problem here is really with the users - they basically need educating a lil, or at least telling that use of spouse/friend/pet's name is a no no, without at least including caps or numbers somewhere.
Paris because it should be common sense =)
"Verified by Visa" - exactly the same problem - idiotically simple questions to guess and even when you gave them a proper one, it complained that you can't use special characters.
I refuse to use it on those grounds alone.
On the brighter side, when I last spoke to my bank, the chap on the other end was highly approving of my first school - "!gydBJ$%dZ^gs9q@ Primary"
And yes, my mom IS called "Robert'); DROP TABLE Students;--" ( http://xkcd.com/327/ )
I too am sick of all these stupid limitations that these retarded companies foist on us.
Stupidly short maximum character limits, restriction to alphanumeric characters only, no spaces allowed etc. It's like they are going out of their way to force you to choose a password that is easy to crack.
I prefer the hint systems where (a) you get to choose your own question and (b) at least 3 answers to different questions have to be provided in order to allow any kind of reset.
If you can choose your own questions like "what's the name of the song that reminds me of my first holiday in Portugal" then not only do you have a better chance of remembering it, but it's also harder to crack (because you can frame the question to allow you to use a real, non-trivial answer that gives away no personal information about you).
A former employer implemented a single-sign-on system across business critical applications and windows logins. One of the older systems required a password of up to 8 alphanumeric characters. A newer system required a password of at least 8 characters. Rather than make (expensive) changes to the older system, everyone had to have an 8 character alphanumeric password.
They also reduced the password expiry period from 90 days to 30, but left the warning period at 14 days.
Why, oh why, do network passwords have "warning periods"?
"Your password will expire in 15 days. Do you want to change it now?"
No, you fucking idiot, I'll change it in 15 days, but I'd rather not change it from the 16-character random sequence I already memorised at all!
Seriously, who in the whole world says "Actually, I could do with a new password. Why not? Let's change it to BUBBLES now."
Years ago, when the only 'puter we had at work was a PDP-11, I asked Austin, the chief honcho, what's the 'root' password. (OK, I was naive, in my 20's).
He replied "It's a complex key sequence".
A few years later he told me the real password.
itsacomplexkeysequence
Pretty good! Years later I tried to put Finnish words into Linux passwords - with umlauted characters - but The Penguin - ubuntu - (oddly, considering its origin) doesn't like that. Now, I have to scan the Finnish dictionary for words like 'KYVYKKYYS' (capability) which really'll fuck 'john-the-ripper'. No, I don't use that one anymore.
What's wrong with
Name of your first crush. You never forget that and it's unlikely you told anyone who still knows you (if you're my age)
Reg no of your first car
Your Grandmother's maiden name in place of your old dear's
Name of the woman in Project Management who you have a thing for instead of your pet's surname...
Etc etc.
The trick is to know that you lied, but that you remember the lie.
I recently had to use a system that wouldn't let you have too many repeated characters in a password. I gave it a randomly generated password, RitCcLntnTGH3tZD, say, and it objected, so I shortened it to RitCcLntn and the system was happy. So, RitCcLntnTGH3tZD is easier to guess than RitCcLntn, is it?
It is my opinion that a password system should accept any password consisting of at least 6 ASCII characters. By all means give a warning if the password seems to be guessable, but don't refuse it as the password may be automatically generated or shared between multiple systems. You can't force users to choose secure passwords if they don't want to, so don't bother trying as you'll only annoy the users who know what they're doing.
That's pretty dangerous but I see where you're coming from.
You can go too far with password restrictions and it actually makes it less secure in many cases.
For example forcing users to change their password every 30 days results in passwords appended with 1, 2, 3 or the month which is hardly useful. But worse than that, faced with dozens of passwords changing all the time makes people much more likely to write them down. I've seen it many times now... a bit of paper with passwords on or worse, text files stored on shared storage with their passwords in!
Some bank I used asked for a whole bunch of these (so it could present me with random ones). I found them really hard -"who is your favourite author?", "who is your favourite band?" It was like one of those getting-to-know-you chain emails.
Favourite author? It varies from time to time, and did I include "." after any initials? Same with my musical tastes, I like various bands. Favourite book? I think I can remember what I picked, but did I omit "The" from the title?
Even my mother's maiden name is ambiguous, she sometimes uses a hyphenated double name for the family name, sometimes not.
then answer the question truthfully, but spell it backward/ROT-13/shift left/whatever other transformation you can think of. This works, because you will still only be using the allowed characters, but the answer is not really predictable. Just be consistent, or at least only use two or three methods, so you can get it in three guesses.
«Sending reset passwords via text messages to a mobile phone already associated with an account represents another step towards improved security.»
Good idea, because everyone owns a cell phone or five, ain't it?
Well, no they don't. Not to mention that text messages are not the most secure medium ever... plus a mobe is easily nicked, or borrowed.
Every penetration kit probably has the complete Finnish dictionary as potential passwords. Also backwards and ROT13.
The argument really is that you may be unlikely to crack one person's account by guessing the name is "Smith", but if there are 1000 people's accounts then "Smith" will probably get you at least one working one to abuse.
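A worked version of that argument, added here and not part of the comment above: given a constructed surname distribution, it estimates how a fixed guess budget per account (the lockout threshold a defender controls) turns a long shot against one account into a near-certainty across a thousand.

```python
# Added example, not from the original thread. Models the "Smith across
# 1000 accounts" argument: one guess rarely opens a single account, but
# the same guess applied to many accounts almost always opens some.

# Constructed answer frequencies (fraction of accounts whose maiden-name
# answer is each surname). Real figures would come from census data.
SURNAME_FREQ = {
    "smith": 0.012,
    "jones": 0.009,
    "patel": 0.008,
    "williams": 0.007,
    "brown": 0.006,
}


def top_k_mass(freq, k):
    """Probability that one account's answer is among the k likeliest,
    i.e. the chance an attacker with k guesses opens that one account."""
    return sum(sorted(freq.values(), reverse=True)[:k])


def p_at_least_one(freq, accounts, guesses_per_account):
    """Probability that at least one of `accounts` falls when each may be
    attacked with `guesses_per_account` attempts before lockout."""
    p_single = top_k_mass(freq, guesses_per_account)
    return 1 - (1 - p_single) ** accounts


def expected_compromised(freq, accounts, guesses_per_account):
    """Expected number of accounts opened under the same guess budget."""
    return accounts * top_k_mass(freq, guesses_per_account)


if __name__ == "__main__":
    for budget in (1, 3, 5):
        print(f"{budget} guess(es)/account: one account falls with "
              f"p={top_k_mass(SURNAME_FREQ, budget):.3f}, "
              f"1000 accounts: p(any)={p_at_least_one(SURNAME_FREQ, 1000, budget):.4f}, "
              f"expected={expected_compromised(SURNAME_FREQ, 1000, budget):.1f}")
```

Lowering the per-account guess budget before lockout shrinks the expected losses linearly, but even one guess per account still compromises roughly a dozen of a thousand accounts under these constructed figures, which is the argument for not using the question at all.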
Do people remember names of their schoolteachers? I'm sorry, I mostly don't. But it's a time in my life I don't like to think about. Surely that isn't uncommon.
If it must be passwords and must be cryptic then human nature demands that they are short and you can write them down. Or use a barcode on a card.
If system A demands >= 8 characters password and system B allows <= 8 characters password then probably you can set the password of each to "penetration" but system B will treat it as "penetrat" and will let you type "penetratwrong" and still let you in. Or maybe it will be "penetran".
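The silent-truncation behaviour described above, simulated as an added example (not code from the thread or from any real system): a verifier that keeps only the first 8 characters accepts "penetratwrong", and a short self-check a defender can run against their own verifier exposes it. The hash function is a constructed stand-in; a production system would use a dedicated password hash such as argon2 or bcrypt.

```python
# Added example, not from the original thread. Simulates "system B" that
# silently truncates passwords to 8 characters, alongside a verifier that
# hashes the whole input, and a self-check that tells them apart.
import hashlib
import hmac
import os


def _digest(secret: str, salt: bytes) -> bytes:
    # Toy key derivation for the demo; swap in argon2/bcrypt in real code.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)


def make_truncating_verifier(password: str, limit: int = 8):
    """Simulates the legacy behaviour: only the first `limit` characters
    are ever hashed, at enrolment and at login."""
    salt = os.urandom(16)
    stored = _digest(password[:limit], salt)
    return lambda candidate: hmac.compare_digest(
        _digest(candidate[:limit], salt), stored)


def make_full_verifier(password: str):
    """Correct behaviour: the entire password takes part in the hash."""
    salt = os.urandom(16)
    stored = _digest(password, salt)
    return lambda candidate: hmac.compare_digest(
        _digest(candidate, salt), stored)


def silently_truncates(verify, known_password: str) -> bool:
    """Self-check for your own system: if the correct password still
    verifies with junk appended, part of the input is being discarded."""
    return bool(verify(known_password)) and bool(verify(known_password + "wrong"))


if __name__ == "__main__":
    legacy = make_truncating_verifier("penetration")
    modern = make_full_verifier("penetration")
    print("legacy accepts 'penetrat':", legacy("penetrat"))
    print("legacy truncates:", silently_truncates(legacy, "penetration"))
    print("modern truncates:", silently_truncates(modern, "penetration"))
```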
SCO UNIX did not allow "moscow" as a password because it contains "sco" as a substring. And when set to reject real words or numbers, it sometimes objected to hexadecimal strings, so I set passwords in bulk as "0qz" plus a random hex number. Then when I had to change them all, I made them a random hex number plus "qz0".
All mine are like 'gerufh34uih328h23a' and stored in a heavily encrypted file with a key I would only ever forget if I was dead.
Password reset questions are a huge vulnerability, like having a reinforced door with 5 locks on the front of a house, then a large unlocked window round the back