Hemingway Authentication Scheme

From 1955, intended as humor:

In the future when I should ever call on the telephone to make a request or issue an order I will identify myself as follows: This is Hemingway, Ernest M. Hemingway speaking and my serial number is 0-363. That is an easy number to remember and is not the correct one which a con man might have. A con character would say 364. So we will make it 363. Any character can then ask how many shares I own and I will reply truly to the best of my knowledge. If the bank has made any once contemplated mergers or there has been a split that I had not been informed of I might give an inaccurate answer.

Posted on July 13, 2010 at 12:42 PM • 26 Comments

Comments

RH • July 13, 2010 1:26 PM

Wouldn't it be better to pick your serial number to be "the first uninteresting number," which has the natural benefit of changing itself whenever a thief shows interest in it!

Roger • July 13, 2010 1:44 PM

So the method here is the exchange of incorrect data which is correct for the particular authentication? Interesting. Could also be extended to use different answers for different meanings. One issue might be remembering or documenting the answers (pre-shared keys) and their meanings.

KathrynH • July 13, 2010 1:47 PM

I've considered that, but the problem is remembering *which* incorrect information you gave the institution with which you are conversing. You can write it down, but that's like writing down a password. It's a big no-no.

QnJ1Y2U • July 13, 2010 2:27 PM

@Kathryn

It's been discussed here often - writing down a password is part of a security tradeoff, and it's usually a good idea. The risk of someone breaking in and finding your notes is much smaller than the risk of someone online guessing your easy-to-remember password.

If you put those notes into a password safe, you're usually even better off.

Rick Lobrecht • July 13, 2010 2:30 PM

Sounds like the telephone authentication scheme used in Sarah Connor Chronicles.

Although I think their number rotated based on date.

peri • July 13, 2010 3:00 PM

R H: the first uninteresting number... natural benefit of changing itself.

How interesting!

Juergen • July 13, 2010 4:15 PM

@RH According to Le Lionnais, the first uninteresting number is 39. Which, he hastens to add, doesn't make it interesting, thus avoiding any paradoxes.

BW • July 13, 2010 4:31 PM

Yeah I don't like giving out accurate information, so for security questions I give lies. With the diversity of mandatory security questions, I can't keep them all straight. Good thing I don't forget my passwords all too often.

But some questions I answer truthfully, only problem being that the answers change with time. So when answering those questions I first have to ask myself "When did I create this account?"

One solution I've found to the generic & easy security questions problem is to mentally add a couple extra words. So "What is your mother's maiden name?" becomes "What is your best friend's mother's maiden name?"

I avoid security questions that I would ever answer in a non-security context.

pdf23ds • July 13, 2010 5:52 PM

I just store answers to "security questions" (what a name) along with my password in my password safe.

lars • July 14, 2010 2:30 AM

I think he got something right there. First he established a shared secret, second he initiated transfer of this secret into safe storage. Assuming that the letter's integrity, authenticity and secrecy are provided, this scheme is neither unheard of nor spectacularly insecure.

We have to criticize the choice of secret in some parts though. For a start the field "serial number" is chosen in a way that may be easy to guess, because it is derived by an overtly simplistic transformation (increment by 1) from an allegedly insecure number (the serial number of Hemingway's account). Some improved methods should be used here.

;-)

Peter A. • July 14, 2010 4:35 AM

Mother's maiden name and such stuff is usually applied in too many contexts. Therefore it is not often feasible to give false or inaccurate information. For example you may be legally or contractually obliged to give accurate information to a bank or some other institution for bookkeeping, but then they reuse portions of it as authentication tokens. This is just braindead, but you are simply not able to change their policy - you have to either accept it or refuse doing business with them. But if it is a common business practice you basically have no choice.

"Security questions" out of the realm of personal data (like favourite color etc.) are a little better, but as Bruce and others have pointed out many times before, these are just alternative passwords and, if answered truthfully or even deceptively but according to the question's meaning, terribly weak ones.

A couple of months ago I was forced by my employer to open an account with one American financial institution. During the activation process I had to provide nearly ten (can't remember the exact number now) authentication tokens. This is just crazy. I have generated all of them by dd'ing my /dev/random and base64'ing the output, then written them all down.
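Peter A.'s procedure (read bytes from /dev/random, base64 them, write the result down as the answer) carried out in Python, as an added example that is not code from the post or from any commenter. `secrets.token_bytes` stands in for `dd` on /dev/random; the question list and the two "institutions" in the demo are constructed for the example.

```python
import base64
import secrets

# Constructed example questions; they stand in for whatever an
# institution's enrolment form actually asks.
SAMPLE_QUESTIONS = [
    "mother's maiden name",
    "city of birth",
    "first pet's name",
    "favourite colour",
]


def random_answer(n_bytes: int = 12) -> str:
    """Return a random answer: n_bytes from the OS CSPRNG, base64-encoded.

    Equivalent to `dd if=/dev/random bs=1 count=12 2>/dev/null | base64`.
    secrets.token_bytes() reads the OS CSPRNG, so the answer carries
    8 * n_bytes bits of entropy; 12 bytes (96 bits) encode to 16 characters.
    """
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def entropy_bits(n_bytes: int) -> int:
    """Entropy of an answer built from n_bytes random bytes."""
    return 8 * n_bytes


def answers_for(questions=SAMPLE_QUESTIONS, n_bytes: int = 12) -> dict:
    """Fresh (question -> answer) table for one institution.

    Every answer is generated independently, so two institutions never
    receive the same answer to the same question, and an answer has no
    relation to the question's meaning, which is the property a truthful
    answer lacks.
    """
    return {q: random_answer(n_bytes) for q in questions}


def shared_answers(table_a: dict, table_b: dict) -> set:
    """Answers present in both tables; empty for independently generated tables."""
    return set(table_a.values()) & set(table_b.values())


def is_well_formed(answer: str, n_bytes: int = 12) -> bool:
    """Check that an answer read back from a password safe decodes to n_bytes bytes."""
    try:
        raw = base64.b64decode(answer, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) == n_bytes


if __name__ == "__main__":
    bank = answers_for()    # table for one constructed institution
    broker = answers_for()  # table for another
    for question, answer in bank.items():
        print(f"{question:22} {answer}")
    print("answers shared between the two institutions:", shared_answers(bank, broker))
```

The generated table is the thing to keep in a password safe, as pdf23ds suggests above: each answer is as strong as a 96-bit random password and, unlike a real maiden name, is not on record anywhere else.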

Bill • July 14, 2010 5:16 AM

I have multiple 'mothers maiden names'.

I'm forgetful, but call centres are content to let me cycle through the list until I find the right one. :)

It is a dumb process, but I accept the risks for utility; after all I've no idea who's really on the end of the line ('John' in Bangalore, really?) nor their intent. But so far, so good.

Nemo • July 14, 2010 10:42 AM

I've used - and advocated (see www.slugsite.com/archives/1328) - using fictitious answers to security questions that are plausible/possible answers to *other* common security questions. Works great for computer systems, but call center staff seem to have difficulty accepting that *my* answer to, say, "What's your mother's maiden name?" really is "New York City", and that *my* answer to "where were you born?" is "McNamara", so I suppose there are tradeoffs.

phred14 • July 14, 2010 11:34 AM

@QnJ1Y2U

I write my passwords on scraps of paper and put them in the change compartment of my wallet. I'm always careful with my wallet. It's practically always either in my pocket or in its storage place. In addition, because the little pieces of paper are jumbled around with coins, they "expire" with time, becoming unreadable and falling apart.

We're all "trained" to be careful with our money, so this is training re-use. I also have pwsafe/MyPasswordSafe, and its master passphrase is strictly memorized. I only write down one particular password - the one I need most often.

p@ssw0rD • July 14, 2010 12:21 PM

@Bill
I have multiple 'mothers maiden names'.

That is a good practice.
In the words of PI Extraordinaire Steve Rambam, "Make one up."

Uncle Ernie • July 14, 2010 6:30 PM

He was an old man alone at his computer, and he had gone 84 days now without being asked for proper authentication. In the beginning, there had been a cat with him, but the cat's parents had told it that the old man was salao, which is the worst kind of security risk, so now he computed alone....... Hey, that's not too bad! I can write again! Maybe life IS worth living!.....Hang on a minute. Let me get my toe out of this trigBAM!!

Chris, just Chris • July 15, 2010 2:14 AM

My relationship with my mother provides me with a never-ending supply of humorous, memorable and not-trivially-guessable answers to security questions. Do you have any idea how many names there are for unpleasant eternal destinations and their wicked rulers? ;)

Savanik • July 15, 2010 9:27 AM

@Bill

"I'm forgetful, but call centres are content to let me cycle through the list until I find the right one. :)"

Hmm, so your call centers are used to you giving several wrong answers as well? Now all I need is a list of common maiden names...

Heck, someone good at pretexting might even be able to get the call center to accept something like that without even knowing. "Oh, I had this written down somewhere, it started with an M... no? Maybe an L?"

This does not make me feel more secure.

Raul Alberto jager • July 16, 2010 10:17 AM

For a wrong password, I read a very interesting idea: to set the ATM so that if you type your PIN backwards it will send an alarm for 911 to go immediately to this place. Something like that will be very handy in case you have somebody behind you, with a gun, asking for money.

Steve Parker • July 16, 2010 10:50 AM

@Raul Alberto jager:
Many home alarms have a similar functionality; if you trigger the alarm by mistake, you phone up and give the password to confirm that it is a false alarm, and they don't send anyone round.

If you give the *other* password, they know that an intruder is forcing you to claim that it is a false alarm, so they send the big boys round.

Either way, even if it's on speakerphone, or if the intruder themselves makes the call, using the password you gave them, the security firm are alerted and the intruder is unaware of it.
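The duress-password check Steve Parker describes, together with the reversed-PIN variant Raul Alberto jager mentions, written out as a verifier. This is an added example, not code from the post, the commenters or any alarm company. The two passwords, the PBKDF2 parameters and the operator's reply text are constructed for the demo; the point is that the caller hears the same reply either way and only the backend outcome differs.

```python
import hashlib
import hmac
import secrets

# Constructed demo secrets: the "all clear" password and a distinct duress
# password. In a real deployment both are chosen by the customer at
# enrolment; these values are placeholders for the example.
NORMAL_PASSWORD = "correct horse"
DURESS_PASSWORD = "battery staple"

# Backend outcomes. CLEAR and DURESS must look identical to the caller.
CLEAR, DURESS, REJECT = "clear", "duress", "reject"


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is
    # kept moderate so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def enroll(normal: str, duress: str) -> dict:
    """Store salted hashes of both passwords; plaintexts are never kept."""
    if normal == duress:
        raise ValueError("duress password must differ from the normal password")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "normal": _kdf(normal, salt), "duress": _kdf(duress, salt)}


def verify(record: dict, candidate: str) -> str:
    """Classify a spoken password as CLEAR, DURESS or REJECT.

    Both comparisons run unconditionally with hmac.compare_digest, so the
    time taken does not reveal which secret (if any) was matched.
    """
    digest = _kdf(candidate, record["salt"])
    is_normal = hmac.compare_digest(digest, record["normal"])
    is_duress = hmac.compare_digest(digest, record["duress"])
    if is_normal:
        return CLEAR
    if is_duress:
        return DURESS
    return REJECT


def phone_reply(outcome: str) -> str:
    """What the operator says back; deliberately identical for CLEAR and DURESS."""
    if outcome in (CLEAR, DURESS):
        return "Thank you, alarm cancelled."
    return "Sorry, that does not match our records."


def reverse_pin_usable(pin: str) -> bool:
    """Reversed-PIN variant: a palindromic PIN has no distinct duress form."""
    return pin != pin[::-1]


DEMO_RECORD = enroll(NORMAL_PASSWORD, DURESS_PASSWORD)

if __name__ == "__main__":
    for spoken in (NORMAL_PASSWORD, DURESS_PASSWORD, "wrong"):
        outcome = verify(DEMO_RECORD, spoken)
        print(f"{spoken!r:>18} -> backend={outcome:6}  caller hears: {phone_reply(outcome)}")
    for pin in ("1234", "1221"):
        print(f"PIN {pin}: reversed form usable as duress signal? {reverse_pin_usable(pin)}")
```

Two design points the code makes explicit: enrolment refuses a duress password equal to the normal one, since there would be nothing to signal with; and the reversed-PIN scheme only works for PINs that are not palindromes (1221 reversed is still 1221), which a bank would have to check at PIN selection time.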

Other Pedant • July 20, 2010 11:45 AM

When websites ask for my birthday, I generally tell them it was yesterday, and forget about it. That's only ever once caused a problem: when I wanted to reset my Yahoo password, that was the meta-key. (No badguy could ever know my birthday?)

Jonathan • July 31, 2010 6:41 PM

The proliferation of websites demanding that you set up security questions & answers as part of creating your account means that hundreds of unimportant organizations have personal information about you that can be stolen and used to break into your important accounts.

At first what I used to do was use profanity as the question and/or answer in every case. Then it dawned on me that this didn't solve the problem, because the problem is actually answers being the same across the board, even if they are just profanity.

The only real defense against websites demanding personal information is to use random information every time and not lose your password, as someone else also posted.

Is it a paradox that we have to employ countermeasures against security measures that are ostensibly in our interest?

Clive Robinson • August 1, 2010 12:27 AM

@ Jonathan,

"Is it a paradox that we have to employ countermeasures against security measures that are ostensibly in our interest"

Short answer is "No".

The slightly longer answer is "It is the result of the fallibility of the human mind expressed as something approximating the lowest common denominator of average human ability".

That is, we know by experience all humans "forget", that is knowledge fades. However what they can remember and for how long appears dependent on many things.

For instance the length of time you can remember knowledge appears to be based on, amongst others,

- How young you were when you first became aware of the information.
- How frequently you have cause to revisit that information captured by your mind as knowledge.
- What you do with the knowledge on recall.

Also there appear to be significant differences between short term and long term memory. And the conversion from short term to long term is affected by the rate at which you become aware of new information (information overload).

Further the ability to recall long term memories to short term memory for conscious use is affected by the rate you are being exposed to new information at the time (it's why shutting your eyes and humming or sticking your fingers in your ears appears to help you remember).

Likewise for similar reasons converting the short term knowledge into a physical action appears to vastly strengthen a long term memory (that is, writing it down actually makes the memory stronger). This may also be in part due to the fact the conversion to a mechanical process holds the information in your short term memory significantly longer than you would otherwise do and thus the conversion to long term memory is reinforced. This is one of the areas under investigation with "Cognitive Behavioral Therapy" which has many otherwise very odd and effectively inexplicable results.

There is also the issue of "associativity" as well, that is an infrequently recalled piece of knowledge gets strengthened by being associated with another piece of information that is frequently recalled. An apt example of this is "mother's maiden name".

Again associativity appears to be vastly strengthened by conversion through a physical sense such as touch or smell.

I could give you a bunch of (dubious) analogies such as "VDU screen burn in" or "deepening grooves by repetitive over writing" for the short to long term memory process and "path lengths on access trees" for associativity etc, but as we don't really have much of a clue as to how human memory really works...

What we do know from experience is that the normal conscious human mind does forget and recall of knowledge gets progressively more difficult with time between recalls (importantly there are exceptions to this normal "memory fade" such as "savants" found on the Autistic Spectrum [1]).

So you have the odd situation that a frequently used password usually becomes embedded in a person's mind, whilst the security questions and answers attached to it are very infrequently used.

Thus all other things being equal you would expect the security question and answer to be normally forgotten more quickly than the password... Oops...

Thankfully all things are not equal: due to long and repeated use some knowledge becomes deeply embedded and other knowledge inherits the embeddedness by being intimately associated with deeply embedded knowledge.

Thus easily remembered security questions fall into either deeply embedded (first pet's name) or associated with deeply embedded (mother's maiden name).

Unfortunately "deeply embedded" knowledge is, due to the very reason it is deeply embedded, usually very well known to others and thus a matter of record in one way or another.

And where there is a record it can be found by those unknown to us either by direct access to the record or through another person who has access to the record (the Ms Palin problem).

The very difficult part in this modern "interconnected information" age is not in remembering knowledge or in accessing others' records, but in stopping the record being made in the first place.

It is because of this "fallible memory" / "infallible record" problem we have a large number of security issues when the record is also "available".

Unfortunately the most desirable solution of "no records" is not going to happen for a plethora of reasons.

Nor for the same reasons the next best option of "no access to records", but it gives a big clue as to a way forward.

Which is to create unique and non-identifiable records that only you have access to. Thus something like a password safe where frequent use of the locking password embeds it deeply in your mind alone, and the use of random passwords, security questions and answers.

However there is still one problem,

"Where did I leave the bl**dy thing!!!"

Without other precautions such as backups the system is fragile. But this in turn creates security issues...

If the backup is not securely encrypted it can be copied and "brute forced" in a period of time proportional to the strength of the password.

And as you have to remember this password for a very very long time with infrequent access we get back to the original problem of the fallibility of the human mind.

Thus in turn you get back to the issue of unique records with access locked to the record creator.

Solve this problem within the context of the fallible human mind and you've cracked the "password" problem.


[1] Autistic Spectrum Disorders (ASD) appear to have some connection to "left handedness" and "males" and are considerably more prevalent in engineers and scientists and those who deal with information as opposed to physical objects. Architects and designer engineers for instance work with the often abstract information about physical objects not the objects themselves, and in the process transform the abstract information that appears "ugly" to most people into a physical realisation that has "beauty" even though it might remain abstract.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..