Comments

--October 1, 2012 1:42 PM

If you really, really, really have to link from the bowels of the devil, please use a direct link to the jpg..

makonyOctober 1, 2012 2:27 PM

Not cool.

Clicking on the link with a mobile phone takes me to a login page at http://m.facebook.com/login.php?
next=https%3A%2F%2Fm.facebook.com%2Fphoto.php%3Ffbid%3D1015124540753523%2522%26
refsrc%3Dhttp%253A%252F%252Fwww.schneier.com%252Fblog%252Farchives%252F2012%252F10%252Fsecurity_questi_1.html&
refsrc=http%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2012%2F10%2Fsecurity_questi_1.html&_rdr

curtmackOctober 1, 2012 2:29 PM

@Adrian

12 alphanumerics? That's only 72 bits man. Hashcat could crack that in a mere 67,392 years.

So weak.

curtmackOctober 1, 2012 3:03 PM

This of course assumes that you could feed it the 80 zettabyte dictionary file; even if you generated it as a CLI stream I'm not sure if hashcat would take kindly to being given a dictionary that large.

boogOctober 1, 2012 3:42 PM

@lazlo

Why is there an eye in the bush in the top right?
Obviously the bush is eavesdropping, waiting to see the pet's name the moment the word balloon appears containing it.

bizOctober 1, 2012 4:31 PM

@lazlo

Bizarro usually have a lot of these unrelated objects like an eye, alien, fish, bird and so on. This cartoon had only one, which is a bit uncommon.

Ryan RiesOctober 1, 2012 6:46 PM

I hate hate hate security questions. I would bet that a large portion of the answers to security questions are known to most of the subject's friends, family and loved ones. (And disgruntled exes.) Which totally defeats the strongest of passwords, even if you changed your password daily. Everyone you've ever known can reset your password for you as long as they know your mother's maiden name!

Any system that asks me for a security question when I'm setting up an account, I simply answer it with a long string of gibberish that even I don't remember.

itgrrlOctober 1, 2012 11:43 PM

@Ryan: I use a very simple technique to make my answers to security questions less guessable - simply choose an answer from a different set of answers than that presumed by the question.

e.g.
Challenge: What is your favourite colour?
Response: Mt Vesuvius.

Challenge: First car you owned?
Response: Octopus.

:-)

Fred POctober 2, 2012 8:55 AM

@itgrrl - I tried that, but as a sentence "The cutest Octopus I ever met

As such, I devolved to Ryan Ries's approach. In most cases, my answers to security questions are likely stronger than the passwords themselves.

Anonymous CowardOctober 2, 2012 9:42 AM

I try to answer the questions that would be easy to get wrong if you just researched my life.

For example (not true for me), if I have a biological father that is not my legal father on my birth certificate I could use information about him to answer father questions.

Jeff HOctober 2, 2012 10:09 AM

It says "Pet Parking Eunuch Humping Loaf" above the comic. I thought this was part of the joke as it looks like an XKCD-style password. It turns out that each word is associated with each of the comics in the post... which is far less funny.

Fred POctober 2, 2012 11:15 AM

Apparently, part of my comment was de-fanged; no ASCII heart for me.

The omitted portion mostly describes hitting a character limit for a sentence, which forced my into the random/arbitrary password a la Ries.

DanOctober 6, 2012 3:33 PM

I thought I was clever in entering gibberish answers for security questions until the time I called the phone company for service:

"And for security, what's your mother's... wait, that can't be right, we'll just skip that. How can I help you?"

JonadabOctober 9, 2012 5:00 PM

> "This is my dog BNuTb2h8LjDr."'
> 12 alphanumerics? That's only 72 bits man.

Actually, there's significantly less than 72 bits of entropy there. It alternates much too regularly between the three character subsets (with no sequence being more than two characters long). Also, the letter selection is very heavily biased toward the middle of the keyboard (assuming a QWERTY layout). A quick back-of-the-envelope estimate suggests it may have somewhere between 45 and 50 bits of entropy.

Which is still much better than the average security question answer, granted.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..