Comments
If you really, really, really have to link from the bowels of the devil, please use a direct link to the jpg.
Adrian Lopez • October 1, 2012 1:49 PM
“This is my dog BNuTb2h8LjDr.”
The link doesn’t work. Prompts for a password?
lazlo • October 1, 2012 2:10 PM
Why is there an eye in the bush in the top right?
makony • October 1, 2012 2:27 PM
Not cool.
Clicking on the link with a mobile phone takes me to a login page at http://m.facebook.com/login.php?next=https%3A%2F%2Fm.facebook.com%2Fphoto.php%3Ffbid%3D1015124540753523%2522%26refsrc%3Dhttp%253A%252F%252Fwww.schneier.com%252Fblog%252Farchives%252F2012%252F10%252Fsecurity_questi_1.html&refsrc=http%3A%2F%2Fwww.schneier.com%2Fblog%2Farchives%2F2012%2F10%2Fsecurity_questi_1.html&_rdr
curtmack • October 1, 2012 2:29 PM
@Adrian
12 alphanumerics? That’s only 72 bits, man. Hashcat could crack that in a mere 67,392 years.
So weak.
curtmack • October 1, 2012 3:03 PM
This of course assumes that you could feed it the 80 zettabyte dictionary file; even if you generated it as a CLI stream I’m not sure if hashcat would take kindly to being given a dictionary that large.
boog • October 1, 2012 3:42 PM
@lazlo
Why is there an eye in the bush in the top right?
Obviously the bush is eavesdropping, waiting to see the pet’s name the moment the word balloon appears containing it.
biz • October 1, 2012 4:31 PM
@lazlo
Bizarro usually has a lot of these unrelated objects like an eye, alien, fish, bird and so on. This cartoon had only one, which is a bit uncommon.
Ryan Ries • October 1, 2012 6:46 PM
I hate hate hate security questions. I would bet that a large portion of the answers to security questions are known to most of the subject’s friends, family and loved ones. (And disgruntled exes.) Which totally defeats the strongest of passwords, even if you changed your password daily. Everyone you’ve ever known can reset your password for you as long as they know your mother’s maiden name!
Any system that asks me for a security question when I’m setting up an account, I simply answer it with a long string of gibberish that even I don’t remember.
itgrrl • October 1, 2012 11:43 PM
@Ryan: I use a very simple technique to make my answers to security questions less guessable – simply choose an answer from a different set of answers than that presumed by the question.
e.g.
Challenge: What is your favourite colour?
Response: Mt Vesuvius.
Challenge: First car you owned?
Response: Octopus.
🙂
Alkatr0z • October 2, 2012 12:26 AM
Here’s a link to Security Monkeys blog post just recently where someone asked him for help with their personal photos being stolen from their iPhone which naturally involved security questions.
http://it.toolbox.com/blogs/securitymonkey/how-your-naked-pictures-ended-up-on-the-internet-53185
onearmedspartan • October 2, 2012 2:09 AM
What if the kid names the dog ‘Password’? or 12345? or ‘qwerty’?!
dilbert • October 2, 2012 7:35 AM
That’s hilarious! My dog’s name is Qwerty!
Fred P • October 2, 2012 8:55 AM
@itgrrl – I tried that, but as a sentence “The cutest Octopus I ever met <3” – the problem is that I quickly ran into character limits (your car model must be less than 12 characters long!).
As such, I devolved to Ryan Ries’s approach. In most cases, my answers to security questions are likely stronger than the passwords themselves.
Anonymous Coward • October 2, 2012 9:42 AM
I try to answer the questions that would be easy to get wrong if you just researched my life.
For example (not true for me), if I have a biological father that is not my legal father on my birth certificate I could use information about him to answer father questions.
Jeff H • October 2, 2012 10:09 AM
It says “Pet Parking Eunuch Humping Loaf” above the comic. I thought this was part of the joke as it looks like an XKCD-style password. It turns out that each word is associated with each of the comics in the post… which is far less funny.
Fred P • October 2, 2012 11:15 AM
Apparently, part of my comment was de-fanged; no ASCII heart for me.
The omitted portion mostly describes hitting a character limit for a sentence, which forced me into the random/arbitrary password a la Ries.
No One • October 2, 2012 12:32 PM
@Jeff H: Or a clever way of remembering the random word password.
random blurt • October 2, 2012 4:16 PM
Hey! “Pet Parking Eunuch Humping Loaf” is my secret password.
Jose • October 3, 2012 3:10 PM
Amazingly true… for most regular users…
There’s an eye in each cartoon.
Dan • October 6, 2012 3:33 PM
I thought I was clever in entering gibberish answers for security questions until the time I called the phone company for service:
“And for security, what’s your mother’s… wait, that can’t be right, we’ll just skip that. How can I help you?”
Jonadab • October 9, 2012 5:00 PM
“This is my dog BNuTb2h8LjDr.”
12 alphanumerics? That’s only 72 bits man.
Actually, there’s significantly less than 72 bits of entropy there. It alternates much too regularly between the three character subsets (with no sequence being more than two characters long). Also, the letter selection is very heavily biased toward the middle of the keyboard (assuming a QWERTY layout). A quick back-of-the-envelope estimate suggests it may have somewhere between 45 and 50 bits of entropy.
Which is still much better than the average security question answer, granted.
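An added example (not from the thread) that puts numbers on the two estimates above: it reproduces the naive 72-bit keyspace figure for 12 alphanumerics and then counts how much of that keyspace survives the first of Jonadab’s observations, that no run of the same character class (upper, lower, digit) in the sample answer is longer than two characters. The run bound is treated as an assumption about the attacker’s model; the QWERTY keyboard bias he also mentions is not modelled.

```python
"""Entropy estimates for a 12-character alphanumeric security-question answer."""
import math
from functools import lru_cache

# Character classes and their sizes (assumption: plain ASCII alphanumerics).
CLASSES = {"upper": 26, "lower": 26, "digit": 10}


def char_class(c: str) -> str:
    if c.isdigit():
        return "digit"
    return "upper" if c.isupper() else "lower"


def naive_bits(length: int, alphabet: int = 62) -> float:
    """log2 of the full keyspace: every position independent and uniform."""
    return length * math.log2(alphabet)


def max_run(s: str) -> int:
    """Longest run of consecutive characters drawn from the same class."""
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if char_class(a) == char_class(b) else 1
        best = max(best, run)
    return best


def constrained_keyspace(length: int, max_run_len: int) -> int:
    """Count strings of `length` chars whose class runs never exceed max_run_len.
    Dynamic programme over (chars remaining, current class, current run length)."""
    @lru_cache(maxsize=None)
    def count(remaining: int, cls: str, run: int) -> int:
        if remaining == 0:
            return 1
        total = 0
        for nxt, size in CLASSES.items():
            if nxt == cls:
                if run < max_run_len:  # extend the current run only while allowed
                    total += size * count(remaining - 1, nxt, run + 1)
            else:
                total += size * count(remaining - 1, nxt, 1)
        return total
    # First character: pick any class, run length starts at 1.
    return sum(size * count(length - 1, cls, 1) for cls, size in CLASSES.items())


def constrained_bits(s: str) -> float:
    """Bits left if the attacker knows the class-run bound observed in s."""
    return math.log2(constrained_keyspace(len(s), max_run(s)))


if __name__ == "__main__":
    sample = "BNuTb2h8LjDr"  # the answer string quoted in the thread
    print(f"naive: {naive_bits(len(sample)):.2f} bits")
    print(f"max class run {max_run(sample)}: {constrained_bits(sample):.2f} bits")
```

The run bound alone removes only a couple of bits; any further reduction has to come from the positional regularity and keyboard bias, which this model leaves out.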
tralqst • October 1, 2012 1:34 PM
Wow, linking to Facebook, that’s new…