Entries Tagged "comics"


Secret Questions

Interesting research:

Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised. For an attacker who can make more than 3 guesses and wants to break into 50% of available accounts, no distributions gave more than about 12 bits of effective security. The actual values vary in some interesting ways: South Korean names are much easier to guess than American ones, female first names are harder than male ones, pet names are slightly harder than human names, and names are getting harder to guess over time.

I’ve written about this problem.

EDITED TO ADD (4/13): xkcd on the secret question.

Posted on March 16, 2010 at 6:44 AM
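
An added example, not code from the post or from the research it quotes: how a site operator could measure the "effective security" of a secret question from its own answer counts. It assumes that bits for a guess-limited attacker means lg(guesses / share of accounts opened), which matches the excerpt's "8 bits" and "1 in 256 guesses", and that the 50% figure is lg(guesses needed / share covered); the answer counts and function names are constructed for illustration.

```python
from collections import Counter
from math import log2

def sample_answers():
    """Constructed answer counts for 1000 accounts (not real data)."""
    head = [40, 30, 30, 25, 25, 20, 20, 20, 15, 15]   # a few very popular answers
    sizes = head + [8] * 40 + [1] * 440                # mid-range and one-off answers
    return Counter({f"answer{i}": n for i, n in enumerate(sizes)})

def success_rate(counts, guesses):
    """Share of accounts opened by trying the `guesses` most common answers."""
    top = sorted(counts.values(), reverse=True)[:guesses]
    return sum(top) / sum(counts.values())

def bits_limited(counts, guesses=3):
    """Effective bits against an attacker stopped after `guesses` tries (assumed metric)."""
    return log2(guesses / success_rate(counts, guesses))

def guesses_for_share(counts, share=0.5):
    """Fewest most-common answers covering `share` of accounts, and the share covered."""
    total, covered = sum(counts.values()), 0
    for n, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        covered += c
        if covered >= share * total:
            return n, covered / total
    raise ValueError("share must be between 0 and 1")

def bits_share(counts, share=0.5):
    """Effective bits against an attacker who wants `share` of all accounts (assumed metric)."""
    n, covered = guesses_for_share(counts, share)
    return log2(n / covered)

if __name__ == "__main__":
    answers = sample_answers()
    # Naive estimate: treat every distinct answer as equally likely.
    print(f"distinct answers: {len(answers)} (naive {log2(len(answers)):.1f} bits)")
    print(f"3 guesses open {success_rate(answers, 3):.1%} of accounts "
          f"-> {bits_limited(answers, 3):.1f} bits")
    n, covered = guesses_for_share(answers, 0.5)
    print(f"{n} guesses cover {covered:.1%} -> {bits_share(answers, 0.5):.1f} bits")
```

The gap between the naive figure and the two attacker-centred figures is the point: a skewed answer distribution gives far less protection than the number of distinct answers suggests.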

Cybersecurity Theater at FOSE

FOSE, the big government IT conference, has a “Cybersecurity Theater” this year. I wonder if they’ll check photo IDs.

On a similar note, I am pleased that my term “security theater” has finally hit the mainstream. It’s everywhere. My favorite variant is “security theater of the absurd.”

And this great cartoon. And two more.

Jon Stewart didn’t use the words “security theater,” but he was pretty funny on January 4.

Posted on January 8, 2010 at 12:14 PM
