Schneier on Security: Tagged security questions

Entries Tagged "security questions"

Page 1 of 2

Nihilistic Password Security Questions

Posted three years ago, but definitely appropriate for the times.

Posted on September 18, 2020 at 2:08 PM • View Comments

Intimate Partner Threat

Princeton’s Karen Levy has a good article computer security and the intimate partner threat:

When you learn that your privacy has been compromised, the common advice is to prevent additional access—delete your insecure account, open a new one, change your password. This advice is such standard protocol for personal security that it’s almost a no-brainer. But in abusive romantic relationships, disconnection can be extremely fraught. For one, it can put the victim at risk of physical harm: If abusers expect digital access and that access is suddenly closed off, it can lead them to become more violent or intrusive in other ways. It may seem cathartic to delete abusive material, like alarming text messages—but if you don’t preserve that kind of evidence, it can make prosecution more difficult. And closing some kinds of accounts, like social networks, to hide from a determined abuser can cut off social support that survivors desperately need. In some cases, maintaining a digital connection to the abuser may even be legally required (for instance, if the abuser and survivor share joint custody of children).

Threats from intimate partners also change the nature of what it means to be authenticated online. In most contexts, access credentials—like passwords and security questions—are intended to insulate your accounts against access from an adversary. But those mechanisms are often completely ineffective for security in intimate contexts: The abuser can compel disclosure of your password through threats of violence and has access to your devices because you’re in the same physical space. In many cases, the abuser might even own your phone—or might have access to your communications data because you share a family plan. Things like security questions are unlikely to be effective tools for protecting your security, because the abuser knows or can guess at intimate details about your life—where you were born, what your first job was, the name of your pet.

Posted on March 5, 2018 at 11:13 AM • View Comments

Dumb Security Survey Questions

According to a Harris poll, 39% of Americans would give up sex for a year in exchange for perfect computer security:

According to an online survey among over 2,000 U.S. adults conducted by Harris Poll on behalf of Dashlane, the leader in online identity and password management, nearly four in ten Americans (39%) would sacrifice sex for one year if it meant they never had to worry about being hacked, having their identity stolen, or their accounts breached. With a new hack or breach making news almost daily, people are constantly being reminded about the importance of secure passwords, yet some are still not following proper password protocol.

Does anyone think that this hypothetical survey question means anything? What, are they bored at Harris? Oh, I see. This is a paid survey by a computer company looking for some publicity.

Four in 10 people (41%) would rather give up their favorite food for a month than go through the password reset process for all their online accounts.

I guess it’s more fun to ask these questions than to poll the election.

Posted on November 21, 2016 at 6:04 AM • View Comments

Could Keith Alexander's Advice Possibly Be Worth $600K a Month?

Ex-NSA director Keith Alexander has his own consulting company: IronNet Cybersecurity Inc. His advice does not come cheap:

Alexander offered to provide advice to Sifma for $1 million a month, according to two people briefed on the talks. The asking price later dropped to $600,000, the people said, speaking on condition of anonymity because the negotiation was private.

Alexander declined to comment on the details, except to say that his firm will have contracts “in the near future.”

Kenneth Bentsen, Sifma’s president, said at a Bloomberg Government event yesterday in Washington that “cybersecurity is probably our number one priority” now that most regulatory changes imposed after the 2008 credit crisis have been absorbed.

SIFMA is the Securities Industry and Financial Markets Association. Think of how much actual security they could buy with that $600K a month. Unless he’s giving them classified information.

Digby:

But don’t worry, everything Alexander knows will only benefit the average American like you and me. There’s no reason to suspect that he is trading his high level of inside knowledge to benefit a bunch of rich people all around the globe. Because patriotism.

Or, as Recode.net said: “For another million, I’ll show you the back door we put in your router.”

EDITED TO ADD (7/13): Rep. Alan Grayson is suspicious.

Posted on June 24, 2014 at 2:30 PM • View Comments

Security Question Cartoon

Funny.

Posted on October 1, 2012 at 1:12 PM • View Comments

Naming Pets

Children are being warned that the name of their first pet should contain at least eight characters and a digit.

Posted on July 6, 2012 at 9:40 AM • View Comments

Captchas

Funny.

Posted on February 10, 2012 at 2:08 PM • View Comments

I’ve already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here’s a new one, courtesy of the National Archives: “What is your preferred internet password?” I have been told that Priceline has the same one, which implies that this is some third-party login service or toolkit.

Posted on September 8, 2011 at 6:14 AM • View Comments

Fun with Secret Questions

Ally Bank wants its customers to invent their own personal secret questions and answers; the idea is that an operator will read the question over the phone and listen for an answer. Ignoring for the moment the problem of the operator now knowing the question/answer pair, what are some good pairs? Some suggestions:

Q: Do you know why I think you’re so sexy?
A: Probably because you’re totally in love with me.

Q: Need any weed? Grass? Kind bud? Shrooms?
A: No thanks hippie, I’d just like to do some banking.

Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.
A: Go forth, and kill. Zardoz has spoken.

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.

Q: I’ve been embezzling hundreds of thousands of dollars from my employer, and I don’t care who knows it.
A: It’s a good thing they’re recording this call, because I’m going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

Okay, now it’s your turn.

Posted on April 30, 2010 at 7:24 AM •

Secret Questions

Interesting research:

Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised. For an attacker who can make more than 3 guesses and wants to break into 50% of available accounts, no distributions gave more than about 12 bits of effective security. The actual values vary in some interesting ways-South Korean names are much easier to guess than American ones, female first names are harder than male ones, pet names are slightly harder than human names, and names are getting harder to guess over time.

I’ve written about this problem.

EDITED TO ADD (4/13): xkcd on the secret question.

Posted on March 16, 2010 at 6:44 AM • View Comments

1 2 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.