Network World’s Identity Management Newsletter, 12/11/06
Secret questions are not foolproof
By Dave Kearns
The problem, as many have pointed out, is that this so-called secret information is readily discoverable by anyone who wants to dig a bit. As security maven Bruce Schneier said in “The Curse of the Secret Question”: “I’ll bet the name of my family’s first pet is in some database somewhere.” Bruce’s suggestion? “My usual technique is to type a completely random answer – I madly slap at my keyboard for a few seconds – and then forget about it. This ensures that some attacker can’t bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password.” Well, that actually defeats the one good purpose of the secret question as well as blocking the bad uses – an example of tossing out the baby with the bathwater. I’ve got a better suggestion.
May I suggest our old friend ROBOFORM’s random string generator?
Yup, for each site that needs my Mom’s maiden name, they can have a unique one. F53FA849645C26 for Yahoo, EFA897CABA45D4 for Google, and DAD999B5244BA2 for AOL.
And, if they want my favorite pet’s name, it’s in turn C9AF, 7B2B, or 222459.
See, spammers can go ahead and guess all they want!
And, my first car was a BAD753!
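The approach above, worked through in code as an added example (this is not the column's own material, and it stands in for RoboForm with Python's `secrets` module): a per-site vault hands out an independent random hex answer for each (site, question) pair, and a small model of the site side shows why that answer resists a guess list while a real pet name does not. The 14-character length, the `AnswerVault` class, the PBKDF2 storage and the candidate list are all assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Assumed (not from the column): 14 hex characters, matching the length of the
# example answers quoted there, e.g. F53FA849645C26.
ANSWER_HEX_CHARS = 14
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the site-side hash


def random_answer(n_hex: int = ANSWER_HEX_CHARS) -> str:
    """Return n_hex upper-case hex characters drawn from the OS CSPRNG.

    secrets.token_hex(k) yields 2*k hex characters, so request enough bytes
    and trim; every hex character carries 4 bits of entropy.
    """
    return secrets.token_hex((n_hex + 1) // 2)[:n_hex].upper()


def entropy_bits(answer: str) -> int:
    """Entropy in bits of a uniformly random hex string of this length."""
    return 4 * len(answer)


class AnswerVault:
    """Hypothetical local store: one independent random answer per (site, question).

    This is the column's idea of a different 'mother's maiden name' for every
    site. A real deployment keeps this inside an encrypted password manager,
    not a plain dict in memory.
    """

    def __init__(self) -> None:
        self._answers: Dict[Tuple[str, str], str] = {}

    def answer_for(self, site: str, question: str) -> str:
        # Normalise so "Yahoo" and "yahoo" map to the same stored answer.
        key = (site.lower(), question.strip().lower())
        if key not in self._answers:
            self._answers[key] = random_answer()
        return self._answers[key]


# --- Site side: how a well-built site should store and check the answer -----

def _normalize(answer: str) -> str:
    """Sites typically ignore case and surrounding whitespace in answers."""
    return answer.strip().lower()


def store_answer(answer: str) -> Tuple[bytes, bytes]:
    """Salt-and-hash the answer; the site keeps (salt, digest), never the answer."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def check_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored record."""
    probe = hashlib.pbkdf2_hmac(
        "sha256", _normalize(candidate).encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(probe, digest)


def guesses_needed(candidates: Iterable[str], salt: bytes, digest: bytes) -> Optional[int]:
    """How many entries of a candidate list are tried before one matches; None if none does."""
    for i, candidate in enumerate(candidates, start=1):
        if check_answer(candidate, salt, digest):
            return i
    return None


# Constructed sample: the kind of answers an acquaintance could look up.
DISCOVERABLE_ANSWERS = ["rex", "fluffy", "max", "bella", "charlie"]


if __name__ == "__main__":
    vault = AnswerVault()
    for site in ("Yahoo", "Google", "AOL"):
        ans = vault.answer_for(site, "Mother's maiden name?")
        print(f"{site}: {ans} ({entropy_bits(ans)} bits)")

    # A real pet name falls to a short list of plausible answers.
    salt, digest = store_answer("Fluffy")
    print("real pet name matched after", guesses_needed(DISCOVERABLE_ANSWERS, salt, digest), "guesses")

    # The vault's random answer is in no such list.
    salt, digest = store_answer(vault.answer_for("Yahoo", "Favorite pet?"))
    print("random answer matched after", guesses_needed(DISCOVERABLE_ANSWERS, salt, digest))
```

Two things the code makes visible that the column's examples leave implicit: the strength comes from length as much as randomness (14 hex characters is 56 bits, but a 4-character answer such as C9AF is only 16 bits, which a site without rate limiting could exhaust), and the scheme only works if the vault itself is backed up, since the random answer is exactly as unrecoverable as Schneier's keyboard-mashing once it is lost.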