djcapelis (![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small} djcapelis) wrote,@ 2009-05-07 16:00:00 |
|
Dealing with security questions
These days everyone asks you for a question and answer combination to recover a password online. These often stump me... it's fairly easy to find out where I went to elementary school or what my mother's maiden name is. Everytime I have to make a new one of these I'm constantly put into a bind.
The trickiest part of coming up with a good security question and answer pair is trying to meet two criteria that have an annoying tendency to conflict:
It turns out, there is something that matches this criteria quite well. That's relationships and—more particularly for those who have one to take advantage of—a sexual history.
Now this isn't for everyone, obviously some people's sexual history is rather well documented on Web 2.0 and/or rather well known by their friends, but even in some of these cases it can at least cause quite a bit of work for an attacker and can be used for low-security low-risk type of Q&A pairs. Your friends often can mess with you in other ways, logging onto your accounts usually isn't one of the ones they care to bother with. But hey, maybe your friends like messing with you. Whatever, it's up to you.
There's obviously one more concern I didn't quite document either that's brought up rather quickly when you get into relatioinships and sex. The question shouldn't be that embarrassing. Sometimes you end up talking about these over the phone to some poor customer service representative and something like "Who did I first go down on under the bleachers of my old high school that one time?" is probably not a question or an answer you really want to share with them. That's just too much information. (By the way, for those wondering: This is not an example of a valid question that matches my history.)
So what types of questions are appropriate?
Well, did you ever have a short lived relationship? Simply asking the question:
"Who came before Xander?" or "Who came after Yolanda?" where either Xander, Yoland or the person who matches the answer to those questions could be the person you were in that short lived relationship with awhile back that your friends probably (and maybe hopefully?) forgot about by now.
Or even: "Complete the series: Xander, Yolanda, ???, Zeta." For those with more, uhm, elaborate histories the series could even be people you only did a certain types of acts with if you don't want it to be a simple chronological listing of relationships or partners.
Things like "Who was my first kiss?" tend to come up in those stupid Internet quizzes a lot, so avoid those. Things like firsts are often interesting information and people not yourself are likely to remember them. The person you kissed is likely to remember whether or not they were your first, they may not remember whether they were your fourth or fifth... so questions like "Who was the third person I kissed?" is much more likely to be something you'll still be able to answer but other people will find much more difficult.
Now these still leave some room for social engineering, but doesn't everything?
So go meet someone new tonight, it's a security issue.
(In related news... security implications of blogging about how you chose your security questions online? Probably not the best thing to do, leave it to the professionals.)
These days everyone asks you for a question and answer combination to recover a password online. These often stump me... it's fairly easy to find out where I went to elementary school or what my mother's maiden name is. Everytime I have to make a new one of these I'm constantly put into a bind.
The trickiest part of coming up with a good security question and answer pair is trying to meet two criteria that have an annoying tendency to conflict:
- The answer to the question need to be something you'll remember or could easily find out.
- The answer can't be something anyone else would know or could easily find out.
It turns out, there is something that matches this criteria quite well. That's relationships and—more particularly for those who have one to take advantage of—a sexual history.
Now this isn't for everyone, obviously some people's sexual history is rather well documented on Web 2.0 and/or rather well known by their friends, but even in some of these cases it can at least cause quite a bit of work for an attacker and can be used for low-security low-risk type of Q&A pairs. Your friends often can mess with you in other ways, logging onto your accounts usually isn't one of the ones they care to bother with. But hey, maybe your friends like messing with you. Whatever, it's up to you.
There's obviously one more concern I didn't quite document either that's brought up rather quickly when you get into relatioinships and sex. The question shouldn't be that embarrassing. Sometimes you end up talking about these over the phone to some poor customer service representative and something like "Who did I first go down on under the bleachers of my old high school that one time?" is probably not a question or an answer you really want to share with them. That's just too much information. (By the way, for those wondering: This is not an example of a valid question that matches my history.)
So what types of questions are appropriate?
Well, did you ever have a short lived relationship? Simply asking the question:
"Who came before Xander?" or "Who came after Yolanda?" where either Xander, Yoland or the person who matches the answer to those questions could be the person you were in that short lived relationship with awhile back that your friends probably (and maybe hopefully?) forgot about by now.
Or even: "Complete the series: Xander, Yolanda, ???, Zeta." For those with more, uhm, elaborate histories the series could even be people you only did a certain types of acts with if you don't want it to be a simple chronological listing of relationships or partners.
Things like "Who was my first kiss?" tend to come up in those stupid Internet quizzes a lot, so avoid those. Things like firsts are often interesting information and people not yourself are likely to remember them. The person you kissed is likely to remember whether or not they were your first, they may not remember whether they were your fourth or fifth... so questions like "Who was the third person I kissed?" is much more likely to be something you'll still be able to answer but other people will find much more difficult.
Now these still leave some room for social engineering, but doesn't everything?
So go meet someone new tonight, it's a security issue.
(In related news... security implications of blogging about how you chose your security questions online? Probably not the best thing to do, leave it to the professionals.)
