{"id":480,"date":"2008-09-25T02:56:48","date_gmt":"2008-09-25T07:56:48","guid":{"rendered":"http:\/\/www.mccambridge.org\/blog\/?p=480"},"modified":"2022-09-11T00:40:37","modified_gmt":"2022-09-11T00:40:37","slug":"a-note-about-security-questions","status":"publish","type":"post","link":"http:\/\/www.mccambridge.org\/blog\/2008\/09\/a-note-about-security-questions\/","title":{"rendered":"A Note About Security Questions"},"content":{"rendered":"<p>I saw a post at <a href=\"http:\/\/www.schneier.com\/blog\/\">Schneier on Security<\/a> this evening that I wanted to highlight.\u00a0 In light of the Palin email hack incident, Bruce Schneier <a href=\"http:\/\/www.schneier.com\/blog\/archives\/2008\/09\/sarah_palins_e-.html\">discusses the &#8220;extra security questions&#8221;<\/a> that various websites will ask you to verify your identity in case you&#8217;ve lost your password.\u00a0 You&#8217;ve seen these: the things like, &#8220;What was your first high school mascot?&#8221;\u00a0 As Schneier points out, these are the opposite of increased security.\u00a0 In fact, they can make you <em>more<\/em> vulnerable, because they are usually quite easy to figure out.<\/p>\n<p>Let&#8217;s see&#8230; Colin grew up in Green Bay, WI.\u00a0 Even counting the parochial schools and allowing that he might live as far away from Green Bay as, say, a radius of one county in any direction, that will leave us what, maybe a dozen school districts and perhaps two dozen high school mascots to try?\u00a0 Hmm&#8230; what is harder to guess: a 8-12 character password of letters and numbers (36<sup>8<\/sup>+&#8230;+36<sup>12<\/sup> = 4,784 million billion possibilities) to log in to my account, or a high school mascot (24 possibilities) to get the opportunity to <em>pick<\/em> the password to my account?\u00a0 Even if I were from somewhere with a few more schools to pick from, say New York, the list is still, shall we say, &#8220;short&#8221; compared to the number of passwords an attacker does <em>not<\/em> have to guess.<\/p>\n<p>Oh, and shucks&#8230; Looks like I just gave away the answer to &#8220;City you grew up in?&#8221;<\/p>\n<p>Thinking about this reminded me of a related experience from a recent ordeal in opening a bank account.\u00a0 Near the very end of the application, the bank pulled data from my credit report to &#8220;verify my online identity.&#8221;\u00a0 Presumably, they were going to ask me questions that only I or someone with very intimate knowledge of my financial situation and history could know the answers to.\u00a0 Well, two slight problems with that idea.<\/p>\n<ul>\n<li><strong>Problem the First:<\/strong> They had one of the answers wrong.\u00a0 Believe me.\u00a0 I took the test 7 times over several weeks, and surprisingly, I happen to know exactly what type (mobile, land line, pager, etc) of phone number the number I gave them was.\u00a0 Their answer (whatever it was&#8230;) was wrong.\u00a0 How do I know that I didn&#8217;t get one of the other questions wrong?\u00a0 Well&#8230;<\/li>\n<li><strong>Problem the Second: <\/strong>They asked a question <em>anyone<\/em> could answer correctly:\u00a0 &#8220;In what state was your social security number issued?&#8221;\u00a0 This doesn&#8217;t seem so bad on first blush: after all, you&#8217;d need to know where I was born to know that.\u00a0 Except for the slight problem that <a href=\"http:\/\/www.cdc.gov\/nchs\/howto\/w2w\/w2welcom.htm\">births are public record<\/a>, so anyone who knew enough about me to forge a bank application but happened to lack my place of birth could readily guess and find out, and second: social security numbers are issued with the first three digits <a href=\"http:\/\/www.csgnetwork.com\/ssnmbrcalc.html\">identifying the place<\/a> they were issued in.\u00a0 Oh, and the application just asked for that social security number, too&#8230; funny, that.<\/li>\n<\/ul>\n<p>I&#8217;ll not claim to be the security wizard that Mr. Schneier is, but I do think it is a great idea to try to think things through, and hope I can encourage that for you as well.<\/p>\n<p>For those security questions? I like answers like: &#8220;My high school mascot was a enT&amp;)slelj3734lcnsf8a-1-&amp;&amp;+{&#8221;<\/p>\n<p>You either trust yourself to remember your password, or you don&#8217;t.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I saw a post at Schneier on Security this evening that I wanted to highlight.\u00a0 In light of the Palin email hack incident, Bruce Schneier discusses the &#8220;extra security questions&#8221; that various websites will ask you to verify your identity in case you&#8217;ve lost your password.\u00a0 You&#8217;ve seen these: the things like, &#8220;What was your [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/posts\/480"}],"collection":[{"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/comments?post=480"}],"version-history":[{"count":1,"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/posts\/480\/revisions"}],"predecessor-version":[{"id":1559,"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/posts\/480\/revisions\/1559"}],"wp:attachment":[{"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/media?parent=480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/categories?post=480"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mccambridge.org\/blog\/wp-json\/wp\/v2\/tags?post=480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}