[personal profile] which_chick
I recently verified and updated my master list (it's hardcopy) of passwords and usernames. I have a lot of them, from livejournal and flickr to fitocracy and facebook, thence to reddit, metafilter, amazon and beyond. There's online banking at three banks, a brokerage account, my EZpass (for the turnpike), my cell phone, my credit card, my gmail, my administrator passwords for home and work computers... all of them allegedly different, all allegedly some monster combination of numbers, letters, special characters, and so forth.



It turns out that there are, for me, passwords that matter and passwords that don't matter. If you want to post to flickr as "me", well, OK. If you are interested in claiming I do heavy lifts on fitocracy, fine. If you want to make off with 50K of stock in my brokerage account, not-so-OK. In fact, that might piss me off pretty seriously. If you want to buy a shit-ton of books using the 15K of credit card that I have on file with Amazon, yeah, that's a problem too.

The internet recognizes that some security is more important than other security, as well. As an effort to provide more "security", many of my financially-oriented sites have security questions. Security questions, or (more realistically) "security" questions, are a waste of time and space. First off, the space they suggest for you to use for your answer is insufficient. Take, for example, "Year your father was born" -- for most people, the answer is going to be 19xx. My dad (71) has (currently deceased) parents who were born in 19xx. I (43) have parents who were born in 19xx. My brother's son (12) has parents who were born in 19xx. So, the space that actually varies for the damn answers is the xx part. That's 99 different things to put in there, which is trivial to get by trial-n-error. How many answers do you think the cracker person has to decode to figure out that the "security" question is "Year of *event*" and that *event* happened in the 19xx's? Ten? Fifty? If I got ten straight 19xx answers from a file of "security" answers, I would target my brute-force efforts on the 19xx answers, for real. These guys aren't stupid.

"Security" questions that don't ask for a year presuppose a rational, word-based answer, typically a short one. This makes them extremely vulnerable to dictionary attacks. For "City you first lived in after college", once you get a fistful of place names (Philadelphia, Baltimore, Seattle, Chicago, Dallas, Phoenix, etc) then the baddie can focus his or her efforts on "place names" of which I am sure there is a database somewhere.

By using words or years, the "security" questions are limiting the sorts of answers that one might give. Sometimes they let you write your own question and answer, which is cute, but even then people put in answers that are not very hard to guess.

What's a security-conscious person to do? I don't have a great answer. What I currently do for things I actually give a shit about having stolen is use strong(er) passwords, insofar as I am able, answer the "security" questions however I like, and keep a paper copy of site/user/pass combinations and "security" question answers so that I can get into stuff I don't use *that* frequently. (My brokerage account, for example, has my Roth IRA in it. I visit it about 3x a year. I do not need "instant" access to it.) And I have a complicated gmail password that *sigh* I have brute-forced into my head so that I have it.

Strong(er) passwords: more than fifteen characters, including numbers, letters, capital letters, and non-alphanumeric characters like ; or , or &. They do not contain any combination of letters that makes a word or any "l33t" spelling. They are "randomly" generated by virtue of me opening a magazine and taking the first letters and punctuation of a paragraph, with some numbers and crap thrown in there if not enough occurs naturally. So, for example, a good password from the June 2013 issue of Equus would be tro7T dwCatc,ws.Tds21. (Sample password. Not used for any of my accounts... but mine look rather like that.)

"Security" answers: They look rather like the strong(er) passwords. If the question is asking for a date, I do not give it a date. Ever. If the question asks for a name, I do not give a name. So, for example, if the site asks for "favorite flavor of ice cream", I put in something along the lines of TLRos fAbt32yor,wtp dh,. I have yet to come upon "security" questions that make sure your answer is consistent with the question asked. Like, if it says "What year was your mother born?" and you put in TLRos fAbt32yor,wtp dh, it never ever says back "That is not a year. Please enter a year." There's no sanity-checking for security questions, so do what you like with them.
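To put numbers on the argument of the last few paragraphs (a 19xx year is one of about a hundred values, a place name is one of a dictionary, a random-looking string is neither), here is an added Python example; it is not code from the post. It scores an answer by the shape the question forces on it, builds a password the way the post describes (first letter of each word plus the trailing punctuation, digits added if none occur) from a constructed sample paragraph, and checks it against the post's strong(er) rule. The 20,000-entry place-name dictionary, the 95-character printable alphabet and the filler digits are assumptions for illustration. The "random" estimate assumes every character is equally likely, which an acrostic of English text does not achieve, so read that figure as an optimistic ceiling rather than a measurement.

```python
import math
import re
import string

# Alphabet size for a character drawn from printable ASCII (letters, digits,
# punctuation and space): 26 + 26 + 10 + 32 + 1. An assumption for the estimate.
PRINTABLE_ALPHABET = 95

# Assumed size of a place-name dictionary a guesser might use. Order-of-magnitude
# assumption for the illustration, not a measured figure.
PLACE_NAME_DICTIONARY = 20_000


def bits(space_size):
    """Entropy, in bits, of a secret drawn uniformly from `space_size` values."""
    return math.log2(space_size)


def classify_answer(answer):
    """Upper-bound the entropy of a security-question answer by its shape.

    The question text tells the guesser what shape to expect (a year, a place
    name, a flavour), so a 19xx year is scored against a space of 100 values,
    a plain word or phrase against a dictionary, and anything else as a random
    printable string. Returns (kind, bits).
    """
    if re.fullmatch(r"19\d\d", answer):
        return "year", bits(100)
    if re.fullmatch(r"[A-Z]?[a-z]+( [A-Z]?[a-z]+)*", answer):
        return "word", bits(PLACE_NAME_DICTIONARY)
    # Uniform-alphabet estimate: an acrostic built from English text is less
    # random than this, so the figure is a ceiling, not a measurement.
    return "random", len(answer) * bits(PRINTABLE_ALPHABET)


def expected_guesses(entropy_bits):
    """Average guesses needed to hit a uniformly chosen secret: half the space."""
    return 2 ** entropy_bits / 2


def acrostic_password(paragraph, filler_digits="21"):
    """Build a password the way the post describes: the first letter of each
    word, keeping the punctuation that follows a word, with digits appended
    when the text supplies none. `filler_digits` is a constructed placeholder
    for the "numbers thrown in" step."""
    pieces = []
    for token in paragraph.split():
        if not token[0].isalnum():
            continue  # skip stray dashes and the like
        pieces.append(token[0])
        # Carry over trailing punctuation such as the comma in "stood,".
        tail = ""
        for ch in reversed(token[1:]):
            if ch not in string.punctuation:
                break
            tail = ch + tail
        pieces.append(tail)
    password = "".join(pieces)
    if not any(c.isdigit() for c in password):
        password += filler_digits
    return password


def meets_policy(password):
    """The post's strong(er) password rule: more than fifteen characters, with
    lowercase, uppercase, digits and at least one non-alphanumeric character."""
    return (
        len(password) > 15
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


# Constructed sample paragraph standing in for the magazine text.
SAMPLE_PARAGRAPH = (
    "The red oak stood, tall and dark. Wind came across the creek; "
    "we saw the dog sit."
)

if __name__ == "__main__":
    for answer in ["1985", "Philadelphia", "TLRos fAbt32yor,wtp dh,"]:
        kind, b = classify_answer(answer)
        print(f"{answer!r:28} {kind:6} {b:7.1f} bits  "
              f"~{expected_guesses(b):.3g} guesses on average")
    pw = acrostic_password(SAMPLE_PARAGRAPH)
    print(pw, meets_policy(pw))
```

Run as a script it prints the three answer kinds side by side: the year comes out near 6.6 bits (about 50 guesses on average), the place name near 14 bits, and the random-looking string above 150 bits, which is the whole gap the post is describing. The sample paragraph yields Tros,tad.Wcatc;wstds.21, which passes the policy check.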

I keep two paper copies of the master password list, one at the office and one at my house. They're handwritten and photocopied and not particularly find-able, given the state of my housekeeping. I realize that this is not particularly ideal, but it's how I roll.

Finally, for ease-of-life, I just don't give a shit about things that don't have money attached to them. You could crack my facebook or my livejournal or my ao^3 or my reddit if you really wanted. The passwords I use for that sort of thing aren't that hard to guess and I re-use 'em all the time (there are three that I cycle through). Good luck getting into my gmail, though.
Powered by Dreamwidth Studios