52 Comments

  1.

    The humor does not have to do with the word “Babe”. Rather, as people have pointed out, everyone knows the answer to that question, so it’s a bad one to use for a security question.

    On the off-chance that “security question” is unfamiliar to anyone here, it’s how you prove you’re you when you’ve forgotten your password.

  2.

    So the comic could just as logically have featured Charlie Brown, Buster Brown (well, maybe not), Calvin, Dorothy (Gale), Mickey Mouse, Kristoff, Jack Skellington, Little Orphan Annie, Superman, Timmy, Wallace, Eddie Munster, Richard Nixon…?

  3.

    Some of them… Toto, sure, if it’s set in Oz. Zero, so long as it’s set in Halloween Town. Maybe Sven, given that he and Kristoff ended up with royal commissions. Krypto, yeah. Checkers, yes (though that’s something of a geezer ref).

    But Snoopy, Hobbes, Sandy, Pluto, Lassie, Grommit, and Spot don’t really have much in-universe exposure outside of their owners and their immediate circle of friends and family, so the joke wouldn’t work so well, since Speed Bump isn’t really a fourth wall breaker (anachronism in this one aside).

  4.

    Actually, I doubt many people would assume Checkers was Nixon’s first pet, so would fail on that point. Toto, Zero, Sven, and Krypto still work, all giving every indication of being their owners’ first pet (some combination of young owner, immortal pet, explicitly stated).

  5.

    So many security questions out there have bad guessability problems. “What city were you born in?” is pretty hard to guess if the answer is Tallulah Falls. Not so good if it’s Los Angeles. Your mother’s maiden name is more secure if it’s Arbuzskiewicz than if it’s Johnson. And I have no idea what public figures whose bio information is readily available do… guess they must have a canned set of fake answers?

  6.

    “what was the color of your first car” is probably the worst security question; several random answers have a more than 10% chance of being right.

  7.

    In one continuity, young Clark Kent had a cat named Fuzzball, years before Krypto. And being raised on a farm, it wouldn’t surprise me if he had other pets as well.

  8.

    Does the guy talking appear to be a cyclops? Maybe because an ordinary person would be too small for the comic panel, but a cyclops is just the right size to see, but still be smaller than Bunyan.

  9.

    “I have no idea what public figures whose bio information is readily available do… guess they must have a canned set of fake answers?”

    The best solution is to have a nonsense answer, so long as you can remember what your nonsense answer is.

    So, for example, if the security question is “what was the name of your first pet”, 123abc is pretty good, even against people who know you well enough to remember your first dog, Rover.

    Nothing says your security question answers have to be true. You just have to remember what your answer is.

  10.

    Sure, some security questions are known by friends or can be guessed, but most of the websites that I deal with have my email on file. They send a temporary password to that email address. A hacker would not only need to be able to figure out the answer to the security question, but they also have to be able to get into my email. I try to deal with sites that have at least that level of security.

  11.

    “Nothing says your security question answers have to be true. You just have to remember what your answer is.”

    Which, if you were capable of doing that, you’d be capable of remembering your password in the first place. I’ve thought of that, but it’s very easy to forget what you thought was clever at the time. And it’s practically impossible to remember once you forget. On the other hand, those ‘off-beat’ questions like “who is your favorite singer” or “what was the first concert” are worse. You expect those to be consistent and memorable?

  12.

    What I don’t get is why you can’t provide your own questions and answers.

    You can make it as difficult for others and as easy for you as you like.

    Or phrase association. It gives you “mumbo jumbo” and you think “oh, yeah….” and type in “rhubarb rhubarb”.

  13.

    “PecosBill” seems like a sensible password. CIDU Bill should “understand” this comic by now, he’s had since last October : > ]

  14.

    Woozy, sometimes they do let you choose your own questions or use phrase association.

    And I totally agree about the “Who’s your favorite singer?” questions.

  15.

    “Which if you were capable of doing that you’d be capable of remembering your password in the first place.”

    Not so.
    Passwords, in order to be secure, have to be complex. They should include upper and lower case letters, lowercase letters, numbers, and symbols, and the list of acceptable symbols varies from location to location.

    Security question answers, on the other hand, do not.
    So you could use “password” as your security question answer, assuming that you can remember “password” is always the answer to the question. Or, the right answer might be the number of letters in the question, written out.
    So if the question is “where did you go on your favorite vacation?” the answer would be “thirty five”.
    If your method for determining the answer is original, you’re fine. Maybe the correct answer is always the list of the first three vowels in the question. Nobody’s going to guess that, and knowing the answer you gave on site #1 won’t help a bad guy guess your answers for site #2, unless they use the exact same security questions.

  16.

    “most of the websites that I deal with have my email on file.”

    They also have your answers to THEIR security questions. So if the bad guys manage to infiltrate site #1, can they use the information they get from there to get into site #2 by impersonating you? For that matter, are you using the same password on both sites? That saves them some trouble…

  17.

    woozy: I can never remember what my “first job” is. Does a part-time job as a high school student count? Or summer jobs as an undergraduate? Or is it my first full-time job as a non-student? And did I write out the full name of the institution, or use an acronym?

  18.

    ““what was the color of your first car” is probably the worst security question; several random answers have a more than 10% chance of being right.” — including, if you’re my age (but ONLY if you’re my age) the correct answer here of “pink and charcoal grey”

    Of course, “favorite [anything]” as a security question is just asking for trouble for those with a tendency to re-evaluate preferences (hmm, yes, I *used* to like movie A, but that was before I saw the director’s cut of movie B….)

    So I usually just go with “one hundred nineteenth through one hundred twenty-sixth digits in the value of pi, rearranged into alphabetical order in Swedish” — you know, the simple old classics.

    “name of street you grew up on” (not a security question as much as a “create your stripper name” thing) also puzzles those of us who grew up on farms. My “stripper” name (pet + street) works out to Tippy Ruralrouteone, which isn’t very sexy. (Or very accurate, since our postal area was so small we didn’t actually have individually numbered rural routes, they were all just smooshed together)

  19.

    ‘It gives you “mumbo jumbo” and you think “oh, yeah….” and type in “rhubarb rhubarb”.’

    Too obvious. Better to skip that and use “bipity bubarb”.

  20.

    “So if the question is “where did you go on your favorite vacation?” the answer would be “thirty five”.”

    The thing is, and I speak from experience, when you think “I’ll answer 35 and I’ll remember that because I have my reasons” I can assure you, no, you will *not*. It’ll be “oh, yeah, I did something with numbers. What was it? It was really clever at the time….”

    Then again, remembering what the hell to put down for first job or favorite vacation always fails too.

  21.

    Or perhaps I should say:

    “Not so.
    Passwords, in order to be secure, have to be complex. They should include upper and lower case letters, lowercase letters, numbers, and symbols, and the list of acceptable symbols varies from location to location.

    Security question answers, on the other hand, do not.”

    And it is *MUCH* easier to remember something meaningless and complex and precise than to remember something simple and meaningful *BUT* which is still nonetheless utterly INFLEXIBLE.

    I suppose you could do something like “always multiply the number of letters in the last two words”: Favorite vacation = 64. First car = 15, etc. But the thing is you have to commit *then and there* that you will always do that. And here’s the thing. Again I speak from experience, if you are the type of person who would *think* to do something like that then you are …. smart and clever. And smart and clever people can *NEVER* make up their mind to always do things the same way. It *will* end up with you wondering “was that when I multiply the last two words or was that the time I named a bird with the same initials as the real answer? Or is that the time I made the nickname binkity-bop for me and thought what someone named binkity-bop would make up for other people and places. So is this 35, Lemon Vulture, Marco’s slippy slide?”

  22.

    You know, no matter what you choose, it’s always easy enough to write down the choice and hide the paper in a secure spot? E.g., emphasis on “secure spot,” not on a post-it note next to the computer, but (say) stuck in the middle of a favorite specific book on a shelf two rooms away.

    I’ll admit that my own cheat sheet is in a book in the same room as my desktop, but there are a couple of thousand books in that room (and many thousands more around the house), so I don’t think a hypothetical burglar who wants to steal my secrets is going to go through all of them on the off chance — and yes, the book and the page are memorable because meaningful to me, but only to me; I’m not stashing it in a COMPUTERS FOR DUMMIES book or anything, d’oh, at all like that.

  23.

    “You know, no matter what you choose, it’s always easy enough to write down the choice and hide the paper in a secure spot?”

    You can also write down clues and store them semi-openly.

  24.

    Actually, why is complexity itself an issue? As long as it can’t be easily figured out (“Joshua”), it seems to me you’re still using brute force to find the correct combination.

    Which means, assuming I can use upper- or lower-case letters plus numbers, there are 62 possibilities in each spot, and you’d have to go through the same 916,132,832 combinations to find “woozy” as “d4L9a”.

  25.

    “The thing is, and I speak from experience, when you think “I’ll answer 35 and I’ll remember that because I have my reasons” I can assure you, no, you will *not*. ”

    I can assure you, I will. Because I have my rule, and it works.

    ” the thing is you have to commit *then and there* that you will always do that.”

    No, you want to have planned it in advance. So that deciding to use the rule is settled by habit, every time. By comparison, you have to remember to lock the door to your car whenever you get out for it to do any good, and that ALSO means that you need to remember to take your keys with you whenever you get out. Security and convenience are mutually exclusive. The more you have of one, the less you CAN have of the other.

  26.

    “that ALSO means that you need to remember to take your keys with you whenever you get out”

    Or, as I decided after a bad experience of locking myself out, to also carry a duplicate key in another pocket, just in case. I figure the only way I can lose both keys is by being mugged and/or by going out after forgetting to put on my pants, and so far neither has happened. Not that I remember, anyway. . . .

  27.

    ‘Actually, why is complexity itself an issue? As long as it can’t be easily figured out (“Joshua”), it seems to me you’re still using brute force to find the correct combination.’

    That turns out not to be the case. Most crackers start with dictionaries and check all the easy variations of those words first. “Joshua” will be in those dictionaries.

    Also, I think you’ve underestimated the speed of cracking:
    https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html

  28.

    I wouldn’t call it “underestimating” as much as “asking.”

    I actually have tested out passwords along the lines of WIw7mstmsritt (though using easier-to-remember Broadway lyrics)

  29.

    “You know, no matter what you choose, it’s always easy enough to write down the choice and hide the paper in a secure spot? ”

    Which is in itself surprisingly hard.

    “that ALSO means that you need to remember to take your keys with you whenever you get out”

    also surprisingly hard.

  30.

    If you are rich and famous you have an entry in “Who’s Who”, and the answers to all your security questions are in there.

  31.

    As Woozy said – you don’t have to tell the truth – the software will not know that you are lying. I have a default system for listing the answers which have nothing to do with the questions – especially since I never had a pet – don’t feel sorry for me, I am afraid of animals.

  32.

    And there’s always password keeper programs – I have a nice long password for my password keeper, a simple one for my computer, and I let the program create my passwords for (almost) everything else. So they are 345nsdfiuhawDadk-type things – 16-20 characters and completely unmemorable, but the program will put them in 98% of the time. I have it on my phone as well (also protected by the long password), so it’s basically always with me.

    My long password is the first letters of a line of poetry. My dad keeps trying to use sentences, but (as with the security questions) there are several ways to say the same thing (I Can’t Remember Two Passwords becomes I Can Only Remember One Password and doesn’t work…). Poetry (or songs, or lines from a play) are always the same words in the same order (assuming you have it properly memorized) so they work.

    The other good alternative is a short sentence or set of words that is memorable to you but non-obvious to others. Three or four words, run together (or with spaces), avoid the dictionary weakness – bluebullaxetree would be a great password for Bunyan, things he’s likely to see or think of when he’s looking to remember a password, but the odds of someone else coming up with the exact same sequence are slim. Not none, but slim.

    I write down my security questions in my password keeper, in code – fox cat means something to me, but not to anyone else (or rather, it could mean lots of things, it’s not going to produce the answer to the question for anyone but me and _possibly_ my next youngest sister). Which is overkill – the password database is heavily encrypted – but makes me feel more comfortable.

  33.

    The number of possible combinations grows pretty high as the number of characters increases. A password of one character has a limited range… the 52 letters, ten digits, plus however many symbols as are allowed. Let’s round that off to 100 possible characters. If you have two characters, the number of possible combinations is 100 x 100, and three characters is 100 x 100 x 100. So by the time you have an 8 character password, the total number of possible combinations is 10000000000000000… even a fast computer is going to take a while to try all the possible combinations.
    However, the number of English words is considerably smaller. Around 100,000 for commonly-used words, twice that for Scrabble players and Oxford dictionary editors. Similarly, usage patterns for upper vs. lower case is predictable… the first letter is capitalized, and all the rest are lowercase. As a result, you can try all the English words, capitalized and uncapitalized, in a very small amount of time compared with trying all the possible combinations. When you tell people they have to put a symbol in their password, they tend to slap it on to the end.
    So, 35 years ago, the movie WarGames featured as a major plot point a young man guessing the secret password of a top-end research scientist, and successfully cracking it, because the password is Joshua5, the name of the scientist’s son and his age at the time of his death. That password would be rejected as too easy to guess by a substantial portion of computer-password applications.
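    Added example (editorial, not from the comic or from any comment above): a Python script that puts the figures from comments 24, 27 and 33 side by side. It computes the 62^5 and 100^8 keyspaces, ranks a few passwords under exhaustive search and under a dictionary-first attacker that tries case variants and an appended digit, and shows the entropy gap between a true security answer such as a car colour and a random answer kept in a password manager, as comments 9, 15, 31 and 32 suggest. The wordlist is a constructed toy and the 10^9 guesses-per-second rate is an assumption.

```python
"""Added example, not from the comic page or any commenter: puts numbers on
the thread's guess-count arguments (62^5 in comment 24, 100^8 in comment 33,
dictionary-first cracking in comment 27) and on the "nonsense answer"
advice for security questions (comments 9, 15, 31, 32).
The guess rate and the toy wordlist below are assumptions."""
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols, as in comment 24


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def exhaust_seconds(guesses: int, guesses_per_second: float) -> float:
    """Worst-case time to try every guess at an assumed rate."""
    return guesses / guesses_per_second


# Constructed toy wordlist (a real cracking dictionary has 10^5..10^7 entries).
WORDLIST = ["password", "joshua", "woozy", "babe", "bunyan", "rover"]


def mangled(word: str):
    """The 'easy variations' a cracker tries first (comment 27): three case
    forms, then each with one digit appended, the way users bolt a digit or
    symbol onto the end (comment 33)."""
    bases = [word.lower(), word.capitalize(), word.upper()]
    yield from bases
    for base in bases:
        for digit in string.digits:
            yield base + digit


def dictionary_guesses(target: str, wordlist=WORDLIST):
    """1-based guess number at which a dictionary-first attacker hits
    `target`, or None if the dictionary phase never reaches it."""
    count = 0
    for word in wordlist:
        for candidate in mangled(word):
            count += 1
            if candidate == target:
                return count
    return None


def brute_force_rank(target: str, alphabet: str = ALNUM) -> int:
    """Guess number for `target` under exhaustive search that tries every
    shorter string first, then strings of len(target) in alphabet order.
    Any 5-symbol alphanumeric target lands inside the 62^5 block."""
    shorter = sum(len(alphabet) ** k for k in range(1, len(target)))
    index = {c: i for i, c in enumerate(alphabet)}
    value = 0
    for c in target:
        value = value * len(alphabet) + index[c]
    return shorter + value + 1


def answer_bits(equally_likely_choices: int) -> float:
    """Entropy of a security answer drawn uniformly from N candidates."""
    return math.log2(equally_likely_choices)


def random_answer(length: int = 12) -> str:
    """Nonsense answer for a security question, meant to live in a password
    manager rather than in memory: uniformly random lowercase letters."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


if __name__ == "__main__":
    rate = 1e9  # assumed: fast offline guessing against a cheap, unsalted hash
    n5, n8 = keyspace(62, 5), keyspace(100, 8)
    print(f"62^5  = {n5:,} guesses, exhausted in {exhaust_seconds(n5, rate):.2f} s")
    print(f"100^8 = {n8:,} guesses, exhausted in {exhaust_seconds(n8, rate) / 86400:.0f} days")
    for pw in ["Joshua5", "woozy", "d4L9a"]:
        print(f"{pw!r}: dictionary guess #{dictionary_guesses(pw)}, "
              f"brute-force guess #{brute_force_rank(pw):,}")
    print(f"first-car colour, ~10 choices: {answer_bits(10):.1f} bits")
    print(f"random 12-letter answer {random_answer()!r}: {answer_bits(26 ** 12):.1f} bits")
```

    Running it shows the point comment 27 makes: “woozy” and “Joshua5” fall inside the first few dozen dictionary guesses, while “d4L9a” is only reached by the 62^5 exhaustive sweep, so the two passwords are equal only under the pure brute-force model of comment 24. The last two lines show why a random answer in a password manager beats an honest answer to “what colour was your first car”.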

  34.

    “So the comic could just as logically have featured Charlie Brown, Buster Brown (well, maybe not), Calvin, Dorothy (Gale), Mickey Mouse, Kristoff, Jack Skellington, Little Orphan Annie, ….”

    There is the added pun with “hacked again”. Paul B. does quite a bit of hacking himself, after all.

  35.

    I just had a thought: imagine if spell-check insisted on correcting your password all the time.

  36.

    “imagine if spell-check insisted on correcting your password all the time.”

    It does. It says “you must have at least 8 characters” or “you must include at least one of uppercase letters, lowercase letters, numerals, and symbols” or “you just used that one” instead of trying to pick one for you, like “autocorrect” does.

  37.

    The worst is when a site rejects your password even though you know it’s correct, then gives you the option of creating a new password, and you try to use the same one you had before, and the program tells you you can’t use that password because it was your previous password. And you say THAT’S WHAT I’VE BEEN TRYING TO TELL YOU!

  38.

    ” the program tells you you can’t use that password because it was your previous password.”

    More likely, the program is telling you that the password was previously used.

    There exist people who are oppositional. When you tell them their password has to be changed, they try to change their password by changing the old password “abc123” to the new password “abc123” by using the “change password” function. The thing is, when we make someone change their password, we aren’t trying to test the “change password” function; we want the password to change, because the longer a password stays the same, the higher the chance that someone other than the intended user has learned the password. The goal of forcing a password change is that the intended user knows what the password IS, while other people who are not the intended user at best know what the password WAS.

    We’ll usually retain a hash table that prevents reusing a previously-used password, because of users who won’t, or can’t, remember a different password and attempt to subvert the systems put in place for their protection because they’d rather risk compromising whatever resources the password protects than conform to proper security practice.

    Depending on application, sometimes we’ll allow a “forgotten password” function to re-use a password. There are good security arguments both ways… for enforcing password uniqueness, or not enforcing password uniqueness, if the password is being reset before it has expired.

  39.

    “Bruce Schneier (well-known and well-respected in the security arena) disagrees:”

    No, actually, he doesn’t. The answer he gives is the “best practices” industry standard.

    Not changing passwords incurs risks. Changing passwords incurs costs. A skilled security professional weighs the costs against the risks in any specific application to determine policy. Ideally, though rarely, an educational effort is made to inform users of why the policy is set as it is.

    Corollary:
    The biggest problems arise when the people who are using the system have a poor understanding of the security measures being undertaken.

    Here’s a (non-IT) example of what happens when there isn’t complete buy-in to security principles.
    I worked in a building that was open to the public, by which I mean that anyone could walk in, get on an elevator, and get off on any floor and walk around. They discovered that they were having problems of unknown persons walking in and snatching unattended purses from desks. So a big remodel was done, closing off the ground floor so that a security checkpoint had to be passed in order to reach the elevators. Employees were given photo badges, and security staff were instructed to deny entry to anyone without a badge. The thefts continued. No, not because the employees were stealing from each other, but because of a security weak point in the system. Smokers needed to go outside to pursue their filthy drug habits. They’d go out the back door, which locked behind them and provided no return path… they had to walk around to the front of the building and re-enter through the public entrance. What they did instead was to block the back door open, so that the smokers, having achieved their fix, could re-enter via the same door they left from. The back door, that had no security staff present, was effectively always open.
    I left that employer before they figured out a way to solve that particular problem.

  40.

    THAT is a major problem with school security, also. Even though all doors but one were locked from outside in the school where I worked, kids would just stick a pencil in between the door and the jamb and keep it open for their return, or to let someone in. And you CANNOT lock the doors from inside, obviously, so there you are . . .

  41.

    I read several articles that said that a good, secure password would have capitals and symbols and also use letters that make no sense to anyone but you. Say using the first line of the Pledge of Allegiance (if you are in the U.S.; then again, it might be even better if you were not) – ipattf would make no sense, but if you forgot the letters, you can look the pledge up to help you out. I use a sentence from a book that can be looked up if I need to, and for my email I put a different first and last letter for each email. I throw in a capital letter as one of the letters, and a symbol in the middle. (And no, the pledge is not my password for anything.)

  42.

    Oops, that was Meryl A that posted. I posted somewhere else today also that must have the wrong name – husband has been trying to set up my laptop to run Linux off a DVD, as it runs so slowly that it annoys him and I am very slow at putting out $500 for a new laptop. I have fixed it for future posts. See – my backup list had the wrong info.
