On Aug 6, 2008, at 12:17 PM, Leichter, Jerry wrote:

For Web sites these days, I generate random strong passwords and keep
them on a keychain on my Mac. Actually, the keychain gets synchronized
automatically across all my Macs using .mac/MobileMe (for all their
flaws).  When I do this, I enter random values that I don't even
record for the security questions.  Should something go wrong, I'm
going to end up on the phone with a rep anyway, and they will have
some other method for authenticating me (or, of course, a clever
social-engineering attacker).


An excerpt from my recent blog post:

Now, this topic is not new. Bruce Schneier wrote about it a few years ago [2]. Schneier says that he “type[s] a completely random answer,” but consider this anecdote: a colleague of mine uses the same technique. He called up customer service once, who then asked him, “what’s the answer to your security question?” He said, “some random numbers.” The response was “okay.” So picking random numbers might be less secure than picking a realistic answer? :-)

[2] http://www.computerworld.com/securitytopics/security/story/0,,99628,00.html

--
Apu Kapadia, Ph.D. UIUC 2005
Research Assistant Professor
Department of Computer Science, Dartmouth College, USA
http://www.cs.dartmouth.edu/~akapadia/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]