On Aug 6, 2008, at 12:17 PM, Leichter, Jerry wrote:

For Web sites these days, I generate random strong passwords and keep
them on a keychain on my Mac. Actually, the keychain gets synchronized
automatically across all my Mac's using .mac/MobileMe (for all their
flaws).  When I do this, I enter random values that I don't even
record for the security questions.  Should something go wrong, I'm
going to end up on the phone with a rep anyway, and they will have
some other method for authenticating me (or, of course, a clever
social-engineering attacker).

An except from my recent blog post:

Now, this topic is not new. Bruce Schneier wrote about it a few years ago [2]. Schneier says that he “type[s] a completely random answer,” but consider this anecdote: a colleague of mine uses the same technique. He called up customer service once, who then asked him, “what’s the answer to your security question?” He said, “some random numbers.” The response was “okay.” So picking random numbers might be less secure than picking a realistic answer? :-)

[2] http://www.computerworld.com/securitytopics/security/story/0,,99628,00.html

Apu Kapadia, Ph.D. UIUC 2005
Research Assistant Professor
Department of Computer Science, Dartmouth College, USA

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to