I was asked a very interesting question by a reporter earlier this week. To paraphrase, I was asked for "better ways" a website might secure information, rather than a password.
Here's an article I've written in the past on the topic, as to how I manage my own passwords. I still use a long, randomly generated password for each and every account (200+ and counting), to this day, but honestly, great passwords are unfortunately impossible to remember.
It's absolutely ABOMINABLE and should be ILLEGAL when sites try to identify you or recover your password by using some marginally public information.
- Which of the following phone numbers have you been associated with in the past?
- Which of these addresses have you used in the past?
- What's the name of the street you grew up on?
- What's your mother's maiden name?
- What's your high school mascot?
All of those are trivial to discover about a person. Try it on someone you sort of know -- a friend or colleague. I bet you could socially engineer your way through 4 or 5 of those in a matter of minutes.
Fortunately, there's a much better approach. Unfortunately, very few people sites actually use it.
The best such sites actually enable you to choose both your security question/hint/challenge, and the answer/response.
Now, selecting a great question/hint/challenge is a bit of an art, but here's an excellent strategy...
Given a short sentence fragment consisting of pronouns, each and every human mind can make some fascinating, unique, and most importantly, memorable, connections. The more pronouns, the better. Pronouns are basically variables, with distinct but difficult-to-guessable values. I'm sure you've played a Mad Lib game before as a kid, right?Here's a simple example, to introduce the concept:
- Challenge: He looked at her
- Response: BogartBergman
The question is a reference to the line in Casablanca, "Here's lookin' at you kid". In that quote, Rick (Humphrey Bogart) toasts Lisa (Ingrid Bergman). That question will jog my memory and I'll remember the rest. Others probably won't make that connection. Pronouns are like programming variables. I happen to have their values in memory, but others won't. Out of context, it makes no sense whatsoever. Just say it outloud, "He looked at her."The more pronouns you use the better. Here's another example:
- Challenge: He traversed it for his mother
- Response: CaesarRubiconAurelia
If classic movies and classic Rome aren't in your wheelhouse, use something more personal. Maybe your Dad took your Mom on a nice vacation...
- Challenge: He took her here for this
- Response: JimDianeBaliAnniversary
Almost anything sufficiently ambiguous would work...
- Challenge: Best that ever was
- Response: BrettFavre4
Pose that same question to a few thousand people and you'll get anything from MuhammadAli to TyrannosaurusRex to SharkWeek1987 or billions of other responses. But ask the same person that question, and they'll come up with a memorable response. In this case, it's almost like a hash or HMAC.
The reason that this works is that these challenge/responses are subjective, rather than objective and discoverable facts, like your Mom's middle name.
Hopefully you're starting to get the idea :-)
Use longer challenges, with more pronouns, for higher quality, more entropy in your responses! Perhaps you can post your own suggestions in the comments below...
I'm actually working on an automatic challenge creator, that you'll soon be able to use to generate your own challenges, and derive your own response.
:-Dustin