I was asked a very interesting question by a reporter earlier this week. To paraphrase, I was asked for "better ways" a website might secure information, rather than a password.
Here's an article I've written in the past on the topic, as to how I manage my own passwords. I still use a long, randomly generated password for each and every account (200+ and counting), to this day, but honestly, great passwords are unfortunately impossible to remember.
It's absolutely ABOMINABLE and should be ILLEGAL when sites try to identify you or recover your password by using some marginally public information.
- Which of the following phone numbers have you been associated with in the past?
- Which of these addresses have you used in the past?
- What's the name of the street you grew up on?
- What's your mother's maiden name?
- What's your high school mascot?
Fortunately, there's a much better approach. Unfortunately, very few sites actually use it.
The best such sites actually enable you to choose both your security question/hint/challenge, and the answer/response.
Now, selecting a great question/hint/challenge is a bit of an art, but here's an excellent strategy...
Given a short sentence fragment consisting of pronouns, each and every human mind can make some fascinating, unique, and most importantly, memorable, connections. The more pronouns, the better. Pronouns are basically variables, with distinct but difficult-to-guess values. I'm sure you've played a Mad Lib game before as a kid, right?
Here's a simple example, to introduce the concept:
- Challenge: He looked at her
- Response: BogartBergman
The more pronouns you use the better. Here's another example:
- Challenge: He traversed it for his mother
- Response: CaesarRubiconAurelia
- Challenge: He took her here for this
- Response: JimDianeBaliAnniversary
Almost anything sufficiently ambiguous would work...
- Challenge: Best that ever was
- Response: BrettFavre4
Pose that same question to a few thousand people and you'll get anything from MuhammadAli to TyrannosaurusRex to SharkWeek1987 or billions of other responses. But ask the same person that question, and they'll come up with a memorable response. In this case, it's almost like a hash or HMAC.
The reason that this works is that these challenge/responses are subjective, rather than objective and discoverable facts, like your Mom's middle name.
Hopefully you're starting to get the idea :-)
Use longer challenges, with more pronouns, for higher quality, more entropy in your responses! Perhaps you can post your own suggestions in the comments below...
I'm actually working on an automatic challenge creator, that you'll soon be able to use to generate your own challenges, and derive your own response.
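As an added illustration (my own example, not the author's challenge creator or any site's code), the Python below sketches both halves of the scheme: a generator that assembles pronoun-only challenges from a small constructed vocabulary, and a server side that stores only a salted, slow hash of the normalized response and checks it in constant time, which is what lets the subjective response behave like the hash/HMAC described above. The vocabulary, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
import random
import re

# Constructed pronoun vocabulary (assumption, not the author's tool).
# Each template is a sentence fragment of pronouns; the user supplies the response.
SUBJECTS = ["He", "She", "They"]
VERBS = ["looked at", "traversed", "took", "gave", "left"]
OBJECTS = ["her", "him", "it", "them"]
TAILS = ["for his mother", "here for this", "before that", "with those", ""]
ITERATIONS = 200_000  # assumed PBKDF2 work factor


def make_challenge(seed: int) -> str:
    """Build a pronoun-only challenge such as 'He took her here for this'."""
    rng = random.Random(seed)
    parts = [rng.choice(SUBJECTS), rng.choice(VERBS), rng.choice(OBJECTS), rng.choice(TAILS)]
    return " ".join(p for p in parts if p)


def normalize(response: str) -> str:
    """Fold case and drop whitespace/punctuation so 'Bogart Bergman' matches 'bogartbergman'."""
    return re.sub(r"[^a-z0-9]", "", response.lower())


def enroll(challenge: str, response: str, salt: bytes = b"") -> dict:
    """Store the challenge in the clear but only a salted, slow hash of the response."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(response).encode(), salt, ITERATIONS)
    return {"challenge": challenge, "salt": salt, "digest": digest}


def verify(record: dict, response: str) -> bool:
    """Recompute the hash for the offered response and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(response).encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    challenge = make_challenge(42)
    rec = enroll(challenge, "JimDianeBaliAnniversary")
    print(challenge, verify(rec, "jim diane bali anniversary"), verify(rec, "MuhammadAli"))
```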
:-Dustin