Security Questions/Passwords

All, Computers October 4th, 2007

Just about everything online that requires a password incorporates this “security question” feature in one way or another, and it’s the dumbest idea ever.

1: Most places require you to enter “security questions” as a means of password retrieval or reset. They should be called “hack my account questions,” since they’re always general questions that anybody remotely close to you already knows. And even if whoever wants into your account doesn’t already know this information, how difficult is it to find out somebody’s hometown, their mother’s maiden name, or the high school they graduated from? It doesn’t matter if your password is iS%trH3#4o — if you gave legitimate answers to idiotic “security” questions like “What was your first pet’s name?” it takes absolutely no effort to have that password reset or retrieved. Aside from the sticky note on the monitor, this is the easiest way to learn somebody’s password or gain access to one of their accounts.

Some places don’t REQUIRE security questions; they exist only as an option for stupid people who set up accounts and forget the passwords to them. Where they’re absolutely required, I never answer security questions truthfully, opting instead to trust myself not to forget my passwords. Here’s another use of security questions which has most recently pissed me off:

2: My credit union’s virtual teller online application required me to fill out five security questions. I’m extremely thankful I didn’t fill them with gibberish like I normally do, because you are required to answer one of these questions every time you log in. AFTER you’ve already entered your login and password, the system randomly chooses one of your “security” questions and makes you answer it before you’re allowed access. Again, since “private” information such as the name of my best childhood friend is either already apparent or easily found out, all this does is add one more annoying step to logging in to do my banking, rather than an extra level of security to my account.

Making Secure Passwords
I have a horrible memory. I never remember dates, I forget names, and I can’t quote movies. But for whatever reason, I’m particularly adept at memorizing random strings of letters and numbers. Phone numbers and other patternless sequences stick in my head much better than, for example, my manager’s name at work. Cheryl? Cherie? Sharon? Who knows. Anyway, after years of installing or cracking the same pirated software, I quickly started memorizing serial numbers and learned I didn’t have to look the number up when I reinstalled Photoshop or Windows. I started using fragments of memorized serial numbers as passwords, since they generally contain both letters and numbers, occasionally in mixed case. This worked pretty well for me, and even to this day several of my passwords are composed of chunks of serial numbers.

When I started working in networking, my boss had an even better idea. He would think up a word — for example, computer. Any letters that could be substituted for numbers would be swapped out; in this example, c0mpu73r, effectively 1337ifying it. Finally, at least one character would be capitalized and one would be replaced with a non-alphanumeric character: c0Mp#73r. Suddenly, what started out as a simple-to-remember word has become a very strong password. Of course, this brilliant idea was cut a little short as everybody at my work plastered our ridiculously strong administrative passwords on sticky notes all over the place, so they weren’t that hard to figure out.

Also, refrain from using the same password on every account. It doesn’t matter if your password for your credit card account is c0Mp#73r if it’s the same one at your Hotmail, which can easily be compromised. I have about 15 different passwords, which I sort into three distinct levels of security. The first level is “don’t care”, as in “I honestly don’t care if this account is compromised, because it’s not important to me.” An example of a “don’t care” password is anything I can “strum” on my keyboard. For example, “strumming” first my left then my right hand on the home row creates the password asdf;lkj. This is useful as I can type that in about .04 seconds. Of course, you’re not limited to the home row. I may move up a row, alternate right and left hands or reverse the direction of the “strum”. The second level is made up of private accounts that would piss me off if they were compromised but aren’t going to do serious damage like cost me money. These are generally my random fragments of serial number passwords. Finally, I have my highest level, which is reserved for anything that could cost me money were it compromised: my bank account, my credit card, etc. These generally use the c0Mp#73r-type passwords.

Working with average users on their computers all the time, I’m constantly amazed at the simplicity of their passwords, even on important accounts. A favorite I see over and over again is the “add 1 to the login” trick. Since logins are sometimes easy to guess, or even stored and displayed, this is seriously stupid shit.

Login: steve
Pass: steve1
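The following is an added example, not code from the original post. It implements the word-to-password transformation described above (digit substitution, one capital, one symbol) and a small policy check that flags the three weak patterns the post calls out: the “login plus a digit” trick, keyboard “strums” like asdf;lkj, and leet-speak forms of dictionary words. The leet check undoes the digit substitutions and compares against a word list, which is worth seeing from the defender’s side because password-cracking rule sets apply exactly the same reversal, so c0Mp#73r is closer to “computer” than it looks. The word list, the login names and the character positions used by the defaults are constructed assumptions.

```python
"""Added example (not the post's own code): the post's word -> leet
transformation, plus a checker for the weak patterns it describes.
Word list, sample logins and substitution positions are assumptions."""

# Digit substitutions that reproduce the post's example (computer -> c0mpu73r).
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
UNLEET_MAP = {v: k for k, v in LEET_MAP.items()}

# Standard US keyboard rows, used to spot "strummed" passwords such as asdf;lkj.
KEYBOARD_ROWS = ["qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

# Constructed sample word list; a real policy would load a large dictionary.
WORDS = ["computer", "password", "welcome", "monkey", "letmein"]


def leetify(word, cap_index=2, sym_index=4, symbol="#"):
    """The post's three steps. The default positions are an assumption chosen
    so that the post's example comes out: computer -> c0mpu73r -> c0Mp#73r."""
    chars = [LEET_MAP.get(c, c) for c in word.lower()]
    # Capitalise the first character at or after cap_index that is still a letter.
    for i in range(cap_index, len(chars)):
        if chars[i].isalpha():
            chars[i] = chars[i].upper()
            break
    chars[sym_index] = symbol          # swap one character for a symbol
    return "".join(chars)


def is_login_plus_digits(login, password):
    """The steve / steve1 pattern: the login followed by zero or more digits."""
    pw, lg = password.lower(), login.lower()
    if not pw.startswith(lg):
        return False
    rest = pw[len(lg):]
    return rest == "" or rest.isdigit()


def _row_run_length(text, start):
    """Longest run from `start` that is a contiguous slice of one keyboard row,
    read forwards or backwards."""
    best = 0
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            n = 0
            while start + n < len(text) and text[start:start + n + 1] in seq:
                n += 1
            best = max(best, n)
    return best


def is_keyboard_strum(password, min_run=3):
    """True when the whole password is a series of keyboard-row runs of at least
    `min_run` keys, e.g. asdf;lkj (left hand forward, right hand reversed)."""
    text = password.lower()
    if not text:
        return False
    i = 0
    while i < len(text):
        n = _row_run_length(text, i)
        if n < min_run:
            return False
        i += n
    return True


def leet_of_dictionary_word(password, words=WORDS, max_mismatch=1):
    """Undo the digit substitutions and compare with the word list, allowing one
    mismatching position for the symbol swap. Returns the matched word or None.
    Cracking rule sets perform this same reversal, which is the caveat."""
    plain = "".join(UNLEET_MAP.get(c, c) for c in password.lower())
    for word in words:
        if len(word) == len(plain):
            mismatches = sum(a != b for a, b in zip(plain, word))
            if mismatches <= max_mismatch:
                return word
    return None


def check_password(login, password, words=WORDS):
    """Return the weak patterns found. An empty list only means none of the
    patterns the post names were detected, not that the password is strong."""
    reasons = []
    if is_login_plus_digits(login, password):
        reasons.append("login plus digits")
    if is_keyboard_strum(password):
        reasons.append("keyboard strum")
    word = leet_of_dictionary_word(password, words)
    if word:
        reasons.append("leet form of '%s'" % word)
    return reasons


if __name__ == "__main__":
    print(leetify("computer"))   # c0Mp#73r
    # Sample logins are constructed; the passwords are the ones the post mentions.
    for login, pw in [("steve", "steve1"), ("alice", "asdf;lkj"),
                      ("alice", "c0Mp#73r"), ("alice", "iS%trH3#4o")]:
        print(login, pw, check_password(login, pw) or "no flagged pattern")
```

Running it flags steve1 as login plus digits, asdf;lkj as a keyboard strum, and c0Mp#73r as a leet form of “computer”, while the serial-number-style iS%trH3#4o passes all three checks; that last result is the practical argument for the post’s “random fragments” level over the substituted-word level on anything that matters.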

Yikes. Don’t want strangers digging around in your email? Come up with decent passwords, don’t use the same password everywhere and don’t create backdoors with those inane security questions.

3 Responses to “Security Questions/Passwords”

  1. Buttsauce Says:

    “Get the hell out of my office”

  2. zhx Says:

    I still have that screenshot somewhere.

  3. Buttsauce Says:

    Hahaha. Best password hint ever.
