Wednesday, May 28, 2014

Forgot Your P'word? Call Your Mother, Or Follow These Helpful(?) Suggestions

Ah, the P'word, that peesky memory test. As this blogger ages like cheap wine, his mental acuity is dwindling day-by-day. The constant reminder is the error message that accompanies a p'word entry to gain access to this or that web site. Of course, a request to reset the p'word presents more memory-hurdles: the security questions that no one else could answer. If this is a (fair & balanced) perennial Catch-22, so be it.

[x Slate]
Two Stupid Password Tricks
By Doug Harris

Tag Cloud of the following piece of writing

created at TagCrowd.com

This isn’t a post telling you that you should use a different password for every site, that you should use multifactor authentication for your email, or that you should use a password manager to store strong passwords. You should do those. (And you should eat less dessert, exercise more, and call your mother. — [See Above.])

This is a post to share two stupid password tricks that will make your online life a little more secure without the (perceived) hassle of those other measures.

The first stupid password trick is a way to improve the “security questions” that sites have you set up in case you need to recover your password. What’s your mother’s maiden name? What street did you grow up on? Who was your first-grade teacher?

The idea is that only you will know the answer to these questions. By answering them correctly, the site verifies that you are you and lets you reset your password.

Ask Sarah Palin how that worked out for her. The flaw is that you aren’t the only person who knows the answer to these questions. It’s not just the public figures who are vulnerable. We’re all Googleable, and those #TBT posts on Facebook and Twitter could give away a lot about your early years. Someone who’s determined to get access to your email can do a little research and unlock your account.

My trick? Lie and keep telling the same lie.

  • What’s your favorite ice cream flavor? Louis Armstrong.
  • What was the name of your high school? Louis Armstrong.
  • In what city did you have your first job? Louis Armstrong.

Don’t give correct answers. Use the same stupid answer for all of your security questions. (If you’re worried you’ll forget the stupid answer, store it in a password manager.)

Stupid password trick No. 2 was inspired by a friend’s tweet:

My first reaction to this was, “Why aren’t you using a password manager?” But the more I thought about this, the more I think this password dance is really a simple method of implementing something like one-time passwords. Why use a memorable password at all?

Choose something really random, don’t worry about saving it or remembering it, and force the site to re-authenticate you through email!

You get security without the need to add random sites to a password vault and don’t need to install LastPass or anything new.

A few caveats:

  • If you really went to Louis Armstrong High School, don’t use Louis Armstrong as the answer for your security questions.
  • Don’t use Louis Armstrong anyway. It’s been used as an example here. (Just like you shouldn’t use “correct horse battery staple” as your password)
  • Yes, I know they’re not really one-time passwords. True one-time passwords would be enforced to single-use only by the authenticating server. These are enforce to single-use only by your mind (the same weak mind that thinks that you don’t need a password manager).
  • There are almost certainly e-commerce sites that limit how frequently you can change your password. That would cause havoc with this password management method if you plan to visit the site regularly.

These password tricks are stupid. They’re the equivalent of justifying the calories of the ice cream sundae by parking on the far side of the parking lot. It’s better than not, but you can do more.

You should exercise more, call your mother, and take stronger measures to secure your online existence. Ω

[Doug Harris is Slate's Chief Software Architect. He received a BA (cognitive science) from Vassar College.]

Copyright © 2014 The Slate Group



Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

Copyright © 2014 Sapper's (Fair & Balanced) Rants & Raves

No comments:

Post a Comment

☛ STOP!!! Read the following BEFORE posting a Comment!

Include your e-mail address with your comment or your comment will be deleted by default. Your e-mail address will be DELETED before the comment is posted to this blog. Comments to entries in this blog are moderated by the blogger. Violators of this rule can KMA (Kiss My A-Double-Crooked-Letter) as this blogger's late maternal grandmother would say. No e-mail address (to be verified AND then deleted by the blogger) within the comment, no posting. That is the (fair & balanced) rule for comments to this blog.