Re: random passwords

From Michael Black <mblack@pubnix.net>
Newsgroups alt.os.linux, comp.os.linux.misc, comp.security.misc
Subject Re: random passwords
Date 2018-08-26 11:44 -0400
Message-ID <alpine.LNX.2.20.1808261133580.31343@thrush>
References (8 earlier) <pls3bu$p7f$3@dont-email.me> <87bm9qqpj0.fsf@hpz420.dhh.gt.org> <plse3k$2ne$1@dont-email.me> <GK2dnWxgcoDYjR_GnZ2dnUU7-XnNnZ2d@giganews.com> <pltd860127t@news3.newsguy.com>

Cross-posted to 3 groups.


On Sun, 26 Aug 2018, Jean-David Beyer wrote:

> On 08/25/2018 10:28 PM, Robert Heller wrote:
>> At Sat, 25 Aug 2018 20:27:32 -0000 (UTC) Rich <rich@example.invalid> wrote:
>>
>>
>> One other bit of idiocy is the "Security Question" nonsense favored by banks.
>> Rather than have the customer make up the Security Question(s), the on-line
>> banking software has a fixed hardwired set, most of which have answers that
>> can be easily determined from public information (assuming the customer
>> records "honest" answers).  Stuff like "Who was your best man at your
>> wedding?" Do people make wedding guests sign NDAs? -- I think not -- an
>> attacker can do some social engineering and/or public records searches and
>> have a short list of answers for each of the stock Security Questions for the
>> target customer.
>>
>> If the *customer* made up the Security Question(s), they can be any random
>> thing.  And if the "Security Question(s)" were in fact nonsense, with nonsense
>> answers, that layer of security would have very high entropy.
>>
> What bugs me with those is that often none of the offered questions
> have answers because they do not apply to me.
>
> Stuff like "Who was your best man at your wedding?" when I was never
> married. "What is the name of your favorite pet?" when I never had a
> pet. "What was the address of the first house you lived in?" when I do
> not have the slightest idea. "What is your favorite football team?" when
> I have no interest in sports and do not even know the names of any
> football teams.
>
But so long as you record the answer (and maybe the question) it becomes a 
secondary bit of security.

My bank had some of those questions, and I think for one I gave an answer
which I would remember, the others were kind of vague.  But at some point 
they invoked one of those security questions, probably because I shifted 
computers or something, and since I'd written down the answers I'd typed 
in, I could check.

If I'd not saved the answers, I probably would have been stuck.  Good 
security, not good in terms of me using that website.

Plus, any real answers given may be public record, though it's down a 
slope for someone to have that information as well as a password or 
something.  But "your favorite cartoon" isn't likely to be readily
available, unless it really is your favorite cartoon and you talk about it a
lot.

What I find interesting is sites that let you sign up without being 
physically present.  My bank account was like that, I had to supply some
information that they did know, but wasn't likely to be readily available.
Or the website for checking on income tax here in Canada.  They use banks
to verify your identity, you get sent to your bank's website and then have
to log in there, and then I guess the bank sends a verification in some 
way to the income tax site.  You also have to enter some result from 
your income tax return, I think a random line which you'd mostly be the 
only one with access to.  But you only get limited access, you can 
either arrange a code via a phone or through the mail.  Once you enter 
that code, you get full access, but it's not a second password, you just 
need it the once.  Though my bank card changed, and I lost access to the 
income tax site, so I have to go through the process again.

I was just reading about phone numbers being used for security, and the
article I read made the point that with cellphones, phone numbers have
become personal.  With landline, anyone in the house uses the phone, so
it's not as strong.  But we saw the same thing in reverse for internet 
access, you used to own your own internet account, any ISP I've used has 
either required some ID, or I've actually interacted with someone from the 
company.  Now with broadband, lots of people may use the same internet 
account, so endless logging into other sites.

   Michael
