Wednesday, 25 May 2011

Memorable words: Just lie!

Much has been written of the recent attacks on the Sony network, but one of the smaller details I noticed made me want to write this short article.

One of the types of data lost in the breach was the answers to users' security questions. You know the ones I mean: when you sign up for a service you get asked questions like "What is your favourite colour?" or "Mother's maiden name". These questions are designed to be used if you forget your password, to verify your identity before allowing access to your account, where you can reset your password (best) or it displays your password on screen (worst).

This data being available to bad people is obviously not a good thing, as they can theoretically go through the password reset process, answer your security questions and gain access.

Those in security are always banging the drum about avoiding password re-use between sites, but this is still incredibly common despite reasonably good password management programs being available these days to aid the process (KeePass, LastPass, or even vi with OpenSSL or GnuPG).

However, even if you're using a different password for every site, if the bad guy can just reset it, he wins and you lose.

So I'll let you in on a little secret: when you register for something and it asks you what your favourite colour is, you don't actually have to tell the truth. Furthermore, you don't even need to enter a colour!

Here's a suggestion: use the same random password generator (you do use one, right?) to generate a random string as your answer. Then use that same password manager application (or encrypted text file) to store the question and your answer. Use different answers for every site, just like you use different passwords, and lo, if the answers to these questions make it into the hands of people of ill will, you can at least be confident that your only exposure is from that one website.

This approach also affords you protection against people attempting to guess your security answers. How many goes will it really take to guess your favourite colour, for example? There aren't that many to choose from.
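As an added illustration of the two paragraphs above (this is example code written for this page, not something from the original post), the Python script below does what they describe: it draws a random, site-specific answer from the operating system's CSPRNG, builds the record you would paste into a password manager's notes, and puts a number on the guessing argument by comparing the size of the guess space for a random answer against a constructed list of the answers a "favourite colour" question actually attracts. The site names, questions and colour list are constructed sample data; the answer length and alphabet are choices, not anything a particular site requires.

```python
import math
import secrets
import string
from typing import List, Optional, Sequence, Tuple

# Alphabet for generated answers: letters and digits only, so the answer can be
# typed into any site's form (some forms reject punctuation). 62 symbols.
ANSWER_ALPHABET = string.ascii_letters + string.digits

# Constructed list of the kind of answers a truthful "favourite colour" field
# really contains, to show how few guesses a truthful answer survives.
COMMON_COLOURS = [
    "red", "blue", "green", "yellow", "orange", "purple", "pink", "black",
    "white", "brown", "grey", "gray", "silver", "gold", "teal", "navy",
]


def generate_answer(length: int = 20, alphabet: str = ANSWER_ALPHABET) -> str:
    """Return a uniformly random string from `alphabet`, using secrets (CSPRNG)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_space_bits(answer_length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random answer of the given shape."""
    return answer_length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed: half the space for a uniform choice."""
    return 2 ** bits / 2


def build_vault_entry(site: str, question: str,
                      answer: Optional[str] = None) -> dict:
    """The record to store in the password manager alongside the site's login.
    A fresh answer is generated per call, so no two sites share one."""
    if answer is None:
        answer = generate_answer()
    return {"site": site, "question": question, "answer": answer}


def build_vault(sites_and_questions: Sequence[Tuple[str, str]]) -> List[dict]:
    """One entry per (site, question) pair, each with its own random answer."""
    return [build_vault_entry(site, q) for site, q in sites_and_questions]


def all_answers_distinct(vault: Sequence[dict]) -> bool:
    """Check the property the article asks for: no answer re-used across sites."""
    return len({entry["answer"] for entry in vault}) == len(vault)


if __name__ == "__main__":
    # Truthful answer: effectively one pick from the short colour list.
    truthful_bits = guess_space_bits(1, len(COMMON_COLOURS))
    # Generated answer: 20 characters from a 62-symbol alphabet.
    random_bits = guess_space_bits(20, len(ANSWER_ALPHABET))
    print(f"truthful colour:      {truthful_bits:5.1f} bits, "
          f"~{expected_guesses(truthful_bits):.0f} guesses on average")
    print(f"random 20-char answer: {random_bits:5.1f} bits, "
          f"~{expected_guesses(random_bits):.2e} guesses on average")

    # Constructed sample sites and questions.
    vault = build_vault([
        ("example-shop", "What is your favourite colour?"),
        ("example-games", "Mother's maiden name?"),
        ("example-mail", "What is your favourite colour?"),
    ])
    for entry in vault:
        print(entry)
    print("all answers distinct:", all_answers_distinct(vault))
```

The point of the comparison is the one the article makes in words: a truthful colour is one of roughly sixteen values, so a guesser is done in a handful of attempts, while a 20-character random answer sits at about 119 bits and is out of reach of online guessing. Because the same question is asked by two of the sample sites, the vault shows that the answer still differs per site, which is what limits a breach at one site to that site.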

So, in summary, the recommendation should be widened: avoid not only password re-use but also re-use of any other data which could be used to gain access to the account, wherever that data is yours to choose freely.
