nanog mailing list archives
Re: gmail security is a joke
From: Jimmy Hess <mysidia () gmail com>
Date: Fri, 29 May 2015 21:30:34 -0500
On Fri, May 29, 2015 at 1:42 AM, Joe Abley <jabley () hopcount ca> wrote:
> That's what I should do. Instead, I pull down the list of candidate questions and think to myself...
> ...
> - I don't have a favourite colour

My favourite color is Red, but the answer is rejected because it's less than 6 characters long; it turns out your favorite color can be Yellow, Orange, or Purple, but not Blue, Green, Gray, or Pink.

> and around this point, I start to think - I am going to look for amusing cats on youtube

After finding one, now you have a favorite pet....

I suggest generating a random string for secret answer questions, just as if it was another password. Write down the answers; stick them in a lockbox.

Some websites will prompt for the answers during normal login later as if answering personal questions was some legitimate way to confirm a login from an "untrusted" computer....... in that case, save a copy as secure notes in the password vault, or put the answers to a .txt file, encrypted using GPG.

It is a bit bogus: the whole notion of asking in a format where the response can easily be automatically entered, for authentication purposes, the sort of questions about you that would be easily looked up using public records, or that distant acquaintances and former schoolmates would know the answers to...

There is an improvement in use cases where the traditional response is just to accept the request and e-mail a new temporary password.

In cases where "the answer" is used as if it was a second factor, that's fairly obnoxious and generating a false sense of security in the process.

In cases where it can be used to reset password directly or call in over the phone and reset a password or change the account --- the strength of the password is weakened to the strength of the weakest security answer.

> Joe
-- -JH
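
An added example, not part of the original message: a Python sketch of the two points above, generating a separate random answer per question and measuring the account by its weakest path. The question list, alphabet, answer length and the 16-character password are assumptions made for illustration; the colour list is the one named in the message.

```python
import math
import secrets
import string

# Assumed alphabet: lowercase letters and digits, easy to type or read out.
ALPHABET = string.ascii_lowercase + string.digits
MIN_ANSWER_LEN = 6  # the length rule described in the message

# Colours named in the message; only some pass the length rule.
COLOURS = ["Red", "Yellow", "Orange", "Purple", "Blue", "Green", "Gray", "Pink"]
# Constructed sample questions.
QUESTIONS = ["Favourite colour?", "Name of first pet?", "Mother's maiden name?"]


def allowed_truthful(options, min_len=MIN_ANSWER_LEN):
    """Truthful answers that survive the site's minimum-length check."""
    return [o for o in options if len(o) >= min_len]


def uniform_bits(choices, picks=1):
    """Bits of entropy for `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def random_answer(length=20):
    """A random answer, generated exactly like a password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_vault(questions, length=20):
    """One independent random answer per question, to be stored encrypted."""
    return {q: random_answer(length) for q in questions}


def effective_bits(password_bits, answer_bits):
    """If any single answer can reset the password, the weakest path wins."""
    return min([password_bits, *answer_bits])


if __name__ == "__main__":
    pw = uniform_bits(62, 16)  # assumed 16-char random alphanumeric password
    truthful = uniform_bits(len(allowed_truthful(COLOURS)))
    rand = uniform_bits(len(ALPHABET), 20)
    print(f"password alone:        {pw:6.1f} bits")
    print(f"with truthful colour:  {effective_bits(pw, [truthful]):6.1f} bits")
    print(f"with random answers:   {effective_bits(pw, [rand] * 3):6.1f} bits")
    for question, answer in build_vault(QUESTIONS).items():
        print(f"{question:24} {answer}")
```
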