So many accounts, so many passwords. I have several computers, several phones, bank accounts, airline accounts, rental car accounts, brokerage accounts, Wi-Fi network protection and of course various work systems. You may suggest an SSO (single sign-on) strategy. That is a reasonable suggestion but will be a topic for another day. I have most of my passwords “securely” stored but inevitably I lose track of a password.
A lot of systems offer a means to recover your password. Most approaches offer little resistance to sophisticated attacks. The most basic, on your request, sends a new randomly generated password to your e-mail account. You log in with the randomly generated password and then make a new password. You are back up and going. Or the bad guy is up and going: whoever can read that e-mail account owns the login. Just last week I used a system that used this approach. Most people should understand this approach is riddled with vulnerabilities. However, for a system that holds minimal personal information and is used once a year, this may be OK.
There are also systems that offer another level of protection: challenge-response questions. During enrollment you supply answers to several questions. The questions are usually something about you. This is done by your bank, brokerage accounts, social media sites and various government systems. This approach is only an incremental improvement. The answers to the questions are usually information that is easily researched or guessed. An example question: What is your mother’s maiden name? Pretty easy for a bad person to look in public records and determine the answer. In my case the answer is Hale.
We have implemented an incremental improvement to the basic challenge-response strategy that significantly enhances the level of security and requires no more effort from the user.
1) Multiple challenge-response questions. The questions are items that you will remember but that cannot be “researched”. Example: What is your favorite saying?
2) You select a subset of the possible questions.
3) All answers are stored, but first go through a “slow” hash algorithm. This is completely transparent to the user.
4) The user can add to the basic challenge-response questions by generating their own passphrase.
5) The passphrase also requires an answer. The passphrase answer is also stored after going through a slow hash algorithm.
6) The questions, passphrase and hashed responses are not stored on your local device.
7) If you need to recover your password, you must answer each of your selected challenge-response questions plus the passphrase; only then will the system prompt you for a new password.
8) All communication occurs through a secure tunnel.
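To make steps 2, 3, 5 and 7 concrete, here is an added example (my illustration, not the code of the system described above) of enrollment and verification with salted, memory-hard hashing of every answer. The question bank, its ids and the scrypt parameters are assumptions; answers are normalized before hashing so a remembered answer still matches despite case or spacing, and all digests are compared before a verdict is returned.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Hypothetical question bank; the ids and prompts are constructed for this example.
QUESTION_BANK = {
    "q1": "What is your favorite saying?",
    "q2": "What was the name of your first pet?",
    "q3": "What street did you grow up on?",
}

def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so a remembered answer still matches."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def slow_hash(answer: str, salt: bytes) -> bytes:
    """Memory-hard scrypt (assumed parameters n=2**14, r=8) over the normalized answer."""
    return hashlib.scrypt(normalize(answer).encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)

def enroll(selected_answers: dict, passphrase: str, passphrase_answer: str) -> dict:
    """Build the server-side record: chosen questions, the user's passphrase prompt,
    and a per-answer (salt, digest) pair. No plaintext answer is kept anywhere."""
    record = {
        "questions": {qid: QUESTION_BANK[qid] for qid in selected_answers},
        "passphrase": passphrase,
        "hashes": {},
    }
    for key, answer in {**selected_answers, "passphrase": passphrase_answer}.items():
        salt = secrets.token_bytes(16)          # fresh salt per stored answer
        record["hashes"][key] = (salt, slow_hash(answer, salt))
    return record

def verify(record: dict, submitted: dict) -> bool:
    """Every enrolled question plus the passphrase answer must match.
    All digests are checked before deciding, so a mismatch on the first
    question does not short-circuit and reveal which answer was wrong."""
    ok = True
    for key, (salt, digest) in record["hashes"].items():
        candidate = slow_hash(submitted.get(key, ""), salt)
        ok &= hmac.compare_digest(candidate, digest)
    return ok
```

A missing answer is treated as an empty string and hashed like any other, so recovery with fewer than all of the enrolled answers fails without leaking which ones were absent.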
In the absence of this type of system, make up answers that you will remember for the lame, easily determined questions. Example: What is your mother’s maiden name = pizza5equals9cool13dudette17yea