Page 58 - Cyber Defense eMagazine - October 2017

Correcting the mistake of security questions
Before getting to the solution for the password problem, one password-related issue deserves a mention: security questions. Predefining a series of questions and answers based on personal details of a user's real life as a means to enhance security is an absolutely awful idea. I'm not exactly sure how this was ever deemed a good idea. Security professionals are constantly telling users to keep a tight hold on their personal information, not to choose passwords that are easy to guess, and not to reuse passwords across accounts. Enter security questions, which give third-party organizations unnecessary additional private information about users, have answers that can not only be guessed but are in many cases freely available with a Google search, and have questions and answers that are reused everywhere. It is the antithesis of everything security professionals preach.

As a user, you can turn this around to your advantage. Choose any security questions, or make them up, and provide an unintelligible stream of characters for the answers. Provide different answers for the same questions on different web sites. Do not provide any authentic answer or private information whatsoever. If you are an app developer with security questions in your app – get rid of them. Depending on your implementation, these may actually be lessening the security of your app and increasing the amount of private personal information you are storing.


Common sense to the rescue
The good news is that when common sense is applied to the real problem, a viable alternative isn't hard to identify. Every password should present the most difficult math problem possible to compute. Therefore, it should have the following characteristics:

• The length should be as long as possible (64 characters recommended, though if you attempt this you will learn immediately how many apps / web sites don't allow lengthy passwords).
• It should incorporate as large a key space as possible: lowercase letters, uppercase letters, numbers, and special characters.
• It should involve no mnemonics, words, dates, or any discernible or meaningful information.
• It should be completely random; no patterns should be used.

This establishes the password complexity, but there are some additional requirements which govern its pragmatic use:

• The password should not have to be remembered – better yet if it isn't even known by the user.
• The password should be used for one account only.
• The password should not have to be typed.
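The following is an added example, not code from the article, showing what the two lists above amount to in practice: a CSPRNG-backed generator for 64-character passwords over the full 94-symbol printable key space, the size of the resulting search space in bits (the "math problem" the password presents), and a coverage check for the four character classes. The same generator produces the "unintelligible stream of characters" recommended above as security-question answers; the 64-character default and the 94-symbol alphabet are this example's assumptions.

```python
import math
import secrets
import string

# Character classes matching the "largest key space" requirement.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 32 = 94 symbols


def generate_password(length: int = 64, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random string drawn from the OS entropy source.

    secrets.choice is a CSPRNG call, so every position is independent and
    the result carries no words, dates, mnemonics or patterns.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search-space size in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def class_coverage(password: str) -> dict:
    """Report which of the four character classes appear in the password."""
    return {name: any(c in chars for c in password)
            for name, chars in CLASSES.items()}


def generate_with_all_classes(length: int = 64) -> str:
    """Regenerate until all four classes are present. Rejection sampling keeps
    the output uniform over the accepted set instead of fixing positions."""
    while True:
        pw = generate_password(length)
        if all(class_coverage(pw).values()):
            return pw


if __name__ == "__main__":
    pw = generate_with_all_classes()
    print(pw)
    # 64 symbols from 94 give about 419.5 bits; an 8-char lowercase word gives 37.6
    print(round(entropy_bits(64, len(ALPHABET)), 1), round(entropy_bits(8, 26), 1))
```

A password manager stores the output so it never has to be remembered or typed, which is the point the article makes next.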

When all of these requirements are taken into account, the clear answer is the use of a password manager. A password manager allows lengthy, random passwords to be

Cyber Defense eMagazine – October 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide.