gmail security is a joke

Jimmy Hess mysidia at gmail.com
Sat May 30 02:30:34 UTC 2015


On Fri, May 29, 2015 at 1:42 AM, Joe Abley <jabley at hopcount.ca> wrote:
> That's what I should do. Instead, I pull down the list of candidate
> questions and think to myself...
...
>  - I don't have a favourite colour

My favorite color is Red, but the answer is rejected because it's
less than 6 characters long; it turns out your favorite color can be
Yellow, Orange, or Purple, but not Blue, Green, Gray, or Pink.

> and around this point, I start to think
>  - I am going to look for amusing cats on youtube

After finding one, now you have a favorite pet....


I suggest generating a random string for secret answer questions,
just as if it was another password.

Write down the answers; stick them in a lockbox.

Some websites will prompt for the answers during normal login later,
as if answering personal questions were some legitimate way to confirm
a login from an "untrusted" computer... In that case, save a
copy as secure notes in the password vault, or put the answers in
a .txt file encrypted using GPG.


It is a bit bogus: the whole notion of asking, in a format where
the response can easily be automatically entered, for authentication
purposes, the sort of questions about you that would be easily
looked up using public records, or that distant acquaintances
and former schoolmates would know the answers to...


There is an improvement in use cases where the traditional response is
just to accept the request and e-mail a new temporary password.

In cases where "the answer" is used as if it were a second factor,
that's fairly obnoxious and generates a false sense of security in
the process.

In cases where it can be used to reset the password directly, or to call in
over the phone and reset a password or change the account --- the
strength of the password is weakened to the strength of the weakest
security answer.


> Joe
--
-JH
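An added example (not from this thread or its authors) of the advice above: treating each security answer as another random password, and making the "weakest answer" point concrete by comparing the guessing space of a real favorite color with that of a random answer. The 6-character minimum, the lowercase alphabet, and the question list are assumptions for the demo.

```python
import math
import secrets
import string

# Assumptions: some forms reject answers under 6 chars and some accept only
# letters, so generate lowercase-letter answers of a generous length.
MIN_LEN = 6
ALPHABET = string.ascii_lowercase


def random_answer(length=20, alphabet=ALPHABET):
    """A security answer treated as a password: a uniformly random string."""
    if length < MIN_LEN:
        raise ValueError(f"answer must be at least {MIN_LEN} characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(secret, alphabet_size):
    """Entropy of a uniformly random string of this length over the alphabet."""
    return len(secret) * math.log2(alphabet_size)


def guessable_bits(plausible_answers):
    """Entropy of a 'real' answer drawn from a small set of plausible values
    (e.g. the handful of colors a person would name)."""
    return math.log2(plausible_answers)


def effective_strength(password_bits, answer_bits):
    """If any single answer can reset the password (directly or via a phone
    call), the account is only as strong as its weakest reset path."""
    return min([password_bits] + list(answer_bits))


def make_answer_sheet(questions, length=20):
    """One random answer per question, to be stored in a vault or encrypted
    file rather than remembered."""
    return {q: random_answer(length) for q in questions}


if __name__ == "__main__":
    password_bits = entropy_bits("x" * 14, 94)      # 14-char printable password
    color_bits = guessable_bits(10)                 # ~10 colors people pick
    random_bits = entropy_bits(random_answer(), 26) # 20 random lowercase chars
    print(f"password: {password_bits:.1f} bits, real color answer: "
          f"{color_bits:.1f} bits, random answer: {random_bits:.1f} bits")
    print("effective with real answer:  ",
          round(effective_strength(password_bits, [color_bits]), 1))
    print("effective with random answer:",
          round(effective_strength(password_bits, [random_bits]), 1))
    print(make_answer_sheet(["favorite color", "first pet"]))
```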