RE: Foibles of user "security" questions

2008-01-14 Thread Dave Korn
On 07 January 2008 17:14, Leichter, Jerry wrote:
> Reported on Computerworld recently: To "improve security", a system
> was modified to ask one of a set of fixed-form questions after the
> password was entered. Users had to provide the answers up front to
> enroll. One question: Mother's maid

Re: Foibles of user "security" questions

2008-01-14 Thread Peter Gutmann
Florian Weimer <[EMAIL PROTECTED]> writes:
>* Jerry Leichter:
>> I can just see the day when someone's fingerprint is rejected as
>> "insufficiently complex".
>It's been claimed that once you reach the retirement age, one person in ten
>hasn't got any fingerprints which can be used for biometric pu

Re: Foibles of user "security" questions

2008-01-14 Thread ' =JeffH '
of possible relevance...

Mike Just. "Designing and Evaluating Challenge-Question Systems". IEEE SECURITY & PRIVACY, 1540-7993/04, SEPTEMBER/OCTOBER 2004.

=JeffH

Re: Foibles of user "security" questions

2008-01-11 Thread Florian Weimer
* Jerry Leichter:
> I can just see the day when someone's fingerprint is rejected as
> "insufficiently complex".

It's been claimed that once you reach the retirement age, one person in ten hasn't got any fingerprints which can be used for biometric purposes.

Re: Foibles of user "security" questions

2008-01-09 Thread mtd
Victor Duchovni wrote:
> A
> security savvy user will recognize this as a second password, that
> multiple sites seem to want to share, and enter something unique and
> unmemorable (stored on a "keychain" or just discarded if the primary
> password is similarly safely stored).

In fact, I see secu

Re: Foibles of user "security" questions

2008-01-08 Thread Victor Duchovni
On Tue, Jan 08, 2008 at 07:43:58AM +0800, Ian Farquhar (ifarquha) wrote:
> I've been having this problem for years (my mother's maiden name is,
> indeed, four characters long). It's often rejected as too short, yet
> I'm forced to enter it. I do the workaround of entering it twice, but
> then ha

RE: Foibles of user "security" questions

2008-01-07 Thread Ian Farquhar (ifarquha)
om: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leichter, Jerry
Sent: Tuesday, 8 January 2008 4:14 AM
To: cryptography@metzdowd.com
Subject: Foibles of user "security" questions

Reported on Computerworld recently: To "improve security", a system was modified to ask on

Foibles of user "security" questions

2008-01-07 Thread Leichter, Jerry
Reported on Computerworld recently: To "improve security", a system was modified to ask one of a set of fixed-form questions after the password was entered. Users had to provide the answers up front to enroll. One question: Mother's maiden name. User provides the 4-character answer. System r