Your Mother's Name, Redux

Bruce Schneier, Ed Felten and Steve Ragan all had reactions similar to mine regarding Sarah Palin's email account. As might be expected, the folks posting in Schneier's comment thread were even more hard-core: Most suggested just using a secure password (something like "18D*F9afgsk*", maybe) in place of an answer. But Ragan had what I thought was the most interesting and useful extension to my own practice:


If you can pick your own question and answer, then that is the best bet. Make the question and answer something that no one knows, and that would never appear on a personal blog, Facebook or MySpace profile, or outside a close circle of family and friends.

For example, the question could be the name of your personal doctor. This will stop many of the guessing attacks on the system, and offer a stronger level of protection. Moreover, the answer needs to be a full sentence, and use all of the available space offered by the form when signing up for the account.

Q: What is the name of your doctor?

A: Her name is actually the name of the city where she was born.

What if you cannot pick a personal question and have to select one of the offered questions and answers? The fix here is also a simple one, namely you should lie. Lie through your teeth, pick a question, make the answer the same as you would if you wrote the question yourself, and stick to this lie.

The explanation is a little unclear, IMO, so I'll restate it: you make your answer a complete sentence that you can remember and that is as long as the box allows. That way the complexity of the "backup password" [Schneier's phrase] grows exponentially just by virtue of its length, yet the answer actually becomes more memorable, because now it's mnemonic.

This is how and why WPA passphrases work the way they do. You can have your network authentication be something like "when i was a kid we loved to eat grasshoppers in cleveland." It's absurd and counter-factual (so hard to guess), but memorable (so you don't have to write it down).
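To put rough numbers on the length argument made above (both for the sentence-as-answer idea and for the WPA passphrase), here is an added example of my own; it is not code from the original post or from Schneier, Felten or Ragan. It estimates how many bits of work an attacker faces under the cheapest of three guessing strategies: a list of stock answers to the canned question, word-by-word guessing from an everyday vocabulary, or character-by-character brute force. The list COMMON_ANSWERS, the list size DICTIONARY_SIZE and the vocabulary size VOCABULARY_SIZE are constructed assumptions chosen for illustration, not measured figures.

```python
import math
import string

# Constructed stand-in for an attacker's list of likely answers to a stock
# question such as "What city were you born in?". Assumption: a real list
# holds on the order of DICTIONARY_SIZE entries, so a hit costs that many guesses.
COMMON_ANSWERS = {"cleveland", "chicago", "boston", "wasilla", "smith", "fido"}
DICTIONARY_SIZE = 20_000   # assumed size of the attacker's stock-answer list
VOCABULARY_SIZE = 5_000    # assumed size of the everyday-word list used to guess sentences


def normalize(answer: str) -> str:
    """Mimic the lenient matching many sites apply to security answers
    (case-insensitive, surrounding whitespace ignored), so the estimate
    does not credit capitalisation the site will throw away anyway."""
    return answer.strip().lower()


def charset_size(text: str) -> int:
    """Size of the union of standard character classes that appear in text."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in text))


def char_bits(text: str) -> float:
    """Work, in bits, for an attacker who brute-forces character by character."""
    return len(text) * math.log2(charset_size(text)) if text else 0.0


def word_bits(text: str) -> float:
    """Work, in bits, for an attacker who guesses a sentence word by word from
    a vocabulary, falling back to character brute force for any token that is
    not a plain word (e.g. a random password pasted into the answer box)."""
    total = 0.0
    for token in text.split():
        core = token.strip(string.punctuation)
        if core.isalpha():
            total += math.log2(VOCABULARY_SIZE)
        else:
            total += char_bits(token)
    return total


def guess_bits(answer: str) -> float:
    """Estimated bits of work for the cheapest attacker strategy:
    stock-answer list first, then the smaller of word-level and character-level guessing."""
    a = normalize(answer)
    if a in COMMON_ANSWERS:
        return math.log2(DICTIONARY_SIZE)
    return min(char_bits(a), word_bits(a))


if __name__ == "__main__":
    for candidate in [
        "Cleveland",
        "18D*F9afgsk*",
        "Her name is actually the name of the city where she was born.",
        "when i was a kid we loved to eat grasshoppers in cleveland.",
    ]:
        print(f"{guess_bits(candidate):6.1f} bits  {candidate!r}")
```

Under these assumptions a one-word answer that sits on the attacker's list costs about 14 bits, the twelve-character random password about 73 bits (after the site lowercases it), and the two full-sentence answers from the post around 150 bits even when the attacker guesses whole words rather than characters. The exact constants matter less than the shape of the result: length in words is what moves the number, and the memorable sentence wins without being any harder to remember.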

