18 February 2019

Surviving the Byte of the Cobra, part 2

by Leigh Lundin

The exemPlum doesn’t fall far from the tree…

Yesterday, we discussed password problems. Today, we look at those subversively risky personal questions used to zero in on you and perhaps your wallet.

A fair lot of crap programming comes out of Bangalore, so it’s fitting that software designers call this particular law of unintended consequences ‘the cobra effect’.

The Cobra Effect

During British Crown rule of India, legend says administrators grew concerned about the numbers of vipers infesting Delhi. The colonial governor offered a bounty for every dead cobra brought in. However, the plan’s short-term success was undermined by enterprising locals breeding cobras to collect bounties. The British governor terminated the program. Disappointed cobra farmers subsequently released their breeding serpents into the wild, far worsening the problem… or so the parable goes.

Character Reference

Last week, I needed to register on-line with a county agency. (No, my readers, NOT the Department of Corrections as the snarky amongst you might suspect.)

The first hint of difficulty lay in the most restricted character set I have yet encountered: letters and digits only, no punctuation whatsoever, which caps every position of a password at 62 possible symbols instead of the 95 printable ASCII characters. This thoughtfully provides bad guys huge hints: “Psst. Save time, fellas. Don’t bother testing the lock with those difficult oddball characters.”

The next clue… You know those personal identifying questions in case you forget your password? Questions like naming your favorite cheese or your first juvenile parole officer? These questions mask some of the greatest risks in computerdom. Anyone who knows the least bit about you can guess the answers.

Worse, I’ve encountered sites that provide convenient drop-down menu answers, a selection of eight or so choices. One of the most popular questions with a handy menu is, “What’s your favorite color?”

Presumably this helps the spelling-challenged, but what a gift to bad guys. Immediately black-hat hackers rule out black and white, rarely anyone’s favorites. That leaves six or eight choices, hardly a burden for the least capable password cracker. They need not guess if they notice the blue shirts and blue cell phone cover ordered on Amazon and now appearing in your latest Facebook pose.

Moral: Never answer a question with a menu choice.

[Image: Orange County registration questions. Caption: Your Government at Work]

At left, notice the personally identifiable questions from the aforementioned county agency. Anyone with the slightest knowledge about you can guess the answers. Anyone who doesn’t know you can easily google your name, learning where you attended high school, your favorite team, your pets, and your mother’s maiden name.

What can you do about it?

Don’t play the game.

First, of course, avoid Q&A with drop-down menus. That’s a given.

If the web page doesn’t feature drop-down menus, you can answer your favorite color of yellow, orange, or red with “sweet cream banana pie yellow”, “fancy freckle-farm fulvous fantasy,” or “notorious red dye number 2”.

If you know French, Spanish, or Romanian, you might utilize that knowledge, perhaps in combination with the verbose suggestion above. Answer your favorite color as ‘rouge’, ‘rojo’, or ‘roșu’. If you don’t know a foreign language, try Pig Latin, e.g., ‘edray’ or ‘ellowyay’.

But I never could abide by the rules. There’s an easier way than such hard-to-remember replies.

You can boost security if you make your answers, every answer, a non sequitur: a nonsense phrase that has nothing to do with the question, so nothing about you helps anyone guess it. Remembering will be easier if you use the same response, such as “None of your damn business.” For example:
Favorite author?
None of your damn business.
Favorite color?
None of your damn business.
Favorite team?
None of your damn business.
Web sites like Apple’s recognize and object when an answer is repeated while populating a questionnaire. One solution is to exactly echo the question with leading or trailing words. For example, “Favorite author?” can be answered with, “My favorite author is none of your damn business,” or more simply, “Stuff my favorite author,” and “Stuff my favorite team,” etc.
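The following Python script is an added example, not the author’s own method or code. It puts numbers on the menu problem described above (an eight-colour drop-down, and the same menu once black and white are ruled out) and then shows one way to satisfy sites that reject repeated answers: derive a distinct answer for every site and question from a single memorised phrase. The questions, the site name “county.example”, the 2,000-word vocabulary estimate for a nonsense phrase, and the HMAC-SHA256 derivation are all my own choices for illustration; the base32 output (letters A–Z and digits 2–7) is chosen so the answers also survive a letters-and-digits-only form like the one the county agency imposed.

```python
import base64
import hashlib
import hmac
import math

# Constructed sample of the kind of questions the page describes; the
# questions and the site name are illustrative, not from any real site.
QUESTIONS = ["Favorite author?", "Favorite color?", "Favorite team?"]
SITE = "county.example"

# A drop-down colour menu of the sort the page warns about (constructed).
COLOR_MENU = ["red", "orange", "yellow", "green", "blue", "purple", "black", "white"]


def menu_guess_bits(choices, ruled_out=()):
    """Bits of uncertainty left in a menu answer once an attacker discards
    the options nobody picks (the page's point about black and white)."""
    remaining = [c for c in choices if c not in ruled_out]
    return math.log2(len(remaining))


def phrase_bits(word_count, vocabulary=2000):
    """Rough entropy of a free-text nonsense phrase whose words are drawn
    from a modest vocabulary (the 2,000-word figure is an assumption)."""
    return word_count * math.log2(vocabulary)


def derive_answer(master_phrase, site, question, length=12):
    """Turn one memorised master phrase into a distinct answer per site and
    question: HMAC-SHA256 keyed by the master phrase over the site name and
    the normalised question text. Base32 (A-Z, 2-7) keeps the answer inside
    a letters-and-digits-only rule. Any change to the master, the site or
    the question changes every character of the result."""
    msg = f"{site}\n{question.strip().lower()}".encode()
    tag = hmac.new(master_phrase.encode(), msg, hashlib.sha256).digest()
    return base64.b32encode(tag).decode()[:length]


def derive_answers(master_phrase, site, questions):
    """One answer per question, so a site that objects to repeated answers
    still accepts the whole set."""
    return {q: derive_answer(master_phrase, site, q) for q in questions}


def answer_bits(length=12):
    """Entropy of a derived answer: 5 bits per base32 character."""
    return 5 * length


if __name__ == "__main__":
    print(f"menu of {len(COLOR_MENU)}: {menu_guess_bits(COLOR_MENU):.1f} bits")
    print(f"same menu minus black/white: "
          f"{menu_guess_bits(COLOR_MENU, ('black', 'white')):.1f} bits")
    print(f"four-word nonsense phrase: about {phrase_bits(4):.0f} bits")
    print(f"derived 12-character answer: {answer_bits()} bits")
    for q, a in derive_answers("none of your damn business", SITE, QUESTIONS).items():
        print(f"{q:<18} {a}")
```

Two caveats on the derivation: the master phrase becomes a single secret that unlocks every answer, so it deserves the same care as a master password, and an attacker who learns the scheme still has to guess that phrase, not the answer. The simpler alternative a practitioner would usually reach for is a random answer per question stored in a password manager; the derivation above is for people who, like the author, want one thing to remember.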

Most importantly, choose a method that fits your style, then keep that information to yourself. One caution: a single phrase reused at every site is exposed everywhere the moment one site leaks it, exactly like a reused password, so vary it from site to site as well. Not playing by their dictates helps keep your data safer.

Don’t play the game.

Make up your own rules.

Password Security Question

Q. What’s your favorite security question?

A. ______________________________

5 comments:

Eve Fisher said...

My favorite security question is "mother's maiden name". Easy, easy, easy to crack in this day and age.
My favorite password (which I never use) is 12345678 or "password". Really? You're that secure with other people seeing your crap?
I do use foreign languages a lot in my passwords. Which one? None of your business. ;)
Thanks for the posts Leigh!

Elizabeth said...

My credit union first asks for my login ID, then on the next page it shows me a picture & a short phrase I selected a long time ago, then a message that if I don't recognize the picture or phrase, then I might not be on the genuine credit union website. After that is the actual sign-in page which asks for a password. So my question is, what good are the picture & the phrase?

Robert Lopresti said...

http://wondermark.com/942/

Robert Lopresti said...

http://wondermark.com/866/

Leigh Lundin said...

(laughing) Good riposte, Eve!

Elizabeth, I also use a credit union and I get the same artifacts. My guess is the developers originally intended for the customer to post a personal photo of kids or something meaningful, but instead opted for a collection of pictures, at least in my bank’s case. The great thing is if your CU truly uses the same program, you have an expanded character set and a choice of passwords not available with the big banks, such as the example I gave yesterday. Yours might look something like:
€£iZ@ßeth+LotsMoreCharacters
Be sure the symbols you use are readily accessible on both your computer and mobile device. All of the characters I’ve shown here can be typed on a Mac keyboard. I’m not sure about Windows, but I know Microsoft made improvements at the OS level so the user doesn’t have to resort to using MS Word to pick out letters. These characters can be accessed by Android and iPhones.

Rob, too funny. I hadn’t seen that comic series before.