How to Answer Secret Questions

Many accounts permit or require users to answer so-called “secret questions”.  The idea is that you provide answers to questions so that the site can later verify that it’s really you answering them.  Unfortunately, for most of these questions the answers are easily obtained by an attacker.  Here we discuss how to prevent those attacks so that your “secret answers” to their “secret questions” can actually be secret.

First of all, let’s recognize that the answers to most secret questions can be obtained by a good researcher.  “Where did you attend high school?”  “Where were you born?”  “What was the model of your first car?”  In order to make your answers secret you must somehow provide an answer that’s more than just the real answer.  One technique is to use a password manager and to save the questions along with a randomly generated answer.  “What is your mother’s maiden name?” might be answered “dFr%@4d”.  As long as you have a secure, private place to store the question and the answer so that you can find it when you need to authenticate, this is a secure method of solving the problem.  However, most people would prefer to answer the questions in such a way that they can remember the answers.

A simple method for this is to have a secret word.  (For extra security you can have a different word for each account – but you will need to remember that word!)  For this example let’s assume that my secret word is “markers”.  That’s my secret word for all of my personal accounts.  I will use that everywhere.  Therefore the answer to all of my secret questions will be prefixed with that word.  The answer to “Where did you attend high school?” changes from “Randolph High School” to “markers Randolph High School”.  The answers to “Where were you born?” and “What was the model of your first car?” would be “markers Boston” and “markers Sentra”.  As long as I do not tell anyone my secret word then my answers are secret, and they can’t be hacked, even if an attacker knows the real answers through research.

In review, select a secret word.  One that you do not tell anyone.  Then use that word in front of the actual answers to any secret questions.  Suddenly all of your accounts are far more secure than they were before.


Apple vs FBI – Infosec Failure for San Bernardino

While much of the argument about the iPhone data centers on whether Apple should comply with an order to break their own protections, companies which own phones should note that the real failure is that of San Bernardino County’s information security policies and procedures.  They permitted their property (the iPhone) to be used in such a way that they no longer had control of it.  In effect, they provided their employee with a safe, a cyber space safe, and they did so without maintaining their own key to the safe.  Now that they want access to their own property (the iPhone), they find that their information security policies and procedures have failed.  In cases where an organization provides a safe (especially a safe inside a phone) they should consider carefully what will happen if the employee does not provide access to the safe, whether that’s because the employee has won the lottery, been terminated, or passed away.

Thinking about such events may not always be easy or comfortable, but considering such risks is critical to a complete, mature information security stance.  In this case having a plan in place would have made it possible to provide assistance to law enforcement in a potentially serious matter, and that would have been better for San Bernardino County, the families of those affected, and indeed all good people who want to prevent such cowardly attacks in the future.  Have a tested plan in place.  Hope you never need it, but have it in place ahead of time.  It makes all the difference.

Apple vs FBI – Not About Just One Phone

There seems to be some question about Apple refusing access to a single phone.  First of all, let’s be clear.  The failure is that of San Bernardino County.  They own a device, the phone, which might contain information useful for a federal investigation.  They can’t get into their own phone.  Consider that the phone is like a safe.  San Bernardino County bought a safe, and they let their employee take it home.  The employee changed the password.  Now the employee is dead, and they want access to the safe.  Now, if I had lost the combination to a safe, I’d hire a safe cracker.  I would not blame the safe company for building a good safe.  Furthermore, if the FBI wanted access to the property of San Bernardino County then they’d be ordering San Bernardino County to unlock the phone.  Then the owner of the property, San Bernardino County, could hire a hardware hacker to break into the phone.

But instead of going after a single phone, the federal government has ordered a manufacturer to subvert the security of their product.  Again, if they wanted access to a single phone they’d hire an expert to break in.  If this were to happen in China, I’d expect the government to command its citizens to do what it says.  Here in the U.S. I don’t understand how the government can order someone in this way.

The terrorists hate us because we treat people as individuals.  We have gender, racial and other equality written into our laws.  They consider women to be property.  We educate all children, boys and girls.  They kill girls who try to go to school.  We encourage freedom of speech.  They kill those who speak out against the government.  We have freedom.  They do not.  They want us to become a place where people fear the government.  We need to be better than that.

There are other reasons that the government should not break the encryption of iPhones, but that’s a topic for another post.

How to Choose Good Passwords

With our continued reliance on passwords, it is still a good idea to select good, secure, and memorable passwords.  It’s also very important to change them periodically.  We’ll cover some suggestions on selecting good passwords that naturally expire, and we’ll cover a bit about password safety.

There is no such thing as the perfect password, and there are many different ways that passwords can become compromised.  This does not mean that we should simply give up and use “Password” or “Excalibur” for all of our passwords.  It does mean that we should all choose passwords that are appropriate for the assets that they’re protecting, and we should all change our passwords periodically.

First of all, we should not have one password for everything.  If your password is compromised you do not want that to allow an attacker to gain access to every single account that you have.  A simple way to have different passwords for every account is to separate your passwords into two halves.  One half is a good password, perhaps 6 to 8 characters.  The other half is unique to the account of that particular password.  For example, if your good half is “ILFit5!” and you are choosing passwords for your email and for your mobile phone online account then those two passwords might be “ILFit5!gmail” and “ILFit5!tmobile”.  Now you have two different passwords, but they are easy to remember (more about remembering that first half in a bit.)  While there might be some concern that a person who gets one password might see the pattern and use it for other accounts, this is not a risk we’re mitigating with this strategy.  What we are preventing is keyboard loggers, network sniffers, and stolen password hashes – all attacks that can be connected to automation – where the attacker wrote a program that grabs the username and the password and then tries it against as many other web sites as it can find.  In these cases there’s never any person reading the password.  It’s a program.  It just tries the same username and password all over the place.  You’ve now secured your account against these.

Now, for the “good” half of the password.  Let’s take a six word (or more) seasonal sentence.  For this example “I like flowers in the spring.”  We’ll take the first letters, which gives us “I Like Flowers In The Spring”, or ILFITS.  Now let’s change the case.  I suggest using capitalization to emphasize the words that are important.  So let’s make it “I Like Flowers in the spring”, or ILFits.  Now let’s add a number or change something to be a number.  Since the s and the number 5 have similar shapes, let’s make that a 5.  Now we have “ILFit5”.  Finally we need a special character in the password.  Let’s add an exclamation point for emphasis.  This gives us a final password of “ILFit5!”.  This is too short to be the whole password, so it will need to be followed by a unique identifier.  As described above, using a different identifier per account is a good way to keep passwords different.  There are some web sites and other accounts that have very poor password requirements, and which don’t allow some special characters.  This is very frustrating, particularly for those of us in the security industry.  When you run across one of these I suggest having a different sentence.  Perhaps “Some websites don’t value my security”, or “SWdvm5”.
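The derivation above (first letters, capitalize the emphasized words, swap a look-alike letter for a digit, append a special character, then append the per-account tag) is mechanical enough to write down as code.  The following Python is an added illustration, not code from the original post; the function names, the `emphasize` parameter, the `digit_swap` default of s→5, and the composition check with its 12-character minimum are assumptions made here to reproduce the post’s worked values (“ILFit5!”, “ILFit5!gmail”, “SWdvm5”) and to flag a core half that is still too short to use alone.

```python
import string

# Added example reproducing the post's password derivation; not the author's code.


def acronym(sentence, emphasize):
    """Take the first letter of each word in `sentence`.

    Words listed in `emphasize` (compared case-insensitively) keep an
    upper-case initial; every other word gets a lower-case initial.  The
    pronoun "I" is always written upper-case, so it is treated as emphasized.
    """
    letters = []
    for word in sentence.split():
        bare = word.strip(string.punctuation)  # drop a trailing '.' or similar
        if not bare:
            continue
        key = bare.lower()
        if key in emphasize or key == "i":
            letters.append(bare[0].upper())
        else:
            letters.append(bare[0].lower())
    return "".join(letters)


def derive_core(sentence, emphasize, digit_swap=("s", "5"), special="!"):
    """Build the reusable 'good half' of a password from a seasonal sentence.

    digit_swap: (letter, look-alike digit) pair to substitute; the post uses s -> 5.
    special:    character appended for emphasis; pass "" for sites that reject it.
    """
    core = acronym(sentence, emphasize)
    old, new = digit_swap
    core = core.replace(old, new)
    return core + special


def account_password(core, account_tag):
    """Join the reusable core with the per-account identifier (the second half)."""
    return core + account_tag


def check_composition(password, min_len=12):
    """Return a list of composition problems (empty list means none found).

    The 12-character floor is an assumption for this example; the post only
    says the core alone is "too short to be the whole password".
    """
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # Constructed inputs taken from the post's own examples.
    core = derive_core("I like flowers in the spring.", {"like", "flowers"})
    print("core half:", core, "->", check_composition(core))          # ILFit5! is too short alone
    for tag in ("gmail", "tmobile"):
        pw = account_password(core, tag)
        print(tag, "->", pw, check_composition(pw) or "ok")
    # Fallback sentence for a site that forbids special characters.
    print(derive_core("Some websites don't value my security",
                      {"some", "websites"}, special=""))
```

Passing `special=""` is how the second sentence yields “SWdvm5” with no punctuation; `check_composition` will then report the missing special character, which is exactly the compromise the post describes for sites with weak rules.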

Passwords that are tied to the seasons automatically remind you to change them.  Each time I’m logging into my tmobile account I’m repeating the words (in my head of course) “I like flowers in the spring.”  If I’m still using that password during the summer, this password method reminds me when it’s time to change my passwords.  It’s a good idea to have a list of your accounts and their passwords either electronically or on paper, but that’s a topic for another time.

Remember.  Give your passwords two parts, and for the password part use a Six word Seasonal Sentence to remind you to change that part of the password at least four times a year.