Friday, April 5, 2013

Yet another wacky security scheme

Passwords are easy to get wrong.  Trying to make people come up with "stronger" passwords just makes it worse.  Security questions just provide another avenue of attack, probably an easier one.  So, ladies and gentlemen, may I introduce to you: The security word.

"What is it?", you may later regret asking.

You give the site a "security word".  Later, they will ask you not for the word itself but for a few randomly selected letters, for example the second, fifth and eighth, and next time it might be the first, fifth and sixth (note to self -- lopadotemachoselachogaleokranioleipsanodrimhypotrimmatosilphioparaomelitokatakechymenokichlepikossyphophattoperisteralektryonoptekephalliokigklopeleiolagoiosiraiobaphetraganopterygon may not be the best choice for this exercise).

If you picked, say, security, and the system asks for the second, fifth and eighth letters, you would give 'e', 'r' and 'y'.  If someone's looking over your shoulder, how much information do they have?  Let's fire up the old UNIX shell:
$ grep '^.e..r..y.*' /usr/share/dict/words | wc -l
84

What this means is that there are 84 words in the dictionary on my system that have 'e', 'r' and 'y' in those positions, or about six bits of entropy.  Most of them are words like ventrohysteropexy and dextrogyratory that people are unlikely to pick.  The person who helped me set up the account in question recommended something "easy to remember".  Odds are it's "security".

If not, all an attacker has to do is guess the letters that the site asks for next time.  There's a good chance that at least one will be one the attacker has already seen.  There won't be a lot of choices for the unknown letters.  Without looking at the list, I'd bet that 'q' isn't on it and 'e', 't' and a few others cover most of the possibilities.  Even without having looked over your shoulder, an attacker would know just from the security word being English that certain letters are better to try in certain positions.
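The same measurement, carried a step further, as an added example that is not part of the original post.  The script does what the grep one-liner above does (count the dictionary words consistent with the letters an observer saw and convert that count to bits), and then quantifies the two follow-on claims: how likely the next three-of-eight challenge is to reuse a position whose letter is already known, and how many distinct answers the surviving candidates actually produce for a new challenge, which is the guess space a defender should be measuring.  The word list is a small constructed stand-in for /usr/share/dict/words so the example runs offline; the function names and the 1-based position convention are this example's own choices.

```python
import math
import re
from collections import Counter
from itertools import combinations

# Constructed stand-in for /usr/share/dict/words so the example runs offline
# (assumption: a real measurement would read the system dictionary instead).
WORDS = [
    "security", "severity", "seniority", "celebrity", "dexterity",
    "temerity", "veracity", "tenacity", "sincerely", "password",
    "ventrohysteropexy", "dextrogyratory", "quality", "strength", "entropy",
]


def challenge_regex(revealed):
    """Turn {1-based position: letter} into the grep-style pattern from the post,
    e.g. {2: 'e', 5: 'r', 8: 'y'} -> '^.e..r..y'."""
    last = max(revealed)
    body = "".join(re.escape(revealed[i]) if i in revealed else "."
                   for i in range(1, last + 1))
    return "^" + body


def candidates(words, revealed):
    """Every dictionary word consistent with the letters an observer saw."""
    pattern = re.compile(challenge_regex(revealed))
    return [w for w in words if pattern.match(w)]


def entropy_bits(n_candidates):
    """Remaining uncertainty in bits if the word is drawn uniformly from the
    candidate set (the post's 84 words come out to about 6.4 bits)."""
    return math.log2(n_candidates) if n_candidates > 0 else 0.0


def overlap_probability(word_len, k_asked, known_positions):
    """Exact probability that a fresh random k-position challenge reuses at
    least one position whose letter the observer already knows."""
    total = 0
    hit = 0
    for combo in combinations(range(1, word_len + 1), k_asked):
        total += 1
        if any(p in known_positions for p in combo):
            hit += 1
    return hit / total


def distinct_answers(cands, asked_positions):
    """Distinct answer tuples the candidates produce for a new challenge.
    This, not the dictionary size, is the effective guess space."""
    answers = set()
    for w in cands:
        if len(w) >= max(asked_positions):
            answers.add(tuple(w[p - 1] for p in asked_positions))
    return answers


def letters_by_position(cands, position):
    """Letter frequency at one position across the candidates; this is why
    some letters are far better guesses than others at a given position."""
    return Counter(w[position - 1] for w in cands if len(w) >= position)


if __name__ == "__main__":
    seen = {2: "e", 5: "r", 8: "y"}          # what the shoulder-surfer observed
    cands = candidates(WORDS, seen)
    print(challenge_regex(seen), len(cands), "candidates,",
          round(entropy_bits(len(cands)), 2), "bits")
    print("P(next 3-of-8 challenge reuses a known position) =",
          round(overlap_probability(8, 3, set(seen)), 3))
    print("answers to try for positions 1, 5, 6:",
          sorted(distinct_answers(cands, (1, 5, 6))))
    print("letters at position 1:", letters_by_position(cands, 1))
```

With the constructed list, five words match the observed pattern, a new challenge on positions one, five and six has an 82% chance of reusing a known position, and only four distinct answers remain to try.  Swapping in the real system dictionary reproduces the 84-word count from the post; the ratio between dictionary size and surviving answers is the figure to quote when arguing about a scheme like this.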

So basically you have another hoop to jump through that adds minimal actual security, but tries to create the illusion of strong security, while really just making the system harder to use.  Huzzah.
