Why Cleo is a terrible name for your cat, but Cn3tqz is just fine

So, bear with me here.

I'm not seriously suggesting that Cleo, Rex and Spot were bad names for your first pet, but if you took one website at face value you might end up believing that Rover1 would have been a better choice.

Pet password fail

Your Security word must be between 6 and 15 characters in length and only contain letters and numbers.

User interface developer Anna Debenham tweeted a screenshot of how a website was happy for her to use the name of her first pet as her secret security question, but not at all happy if the answer was less than six characters long.

Bad news if your first pet cat was called Oscar, Max, Bella, Tiger, Molly, Sam, Misty, Coco, Simba, Lucy, Puss, Kitty, the list goes on...

Does this mean people will use password management software like Bitwarden, 1Password, and KeePass to choose the names of their pets in future?

Or will people learn that actually, maybe it's not such a great idea to use "secret" answers to protect their accounts when those answers are easy for unauthorised parties to find out or guess?

My advice is that people should stop thinking they have to answer honestly every question they are asked on the web. If a website asks you your mother's maiden name, or the name of your first school or pet, ask yourself if they really have any way to check if you are telling the truth or not.

The site most likely doesn't care whether you have answered truthfully or not, so why not give it an answer that no one else can determine or guess? That will keep your account more secure.
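As an added illustration (not part of the original post), here is the approach above in code: treating a "security answer" as just another password-manager secret. It generates an answer from the OS CSPRNG that satisfies the exact rule shown in the screenshot (6 to 15 characters, letters and digits only), checks whether a candidate answer would pass that rule, and reports how much entropy a uniformly random answer of a given length carries. The policy constants and the example pet names are taken from the article; everything else is assumed for the example.

```python
import math
import secrets
import string

# The quoted site rule: 6 to 15 characters, letters and numbers only.
ALPHABET = string.ascii_letters + string.digits
MIN_LEN, MAX_LEN = 6, 15


def is_allowed(answer: str) -> bool:
    """Return True if `answer` satisfies the site's stated policy."""
    return MIN_LEN <= len(answer) <= MAX_LEN and all(c in ALPHABET for c in answer)


def random_answer(length: int = MAX_LEN) -> str:
    """Generate a security-question answer the way a password manager would.

    Uses the `secrets` module (OS CSPRNG), never `random.random()`, and picks
    the longest length the policy permits by default.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    answer = random_answer()
    print(f"generated answer: {answer} ({entropy_bits(len(answer)):.1f} bits)")
    # The short real pet names from the article fail the site's own length
    # rule; Rover1 passes it but is trivially guessable, which the policy
    # cannot detect. Length rules measure characters, not secrecy.
    for name in ("Cleo", "Rex", "Spot", "Rover1", "Oscar"):
        print(f"{name!r:10} allowed by policy: {is_allowed(name)}")
```

Store the generated string in the password manager alongside the account; the point of the article is that nobody can check whether it is your real pet's name, so there is no reason to use one.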

For the record, in case you need it, my mother's maiden name is 6@UfqDzkN#hsFc9. But I am thinking of renaming my dog Rover1.

Hat-tip: @anna_debenham


8 Responses

  1. Trevis

    May 12, 2014 at 10:07 am #

    Hello Graham, maybe you could also mention Sticky Password (http://www.stickypassword.com) as an alternative to the password managers. I have been using this software since 2005 and they are doing a great job. I have settled with them probably, so when I have tried others, they were a little bit different and not for me and I think they are worth mentioning.
    Anyway, I agree with you on this article. People are pathetic sometimes. I use strong and random passwords and hope I am safe :)

  2. jasper robinson

    May 12, 2014 at 3:55 pm #

    My on-line bank security controls are fairly serious but one feature of it is uncharacteristically odd.

    Customers need to supply a 'memorable date' in 8-digit form. Assuming that this really meant any 8-digit number, and that my bank just suggested a date as a mnemonic, I used a random number generator to create an 8-digit random number when updating my passes. But my random number was rejected and I was asked to supply a REAL date instead.

    Am I right to think that there are 100,000,000 8-digit numbers (10^8) but only 3,719,628 8-digit dates? (31 possible dates x 12 possible months x 9999 possible years – fewer if months, accurately, have fewer than 31 days each.) And that it would take a hacker about 26 times longer to crack a random number than a random date (i.e., 100000000/3719628 ~ 26.8)?

    3,719,628 8-digit dates sounds pretty good actually until you start to think about how non-random they'll be. Probably dates when the account holder was alive…maybe even their birthday!

    • Coyote in reply to jasper robinson.

      May 15, 2014 at 6:31 pm #

      To be honest: numbers only are so weak it is not even funny. Even in the 90s computers were powerful enough to go through a dictionary attack on password hashes (and that includes salted hashes and that includes _multiple_ passwords) in a day, and that is 8 character passwords so aaaaaaaa to zzzzzzzz (and every combination in between… well okay, even worse: it also includes numbers and non alphanumerical characters). Numbers is basic iteration (there are specific CPU instructions for incrementing and decrementing numbers!) and was fairly quick back then and is now much more so. In fact, I just wrote a program which demonstrates how long it takes to print every (and note: printing requires more overhead than just iterating through) every single combination from 0 to 999999 (yes, every combination, not just 1000000 numbers total). I didn't do a full 8 digits because it only will take a bit longer (certainly not long enough to really matter) and is only for demonstration purposes

      Result: 43s (and no, I didn't do that timing by a stop watch; I had the computer time it by the utility 'time' which shows how long in real time, user and system time, the program passed to it, takes to run). Also, my CPU is from 2007. To be fair it is an Intel i7 but it was the lowest of the i7 first generation (it has 8 cores by way of hyperthreading but I was not in fact using threads at all – this was one core only).

      The only real protection with this is: lock out after X attempts (and well, I guess two factor and other deterrents – which is unfortunately all they are). So be glad it is not physical access as that would be much worse than over the wire (but regardless, take this with a grain of salt).

      Tidbit: most random numbers are pseudo-random numbers and many pRNG (pseudo random number generator) are weak, many (including system pRNGs) below the minimal standard (which is OK but not at all OK for the likes of computer security).

      • jasper robinson in reply to Coyote.

        May 31, 2014 at 3:36 pm #

        That's highly alarming but your point about locking out after X attempts is at least as reassuring. I hadn't really thought about its importance.

        Most of this goes over my head but I guess that with a sufficiently small number of attempts and a sufficiently long lock-out period we're all reasonably safe!
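As an added worked example (not written by any of the commenters), the following script carries through the keyspace arithmetic from jasper robinson's comment and the lockout point from the replies. It counts the exact number of distinct calendar dates that fit in DDMMYYYY for years 0001 to 9999, correcting for month lengths and leap years as the comment anticipated, compares that keyspace with the 10^8 arbitrary 8-digit numbers, and models the worst-case time an online guesser needs when the service locks the account after a fixed number of failed attempts. The lockout parameters at the bottom are assumptions chosen for illustration, not any bank's real settings.

```python
import calendar
import math
from datetime import date

ALL_8_DIGIT = 10 ** 8  # 00000000 .. 99999999, the keyspace of an arbitrary 8-digit number


def count_valid_dates() -> int:
    """Exact number of calendar dates representable as DDMMYYYY, years 0001..9999.

    Python's date type is proleptic Gregorian and numbers days from
    0001-01-01 == 1, so the ordinal of the last representable date is the count.
    """
    return date.max.toordinal()


def count_valid_dates_by_month() -> int:
    """Independent cross-check: sum the real length of every month."""
    return sum(calendar.monthrange(y, m)[1]
               for y in range(1, 10000) for m in range(1, 13))


def keyspace_ratio() -> float:
    """How many times larger the arbitrary-number keyspace is than the date keyspace."""
    return ALL_8_DIGIT / count_valid_dates()


def bits(keyspace: int) -> float:
    """Keyspace size expressed as bits of entropy (for a uniformly chosen value)."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, attempts_per_window: int, window_seconds: float) -> float:
    """Worst-case seconds for an online guesser to try every candidate when the
    service permits `attempts_per_window` guesses and then locks the account
    for `window_seconds`. Time spent submitting guesses is ignored, so this is
    a lower bound on the attacker's time.
    """
    windows = math.ceil(keyspace / attempts_per_window)
    return windows * window_seconds


if __name__ == "__main__":
    dates = count_valid_dates()
    print(f"valid DDMMYYYY dates: {dates:,} ({bits(dates):.1f} bits)")
    print(f"arbitrary 8-digit numbers: {ALL_8_DIGIT:,} ({bits(ALL_8_DIGIT):.1f} bits)")
    print(f"ratio: {keyspace_ratio():.1f}x")
    # Assumed lockout policy for illustration: 5 attempts, then a 15-minute lock.
    secs = seconds_to_exhaust(dates, attempts_per_window=5, window_seconds=15 * 60)
    print(f"with 5 tries per 15-minute lockout, exhausting all dates takes "
          f"{secs / (365.25 * 86400):.1f} years")
```

The date keyspace is about 21.8 bits against 26.6 bits for an arbitrary 8-digit number, so the "about 26 times" estimate in the comment is close (the exact ratio is roughly 27.4 once short months and leap years are accounted for). Note that this assumes a uniformly chosen date; a birthday drawn from a plausible lifespan shrinks the effective keyspace far more than the month-length correction does, which is why the lockout, not the keyspace, is doing the real work.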

  3. Vito

    May 12, 2014 at 9:38 pm #

    My mother's maiden name is "UnimaginativeSecurityQuestionsSuck".

  4. Matthew Stinar

    May 13, 2014 at 11:38 am #

    I, too, use Lastpass for generating secure passwords. One of my accounts required me to create a password hint. I obliged by offering "Ur hozed." as a hint that there's no way I'm going to remember any of the passwords I generate with Lastpass. Thankfully, the fact that I use Lastpass means that I have no need of remembering my passwords.

    • jasper robinson in reply to Matthew Stinar.

      May 31, 2014 at 3:55 pm #

      Yes – tho' there are some, very occasional, situations that LP can't help with (e.g., some apps don't like LP, or even Cut and Pasting and you can't use LP to associate an Apple TV with an Apple ID).

      But these are very rare and I recommend LP to anyone who'll listen. Free and cross platform.

  5. drsolly

    May 13, 2014 at 6:30 pm #

    My daughters are called daughter.1 and daughter.2. No need for difficult naming decisions!
