Tag Archives: random

Rant: Security Questions Are Stupid

We’ve all heard this bit before, especially the avid readers of Bruce Schneier’s security blog, but after seeing the security questions available on a new account I created today, I just had to do my own rant.

Security questions are considered by some to be a form of “two-factor authentication”. They’re no such thing. If used to further secure login, they’re just an extra password which is almost guaranteed to be much more guessable than your usual password. If used to recover a lost password, they function to replace your password with something almost certainly less secure.

Some suggest giving nonsense answers to security questions for this reason. Of course, then you’re back where you started: you’ll never remember your answers. And that’s assuming you could have remembered them had you answered honestly, which is often just as impossible. So we’re back to writing them down on paper, which negates the entire point.

Yet these stupid things are required on a majority of secure sites now. Can security auditors please stop trying to please their clients and tell them the truth about how security questions just make things worse?

The questions which prompted this rant:

  • “What was your favorite color in elementary school?” – Now, let’s assume I remember that time of my life in the first place. At which point in elementary school? Let’s say I just pick one, and let’s even more fantastically say I somehow stick to remembering which one. Most children will have said one of the colors of the rainbow. Say it with me now… “Dictionary attack”!
  • “What is the nickname of your youngest sibling?” – Suppose I don’t have any siblings. Suppose I am the youngest sibling. Suppose my youngest sibling doesn’t have a nickname. And even aside from all this, names suffer from relatively low entropy, though admittedly not as low as colors.
  • “What was your first job?” – Have I ever had a job? Am I young enough that I remember exactly which thing I did first? Do I count doing chores as a child? Do I count shoveling snow for my neighbors? Do I count internships? How do you define a “job”?
  • “What breed of dog was your first pet?” – I’ve never had a dog as a pet in my life. And that’s even after the assumption that I have a pet at all. If I did, was the first one a dog, and did I only get one dog at that time? By the way, the entropy of dog breeds is even lower than that of colors when you include all colors.
  • “What is the nickname of your oldest sibling?” – See youngest sibling.
  • “What is the name of your first pet?” – Again, suppose I have no pets. Suppose my “first” pet was one of a group. Suppose I picked an arbitrary one out of a group. Also, low entropy again.
  • “Who was your childhood hero?” – What constitutes a hero? Suppose there wasn’t someone I looked up to in childhood? Suppose there was more than one? Suppose I just don’t remember? And the entropy of a hero’s name is likely to be rather lower, on average, than that of a regular name.
  • “What was the model of your first car?” – Where do I even begin here? Did I ever own a car? Am I even old enough to drive? Do I remember its model? Do car models have any kind of entropy at all?
  • “What was the name of your earliest childhood friend?” – I had lots of friends as a child. Didn’t everyone? Suppose, more morosely, that I had none. Am I going to know which one was the earliest? And yet again, the low entropy of names.

Now, I grant, most of these are pretty silly nits. They don’t have to be accurate answers, just ones to which I can remember the answers consistently. Unfortunately, the more likely I am to remember the answers, the less likely they are to be remotely secure passwords.

Password strength doesn’t count when the answers are only one word long and chosen from a limited pool, people.

The dangers of games

As a programmer, I have the dubious pleasure of enjoying overcomplicated, highly technical games such as EVE Online. For those who don’t know, EVE is an MMORPG that functions essentially on the opposite premise from World of Warcraft. Pretty much nothing is done for you in EVE. There’s a million ways to screw up and nothing you can do once that’s happened. It’s rather like real life in that way. Despite its poorly-done Python UI and downright pathetic Mac port (it’s the cider wrapper layer on top of wine emulation), I enjoy the game, primarily because it exposes so much of the “nitty-gritty” details of how its universe works. A player has control over very detailed numbers and data relating to the functioning of their spaceships and even their bodies. Often it’s too much data; it’s very easy to forget one tiny thing and lose millions of ISK (in-game money) and a great deal of time because of it. Neglecting to bookmark a wormhole exit comes to mind. EVE also does nothing for you. To install implants or activate jump clones, you have to manually pause your skill training queue, for example, even though this is something the game could very easily do for you, and there’s no apparent reason to make the player click the extra four buttons.

In any case, the thought behind this whole bit is, games are addictive. This is not a new discovery, for the world or for me, and I don’t expect anyone to be astonished by the revelation. For people such as me, who fall in love very easily with inane technical details and exacting numbers and gated progression (the need to finish task X before being able to learn the details of the task Y that follows), EVE is particularly so. It’s easy to say “I’ll just do one mission and then get to work,” and in a game like World of Warcraft where quests or even group dungeons are typically short these days (vanilla WoW notwithstanding), that would mean an hour of playing a game and then several hours of productive time. Setting aside the question of the “well just one more” syndrome, which is another problem altogether, the same comment made about EVE usually involves suddenly realizing I’ve spent six hours I meant to use for coding just finishing the one task! It always takes longer to blow up NPC ships than the mission description suggests (even using the Cliff Notes available online). Then there’s travel time between areas of a complex to consider, especially in a slow ship like most of the more powerful ones, and time spent salvaging wrecks (an extremely profitable activity well worth the effort if you have the time to spend, especially on more difficult missions), and then there’s organizing and selling/using whatever you gained from the mission and the salvage.

EVE unfortunately has the problem that for some play styles (including mine), play consists of paying intent attention to the same thing happening over and over for an hour or three, most of that time spent with no user input (and what input there is is also repetitive). Taking one’s attention off for a moment lends itself to finding the entire effort wasted. This would be a spectacular thing for some forms of autistic, but I’m not one of them! Oh well. I still like the game, because there’s a very real sense of accomplishment to completing various tasks.

The upshot of it all is that the existence of such games tends to sap the time I’d otherwise spend making progress. Yet, if asked if I’d rather the game be taken away, I have to say no, because I still need the distraction. What I want, really, is more control over the length of the distraction. “Just do it” doesn’t work for everyone, people!

I would recommend EVE Online to compulsives and the technically minded. I would not recommend it for those who don’t have the patience to wait before being able to explore facets of the game. Some of the higher-end stuff takes literally months to gain the skills for.

This post didn’t really have a conclusion, or a solid point. I just kinda felt like getting all that out. :-)


With apologies to Pete Seeger and Malvina Reynolds…

Little Tic-Tacs in the boxes
Little Tic-Tacs made of sugar gum
Little Tic-Tacs, little Tic-Tacs, little Tic-Tacs all the same
There’s a white one, and a white one, and a white one, and a white one
And they’re all made out of Ticky-Tacky
And they all look just the same

This came to me when someone said “Tic-Tacs” and “ticky-tacky” to me. That is all.

The utility of a scripting language.

I feel like quite a geek. I had some text copied from my IRC client that I wanted to transform to XML for my XSLT sheet to display all nicely on the Web interface. Format of a line copied from the client:

altered nickname<tab><tab>message<tab>hh:mm:ss<space><AM or PM><carriage return>

Correctly formatted XML for the XSLT sheet:

<message><time>unix timestamp</time><type>2</type><sender>correct nickname</sender><content>message</content></message>

How to transform this? I could’ve done the majority of the work with a PCRE regexp and search/replace, but that wouldn’t have fixed the nicknames (since you can’t make if/else decisions in a replace in most editors) or calculated the correct UNIX timestamps. So I turned to scripting, of course. Some would have chosen to use Ruby, others Python, or Perl, or possibly even bash for some masochistic reason. I chose PHP.

Took five minutes, most of which was spent constructing the regexp. The code:


<?php
// Read everything after __halt_compiler() at the bottom of this file: that is where the
// pasted conversation lives, so the script and its input travel as one file.
$conversation = file_get_contents(__FILE__, false, NULL, __COMPILER_HALT_OFFSET__);
$valid_nicks = "nick1|nick2|nick3|nick4|nick5";
// One line per match: nick, message, hour, minute, second, AM/PM.
preg_match_all('/^('.$valid_nicks.')(?:\t+)([^\n\t]+)(?:\t+)(\d+):(\d+):(\d+)[ ]([AP]M)$/mSu', $conversation, $matches, PREG_SET_ORDER);
$xml = "";
$time = time();
foreach ($matches as $splitline) {
    $nick = $splitline[1];
    $message = $splitline[2];
    $hour = $splitline[3];
    $minute = $splitline[4];
    $second = $splitline[5];
    $meridian = $splitline[6];
    // Collapse the altered nicknames back to the real ones.
    if ($nick === 'nick1' || $nick === 'nick2') {
        $nick = 'real_nick1and2';
    } else if ($nick === 'nick3' || $nick === 'nick4') {
        $nick = 'real_nick3and4';
    }
    // Each message simply gets the next second; the real timestamp calculation was left commented out.
    ++$time; //mktime($hour + ($meridian === 'PM' ? 12 : 0), $minute, $second, date('n'), $meridian === 'PM' ? 1 : 2, date('Y'));
    $xml .= "<message><time>{$time}</time><type>2</type><sender>{$nick}</sender><content>{$message}</content></message>\n";
}

echo $xml;

__halt_compiler();
// the conversation was pasted here

I daresay that was a pretty cheaply elegant bit of work, if I may be allowed to pat myself on the back. Entirely trivial stuff, but it shows how useful scripting can be for some tasks. How inane would that conversion have been, replacing the nicks by hand and calculating the timestamps one at a time? The conversation was about 500 lines long. Yay scripting.

Please, don’t comment with a one line Perl script to do the same thing from STDIN, I’m well aware you can use Perl to compress any complexity down to what looks like a couple hundred bps of line noise :-D.

P.S.: I am fully aware that the code has several inefficiencies, odd-seeming decisions, things that could’ve been done better, and so on, and so on. Who cares? It works. It’s not meant to win design awards.
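One thing worth fixing before a script like this feeds a Web interface: the message text goes straight into the XML, so any chat line containing “<” or “&” yields malformed XML, and a line crafted to look like markup can close the content element early and supply its own sender. The version below is an added example, not the post’s script; it keeps the same line format and nick mapping, escapes every text node, and carries the commented-out mktime() idea through. The nicks, the mapping and the three sample lines are constructed, and it assumes PHP 7.4 or later.

```php
<?php
// Added example, not the post's script: same line format and nick mapping, but message
// text is escaped before it goes into the XML, and the commented-out mktime() idea is
// carried through. Nick names and sample lines are constructed.

// Constructed sample in the client's format: nick<tab><tab>message<tab>hh:mm:ss<space>AM/PM
$conversation = "nick1\t\thello <b>there</b> & welcome\t10:05:07 AM\n"
              . "nick3\t\t</content><sender>admin</sender><content>spoofed\t10:05:09 AM\n"
              . "nick5\t\ta plain message\t12:42:00 PM\n";

$valid_nicks = ['nick1', 'nick2', 'nick3', 'nick4', 'nick5'];
// Assumed mapping from altered nicks to the real sender names.
$nick_map = [
    'nick1' => 'real_nick1and2', 'nick2' => 'real_nick1and2',
    'nick3' => 'real_nick3and4', 'nick4' => 'real_nick3and4',
];

// Escape text for an XML text node: & < > " ' become entities, so a chat line cannot
// close <content> early or smuggle in its own <sender> element.
function xml_text(string $s): string
{
    return htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Build the alternation from the nick list; preg_quote() keeps odd nicks from being
// read as pattern syntax.
$alternatives = implode('|', array_map(fn ($n) => preg_quote($n, '/'), $valid_nicks));
$pattern = '/^(' . $alternatives . ')\t+([^\n\t]+)\t+(\d+):(\d+):(\d+) ([AP]M)\r?$/mu';
preg_match_all($pattern, $conversation, $matches, PREG_SET_ORDER);

$xml = '';
foreach ($matches as [, $nick, $message, $hour, $minute, $second, $meridian]) {
    $sender = $nick_map[$nick] ?? $nick;
    // 12-hour clock to 24-hour (12 AM is hour 0, 12 PM is hour 12); the date is assumed
    // to be today, as in the post's own commented-out line.
    $hour24 = ((int) $hour % 12) + ($meridian === 'PM' ? 12 : 0);
    $ts = mktime($hour24, (int) $minute, (int) $second, (int) date('n'), (int) date('j'), (int) date('Y'));
    $xml .= '<message><time>' . $ts . '</time><type>2</type>'
          . '<sender>' . xml_text($sender) . '</sender>'
          . '<content>' . xml_text($message) . '</content></message>' . "\n";
}
echo $xml;
```

The second sample line comes out as escaped text inside its own content element rather than as a forged sender, which is the property the XSLT sheet should be able to rely on.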

The last remnants of the old Republic have been swept away.

“Impossible! How will the Emperor maintain control without the bureaucracy?”
“The Regional governors will have direct control over their territories. Fear will keep the local systems in line; fear of this battle station.”

“Guinan, I need your help. Could you sit over there?” – Riker
“Seems simple enough…” – Guinan