Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Terr_ 6 days ago

It's possible an attacker might say: "My first pet's name is random gibberish", and the person on the other end goes: "Yep, that's what it says."

I'm not sure how many companies that would happen at, but it seems... just dumb enough to be plausible.

Marsymars 6 days ago | parent | next [-]

1Password’s default for secret questions is a sequence of English words, rather than random gibberish.

rjsw 6 days ago | parent [-]

See https://xkcd.com/936/

eru 6 days ago | parent [-]

Why would you want to memorise a password? That's what password managers or even paper is for.

(Writing your passwords down on paper is actually less crazy than it sounds like:

It's impossible to hack paper from the internet. And, if someone has physical access to your stuff, they could install a keylogger anyway.)

Terr_ 5 days ago | parent | next [-]

> Why would you want to memorise a password?

You'll definitely want to memorize the password to the backup service that has the last copy of your password vault after a disaster. :P

> Writing your passwords down on paper is actually less crazy than it sounds

I agree that physical security can be incredibly useful against a lot of modern threats... but we can do better. I wish there was a dedicated password-keeper device format of:

* A small keyboard and screen

* The data encrypted at rest by one master password

* Only permits upload/download of the the encrypted file over USB. With some companion software, you just plug it into your computer, computer copies the encrypted file to somewhere on disk that gets regularly backed up, the disconnects and beeps to tell you it's done.

* Sturdy enough that any "Evil Maid" attack needs to be done by a professional rather than a conniving roommate or jilted partner.

* Tracks history of entries, last-changed, etc.

eru 5 days ago | parent [-]

> You'll definitely want to memorize the password to the backup service that has the last copy of your password vault after a disaster. :P

Why? Write it down. Perhaps leave multiple paper copies around with some trusted people, like your lawyer and a safe deposit box at your bank.

Your proposed device seems a bit complicated. You can get pretty far with a piece of paper and this protocol:

Construct your password from two parts. (1) random gibberish you write down on paper, (2) a 'correct horse battery staple'-style part that you memorise.

Btw, have you looked into Yubikeys? They are better than password storage, because they can store your private keys and do signing with them. The key never leaves the device. (They can also store passwords, I think.)

Terr_ 5 days ago | parent | next [-]

> Why? Write it down. Perhaps leave multiple paper copies around with some trusted people, like your lawyer and a safe deposit box at your bank.

Those people would then effectively have access to your nearly-current desktop/laptop data from anywhere, especially since they would have to know who you are which greatly simplifies guessing your username/email.

> You can get pretty far with a piece of paper

Password Papers (A) never get backed-up, meaning they'll be locked out of basically everything if the house burns down and (B) I've already tried getting relatives using them to adopt exactly such a fixed+variable combo scheme.

Terr_ 5 days ago | parent | prev [-]

> Why? Write it down. Perhaps leave multiple paper copies around with some trusted people, like your lawyer and a safe deposit box at your bank.

Those people would then effectively have access to your nearly-current desktop/laptop data from anywhere, especially since they would have to know who you are which greatly simplifies guessing your username/email.

> You can get pretty far with a piece of paper

Password Papers (A) never get backed-up and (B) I've already tried getting relatives using them to adopt exactly such a fixed+variable combo scheme.

eru 5 days ago | parent [-]

> Those people would then effectively have access to your nearly-current desktop/laptop data from anywhere, especially since they would have to know who you are which greatly simplifies guessing your username/email.

Why from anywhere?

OptionOfT 6 days ago | parent | prev | next [-]

For secret answers like this I have Bitwarden generate a set of words that I put in. The words are actual English words, so the 'random gibberish' moniker wouldn't be correct.

But at least the answer doesn't match the question.

I've also learned to store the question, as some websites make you select the question before providing the answer. And my answers don't allude to what the original question was.

eru 5 days ago | parent [-]

> I've also learned to store the question, as some websites make you select the question before providing the answer. And my answers don't allude to what the original question was.

I usually pick the first or default question. But yeah, that order might change.

avhon1 5 days ago | parent | prev | next [-]

Passwords in this style (passphrases) are also much easier to transcribe to devices that don't have or support password managers, or when sharing a password verbally or in writing.

5 days ago | parent | prev | next [-]
[deleted]
juped 6 days ago | parent | prev [-]

got to have a password manager password, and a login password

eru 5 days ago | parent [-]

Write that down on a piece of paper.

incone123 6 days ago | parent | prev [-]

The CSR shouldn't see the whole string but not all systems follow that approach.