Monday, October 17, 2011

Take Note, Fidelity.com

Passwords are always silly, so I try to use one-off passwords. I'm resetting my password at Fidelity.com and they have a max of 12 characters with no spaces or punctuation allowed.

WEAK.

Plus, they have pre-set security questions.

DOUBLE WEAK.

This is insecure. Not horrible, but silly. I understand these rules exist for the company's convenience -- not having to store free-form question text, fewer phone calls to reset passwords -- but still.

WEAK.

I hope we, as security professionals, can do better. Here's a tip: if your password policy caps the length and restricts the character set (say, no spaces or punctuation, digits required), and you publish that policy on your website, you have *reduced* the amount of work a hacker has to do to brute-force a password. Every constraint you publish is a candidate they no longer have to try; you've told them exactly which key space to search. Sigh.

For now, I use random passwords and random answers.
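To put numbers on the "reduced key space" point and on the random-password habit, here is an added example (mine, not Fidelity's or anything from the original post). It takes the 12-character, no-space, no-punctuation rule from the post and treats the resulting alphabet as letters plus digits (62 symbols); the 6-character minimum, the comparison policy (up to 20 printable ASCII characters) and the 1e10 guesses-per-second offline rate are my assumptions, chosen only to show the arithmetic.

```python
import math
import secrets
import string

# Alphabets. "Letters + digits" as the alphabet left after banning spaces and
# punctuation is an assumption; the post only gives the 12-char cap and bans.
ALNUM = string.ascii_letters + string.digits           # 62 symbols
PRINTABLE = ALNUM + string.punctuation + " "            # 95 symbols
SECONDS_PER_YEAR = 365 * 24 * 3600


def key_space(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Exact number of candidate strings an attacker must consider for a
    published policy allowing lengths min_len..max_len over alphabet_size
    symbols. Lengths outside the range never need to be tried at all."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Equivalent key length in bits for a uniformly random choice."""
    return math.log2(space)


def brute_force_years(space: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def random_password(length: int, alphabet: str = ALNUM) -> str:
    """Uniformly random, one-off, policy-compliant password. secrets (not
    random) is the CSPRNG-backed module for this job."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer(length: int = 20) -> str:
    """Random 'answer' for a pre-set security question. Kept alphanumeric on
    the assumption that such form fields also reject punctuation."""
    return random_password(length, ALNUM)


def compare_policies(rate: float = 1e10) -> dict:
    """Search space of the published 12-char alphanumeric policy versus a
    longer, full-printable-ASCII policy (comparison policy is assumed)."""
    capped = key_space(len(ALNUM), 6, 12)
    longer = key_space(len(PRINTABLE), 6, 20)
    return {
        "capped_bits": entropy_bits(capped),
        "longer_bits": entropy_bits(longer),
        "capped_years": brute_force_years(capped, rate),
        "longer_years": brute_force_years(longer, rate),
    }


if __name__ == "__main__":
    c = compare_policies()
    print(f"12-char alnum policy:       {c['capped_bits']:.1f} bits, "
          f"{c['capped_years']:.2e} years at 1e10 guesses/s")
    print(f"20-char printable policy:   {c['longer_bits']:.1f} bits, "
          f"{c['longer_years']:.2e} years at 1e10 guesses/s")
    print("one-off password:", random_password(12))
    print("random answer:   ", random_answer())
```

The capped policy lands a little over 71 bits; a much more fragile cost than the number suggests, since the same published rules also let an attacker prune dictionary and mangling lists to only the compliant candidates. The generator functions are what "random passwords and random answers" means in practice: pick from the largest alphabet the site will accept, at the longest length it allows, and store the result in a password manager rather than in your head.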

3 comments:

Robert Huffman said...

They may have preset questions, but you don't have to give the right answer. My first grade teacher's name was Smith, but if any website asks you that, Smith won't work!

Robert Huffman said...

Don't give the correct answer. My first grade teacher's name was Smith, but that little bit of information won't help you get into any of the websites I frequent.

Christie said...

@rth You can remember your first grade teacher's name? Amazing.