Comments on: Secret Question, Public Answer http://blog.didierstevens.com/2008/09/30/secret-question-public-answer/ (blog 'DidierStevens) Wed, 17 Mar 2010 18:58:11 +0000 http://wordpress.com/ hourly 1 By: Didier Stevens http://blog.didierstevens.com/2008/09/30/secret-question-public-answer/#comment-33541 Didier Stevens Tue, 30 Sep 2008 19:39:25 +0000 http://didierstevens.wordpress.com/?p=192#comment-33541 I've used Passwordmaker for a while when I switched to Firefox, but I didn't like the fact that I had to restrict my character set to the least common denominator of all systems I use. I’ve used Passwordmaker for a while when I switched to Firefox, but I didn’t like the fact that I had to restrict my character set to the least common denominator of all systems I use.

]]> By: Sandro Gauci http://blog.didierstevens.com/2008/09/30/secret-question-public-answer/#comment-33540 Sandro Gauci Tue, 30 Sep 2008 18:40:46 +0000 http://didierstevens.wordpress.com/?p=192#comment-33540 I take the random characters approach and forget about it. As for keeping my password safe - I prefer to use the hashing method. Check out the Firefox addons Passmaker and Passhash. The concept of a database-less password system has a few advantages which I like. Unfortunately no one seems to have done a proper (3rd party) analysis of any such system, although I can imagine a few attacks. I take the random characters approach and forget about it.

As for keeping my password safe – I prefer to use the hashing method. Check out the Firefox addons Passmaker and Passhash. The concept of a database-less password system has a few advantages which I like. Unfortunately no one seems to have done a proper (3rd party) analysis of any such system, although I can imagine a few attacks.

]]> By: Didier Stevens http://blog.didierstevens.com/2008/09/30/secret-question-public-answer/#comment-33539 Didier Stevens Tue, 30 Sep 2008 11:31:32 +0000 http://didierstevens.wordpress.com/?p=192#comment-33539 >BTW it is possible use password database created with Windows’ KeePass on Linux too, with KeePassX (www.keepassx.org) Thanks, that's one of the reasons why I recommend KeePass, there are even versions for PPC/Smart phone, Windows PE, ... http://keepass.info/download.html >its easier to bruteforce, trying 0-1000 takes only minutes, numbers 0-100 are in every bruteforce dictionary anyway. Correct, that's why my first recommendation is to disable secret questions by typing a string of random characters. Secret questions are not safe, avoid them. >BTW it is possible use password database created with Windows’ KeePass on Linux too, with KeePassX (www.keepassx.org)
Thanks, that’s one of the reasons why I recommend KeePass, there are even versions for PPC/Smart phone, Windows PE, … http://keepass.info/download.html

>its easier to bruteforce, trying 0-1000 takes only minutes, numbers 0-100 are in every bruteforce dictionary anyway.
Correct, that’s why my first recommendation is to disable secret questions by typing a string of random characters. Secret questions are not safe, avoid them.

]]> By: unary http://blog.didierstevens.com/2008/09/30/secret-question-public-answer/#comment-33538 unary Tue, 30 Sep 2008 11:13:15 +0000 http://didierstevens.wordpress.com/?p=192#comment-33538 >(I recommend KeePass if you need a password manager) BTW it is possible use password database created with Windows' KeePass on Linux too, with KeePassX (www.keepassx.org) >If you can provide your own secret question, then I recommend to use math. its easier to bruteforce, trying 0-1000 takes only minutes, numbers 0-100 are in every bruteforce dictionary anyway. >(I recommend KeePass if you need a password manager)

BTW it is possible use password database created with Windows’ KeePass on Linux too, with KeePassX (www.keepassx.org)

>If you can provide your own secret question, then I recommend to use math.

its easier to bruteforce, trying 0-1000 takes only minutes, numbers 0-100 are in every bruteforce dictionary anyway.

]]>