
Insecurity Questions: My father's middle name is vR2Ut1VNj

jpgoldberg
jpgoldberg Agile Customer Care
edited August 2012 in Lounge
This topic is for comments on the blog post "Blizzard and Insecurity Questions: My father's middle name is vR2Ut1VNj"



It will be unhidden once the blog post is up.



[Edit: Well it should have been unhidden when the blog post went up, but looks like I forgot.]

Comments

  • jpgoldberg
    jpgoldberg Agile Customer Care
    Let me add a new post here to get the date of this thread working.
  • It's not a requirement that "In 1Password for Windows, you get to the Strong Password Generator through the browser extension."



    People using 1Password for Windows can invoke the Strong Password Generator using menus ([b]File[/b] > [b]New Item[/b] > [b]Password[/b]), just as you recommend for people using 1Password for Mac:



    [indent=1][img]http://content.screencast.com/users/DMBrown/folders/Snagit/media/55ae89ca-0479-4c6d-a4ce-c9e7bbe4e038/2012-08-11_08-32-00.png[/img][/indent]



    See the 1Password for Windows user's guide for details.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Thanks, David!



    I've corrected the original article as well to reflect this.



    Cheers,



    [s]-j[/s]
  • danco
    danco Senior Member
    I wonder about security questions required by banks. I usually give correct answers to such questions as place of birth, because I can envisage a bank branch asking for identification such as a passport or birth certificate.



    I had just opened an account with a new bank, and I told them that some of their security questions were insecure nowadays (last school, for instance). I don't put up much detail on networking sites because of giving too much information, but many people would have that kind of stuff easily available to others.
  • MikeMcFarlane
    MikeMcFarlane Junior Member
    I tend to use longish pass phrases (with only vaguely related answers and a small number of mixed characters) for security questions in case I ever need to answer the questions over the phone. Giving a 20-30 mixed character password 'seems' like a recipe for confusion over the phone. What do you think?



    Why are you only recommending a 9 character answer? Why not go the whole way and use a 'full length' password (20-40 characters) answer?



    I also have a dedicated email address just for password recovery.



    But given all my logon information is safely recorded in 1password, I do wonder if it is even worth answering the security questions or providing a recovery email when it is such an obvious security risk. I too wish they would go away. What do you think?
  • jpgoldberg
    jpgoldberg Agile Customer Care
    That's a good catch.



    I didn't mean to suggest that I was recommending only nine characters. Obviously these should be longer. But again, they often need to be read over the phone, so don't go wild with length of these either.



    You are also correct that security questions do no good for 1Password users. But we often don't have the choice when we sign up for a service. They can be insisted on.



    It's still worth recording your answers to security questions, even if you never expect to use them. I ran into a bit of trouble last year when, to "sign" certain school district forms online, I needed to provide both my site password and the answer to my security question. This turned out to be a problem as I hadn't kept a record of my security question for the school district's website. It turned out that by using my password alone I could go to my account settings to review or change my security questions, so I was still able to sign the form.



    If you are wondering how requiring the security question in addition to the password was "extra security" for signing forms, when the security question could be seen by just using your password, well, you are not the only one asking. What this goes to show is that we have to design our system to not only work with sensible systems, but to also work with sites that don't do things in the most sensible ways.



    Cheers,



    -j
  • MikeMcFarlane
    MikeMcFarlane Junior Member
    Thanks for the reply Jeff.



    I do use the notes section to store my security questions and answers, but it would be nice to have the option to conceal notes (like you give us the option to conceal passwords) in case of shoulder surfers.



    I personally prefer using the notes section to having 1password browser extension store them automatically from a webform fields into 1password fields. I often find if I am using the browser extension to save all the fields from a sign up form that it saves a lot of other stuff too so then when I come to autocomplete the form next time I sign in things don't always go as they should. I usually create a new record in the 1password app and manually enter only the info I need to save. Maybe I am doing something wrong but I would prefer to continue doing it this way personally, but I can see why others might like it saved automatically too. Choice is good.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    At the moment, 1Password doesn't have specialized tools for dealing with security questions, so I recommend that you use the notes within a Login. One reason to use the notes is that if you "update" the Login information on a subsequent login, the various fields will be reset. Your notes, however, will be preserved over such an update.



    Your suggestion about concealing the contents of notes from shoulder surfers is a good one. I can't promise you anything, but these are the kinds of things that we do change over time as we learn more about how people best use 1Password.



    Cheers,



    -j
  • I can agree that Security Questions are insecure, but what if you lost control of your 1Password data after creating a random answer? They are designed to be used in case you forget your password, so if you put all of your hens in one basket, you would lose access to the account. I'm guessing the answer then is to not lose the data, right?
  • khad
    khad Social Choreographer
    You make a very good point, tatchley. [url="http://blog.agilebits.com/2011/04/18/keeping-your-data-at-your-finger-tips-part-i/"]Data availability is an [b]essential[/b] aspect of security[/url]. Having strong passwords (or random answers to security questions) does you no good if you can't access them.



    In most cases, your email address is still a means of authentication, so as long as you have access to the email account you used to sign up for the site, you will be able to gain access to your account. Certain sites — I imagine financial sites especially — will have other ways to authenticate you if you ever do need to regain access to your account but are completely unable to access the answers to your security questions.



    All that said, as always, we have designed 1Password to make the secure thing to do the easy thing to do.



    The more computers and devices you sync with, the greater chance you have that data loss — through hardware failure, loss, theft, or otherwise — will have a minimal to no impact on your access to your accounts.



    We recommend syncing your 1Password data via Dropbox to your other Macs, PCs, iPhones, iPods touch, iPads, Android, and/or Windows Phone 7 devices.



    If you are syncing via Dropbox, you can easily access your 1Password data from anywhere in the world using the 1PasswordAnywhere feature:



    http://help.agile.ws/1Password3/1passwordanywhere.html



    One thing that a lot of folks overlook is that 1PasswordAnywhere also works with a [b]local, offline backup[/b]. No Internet connection is required. You can access your data via 1PasswordAnywhere in any modern browser from a Time Machine, SuperDuper, Carbon Copy Cloner, or other local backup of your hard drive. Needless to say, backups are crucial. Mat Honan found this out the hard way, and we have some recommendations based on his story:



    http://blog.agilebits.com/2012/08/19/more-than-just-one-password-lessons-from-an-epic-hack/



    Be sure you have regular onsite backups as well as offsite backups (in case your house burns consuming both your data and the backup of it).



    If you sync with multiple devices and have a good backup strategy, the risk of losing access to 1Password approaches zero.



    We have made every effort to tip the pros and cons list in favor of using 1Password to store [b]all[/b] your sensitive data rather than decreasing your security in some areas because of a fear of data loss. No solution is perfect, though, so you will have to do what you are comfortable with.



    I hope that helps you make an informed decision. :)
  • Yes, I would agree backups are important. Question: Let's say I want to backup my 1P data on two different cloud sites. I do not use these sites to store any other critical or otherwise important data besides my 1P data. In this case, would it be acceptable to reuse a diceware password? So both sites would be accessible by the same password? I know you condemn password reuse, but not much harm would be done if the one password was found out, since I only use it for those two low-risk sites.
  • khad
    khad Social Choreographer
    The security gained from using a different password to access the [i][b]exact same data[/b][/i] is probably minimal, but we always recommend using unique passwords. Consider the scenario:



    1. Cloud-R-Us is breached. Your Cloud-R-Us password becomes known to Those Who Would Exploit It.

    2. Cloud-R-Us resets all account passwords in a timely fashion so the attacker cannot use the password there.

    3. But you aren't yet aware of the breach, so you don't know to change your Head-In-Cloud password.

    4. Your Head-In-Cloud account is now accessible to Those Who Would Exploit It.



    Had you not reused the password, you would be safe. This is pretty much the exact reason reusing passwords is a bad idea.



    We may assume that this exact scenario is unlikely, but stranger things have happened (pretty regularly actually).



    Stay safe out there! :)
  • So then use the same password, but add an extra number on the end? :)
  • khad
    khad Social Choreographer
    Haha! Yeah, I hear "password1" is a good option. They will never guess that. :P
