Welcome to In Depth Defense. In Depth Defense LLC is a privately owned Information Security Consulting company owned and operated by Mark Baggett. In Depth Defense specializes in Penetration Testing and Incident Response. At this time In Depth Defense is not accepting any new client work, but we are happy to speak to you and point you to other resources in the community.

Mark Baggett has been active in Information Security for 18+ years. I've served in a variety of roles from software developer to CISO. You can find archives of older blog entries below and read my newer posts on http://www.pauldotcom.com, http://isc.sans.edu and http://pen-testing.sans.org

Thursday, November 20, 2008

Worst cognitive password?

Cognitive passwords are those questions your bank and other accounts have you set up so that you can reset your password or verify your identity if you have forgotten your password. I personally am not a big fan of these. If forced to implement a solution based on these I would go with several "In the Wallet" questions: questions that require the individual to pull something from their wallet to answer. Things like:
"What are the last 6 digits of your library card number?"
"What is the last name of the issuer of your fitness club card?"
"What are the last 6 digits on your favorite shopping club card?"
If you use these types of questions you have to give the user many choices. Not everyone has a shopping club card or a library card, so a broad set of questions works best. The goal of coming up with the questions should be to have answers that cannot be easily guessed or looked up on the internet. Here are some examples of horrible questions.

Looked up with some simple information about the user:
"So Sarah Palin, where did you meet your spouse?"
"What is your voting precinct or district?"

Easily brute forced or guessed:
"What is your favorite baseball team?"   Guess what 80% of the people in Atlanta say.
"What is your favorite color?"   Come on, who isn't madly in love with one of the primary colors?

The last category of questions that suck is those that have only a few possible answers that could be right. Today I renewed my subscription to a prominent computer SECURITY magazine that asked me, "How many siblings do you have?" With the exception of a few families we can pretty much rule out anything greater than 4. And all of those families have their own Discovery Channel show, so we know their answers. The best I can hope for is that my answer won't be brute-forced in the first 5 attempts!
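The "5 attempts" point above can be put in numbers. The following is an added example (not from the original post) that scores a candidate question by how likely an attacker who guesses the most common answers first succeeds before a lockout threshold, plus the min-entropy of the answer space. The answer frequencies are constructed, illustrative assumptions, not survey data; the library-card digits are modelled as uniform over one million values.

```python
"""Score cognitive-password questions by guessability under a lockout.
Added illustration; the distributions below are assumed, not measured."""
from math import log2

def uniform(n):
    """Answer distribution where all n answers are equally likely."""
    return [1.0 / n] * n

# Constructed, illustrative relative frequencies (assumptions, not data).
QUESTIONS = {
    "How many siblings do you have?":
        [0.40, 0.25, 0.15, 0.12, 0.05, 0.03],          # 1, 2, 0, 3, 4, 5+
    "What is your favorite color?":
        [0.35, 0.20, 0.15, 0.10, 0.08, 0.06, 0.06],     # blue, red, ...
    "Last 6 digits of your library card number?":
        uniform(10**6),                                 # 000000..999999
}

def _check(probs):
    if not probs or abs(sum(probs) - 1.0) > 1e-6 or min(probs) < 0:
        raise ValueError("probabilities must be non-negative and sum to 1")

def success_within(probs, attempts):
    """Probability that an attacker who tries answers in order of
    popularity gets in within `attempts` tries (the lockout threshold)."""
    _check(probs)
    ranked = sorted(probs, reverse=True)
    return sum(ranked[:attempts])

def min_entropy_bits(probs):
    """Min-entropy of the answer space: the best single guess succeeds
    with probability 2**(-H_min). Under ~3 bits is trivially guessable."""
    _check(probs)
    return -log2(max(probs))

def evaluate(questions=QUESTIONS, attempts=5):
    """Map each question to (min-entropy bits, P[success within attempts])."""
    return {q: (min_entropy_bits(p), success_within(p, attempts))
            for q, p in questions.items()}

if __name__ == "__main__":
    for q, (bits, p) in evaluate().items():
        print(f"{q:45s} H_min={bits:5.2f} bits  P(success in 5)={p:.6f}")
```

With the assumed frequencies the siblings question falls to five guesses about 97% of the time, while the six-digit card question gives a 5-in-a-million chance; the lockout threshold only helps when the answer space is large and flat.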

Summary:  Avoid cognitive passwords if you can.  If you have to use them, be very careful with the questions you choose.