
G1234! - Safer Storage and Handling of User Answers to Security Questions - Arnold Reinhold

BSides Las Vegas, 50:49, 135 views, published 2017-09
About this talk
Ground1234!, BSidesLV 2017, Tuscany Hotel, July 26, 2017

Good morning, everybody. Again, can everybody hear me in the back okay? Maybe people could spread out a little further, because people too close to me here gets claustrophobic. So I've been involved in password security for a long time. Maybe some of you have heard of Diceware; that was one of the things I did. I have a bunch of other things; I don't want to spend a lot of time on that. Diceware, the last time I took a look, was available in 17 languages; now we're up to 22 languages and growing, so there's a lot of support from the community. Obviously I'm not doing these translations. I've also written a bunch of Dummies books. According to the news magazines, Hillary Clinton learned about email from reading my book, so it's all my fault.

One more book plug: I recently encountered this, and if you haven't seen it or haven't heard of it, these are a series of lectures that were given in the 70s by the head of the National Cryptologic School for the National Security Agency. They're mostly declassified; there are a few little bits whited out. They're really fascinating. If you want to learn about computer security from the people who actually do it, who are talking frankly to their recruits, not talking to the general public, I highly recommend this. So much for advertising.

Okay, today's problem is how to deal with the storage of the answers to security questions. Now, I think there's almost unanimous opinion in the security community that security questions are a bad idea, and at the same time they're ubiquitous, and there are good reasons for that, which is that people do forget their passwords. And not only do people forget their passwords, but sometimes in the course of upgrades, and through really no fault of their own, their password records get corrupted. If you've been through spending hours on the telephone with the help desk for these sorts of things, you know it's a pain. And one of the problems is, how does the company that's providing the service know who you are? For better or for worse, it seems that security questions are an area that has been widely adopted and hasn't been readily replaced.

My interest in this came from a bunch of discussions on Perry Metzger's cryptography list. NIST was proposing, in their new guidelines, that they would allow people to remove spaces between words in a passphrase, and the question is, why would you even think of something like that? Anyway, there was a lot of pushing and shoving to get them to say, well, maybe we won't allow that. It's an issue particularly for passphrases like Diceware, where you can run two words together and make a different word, a word that was already on the list, and thereby shorten the effective strength. Anyway, one of the things that came up was that somebody gave an example of security question answers, where removing spaces and other forms of canonicalization is actually a helpful thing to do, because it increases the likelihood that when the time comes to check an answer that a user submits, it will match up. Maybe the person put in a space, maybe they didn't put in a space; maybe they capitalized the letter, maybe they didn't capitalize the letter. You really don't care that much about that for the security answer check. But in the course of this, the question came up why a lot of places hash the answers, and the question was, why would you do that? Because when you hash an answer, even a small error can result in an invalid hash; there's no such thing as close in a hashed answer. And the answer was that legal departments in companies are very concerned about the fact that these security answers may contain personal information that they don't want to be responsible for storing. That's an answer, but in fact hashes aren't really going to do very much to protect you. It seemed wrong, and I got interested in that, and I felt it was really important to document in some detail why that really is a bad idea.

Now, security questions have a long history. I think we're all familiar with the "what's your mother's maiden name" question, which I think goes back to George Washington's time or something. I actually got asked: I had to open a bank account just a couple of weeks ago and they asked me that question, like this is their idea of security. There are lots of problems with the whole security question business. For example, there are all these genealogical sites, and even if you don't have your genealogy up there, your third cousin once removed has a family genealogy up there, and it's easy to figure out your mother's maiden name. Your second cousin twice removed's first name, all that kind of stuff is pretty readily available and getting more so.

My talk is basically going to be focused on storage, how to safely store these answers, which is kind of a narrow cut on this whole problem, but I think again it's important, because what people are doing, it seems to me, is wrong. But one interesting attack that isn't related to storage, that I just read about a couple of weeks ago, is a person-in-the-middle attack, if you will, where people are creating some attractive-sounding website offering a free account, and when you sign up it starts to ask you security questions. But what it's really done is gone into your Gmail account or gone into your bank, and when they pose the security question to do a password reset, they reformat it as a security question for creating an account on this new dating site or whatever the heck it is. As you type in the answers, they feed the answers back, and that way they can hopefully, from their perspective, get you to inadvertently reset your account on your bank or whatever other thing is important.

All right, back to storage. Basically, if you're going to have security questions, you have to store the answers, okay? And since everybody agrees that security questions are a bad idea, there's very little advice on how to do this; you know, if you're going to do it anyway, what's the best way to do it? The latest version of the NIST SP 800-63B guidelines basically says don't do it; I'll discuss that more in a couple of slides down the road. OWASP has a page on this which is actually pretty good. They have a lot of suggestions, but they basically say, hash it or encrypt it, it's your choice. And obviously you don't want to store plaintext of these answers, because that's the most dangerous thing you can do. But secure storage is not so simple, and we're all familiar with the endless stories of security breaches, everything from Ashley Madison to the government Office of Personnel Management, where apparently the Chinese intelligence agency now has a copy of everybody's security clearance forms from, I think, whenever the breach was, 2016 or 2015, all the way back to the 40s or whatever. This is a slide from another presentation I went to: there are two types of companies, according to the then FBI director Mueller, those that have been breached and those that will be. And one of the federal judges responded that there are only two types of companies left, those that have been hacked and those that don't know they've been hacked. So the whole question of protecting the information, the actual bits that are stored in the corporate database: obviously you want to make sure people can't copy that, to the best of your ability, but you can't rely on that. There are just too many examples where that stuff's been stolen.

So again, OWASP suggests doing either encrypting or hashing. For questions: some security question setups let the user create their own question, and in that case the questions themselves have to be recoverable, so those questions have to be encrypted. But for the answer, at some level you only really need to know whether the answer submitted later on matches the original answer, and at first blush hashing seems to do the trick. So one issue with hashing is that it discourages complex answers. In other words, if you've written a little sentence or two about your first-grade teacher, you're unlikely to type that same sentence again six months down the road when you've forgotten your password. On the other hand, lawyers like hashing, because again, from their perspective, out of sight, out of mind: we've hashed this data, we're no longer storing it, nobody can claim we're misusing private information, and if there's a breach they can claim, well, we did what everybody said you should do, you should hash it. And again, one of the purposes of this talk is to sort of try and document once and for all that that really doesn't solve the problem, that that isn't a good enough answer.

So probably most people here, I take it, are familiar with what a cryptographic hash function is, so I don't have to go into great detail, but basically they're a one-way function. They scramble up the data; they take however much data you put in and reduce it to some fixed size, in such a way that even a one-bit change in the input should change on average half the bits in the output. There are many of these around. MD5 and SHA-1 are kind of old and people are discouraged from using them, but there's a whole bunch of newer ones that are still considered secure. And there's a big but, which is that even though, if you're given an output, it's not computationally easy or even feasible to undo the calculation that produced that output, on the other hand that output acts as an oracle. It acts as a tool that, if you have a guess as to what the input might have been, will tell you whether you're right or wrong. It won't tell you anything else; it won't say you're close, it won't say you're warm or you're cold, but it will say if you're right. And the problem is that most of the standard hashes were designed to be computed efficiently, and that lets you test lots of guesses quickly. Nowadays a lot of these algorithms can be run on graphics processing units, which have multiple computers in them. They're designed obviously to make computer gaming efficient, but they also turn out to be really great for trying to crack passwords. For example, one of the newer-model NVIDIA GPUs, for $500 and change, can do 2.8 billion hashes a second. So if you have a few million possibilities, it can rip through those in almost no time.

So the model that people are using for storing security question answers is essentially the same model that people use for storing passwords themselves, and there are a couple of different levels for doing that. The simplest is just to hash it, and that turns out to be not a great solution, because of the ability to pre-compute large quantities of hash outputs and store them and just do a table lookup to find them. The better approach is salting, where you add a random nonce, a random string of bits that you store with the user's password, and you incorporate that in the hash so that no two users will hash the same password the same way. And then there are more advanced hashes that have been developed which deliberately try to slow down the process, either by doing the same hash over and over or by doing more complicated things where they use up lots of memory. These have a lot of advantages and are probably the best practice these days for storing passwords, but we'll talk in a minute about why these are not necessarily suitable for security question answers. Then the final thing is the keyed hash, where you use a secret key that's corporate-wide when you form these hashes. That's more secure, but you now have a single point of failure: if somebody breaks into the software and can get hold of that key, then they have access to all your secrets.

Okay, and I think as we all know, in the end, on today's schedule, crackers are winning the arms race with password storage hashes. Cracking is a massively parallel process. You don't have any of the complexities where the work we put into communication slows down parallelism; you just run a whole bunch of processors at the same time, and one of them just has to raise their hand when they've found the answer. Moore's law is working against you. The economics of gaming: gaming is a very lucrative business for the computer industry, so a lot of technology has gone into massively parallel processors for gaming, and they're available very inexpensively. In addition, for Bitcoin and other cyber-coin mining, people are developing special-purpose chips, which again will let you go from billions of guesses a second to trillions of guesses a second.

So what I'm going to show is that the problem is even worse when it comes to security question answers. Again, enterprise databases are hard to secure: they need to be accessed from many different places, they have to be backed up, they often have to be synchronized across multiple sites. And the volume of data that actually comprises the security answers is small enough that if a hacker can get into the system, they can pump that stuff out through various channels in really a matter of seconds. And even if they can only get a part of the file, that can often be enough. Very often an attacker who wants to attack a corporation really is just looking for one account that they can get into and then escalate privileges on that account, so even if they only get a chunk of that password answer file, that can be helpful.

There are some advantages that the security question answer storage problem has over password storage. First of which is that whatever access to these security questions takes place is fairly rare: you do it when you first create an account, you do it if for some reason you need to change those questions, and you do it when you need to reset your password, and for each user that's going to be, at most, a couple of times a year, hopefully. In addition, the reset information, once you've cleared the hurdle of answering these security questions, is typically sent by email, so the fact that you have some security on your email account provides another layer of protection. But the bad news is that there are a lot of ways to get around email protection: intercepting it, since a lot of it's not encrypted, so you can intercept it along the way and somehow get whatever little special code they sent to the correct user; the attacker might get hold of it. In any case, this is a two-factor authentication system, if you will: the security question answers plus the access to the email. But if the security question answers are not securely stored, you're back to one factor.

Okay, this is the new draft. NIST, which used to be the National Bureau of Standards, is the federal government's primary group for producing standards for computer security. They are producing a new draft, a new version of their 800-63 series of security recommendations, and in one of their sections they talk about, they use the term, knowledge-based verification, and they have two bits of guidelines. One of which is: the CSP, the cryptographic service provider or whatever CSP stands for, shall not use knowledge-based verification questions for which answers do not change regularly over a period of time, for example "what was your first car." I think maybe they're thinking about a situation like a bank or a credit card company, and say, what was your last transaction, or what was the last thing you bought on the credit card, and that's actually reasonable advice. But for a lot of situations where password reset takes place, it's a situation where the user really hasn't been on that site for months and months and months, so the reason they forgot their password is they're not using it regularly. So it really begs the question, which is that if you want to authenticate the user, you have nothing but what they answered to a bunch of questions; it really has to be information that's long-term from the user's perspective. Otherwise they're not going to remember what meal they had on November 12th last year. The other thing that I found was a little weird is they allow the possibility of multiple-choice answers, with a minimum of four answers per question, and I have no idea what they're thinking there. If you present me with a security question challenge when I'm trying to break into an account, and I have four questions with four possible answers, it's a 25% chance I win. Even if I have two questions, it's one in sixteen; I can try sixteen accounts, I break in. I mean, maybe they're thinking of something I don't quite understand.

Anyway, so I went looking for some examples here. I went to a government website, Medicare, which obviously affects large numbers of people, and this is the series of security questions they presented me with just to try and establish an account. I just tried to make them a little bit more legible from the back of the room. These are the questions they asked: what is your favorite vacation spot, in what city did you meet your spouse, what country would you most like to visit, what is the title of your favorite book, what is the name of the first street you lived on, what was the name of your first pet, and what is your best friend's last name. So already they're clearly not following the NIST guidelines, but again, right now they're just a draft; anyway, we'll see when they come out whether Medicare changes their practices, which I doubt. So going back, in each of these items there's a question and then there's a target space. So what are the kinds of information they're looking for? Forgetting about first or last or favorite or least favorite or the one you hate the most, the targets are vacation spots, cities, countries, books, streets, pet names and last names. And the point here is that if you're trying to figure out what the answer is, you don't really need to know what the question is; if you're trying to decode the answer, all you need to know is what the answer space is.

So here's another site. There's a site called goodsecurityquestions.com, and from this person, for $20 via PayPal, you can get a list of 200 suggested security questions that he's done research on, in terms of both evaluating how good they are as security questions and also doing some surveying of members of the public to see how much people like them. And from my perspective, twenty bucks for that kind of information seems like a fair price. So I don't want to spoil his thunder; these are just the sample questions he has on his webpage, and again his targets are first name, last name, wedding hall (what was your wedding hall when you got married), your school and your city. I also looked at his top forty questions; again I don't want to give these away, but of them, first or middle name accounted for thirteen questions, last name nine questions, city five and street three. So there are lots of ways to come up with a question that produces one of these answers, but the space of answers is actually much more limited. Here's a third example. This was from last night; they had a reception, and with her permission I took this woman's picture, her t-shirt, and again these are hackers' small-talk questions: what was your childhood pet's name, what street did you grow up on, what was the make of your first car, which is actually one of the ones that NIST specifically said don't do, and your mother's maiden name, and "is your voice your passport," the last one actually being one of the nice alternatives to security questions.

Okay, so the question, the sort of meat of this talk, is: how many answers are there? I've tried to come up with some bounds on this. And again, I'm focusing here on the United States; a similar analysis would take place for different countries, and for the most part, when you're attacking a website in a particular country, you would use the typical names and typical cities and so on in that country. So the United States population on July 4th this year was 323 million people, and that's a lot. So there's at most 323 million first-and-last names in the United States. If you look at that in terms of entropy, the way we measure strength, basically you can think of the entropy of some random number as how many coin flips you'd have to make to get something that was as random as that number. So for 323 million that's about 28 bits of entropy; picking one person out of the United States is equivalent to flipping a coin 28 or 29 times. On these charts I've also tried to make it a little bit more intelligible: what would be an equivalent password? So a little lowercase "a" refers to one letter out of the 26 possible letters, so this would be like a 6-character random password. But you can also look at the census data, which has an analysis of last names, and there are only about 3.9 million last names in the United States as of 2010. If you look at that from the entropy viewpoint, it's only 22 bits, and that's more like a four-letter password plus one digit. Now, if you look at, again they've done this analysis, if you look at names that occur more than 50 times in the census, that accounts for ninety-two point eight percent of the population, so you can get the vast majority of Americans with only two hundred and seventy-six thousand last names, and that's roughly equivalent to a three-letter plus one digit password. Now, first names: I haven't found anybody that actually analyzes first names; the Census Bureau does not analyze first names, they do things like the most popular names and stuff like that. The best site I could find lists five thousand common names in the United States, and that gets you down to like a two-letter-plus-digit password.

Places: again, there's a National Board of Geographic Names in the United States, the US government body that comes up with the official names for maps and stuff like that. They track 2.2 million names in the United States and six million names worldwide, so that would include streets, cities, beaches, all the sorts of things that a security question asks about a place. And again, if you're only looking at cities, you're only looking at cities with at least 2,500 people, which accounts for 81 percent of the US population; there are only 3500 of those, so again we're back down to the equivalent of a two-letter plus a digit password. One of the security questions is what country would you like to visit; there are 196 countries in the world, even if you count Taiwan, which you know the political questions about, and that's equal to a little one-letter plus one-digit password. Roads: there are a lot more of those; again there's about 2.3 million of those, but if you know what state the person is in, for some reason, that cuts it down again by more than a factor of 10. Pets: the SPCA says there are about 163 million cats and dogs in the United States. Who knew? That's actually a pretty large number by our standards, but if you look at common pet names, again there's a "my dog's name" site and a "my cat's name" site, and they seem to be different companies, but anyway it's back down to thousands. These are two cats I'm associated with. One has a low-security name, Reuben; the other has a higher-security name, Sucia, unless you know Spanish, in which case it's not such a high-security name. Okay, other types of answers: colleges worldwide, there are about 40,000 institutes of higher education. There are about 131,000 K-12 schools in the United States, counting public and private; 43,000 zip codes; there are 38 million books in the Library of Congress, and that includes I think 470 languages. If you look at the "best books ever" lists, there were only about 50,000 on that.

Okay, so basically there aren't enough possible answers. In this first chart here I'm taking the highest numbers: this is the population of the United States, the total number of pets, all the geographic names in the world, all the books in the Library of Congress. Add it up, that's 539 million, and that's equal to about a six-letter password with one letter randomly capitalized. And again, remember the hash hardware we have can do billions of guesses a second, and we basically have about half a billion here. If you look at a more realistic set, look at the answers that account for the vast majority of things, we're talking about last names with greater than 50 people, or urban areas greater than 2500, or more common names, or the more common schools and so on, you take that list, which will probably get you the vast majority, maybe, I'll pick a number, 60 or 70 percent of the password guesses, and you're really down to only about four hundred and four thousand. It's worse than that, in that many of these categories you can order in terms of probability. So again, this is another census table; this is the surnames, last names, based on how many people, in the first column, have the same last name. So there are 11 last names that each have more than a million people, and you go down there and you can see that to get to half of the population, you only need something like 3200 last names. So if you're searching for last names in this kind of database, you would start with the most common names and work your way down, and to have a good likelihood of getting a hit you wouldn't have to get anywhere near halfway through those names. The search order wins. First and pet names by popularity, you could probably scrape that from Facebook or something; cities and counties you might as well order by population; books, movies, albums and stuff like that by unit sales; TV shows by ratings; and so on. So for most of these security answers, unlike passwords, where, yeah, okay, there are some lists of common passwords, but they don't account for most people's passwords, and in fact nowadays better systems actually look up the name you want to use for your password and if it's on one of these frequent lists they'll make you pick something else; unlike passwords, where there's no natural order to sort, in most of these categories for security question answers there is a natural order.

Okay, so we'll talk about the possible attacks on hashed passwords. First of all, the worst case would be when they just hash the answer without any salt. In that case you can, again on the theory that you only need to know the answers,
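The sizing argument above (answer spaces in bits, the "equivalent random password" on the charts, and the point that a popularity-ordered guess list finishes long before half of it is tried) can be carried through as a small model. This is an added example written for this page, not the speaker's code or slides; the surname frequency table in it is constructed and deliberately tiny, and the `expectedCrackSeconds` function reproduces the botnet arithmetic the talk does later (405,000 candidates, one minute per hash, 10,000 CPUs) under the same uniform-guessing assumption.

```javascript
// Added example (not from the talk): sizing a security-answer space in bits,
// the "equivalent random password" the talk's charts use, and why a
// popularity-ordered guess list finishes long before it is exhausted.

// Entropy, in bits, of one uniformly random choice among `size` possibilities.
function entropyBits(size) {
  return Math.log2(size);
}

// Nearest length of a random password over an alphabet of `alphabetSize`
// symbols that carries about `bits` bits (26 = lowercase letters, 36 = letters
// and digits, as on the talk's charts).
function equivalentPasswordLength(bits, alphabetSize) {
  return Math.round(bits / Math.log2(alphabetSize));
}

// Answer-space sizes quoted in the talk (US figures).
const ANSWER_SPACES = {
  'US population (any one person)': 323e6,
  'US surnames, 2010 census': 3.9e6,
  'Surnames held by 50+ people': 276e3,
  'Common first names': 5000,
  'US cities of 2,500+ people': 3500,
  'Countries': 196,
};

// One row per answer space: bits of entropy and the lowercase-letter password
// of about the same strength.
function summarizeSpaces(spaces = ANSWER_SPACES) {
  return Object.entries(spaces).map(([label, size]) => {
    const bits = entropyBits(size);
    return { label, size, bits: Number(bits.toFixed(1)),
             lowercaseLetters: equivalentPasswordLength(bits, 26) };
  });
}

// Constructed surname frequency table (counts in thousands, made up for this
// example, sorted most-common first as a census table would be).
const SURNAME_COUNTS = [
  ['smith', 40], ['johnson', 20], ['williams', 10], ['brown', 10], ['jones', 5],
  ['garcia', 5], ['miller', 4], ['davis', 3], ['rodriguez', 2], ['martinez', 1],
];

function totalCount(counts) {
  return counts.reduce((sum, [, n]) => sum + n, 0);
}

// Guesses needed, taking names in descending order of frequency, before the
// cumulative share of people covered reaches `fraction` (0.5 = half the population).
function guessesToCover(counts, fraction) {
  const total = totalCount(counts);
  let covered = 0;
  for (let i = 0; i < counts.length; i++) {
    covered += counts[i][1];
    if (covered / total >= fraction) return i + 1;
  }
  return counts.length;
}

// Expected guesses to hit a random person's surname when the list is tried
// most-common first: sum over names of probability * position.
function expectedGuessesOrdered(counts) {
  const total = totalCount(counts);
  return counts.reduce((acc, [, n], i) => acc + (n / total) * (i + 1), 0);
}

// Same expectation when the list is tried in arbitrary order: half the list on average.
function expectedGuessesUnordered(counts) {
  return (counts.length + 1) / 2;
}

// Average seconds for `workers` parallel CPUs to reach the right answer among
// `candidates` equally likely ones at `secondsPerHash` each (uniform guessing,
// so ordering would only make this faster).
function expectedCrackSeconds(candidates, secondsPerHash, workers) {
  return (candidates / 2) * secondsPerHash / workers;
}
```

With the talk's numbers, `expectedCrackSeconds(405000, 60, 10000)` comes to 1215 seconds, the "about 20 minutes on average" quoted later, and dropping the hash to one second gives about 20 seconds. On the constructed surname table, the ordered search expects fewer than three guesses against five and a half for an unordered list, which is the "search order wins" point in miniature.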
you don't really know how they asked you for a last name; all you need to know is that you're looking at last names. You can do parallel searches, or build a rainbow table of pretty much any conceivable answer and store it away and search that in seconds. So hopefully these days nobody's dumb enough not to use salt, but even if there's per-user salt, if they have several questions you can search them all in parallel. And one defense against that, which should be pretty simple, but I'm not sure that anybody does it, is to hash the question along with the answer. Again, that doesn't cost very much; you know what the question is, so you might as well put that in the hash as well, and that at least breaks up that attack. Again, there's the whole question of ordered answers or refining answers: if I know where you were born, I have a lot better ability to guess what your public school was. But even trying every category and every answer is still much faster than password recovery, so the mere fact that security techniques sort of work for passwords does not in any sense mean they will work for security question answers.

So let's talk about solutions. The first solution is to use one of these resource-intensive hashes or key derivation functions, such as scrypt and Argon2. Again, you want to use the salt and include the question in the hash, just to break up those attacks. You want to choose parameters on these resource-intensive hashes so that they can't be executed on common GPUs; that's a big win for the attacker if they can. And again, I would suggest you canonicalize answers: get rid of spaces, get rid of capitalization, get rid of punctuation, just to keep the answers as likely to be guessed correctly. Okay, so that's one solution, but even if you tune one of these intensive hashes to require one minute of CPU per hash calculation, which is expensive, well, if we go back to our most common passwords, four hundred five thousand of them, and an attacker who can get a ten thousand CPU botnet to work on this attack, which is a very modest botnet by what's out there, it will take about 20 minutes on average per hash. So it's still breakable. And if you go to a one-second hash, you replace minutes with seconds; we're talking about 20 seconds per hash. And again, I'm not even taking into account the fact that you can order these searches so that most of them execute even more quickly. So solution number two is, instead of hashing, to encrypt the answer, and this has other advantages,
specifically, somebody at the help desk could look at the answer once it's decrypted and see if it's close enough even though the hash failed. One thing you need to do is include some random padding in the record that you're encrypting, because otherwise the attacker could encrypt, if you're using a public key or whatever you're using, and you could still get some things to trial. But if you put in some random bits, that's sort of like salt: you have to store that with the user's record, it's just junk, and when you decrypt you just ignore it. My analogy is: if you're allergic to potatoes, if you get corned beef hash you have a hard time eating it, but if you get corned beef and fried potatoes you can just push the potatoes out of the way. So side benefits of encryption are that it encourages more complex answers, because the user doesn't have to worry about the fact that if they get it slightly wrong it'll be rejected, and you can use humans or even artificial intelligence to verify non-exact matches. But simple encryption has some issues, one of which is that the encryption keys can be stolen. Now, there are things called hardware security modules that are designed to make it much more difficult to do that, and that's one good solution, but even there, somebody who can get a virus or some piece of malware implanted in the enterprise's computer, that piece of malware can send security question answers to the hardware security module and ask it to decrypt them, even though it doesn't have the keys. But the biggest issue, which is this legal issue, is that the insiders who work in a company can still see the security question answers, because they are accessible on the main computer.

Okay, so this brings us to the solution I propose to recommend here, which is to use an asymmetric architecture, where first of all the answers and whatever random padding are encrypted with a public key. So you have a public key that's stored on the enterprise's computer, but the private key isn't stored there, and when there's a desire to check an answer, a message is formatted to a separate, isolated computer. That separate isolated computer has the private key; it can decode the answer. It would also be given the submitted answer by the person who's trying to reset the password, and can do the comparison on this isolated computer and send a go/no-go signal back. And the point is that there's no need for this isolated computer to even have access to the user ID, because the user ID can be replaced by some ticket number, some other non-identifying number that is just sent along with this message and is returned with the go/no-go signal. You get some idea of the volume: if you assume this enterprise has 100 million users and they each do two resets per year, that works out to be 6.4 resets per second on average. There are surge loads, because there are different times of day when people log in, so even at a 10X surge that's still 64 resets per second. That says that even a modest-sized single server could handle this kind of volume, given the speed of public key encryption and decryption. You probably do want more than one for backup, but it's a very modest-sized endeavor. Again, I'm saying there's no need to have this reset server have any access to the user ID; all this stuff can be done in an isolated setting.

Here's a sort of block diagram. The little red line represents the sort of enclave where the regular operations of the system are, in the upper quadrant: the user logs in, there's a login server, there's a database that has the encrypted answers that were created when the person set up the account. But when they've forgotten their password, you only send to this enclave below that red line the encrypted answers and the user's responses, and you get back a go/no-go signal. Another thing you can do, and I've talked about this in a previous talk, is use specialized computers to limit what comes back and forth on this communication channel, so that there's no possibility to send messed-up messages that embed some sort of an attack or cause a buffer overflow; you make everything fixed-format. Okay, so really the big question is, with all these different things, will lawyers like it? And that's something I don't know. The purpose of this talk is to really document why the hashing approach is a bad idea and why this is a reasonable idea that

will in fact protect the legal concerns they have as well as providing better security in the interim some some recommendations for for enterprises is again a trip down hash select questions that will encourage more complex answers in other words things like firsts and like first and last name not just last name or first name a street and house number pet name and breed and so on and avoid the simplest answer categories like countries or cities or car models where there's only a few thousand recommendations for users well you know for those of you who aren't in a position to influence how your enterprise handles these things again I recommend writing down picking strong passwords and writing them down using

password managers if you do have to give it a security question answer develop a personal practice to give a more complex answer if they ask your teachers last name given first and last names like that for the other thing is to develop stronger practices for accounts that really matter like your email which is the channel that will switch all these password reset techniques come through banks and so on add something special maybe even create answers random answers of dice Wars and write them down and of course use two-factor authentication where it is available bottom line okay I hope I made the point cryptographic hashing cannot adequately protect security question answers and we should not allow less than strong

security measures just because the legal apartments don't understand how this stuff works any questions

I haven't looked at it. Say it's true, they have a security question, they have a whole suite for that. Do you know how they store their answers? I mean, if they hash them, mm-hm; if they don't hash them, hmm. The question was what do I think about the RSA product, and I don't know much about the RSA product, so I'll look into it.

For me, the problem I've noticed with the security questions is twofold. The first one is that I'm married, like a lot of people, and so on our joint bank account that's asking what your first car really is, it depends, you know. Anything that's individual-specific on a joint account is already a problem for me and my wife, and I'm sure for anybody who does have a joint account, and so I'm wondering what the standard is going to say about that.

Yeah, well, if you look at any of these lists of security questions you find, at least I find, a lot. You know, if you weren't married, "what was your wedding hall" is not an appropriate question, right? Or if you've never driven a car, "what was your first car." So I think one response for that, for companies, is to provide enough questions that even though some of the questions may be totally inappropriate, others are appropriate, so there's no way... And then I think for users, you really have to start thinking about it. Years ago, when I was taking standardized tests in school, somebody gave me the very useful advice, which was: you're not trying to come up with the right answer to the question, you're trying to come up with the answer to the question that the person who wrote the question was looking for, and they're not always the same thing. So when somebody says what was your first car, they probably mean you personally, not you and your wife. Okay, so you have to start thinking that way, but this whole thing is, you know, it's bad, and the problem is there's nothing out there that's much better in terms of a solution that doesn't require issuing people special ID cards or putting chips in their wrists. There's no really good answer out there for something that replaces it. And I agree with you that a lot of these questions are ambiguous and so on, and from a user point of view I think your best bet is to come up with some mental rubric for yourself that will provide the same answer each time.

How about inappropriate answers to the questions? "What was your first car?" "Yesterday morning."

Well, again, I think that's a great idea, that's a good solution, but the thing is you need to come up with something... you know, when you're in Costa Rica on your vacation and your wallet gets stolen and you need to get money to pay for the hotel bill, and you need to get back into your bank account, and they ask you what was your first car, and well, I tell some really clever answers but I don't remember what it is. You can trick yourself. So it's like everything else having to do with passwords: if you're really clever about it, you can solve the problem, but man, it's hard to be clever all the time. You want to follow up on that?

I put that, it's exactly what I have here, on that they're not in there, which is "add something special." I agree with you completely, and that's a great solution. How do you get most people... how do you get your mother and father who are 80 years old to do that? This is what makes all this stuff tricky. It gets back to even making passwords, you know, there are a lot of these: if you take the first letter of the second word in the third sentence of the book you don't like, or whatever, if you have the self-discipline and consistency to do that, it works. But most of us don't, and our security often depends on people who aren't ourselves, who have to make these decisions. So coming up with methods that you can train everybody to do is what's more important, and getting them to do it is what's hard.

Let me, yeah, check, push there, thank you. Yeah, suddenly everybody can hear me. Before, that is a comparison of password storage to security question answer storage. Password storage is already well studied: hashed, salted, strengthened with PBKDF2. It seemed to me like the main advantage that you would have with this approach is that the help desk could provide some sort of judicial review of "hey, this answer is close enough, so therefore we'll let you go on." That seems good from a usability perspective; also it seems a little bit like a weakness. So I'm wondering why choose this approach rather than what people are suggesting with passwords. What I personally do is to use a password manager, and I also store all of my security question answers, which are just created like a random string of characters, just like I create my passwords, and store them in a password manager.

Well, I think again that's a great solution. Again, maybe there are people here who know more than I do about what's out there in terms of password managers, but the couple I've looked at don't have it; it would be nice if they actually had a security question answer feature. That would be really helpful to do exactly what you're saying, and that would be a good solution. But again, to get back to it: a few weeks ago I was trying to get into a canoe and I fell off and fell in the water and drowned my iPhone, right? And you begin to realize just how much stuff is on your iPhone, and that happens. And you also need your password when you've had some accident or some mishap, or your stuff got stolen in some foreign country, and you need to re-establish your accounts so you can get home or you can pay the bills or you can get out of jail, right? You may not be able to use your password manager. So it's tricky stuff. And again, if you have the self-discipline, like the gentleman said, to have a really good rubric in your mind, that whenever they ask this question I'm going to tack on my friend Steve's license plate number, something like that, that will get you pretty far, but most of us don't have that discipline. Any more questions? Or we're done. So anybody who wants to catch me out in the hall, I'd be happy to talk about this some more. Thank you all for coming. [Applause]
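The asymmetric architecture the talk proposes (answers stored with random padding and encrypted under a public key kept on the enterprise systems; a separate isolated verifier holding the private key, which decrypts, tolerates a near match, and returns only a go/no-go signal tied to a ticket number rather than the user ID), as an added example that is not part of the talk or of any product mentioned in it. It uses RSA-OAEP from Go's standard library; the 16-byte pad length, the OAEP label, the answer normalisation rules, the edit-distance tolerance and the sample pet-name answer are assumptions for illustration. OAEP encryption is itself randomised, so the explicit pad here is the defence-in-depth measure the talk describes rather than the only thing stopping an attacker from re-encrypting guesses with the public key and comparing.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Added example, not the talk's or any vendor's code. The constants below are
// illustrative assumptions, not values from the talk.
const padLen = 16 // bytes of random "junk" stored with every encrypted answer

var oaepLabel = []byte("security-question-answer") // ties ciphertexts to this one use

// Normalize lowercases the answer, drops punctuation and collapses whitespace so that
// "Rex, Golden Retriever" and "rex golden retriever" compare equal.
func Normalize(s string) string {
	var b strings.Builder
	space := false
	for _, r := range strings.ToLower(s) {
		switch {
		case unicode.IsLetter(r) || unicode.IsDigit(r):
			b.WriteRune(r)
			space = false
		case unicode.IsSpace(r):
			if !space && b.Len() > 0 {
				b.WriteRune(' ')
				space = true
			}
		}
	}
	return strings.TrimSpace(b.String())
}

// EnrollAnswer runs on the enterprise side, which holds only the public key.
// The plaintext is random padding followed by the normalized answer; the padding
// is discarded after decryption, like pushing the potatoes aside.
func EnrollAnswer(pub *rsa.PublicKey, answer string) ([]byte, error) {
	pad := make([]byte, padLen)
	if _, err := rand.Read(pad); err != nil {
		return nil, err
	}
	plain := append(pad, []byte(Normalize(answer))...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, oaepLabel)
}

// ResetRequest is all that crosses into the isolated enclave: an opaque ticket
// (never the user ID), the stored ciphertext and the answer the user just typed.
type ResetRequest struct {
	Ticket    uint64
	Encrypted []byte
	Submitted string
}

// Verdict is the go/no-go signal returned to the enterprise with the ticket.
type Verdict struct {
	Ticket uint64
	Go     bool
}

// Verify runs on the isolated verifier, the only machine holding the private key.
// maxDistance is the edit-distance tolerance for "close enough" answers.
func Verify(priv *rsa.PrivateKey, req ResetRequest, maxDistance int) (Verdict, error) {
	v := Verdict{Ticket: req.Ticket}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, req.Encrypted, oaepLabel)
	if err != nil {
		return v, err // tampered or foreign ciphertext: OAEP decryption fails
	}
	if len(plain) < padLen {
		return v, errors.New("malformed answer record")
	}
	stored := string(plain[padLen:]) // drop the random padding, keep the answer
	v.Go = EditDistance(stored, Normalize(req.Submitted)) <= maxDistance
	return v, nil
}

// EditDistance is the Levenshtein distance between two strings, counted in runes.
func EditDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // lives only on the isolated verifier
	pub := &priv.PublicKey                        // copied to the enterprise systems
	ct, _ := EnrollAnswer(pub, "Rex, Golden Retriever") // constructed sample answer
	for _, attempt := range []string{"rex golden retriever", "Rex golden retrievr", "Fido"} {
		v, _ := Verify(priv, ResetRequest{Ticket: 4711, Encrypted: ct, Submitted: attempt}, 1)
		fmt.Printf("ticket %d %q -> go=%v\n", v.Ticket, attempt, v.Go)
	}
}
```

Because the plaintext is randomised twice (by the pad and by OAEP), two enrolments of the same answer yield different ciphertexts, so nothing stored on the enterprise side can be used for offline guessing without the private key; the verifier never learns which user the ticket belongs to, and the fixed request shape is what the talk's specialized gateway computers would enforce on the channel.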