undefined | Better HN

0 pointsraverbashing8y ago0 comments

Yes, I try to make the fake answer sound legitimate though

City you were born? Just pick any (random/unrelated) city instead of 2DXSDGREDV@#!

It's easier if you have to go through a person (which is usually forced to go through a script) also easier on the phone

0 comments

wila8y ago

Not just easier, but actually more safe. The person on the phone isn't usually aware about your security "paranoia" and is being evaluated on how much customers he/she has been able to help.

As such most helpdesk employees will accept the answer "Oh I forgot, I do remember I put some random characters in there"... and your random password end up not helping you after all.

ubernostrum8y ago

As noted in another comment, the attack on this of "oh I forgot, it's random characters" requires the attacker to know you do this. So if you do this, don't go disclosing it on public websites.

always_good8y ago

>requires the attacker to know you do this

Nah, "well, it kinda looks like random characters" is information a support rep will give you.

Welcome to social engineering and info escalation.

1 more reply

whiddershins8y ago

As another commenter mentioned, a help desk rep once gave the clue "it's really weird" over the phone, which would easily indicate to an attack to try the mash the keyboard line.

The random character thing isn't great for this use, it seems, as a result.

1 more reply

dredmorbius8y ago

The search space for city names is tragically finite.

There are ~35,000 cities and towns in the U.S., but if you start weighting those by populating (and birthing hospitals and centres), you're going to reduce that count considerably.

https://www.reference.com/geography/many-cities-united-state...

llukas8y ago

Why pick name of U.S. city or more general city in country you live/are related to?

There are a lot of lovely and easy to remember names in other countries ;)

raverbashingOP8y ago

Yes but if a system allows you to bruteforce this you probably have bigger problems

dredmorbius8y ago

The overall risk runs a few different ways. One is that you yourself will bee at risk, another is that there will be a high number of compromises.

There are about 300 in the U.S. of over 100k population (corollary: the other 34,700 locations have fewer than 100k people each, or are at most 10% of the population). A 1/300 chance of cracking a security question on any given transaction is pretty good odds. Particularly if the crack is then reusable.

Another 10% of the U.S. population (roughly) lives in the 10 largest cities alone. That's a 1% likely success rate based on just ten values.

The point being that "legitimate sounding but fabricated" may still not be a particularly good option.

apcherry8y ago

I don't even try to make it sound legitimate. e.g. How many sisters do you have? Anyone guessing will be trying a number between 0 and 5. I use a semi-random word, colour or car I associate with my sister(s), eg. Audi. When asked for a number no one guessing will respond with a car make.

bitshepherd8y ago

Someone has the idea behind challenge/response.

You don't have to answer the challenge with a 100% truthful, legitimate, accurate response, because the point is to NOT provide an answer that could be guessed by framing the response in truth, or even reality. So long as you've picked one that matches with what you've preseeded, use a random word/phrase as your response.

q: What is the name of your favorite teacher? a: bumble bees in the desert

cortesoft8y ago

Yeah, but the key is you need to be able to remember it. Sure, you could store it somewhere, but often times the reason you are needing to use it is because you don't have access to your normal system (computer, phone) that you use to login with.

1 more reply

drdaeman8y ago

I believe the general recommendation I saw was to type something in lines of "never accept this answer - it's probably someone trying to impersonate me | 2DXSDGREDV@#!" (although it's probably hard to do so if the maximum acceptable length is too short)

ubernostrum8y ago

This is how you get engraved plaques, or birthday cakes, with the message NO MESSAGE JUST LEAVE IT BLANK on them.

drdaeman8y ago

Haha, true.

Still, if that helps in one case per thousand, it's still better than none.

1 more reply

mjlee8y ago

I doubt this would help, it seems fairly unlikely that whoever answers the phone would be interested in playing logic puzzles.

Cyphase8y ago

I had this thought as well, but figured I'd make sure no one else already posted it. Kudos :). I was thinking something like this:

> Do NOT give ANY hints; only accept an EXACT answer; I will NEVER say I "forgot" this answer. 2DXSDGREDV@#!

Maybe add an "I test you occasionally." :D

If there's a length limit, trim and remove parts of that as you see fit. For example:

> NO hints! EXACT answer! NO exceptions! 2DXSDGREDV@#!

I'm going to do this at a few places, then call to test them :D.

jacquesm8y ago

I do this too, some phone number checks and email checks are surprisingly good.

j / k navigate · click thread line to collapse

0 comments

wila8y ago

Not just easier, but actually more safe. The person on the phone isn't usually aware about your security "paranoia" and is being evaluated on how much customers he/she has been able to help.

As such most helpdesk employees will accept the answer "Oh I forgot, I do remember I put some random characters in there"... and your random password end up not helping you after all.

ubernostrum8y ago

As noted in another comment, the attack on this of "oh I forgot, it's random characters" requires the attacker to know you do this. So if you do this, don't go disclosing it on public websites.

always_good8y ago

>requires the attacker to know you do this

Nah, "well, it kinda looks like random characters" is information a support rep will give you.

Welcome to social engineering and info escalation.

1 more reply

whiddershins8y ago

As another commenter mentioned, a help desk rep once gave the clue "it's really weird" over the phone, which would easily indicate to an attack to try the mash the keyboard line.

The random character thing isn't great for this use, it seems, as a result.

1 more reply

dredmorbius8y ago

The search space for city names is tragically finite.

There are ~35,000 cities and towns in the U.S., but if you start weighting those by populating (and birthing hospitals and centres), you're going to reduce that count considerably.

https://www.reference.com/geography/many-cities-united-state...

llukas8y ago

Why pick name of U.S. city or more general city in country you live/are related to?

There are a lot of lovely and easy to remember names in other countries ;)

raverbashingOP8y ago

Yes but if a system allows you to bruteforce this you probably have bigger problems

dredmorbius8y ago

The overall risk runs a few different ways. One is that you yourself will bee at risk, another is that there will be a high number of compromises.

Another 10% of the U.S. population (roughly) lives in the 10 largest cities alone. That's a 1% likely success rate based on just ten values.

The point being that "legitimate sounding but fabricated" may still not be a particularly good option.

apcherry8y ago

bitshepherd8y ago

Someone has the idea behind challenge/response.

q: What is the name of your favorite teacher? a: bumble bees in the desert

cortesoft8y ago

1 more reply

drdaeman8y ago

ubernostrum8y ago

This is how you get engraved plaques, or birthday cakes, with the message NO MESSAGE JUST LEAVE IT BLANK on them.

drdaeman8y ago

Haha, true.

Still, if that helps in one case per thousand, it's still better than none.

1 more reply

mjlee8y ago

I doubt this would help, it seems fairly unlikely that whoever answers the phone would be interested in playing logic puzzles.

Cyphase8y ago

I had this thought as well, but figured I'd make sure no one else already posted it. Kudos :). I was thinking something like this:

> Do NOT give ANY hints; only accept an EXACT answer; I will NEVER say I "forgot" this answer. 2DXSDGREDV@#!

Maybe add an "I test you occasionally." :D

If there's a length limit, trim and remove parts of that as you see fit. For example:

> NO hints! EXACT answer! NO exceptions! 2DXSDGREDV@#!

I'm going to do this at a few places, then call to test them :D.

jacquesm8y ago

I do this too, some phone number checks and email checks are surprisingly good.

j / k navigate · click thread line to collapse