Tuesday, March 20, 2007

Why You Should Fake Your Mother's Maiden Name

Most folks see "CSI" and think "CSI Miami", as in "Crime Scene Investigation" in a city not too far south of where I'm writing this. However, security software folks look at "CSI" and think "Computer Security Institute", which publishes a much-read annual report and a dozen sample policy summaries through the year.

I opened the March copy of the Computer Security Institute today and spotted an article by Charles Cresson Wood entitled "Using Mother's Maiden Name to Authenticate Anybody". I thought he raised an interesting new way of approaching the maiden name non-dynamic password problem.

First of all, let's just agree on one thing: Using your actual mother's maiden name to authenticate anything or anyone is crazy. It took me about ten seconds to find the maiden name of one of my friends based here in FL using Intelius - and about fifteen minutes of refining searches in Google to track down a friend's MMN in a non-US jurisdiction.

This knowledge, however, will not set us free: many of the alternatives to "mother's maiden name" suck for other reasons, ranging from the logistics associated with distribution to the costs associated with management and support. For those, and a host of other reasons involving too much to do, certification, and fear of stepping away from the known, that "Mother's Maiden Name" text box on the bank's PIN reminder form is unlikely to be uncoded anytime soon.

Assuming this to be the case, Cresson Wood has a great suggestion for us. He suggests the next time you sign up for anything that asks you to submit your mother's maiden name, you make one up. Make sure it's memorable, of course, then offer this fake maiden name in place of your mother's real name.

"Franzappa" will not exactly resist a serious attack, but it will stop casual password hunters from finding out your mother's real maiden name using online tools, and using it against you. Remember, it's the low-hanging fruit that hits the ground first - so go up the tree.

Follow this simple trick and you'll reveal less information about yourself during sign-ups, and deposit less valuable information into databases.
