
On Thu, May 28, 2015 at 03:13:37PM -0400, William Herrin wrote:
On Wed, May 27, 2015 at 1:16 AM, Octavio Alvarez <octalnanog@alvarezp.org> wrote:
I would definitely opt-out from any kind of "secret questions" that I couldn't type by myself.
Many many sites still think this is a good idea.
My first dog's name was a random and unpronounceable 30-character string.
I think this (Bill's) is a very good practice. It's not that difficult to enumerate the name of every pro sports team in the US, the 100 most popular dog names, the 200 most common street names, etc. This attack can be mitigated by limiting attempts...but of course if that's done, then it's possible for an attacker to lock out the real owner by just hammering away constantly using assorted botnet hosts.

---rsk
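
Added example (not part of the original thread): a small Python model of the trade-off described in the message above, comparing a failed-attempt cap keyed per account with one keyed per source address. The candidate list, host count, cap value and all names in the code are constructed assumptions.

```python
import secrets
import string

# Constructed stand-in for a "100 most popular dog names" list.
CANDIDATES = [f"dogname{i:03d}" for i in range(100)]


class SecretQuestion:
    """Secret-question check with a failed-attempt cap keyed per account or per source."""

    def __init__(self, answer, max_fails, per_source):
        self.answer = answer
        self.max_fails = max_fails
        self.per_source = per_source
        self.fails = {}

    def attempt(self, source, guess):
        key = source if self.per_source else "account"
        if self.fails.get(key, 0) >= self.max_fails:
            return "locked"
        if guess == self.answer:
            return "ok"
        self.fails[key] = self.fails.get(key, 0) + 1
        return "fail"


def simulate(answer, per_source, hosts=50, max_fails=5):
    """Return (guesser_found_answer, owner_result) after guesses spread over many hosts."""
    check = SecretQuestion(answer, max_fails, per_source)
    found = False
    for i, guess in enumerate(CANDIDATES):
        if check.attempt(f"host{i % hosts}", guess) == "ok":
            found = True
            break
    # The legitimate owner then tries once with the correct answer.
    return found, check.attempt("owner", answer)


def random_answer(length=30):
    """A random answer of the kind Bill describes (30 characters)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for label, answer in (("common name", "dogname073"), ("random string", random_answer())):
        for per_source in (True, False):
            print(label, "per-source" if per_source else "per-account", simulate(answer, per_source))
```

With a per-source cap the common answer is found because no single host reaches the cap; with a per-account cap the guessing is stopped but the owner is locked out, and a random answer only removes the first problem.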