How to Figure Out Someone’s Mother’s Maiden Name

Something you know…and that someone else knows. It can happen.

Many systems require more than one knowledge-based modality, which is why they sometimes ask for other things like your mother’s maiden name.

This of course is not foolproof. Your sister who hates your guts, for example, obviously knows your mother’s maiden name. And even complete strangers, especially those with nefarious intent, can deduce your personal information.

Let me introduce you to Doug.

How Doug learned Donna’s mother’s maiden name…and more

Assume that Doug wants to hack Donna’s account but needs some personal information to do so. This is somewhat tough, since Donna’s Facebook account is private and can only be seen by her friends. Well, Doug knows that Belle is a friend of Donna’s, and Belle’s Facebook password is “password1.” Problem solved.

Doug uses Belle’s account to read Donna’s posts and finds some remarkably interesting ones. Not that she’s posting her Social Security Number or anything, but what did she post?

  • “Happy birthday to my mom!” (This particular post was loved by Jane Davis, who wrote “Thank you dear daughter.”)
  • “Happy 30th birthday to me!”
  • “Hey, look at this picture of my new driver’s license. My picture actually looks halfway decent.”
  • “Hey, look at this picture of my senior citizen bus pass. Yeah, I’m old.”
  • “I cried when I looked at this old picture of my dog Scamper, taken in front of my childhood home on Mulberry Street.”

If you’re keeping score at home, Doug now knows the following information about Donna:

  • Her mother’s maiden name.
  • Her date of birth (from her birthday post and her driver’s license picture; her senior citizen’s bus pass doesn’t have her birthdate but does have her birthday).
  • Her driver’s license number.
  • The name of her favorite pet.
  • The name of the street she lived on as a child.

More than enough for Doug to impersonate Donna.

Learn more about the six identity factors

Six identity factors. One Bredemarket ebook. Total identity protection. Purchase “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket.

Types of Knowledge-Based Modalities

Something you know.

We know a lot of things, we can tell the system the things we know, and the system can confirm that the person accessing the system knows these same things.

Here are a few examples of knowledge-based information:

  • Passwords.
  • Personal Identification Numbers (PINs).
  • Social Security Numbers.
  • Driver’s License Numbers.
  • Dates of Birth.
  • Employee IDs.
  • Mother’s maiden name.
  • Name of your favorite pet.
  • Name of the street you lived on as a child.

Some of these pieces of personally identifiable information (PII) are more commonly known than others. The, um, secret is to choose a piece of knowledge that ONLY YOU know.

But remember: anything that you know is potentially known by others.

If Your Passwords Failed, Your Other Factors Could Fail Also

There are all sorts of apocalyptic literature: apes taking over the world is but one example. But the scariest thing I’ve read lately was published by Factonic.

“Imagine waking up one morning and realizing that every password you’ve ever created has suddenly stopped working. Your bank account, social media profiles, and even your email are either completely locked or frighteningly exposed. There’s no reset option, no backup plan—just instant confusion and panic.”

Factonic believes that massive hacks, quantum computing power, and other catastrophic events could eliminate password protections.

“In the first 24 hours after passwords stop working, the digital world would slip into chaos.

“Banking systems could either freeze to prevent unauthorized access or come under heavy attack as bad actors try to exploit the sudden vulnerability, leaving people unable to access their money or complete transactions.

“Social media accounts would be rapidly hijacked, spreading misinformation, scams, or malicious content as users lose control of their profiles.

“Meanwhile, businesses would likely shut down access to their platforms entirely in an attempt to contain the damage, halting operations and cutting off services to millions of users.”

But before you say that passwords are finally dead and we can move on to other factors of identity verification and authentication

…those same hacks and power could also affect all the other factors. Imagine quantum computing power that could generate matching fingerprints, faces, behaviors, and identity documents in seconds. As I said in 2021:

“But wait a minute. Isn’t it possible to spoof biometrics? And when a biometric is compromised, you can’t change your finger or your face like you can with a compromised password. And the Internet tells me that biometrics is racist anyway.

So I guess “biometrics are dead” too, using the “passwords are dead” rationale.

“And we obviously can’t use secure documents or other “something you have” modalities either, because “something you have” is “something that can be stolen.” And you can’t vet the secure document with biometrics because we already know that biometrics are spoofable and racist and all that.

So I guess “secure documents are dead” too.

So much for protection. Have a good day.

Unintended Consequences of Age Assurance…and What Happens Next (VPNs vs. Zero Trust)

More and more jurisdictions are mandating age assurance (either age verification or age estimation) to access online services. Perhaps racy content, perhaps gambling content, or in some cases even plain old social media. But in a technical sense these age assurance mechanisms are a network problem…and you can just route yourself around a problem.

Your jurisdiction doesn’t allow you to visit the Sensuous Wildebeests website? Just install a virtual private network (VPN) to pretend that you’re in a different jurisdiction that allows access.

Problem solved…for now.

But Secrets of Privacy indicates what’s next:

“After the Online Safety Act triggered a 6,000+% surge in VPN usage, the House of Lords tabled an amendment to ban children from using VPNs. Under the proposal, VPN providers would have to verify the age of all UK users. The government has said it will “look very closely” at VPN usage.”

For more information on this proposal, see TechRadar.


And this is just one of many examples of government examination, and perhaps regulation, of VPN use.

But as Secrets of Privacy points out, there’s one big problem. VPN users aren’t only kids trying to dodge the law, or individuals trying to protect their privacy. There’s one very big class of VPN users who would NOT appreciate government regulation.

“VPNs are fundamental to modern business IT, which makes a “ban” hard to envision. Every corporation with remote workers uses them. Diverse industries, such as banking, law, finance, and ecom giants all depend on VPN technology. You can’t ban VPNs without breaking the backbone of modern IT systems.”


Of course, some argue that VPNs are an outmoded security mechanism. Here’s what Fortinet says:

“VPNs were developed when networks were different than they are now. Before the advent of cloud applications, resources were isolated within a secure corporate network perimeter. Now, modern networking infrastructures are being deployed that can quickly adapt and scale to new business requirements, which means applications and data are no longer contained within the corporate data center. Instead they reside across distributed multi-cloud and hybrid data center networks.

“This change has led to a rapid expansion of the attack surface, and in the face of this changing cybersecurity environment, Zero Trust Network Access (ZTNA) has received more attention as an alternative to VPNs for remote access.”

Of course, VPNs will fade away at the same time the password dies…in other words, not any time soon. And while Secrets of Privacy speculates about a two-tier solution in which corporations can use VPNs but individuals cannot…we’ll see.

Do you have trust, or zero trust, that VPNs will be regulated in ALL jurisdictions in the future?

Ask questions.

Is Biometric Authentication Marketing Profitable?

When a company such as Bredemarket promotes itself, often we don’t know who is receiving the marketing messages. Therefore, we have to BROADCAST.

When we do know who is receiving our messaging, we can NARROWCAST.

Hmmm…how could we know this?

Ask TLG Marketing.

“Businesses are rapidly adopting biometric authentication marketing as it serves a dual purpose: enhancing security and providing a customized marketing experience.”

But does it pay? Yes.

“By integrating fingerprint recognition technology, a retail company optimized its app experience, leading to a 20% increase in online sales. In another case, a banking institution used facial recognition for secure and quick authentication, resulting in a customer service rating boost of 25%.”

There are ways other than biometrics to know who your prospects are, but knowledge-based authentication (KBA) such as passwords has its weaknesses. With KBA you may not be interacting with your prospect, but with your prospect’s spouse or child.

JOE’S ALCOHOL EMPORIUM: Evelyn, what types of alcohol do you prefer?

EVELYN’S TEENAGE SON WHO KNOWS HER PASSWORD IS HIS BIRTHDATE: 200 proof, man! Let’s get wasted!

Bredemarket has created targeted, segmented content, including individualized content. Let me help you communicate with your individual prospects. Talk to me.

Tech marketers, are you afraid?

How Many Authentication Factor Types Are There?


An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.

For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”

But how many factors are there?

Three factors of authentication

There are some people who argue that there are only really three authentication factors:

  • Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
  • Something you have, such as a driver’s license, passport, or hardware or software token.
  • Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.

Five factors of authentication, not three

I argue that there are more than three.

  • Something you do, such as super-secret swiping patterns to unlock a device.
  • Somewhere you are, or geolocation.

For some of us, these are the five standard authentication factors. And they can also function for identity verification.

Six factors of authentication, not five

But I’ve postulated that there is one more.

  • Somewhat you why, or a measure of intent and reasonableness.

For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.

  • The person may deserve access if they are an employee and arrive at the location during working hours.
  • That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
  • That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.
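The two checks this post describes, counting factor types rather than authenticators (fingerprint plus face is still one factor) and gating the five factors with a test of whether the request makes sense for this person right now, can be written down directly. The block below is an added illustration, not Bredemarket’s code or any product’s. The authenticator-to-factor table, the 08:00 to 18:00 working-hours window, the employment statuses and the resource names ("equipment_return", "hr_file") are all assumptions made up for the example.

```python
"""Added example (not from the original post): count DISTINCT authentication
factor types, then apply the post's sixth, intent-based gate on top of them."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable

class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    DO = "something you do"
    WHERE = "somewhere you are"

# Assumed mapping of presented authenticators to the factor type each belongs to.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "mothers_maiden_name": Factor.KNOW,
    "id_card": Factor.HAVE,
    "hardware_token": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
    "swipe_pattern": Factor.DO,
    "geolocation": Factor.WHERE,
}

def distinct_factors(authenticators: Iterable[str]) -> set:
    """Collapse the presented authenticators to the set of factor types they cover."""
    factors = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator: {name}")
        factors.add(AUTHENTICATOR_FACTOR[name])
    return factors

def is_multi_factor(authenticators: Iterable[str], minimum: int = 2) -> bool:
    """True only when at least `minimum` DIFFERENT factor types are present."""
    return len(distinct_factors(authenticators)) >= minimum

@dataclass
class AccessContext:
    """Assumed context for the intent gate (the post's 'sixth factor')."""
    employment_status: str   # "active" or "terminated"
    hour: int                # local hour at the location, 0-23
    resource: str            # what the person is trying to reach
    revoked: bool = False    # card/biometric already revoked?

# Assumed: a terminated person may only reach the equipment-return desk.
ALLOWED_WHEN_TERMINATED = {"equipment_return"}
WORKING_HOURS = range(8, 18)  # assumed 08:00 to 18:00

def intent_is_reasonable(ctx: AccessContext) -> bool:
    """Does this request make sense for this person, at this time, for this resource?"""
    if ctx.revoked:
        return False
    if ctx.employment_status == "active":
        return ctx.hour in WORKING_HOURS
    if ctx.employment_status == "terminated":
        return ctx.resource in ALLOWED_WHEN_TERMINATED
    return False

def decide(authenticators: Iterable[str], ctx: AccessContext) -> str:
    """Combine the factor-count check with the intent gate into one decision."""
    if not is_multi_factor(authenticators):
        return "deny: fewer than two distinct factor types"
    if not intent_is_reasonable(ctx):
        return "deny: request is not reasonable for this person right now"
    return "allow"

if __name__ == "__main__":
    creds = ["password", "id_card", "fingerprint"]
    print(decide(creds, AccessContext("active", 10, "office")))            # allow
    print(decide(creds, AccessContext("terminated", 10, "equipment_return")))  # allow
    print(decide(creds, AccessContext("terminated", 10, "hr_file")))       # deny: ... not reasonable
    print(decide(["fingerprint", "face"], AccessContext("active", 10, "office")))  # deny: fewer than two
```

The fingerprint-plus-face case is the one worth noticing: both authenticators pass, yet `is_multi_factor` still says no, because they are the same "something you are" factor. The intent gate is deliberately a separate function so that adding a context rule never weakens the factor count, and vice versa.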

Or maybe just five factors of authentication

Now, not everyone agrees that this sixth factor of authentication is truly a factor. (If “not everyone” means no one, that is; I’m the only person blabbering about it.)

So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.

May 1 is World Password Day

The KnowledgeFlow Cybersecurity Foundation reminds us that the Upland Amazon Fresh grand opening isn’t the only big event this Thursday.

“World Password Day occurs on the first Thursday in May each year. It’s a day dedicated to raising awareness about the importance of password security and promoting good password practices to enhance your online security.”

And even if you belong to the “passwords are dead” movement, you’d better celebrate anyway because passwords will remain longer than you think.


The Courts and Passcode vs. Biometric Access to Your Smartphone: It’s Complicated

(With a special message at the end for facial recognition and cybersecurity marketing leaders)

Years ago, when I was in Mexico City on a business trip, one of my coworkers stated that he never uses biometrics to protect the data on his smartphone.

His rationale?

Government officials can compel you to use your biometrics to unlock your smartphone. They can’t compel you to provide your passcode to government officials.

Ironically, we both worked for a biometric company at the time.

But my former coworker isn’t the only one making this statement. With the recent protests, and with the recent searches of people crossing the U.S. border by plane or otherwise, this same advice is echoed everywhere.

But is it true?

As ZDNET says, it’s complicated.

Passcodes: it’s complicated

ZDNET quotes law firm managing partner Ignacio Alvarez on passcodes:

“But the majority of the courts have found that being required by law enforcement to give your code to your devices violates your Fifth Amendment right against self-incrimination.”

Note what Alvarez said: the MAJORITY of the courts. So if you end up before the “wrong” court, you might have to provide your passcode anyway.

ZDNET also quotes attorney Joseph Rosenbaum:

“Passwords or passcodes, because they represent information contained in a person’s mind, seem to generally be considered the same as requiring someone to testify against themselves in court or in a deposition,” he told ZDNET. “That information is more likely to be legally protected under the Fifth Amendment as potentially self-incriminating.”

Notice his “seem to generally be” and “more likely to be” language. Again, you could still be compelled to give your passcode.

But that’s the easy part.

Biometrics: it’s complicated

But passcodes are the easy part. Biometrics are much more of a gray area.

Anything you say.
By NBC Television – eBayfrontback, Public Domain, https://commons.wikimedia.org/w/index.php?curid=33340402.

The rationale behind not giving up your biometric is similar to the rationale behind the Miranda warning. As Dragnet fans know, “Anything you say can and will be used against you in a court of law.” Regarding passcodes, the courts…well, some of the courts, hold that since a passcode can be “spoken,” it’s covered under Miranda and therefore can’t be given without violating your Fifth Amendment rights.

What about biometrics? (Excluding voice biometrics for the moment.)

“…since a biometric isn’t spoken, production of that biometric may not legally qualify as the act of testifying against yourself and therefore, you can be compelled to unlock a phone or an app without necessarily having your rights violated.”

Again, note the use of the words “may not.” It isn’t clear here either.

And even these wishy-washy definitions may change.

“This area of law is a seriously moving target. Over time, things could favor passcodes being non-testimonial or biometrics being testimonial.”

In other words, a few years from now lawyers may advise you to use biometrics rather than passcodes to protect your private data on your smartphone.

Or maybe they’ll say both methods protect you equally.

Or maybe they’ll say neither method protects you, and your private data is no longer private.

But most likely they’ll say “It depends.” In the same way that our 18,000 law enforcement agencies have 18,000 different definitions of forensic science, they could have 18,000 different definitions of Miranda rights.

And one more thing…

Bredemarket has two openings!

The formal announcement is embargoed until Monday, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:

  • compelling content creation
  • winning proposal development
  • actionable analysis

Book a call: https://bredemarket.com/cpa/

Knowledge Ain’t Dead

Do you believe in intentional ignorance, stupidity, and idiocy?

Let me put it another way:

Do you believe in the “death of passwords”?

The rationale behind the decades-long death of passwords movement is that passwords do not provide 99.99999% security, therefore NO ONE should EVER EVER EVER use a password, or ANY other form of knowledge (PIN, first pet, what a traffic light looks like, college GPA, favorite RGB value).

I have a different view.

Knowledge CAN be part of a robust multi-factor identity verification or authentication solution.

Just like biometrics CAN be part of a robust multi-factor identity verification or authentication solution. Oh, you think biometrics should be the SOLE (geddit?) factor? I hate to break this to you, but biometrics do not provide 99.99999% security either.

And for the simpler use cases (such as garage sale money boxes), knowledge-based authentication such as a combination lock is a viable security system.

Don’t rely on passwords alone…

…but don’t completely ban them either. Knowledge ain’t dead.

Because advocating for the death of the password is as stupid as advocating for the death of the bicycle.

Make sure your bicycle has a wheel, spokes, seat, and drink holder, and don’t use any of the last six bicycles you previously used. By Havang(nl) – Public Domain, https://commons.wikimedia.org/w/index.php?curid=2327525
