crypto
Seeing as this is ostensibly a crypto blog, I'd like to comment on a paper from earlier this year: It's no secret: Measuring the security and reliability of authentication via 'secret' questions, by Stuart Schechter, A. J. Bernheim Brush, and Serge Egelman. This paper looks at the security of 'security questions': those questions about yourself you have to answer to get back into an account when you've forgotten your password. And (shock! surprise!) they find that this sort of mechanism generally sucks from a security point of view, perhaps even more than passwords do.
After a long period of inactivity, I am pleased to report signs of life for two of my papers, and a tech report besides.
It looks like I will be able to attend the 16th ACM Conference on Computer and Communications Security (also known simply as CCS 2009). Will any of my fellow cryptographers also be there? Or, if any of my readers have been there before: this will be my first time. What should I expect?
One of the recent USENIX Security papers has been getting quite a bit of buzz: Vanish: Increasing Data Privacy with Self-Destructing Data. It's really a very clever paper, proposing a way to do something apparently impossible: ensuring that data (like email) 'disappears' after a certain period of time.
