Wordle and security
I am sure all of you have heard of Wordle, the game in which you have to guess a target 5-letter word. After each guess, you are told which letters are in the right place, which are in the wrong place, and which are not in the word at all. A few weeks ago, I had an interesting situation - none of the letters were in the target word in my first guess, my second guess AND my third guess. Now, many people may feel stumped, but I was happy. There were only a few possibilities left and, after thinking for 2 minutes, I could only come up with one - the winning answer.
So what does that have to do with security? Well, lack of information is also information. If a website's login or password-reset form revealed that person X doesn't have an account, you could create a spoof account in X's name and use it to hoodwink X's friends and family; the same form confirms which addresses are registered, which is exactly the list an attacker wants before trying stolen passwords against them. Many times, innocuous information becomes revelatory when combined with other equally harmless information. For example, an exercise-tracking company published a heat map of where its users were exercising (the Strava global heatmap, in 2018), and it revealed the locations of secret military bases where soldiers were logging their runs with that app!
So, as we build systems to service our customers' needs, we would be well-advised to pay attention to what the responses look like - the message, the status code, and even how long the reply takes - and whether we are revealing much too much.
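To make the "account does not exist" leak concrete, here is an added example (mine, not from the original post) of a login handler that answers differently for registered and unregistered addresses, beside a version that returns one message, one status code, and does the same password-hashing work on both paths so that timing does not leak the answer either. The user store, e-mail addresses and password are constructed for the example; the `responses_distinguish_accounts` helper is the check a reviewer can run against any handler.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """PBKDF2-HMAC-SHA256; the slow step we want to run on every path."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed sample user store (email -> (salt, hash)); not real accounts.
_salt = os.urandom(16)
USERS = {
    "alice@example.com": (_salt, _hash_password("correct horse battery staple", _salt)),
}

# Decoy credential: unknown addresses are verified against this so the
# "no such user" path costs the same as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(email: str, password: str):
    """Before: the reply tells the caller whether the address is registered,
    and the unknown-user path skips the hashing, so timing leaks it too."""
    record = USERS.get(email)
    if record is None:
        return 404, "No account with that email address"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 401, "Incorrect password"
    return 200, "Welcome"


def login_uniform(email: str, password: str):
    """After: one failure message and status code, and the same amount of
    work whether or not the account exists."""
    record = USERS.get(email)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    exists = record is not None
    matches = hmac.compare_digest(candidate, stored)  # constant-time compare
    # Both flags are computed before branching; the decoy hash can never match.
    if not (exists and matches):
        return 401, "Invalid email or password"
    return 200, "Welcome"


def reset_request_uniform(email: str):
    """Password-reset form that does not confirm whether the address exists."""
    if email in USERS:
        pass  # the reset e-mail would be queued here; nothing visible differs
    return 200, "If an account exists for that address, a reset link has been sent"


def responses_distinguish_accounts(handler, known: str, unknown: str, password: str = "x") -> bool:
    """Check helper: True if the handler's reply differs between a registered
    and an unregistered address, i.e. the endpoint leaks account existence."""
    return handler(known, password) != handler(unknown, password)


if __name__ == "__main__":
    print("leaky leaks:", responses_distinguish_accounts(login_leaky, "alice@example.com", "bob@example.com"))
    print("uniform leaks:", responses_distinguish_accounts(login_uniform, "alice@example.com", "bob@example.com"))
```

The same check applies to any endpoint that takes an identifier: registration ("that email is taken"), password reset, and API lookups all need the same uniform reply and uniform cost, or the enumeration simply moves to whichever endpoint was forgotten.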
So, going into the holiday season, make sure Santa keeps his lists on an encrypted drive.
