Mythic Monday – The Sphinx

“Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”

That was the riddle asked by the Sphinx, a creature sent to Thebes to by Hera (or Ares).  When the riddle was answered incorrectly, the Sphinx would strangle and devour the challenger.  This went on for a while until Oedipus, who answered “man” and explained that the “time of day” was a metaphor for “time of life” and that the question refers to the stages of life: baby crawling, man walking, old man with a cane.  After this, the Sphinx (being unable to come up with another clever riddle) promptly killed herself.

Today’s myth is fairly transparently about password security.  The Sphinx made three basic errors that we can learn from:

Question/Answer Pairs

We’ve all seen the “security question” prompts.  They often ask about pets or parental surnames.  Sometimes they ask about special anniversaries.  In any event, if you are moderately findable online, a quick search of genealogy databases or photo-sharing sites can turn up answers to such questions.  To combat this, you can either hide all information relating to you, search it out online and remove it, visit public libraries and burn all the public records and brain-wipe all your friends… or you can answer the question nonsensically.  Just because the field says “mother’s maiden name”, doesn’t mean that you have to put that in there.  Maybe put in your favorite fruit instead.

Suppose the answer to the Sphinx’s riddle wasn’t “Man”, but was “Kiwi”?  Sure, the myth wouldn’t make much sense, and Oedipus would have become dinner rather than king, but the riddle would have much less guessable.

Short Answer

You know how irritating it is to have to have a password that is “at least 8 characters”?  Well, the reason is that there are people that can try all sorts of different words until they get in.  It’s as if someone in power (like, say, Oedipus) were sending numerous peasants to the Sphinx with random answers.  It would have gone something like this:

  • Sphinx: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
  • Peasant 1:  Umm, (checks list) an apple!
  • Sphinx: Nope.  (strangle) (eat)
  • Peasant 2: How about an eagle?
  • Sphinx: Nope.  (strangle) (eat)
  • Peasant 3: (looks about warilly) man?
  • Sphinx: Close, but we just changed the answer in the previous section.  (strangle) (OM NOM NOM NOM)
  • Peasant 4: (reads the previous section).  Kiwi!
  • Sphinx: Drat!  (strangles self and throws body over cliff)
  • Peasant 4: Yay!  I win.
  • Oedipus: (strangles peasant 4) (looks around warilly) Yay! I win.

So, the Sphinx manages to survive a bit longer, but is still undone because the answer is short and guessable.  Let’s protect against that by changing the answer from “Kiwi” to “My favorite of all the fruits is the kiwi… the fruit that needs a shave!”  That’d be a lot harder to guess.  Hard enough the Oedipus might even run out of peasants before he gets to it.

Only One Question

Ah, but what if you have an exceptionally smart guesser.  Suppose they know something about the person choosing the password.  Even incredibly long passphrases have to be remembered, so odds are that a little bit of social engineering can be of use.  If we fully embrace anachronisms and have a Sphinx that is a Star Wars fan, odds are that the pass phrase would appear on the list of 30 Most Memorable ‘Star Wars’ Quotes. Similarly, if the Sphinx were known to enjoy Shakespeare, 200+ Famous Bardisms might be a good place to start. The point here is to pre-load the disposable peasants with likely answers, so that Oedipus can hit upon it while there is still a peasant to kill and claim the credit.

A clever Sphinx can protect herself by coming up with multiple riddles. In the security field, we’d call this multi-factor authentication, which we shorten to “know/have/are”. To extend our horribly-mistreated metaphor, the Sphinx would be highly secure if she:

  1. Something you know:
    • Q: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
    • A: “My favorite of all the fruits is the kiwi… the fruit that needs a shave!”
  2. Something you have:
    • Q: “Do you have the key that unlocks this super special box that I borrowed from Pandora?
    • A: (peasant offers a herring that has been painted plaid)
      • Remember, the answer should be nonsensical and nontrivial.  A plaid herring covers both requirements in most instances.  Besides, it’s generally best to leave Pandora’s box closed.
  3. Something you are:
    • Q: “How do I know that you are truly you?”
    • A: (peasant shows the Sphinx that birthmark that Oedipus painted on his arm)
      • It’s very difficult to forge the “something you are” check, but it can be done if the verification technology is flawed, be it a fingerprint scanner that doesn’t check body temperature or a stupid Sphinx.

Thus, the only person that could get past the Sphinx would be someone that managed to prove their identity three different ways, which makes it extremely likely that the person allowed is the one authorized… or someone that has privileged information as to which questions will be asked and which answers are expected.  So, make sure that your questions and answers are reasonably secure, but also make sure that you don’t let anyone else know that they are.  Secrets are only good so long as they are kept secret.

That’s why the Sphinx had to kill herself, you know.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.