The Creeping Insanity of Security Questions
by Vaughan Merlyn on Jun 16, 2008 - 08:35 AM
Source: http://itorganization2017.wordpress.com/?p=256
Excuse me if I deviate for a moment and go off on a rant, but I’ve had it up to my proverbial eyeballs with the creeping insanity that’s gripped people responsible for protecting us from would-be evil-doers on websites.
Due to changes in my home technology setup as well as changes to my company email address, I spent part of the weekend updating my personal details on various websites - airlines, banks, etc. It’s one thing to be asked, “What’s your mother’s maiden name?” and similar choices - unequivocal, known and already remembered (for most of us). It’s quite another to ask questions like, “Where did you meet your spouse or partner?”
Take my case - we met at school some 45 years ago. Should I set the answer as “school”, “high school”, “Vyners High School” (the name of the school) or “London” (the place of the high school), etc.? All these answers would be correct, but of course the way the system works, I can only provide one answer, and then the onus is on me to remember how I answered a very ambiguous question, perhaps a year or so from now when I have lost my password, or some such catastrophe. Other choices I had were, “The name of my first pet?” (that was 55 years ago, and, with apologies to sentimentalists, I don’t remember), “The name of my first best friend?” (again, many years ago, and there were several), and, believe it or not, “The first phone number I ever learned and can still recall.”
Please, designers of security questions, come up with questions that are unambiguous, to which the answers are memorable, and which are not completely silly! Protecting our identities is important stuff - and deserves to be treated as such!
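The ambiguity the post describes has two parts. Part of it is trivial variation in how one remembered answer gets typed (“Vyners High School” versus “vyners high-school”), which a site can absorb by normalising the answer before comparing it; the rest (“school” versus “London”) is inherent in the question and no code can fix it. The snippet below is an added example, not code from the original post or from any site it mentions: it shows a hypothetical enrol/verify pair that normalises answers and then treats them as the secrets they are, storing only a salted, slow hash. The iteration count and the sample answers are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed work factor for the example; a real deployment tunes this.
PBKDF2_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a security-question answer so that case, accents,
    punctuation and spacing differences do not lock out the rightful owner.
    This cannot reconcile genuinely different answers such as
    "school" and "London"; only a better-phrased question can do that."""
    # Strip diacritics: "Zoë" and "Zoe" are the same remembered answer.
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # Case-fold, replace runs of punctuation/whitespace with a single space.
    text = text.casefold()
    text = re.sub(r"[^a-z0-9]+", " ", text)
    return " ".join(text.split())


def enroll_answer(answer: str) -> tuple[bytes, bytes]:
    """Store the answer the way a password is stored: random salt plus a
    slow hash of the normalised form. Returns (salt, digest); the plaintext
    answer is never kept (hypothetical storage layout for this example)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash from the normalised candidate and compare in
    constant time, so a wrong guess leaks nothing through timing."""
    cand = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(cand, digest)


def demo() -> dict[str, bool]:
    """Enrol one remembered answer and test the variants from the post.
    Spelling/formatting variants verify; a different correct answer does not."""
    salt, digest = enroll_answer("Vyners High School")  # constructed enrolment
    return {
        "exact": verify_answer("Vyners High School", salt, digest),
        "casing_and_spacing": verify_answer("  vyners   high-school! ", salt, digest),
        "different_true_answer": verify_answer("London", salt, digest),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

Normalisation widens the set of inputs a site accepts without weakening the stored secret, because the hash is computed over the canonical form. It does nothing for the questions the post objects to, where several unrelated strings are all honest answers; that is a question-design problem, and the only remedy is asking something with one obvious canonical answer.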
-
re: The Creeping Insanity of Security Questions
a reply to The Creeping Insanity of Security Questions
by Steve Elmore on Jun 16, 2008 - 11:49 AM
Excellent observation. This brings up another good point which revolves around persona and site vulnerability. Do I want to use the same password, security question responses, user ID, etc. across all of the business, banking and social networking sites that require authentication? If someone hacks one of the more vulnerable sites and gets my user ID and password, chances are they could access some other sites as well. Do I want a different user ID for every social networking site? No, that makes it harder for people to find me. So, do the business Steve and the social Steve share the same user ID & password? No. Do they share the same mother's maiden name & birthplace? Yes. And that is a problem. Can I remember what I use where? Barely.
And then there is the whole issue of password strength... I cannot remember a combination of one cap, one special character, four letters and four numbers for one site, let alone 10, 20 or 30. And God forbid I use a password manager that gets hacked. Perhaps it is time to use our ubiquitous webcams and use a combination of voice and facial recognition software to replace all the silly questions and passwords.
-
re: The Creeping Insanity of Security Questions
a reply to The Creeping Insanity of Security Questions
by Brittain on Jun 16, 2008 - 01:48 PM
A couple of thoughts on the thread, which raises nothing but reasonable concerns.
- With security questions I always use the same answer no matter what lame question I choose. The asking system doesn't know the difference anyway. In effect, these personal questions become an "Alternative password, please?" question.
- As for SteveE's points, what I've done is create a series of cascading passwords and supporting personal accounts (think of onion peeling).
  - At the center is the one account I use to access my actual money (aka my bank accounts). This account has a single e-mail, a very cryptic password and username.
  - Beyond that I've a separate username, e-mail, and password; this is used for other important accounts - credit cards, investments, online trading, etc.
  - Then there's another username, e-mail, and password for even less important things. This pattern continues until I've a throwaway hotmail account and username with a ridiculously easy to remember password that I use for things like trying out new sites, downloading whitepapers, etc.
I'm not sure if either is very secure, but it makes me think it is...
-
By: Bob Landstrom
a reply to The Creeping Insanity of Security Questions
by Bob Landstrom on Jun 17, 2008 - 08:28 AM
Source: http://itorganization2017.wordpress.com/?p=256#comment-292
Hello Vaughan.
A few weeks ago, I was also changing information with my bank, and was put through a number of these verification questions. I was asked about street addresses at which I’ve lived in the past, names of distant relatives, and a number of other things. I have to say, the test was rather difficult to pass. Luckily I made it through, but I felt challenged enough that I commented to the customer care agent that the test was very tough.
Interestingly, just last week I received a call from my ex-wife, on a similar matter. She has recently been assigned the glamorous role of managing customer fraud at a major transportation company. When testing out a prospective verification service, she was subjected to a similar verification process on herself ( sort of the “eat your own dogfood” test ). She called to ask if I can remember having a PO box in a city in which we lived for a total of six months, nearly 20 years ago. Neither of us ever had ( or could recall ) having a PO box in that town, and since there was a box with one of our names on it and mail was put into that box it now shows up as a prior address in her history.
Just an example of how well-intentioned processes can backfire against the rightful owner of the data.
I know my pets’ names, the color of my first car, but I’m lucky if I can remember what I had for lunch yesterday. I hope they go easy on me in the future.
Bob Landstrom
http://itconsultant.boblandstrom.com
-
re: The Creeping Insanity of Security Questions
a reply to The Creeping Insanity of Security Questions
by Tim Bevins on Jun 23, 2008 - 09:39 AM
Although I tend to use the same login and password for the many opt-in email subscriptions I have for work, I have so many others for more important, personal accounts, subs, etc., I keep them in a file that's protected (sort of) and violates all the principles of keeping that stuff secure. The file now prints out at 7 or 8 pages. I print it out once in a while to make sure I have it in hard copy. Good thing, too, because recently I inadvertently deleted the entire contents of the file.
What I like now is that some financial institutions and, of course, Intacct, require you to change them periodically . . . And, finally, in violation of every security principle, I have Firefox save some of the login / password combos so I don't have to remember anything.
I am password-protected but by no means secure . . .
Tim B