January 30th, 2007

unixronin: Galen the technomage, from Babylon 5: Crusade (Default)
Tuesday, January 30th, 2007 10:12 am

Oyez!  Oyez!  Oyez!  Hear ye, hear ye, hear ye!

Yeah, we're plotting an anti-StuporBowl party for this coming Saturday.  The basic theme can be summed up as Finger Food, Not Football.  Basic no-game plan calls for opening up the doors sometime around noon and having a bring-your-kids session in the afternoon with children's games, and then more adult (well, less childish) entertainments later in the evening.  We'll be providing some food and some drinks, but feel free to contribute; contact us to coordinate so we can try to avoid excessive duplication.  (You do know how to get in touch with us, right?  We'll provide directions via email as needed.)

unixronin: Closed double loop of rotating gears (Gearhead)
Tuesday, January 30th, 2007 11:19 am

There's a growing trend in web e-commerce sites to "improve" site security by adding a "secret question" to the identifying information for the user.  It's well-intentioned, usually.  But it's almost invariably poorly implemented.

You want me to be able to prove my identity by answering a "secret" question to which only I would know the answer?  OK, fine.  Then let me pick the question.

But this isn't what most sites do.  They typically let you pick one question from a list of three to five.  Sometimes, they pre-pick the question; you don't get a choice at all.  ING Direct goes slightly better than the usual run of this; they provide a list of eight possible questions, from which you must pick and answer five.  When called for, they will use one randomly-selected question from the five you chose.

The problem is that, invariably, most — if not all — of the questions offered for your selection are questions to which the truthful answer is a matter of public record.  Your city of birth, for example, or that old standby beloved of banks and credit-card companies, your mother's maiden name.  What's worse, in many cases, if you forget your password, you can gain access to your account by answering the secret question instead.  So anyone who wishes to gain access to your account need only research the answers to those four or five most common "secret" questions — a much easier task than cracking or otherwise compromising your password, since the vast majority of users will answer those questions with the correct answer.  The slightly more sophisticated user recognizes that to answer these non-secret "secret" questions with a truthful answer which can be readily found in public records is a security weakness, not a security measure, and so will provide false answers to the questions; but then there's the problem of remembering which false answer you supplied to which question on which site.  And that means that either you develop a system of some kind (which could be as simple as, say, answering every "secret" question with "Madagascar"), or you write your answers down somewhere accessible.  It's not hard to come up with a system.  But the honest fact is, most security-unaware average users aren't even going to realize they need to do it.

The upshot of it is, the "secret question" tactic, as commonly implemented by 90% of web sites, does not improve security; it weakens it, sometimes drastically.

As noted above, there's an astoundingly simple measure for making the "secret question" gambit an actual, real security improvement:  Let the user pick the question, as well as the answer, and disallow questions to which the answer is likely to be trivially available from public records.
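As an added illustration (this is not code from the post or from any site it mentions), here is what the recommended scheme looks like when a site actually implements it: the user supplies both question and answer, questions that smell like public-record lookups (maiden name, birthplace, and a few others in a constructed denylist) are rejected at enrollment, several pairs are required, one is chosen at random at challenge time as in the five-of-eight scheme described above, and answers are stored salted and hashed like passwords rather than in plaintext. The denylist patterns, the minimum lengths, the PBKDF2 parameters and the three-pair minimum are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed denylist: substrings of questions whose honest answer is usually
# public record or trivially discoverable. The page names city of birth and
# mother's maiden name explicitly; the rest are assumed for this example.
PUBLIC_RECORD_PATTERNS = (
    "maiden name",
    "city of birth",
    "place of birth",
    "were you born",
    "date of birth",
    "birthday",
    "high school",
    "first car",
    "pet's name",
    "first pet",
    "street you grew up",
)

MIN_QUESTION_WORDS = 4   # assumed threshold: reject one-word "questions"
MIN_ANSWER_CHARS = 6     # assumed threshold: reject guessable one-word answers
PBKDF2_ROUNDS = 200_000  # assumed work factor


def normalize(text: str) -> str:
    """Canonicalise user text so 'Madagascar ' and 'madagascar' compare equal."""
    text = unicodedata.normalize("NFKC", text)
    return " ".join(text.casefold().split())


def validate_question(question: str) -> tuple:
    """Accept only user-chosen questions that are not public-record lookups."""
    q = normalize(question)
    if len(q.split()) < MIN_QUESTION_WORDS:
        return False, "question too short to be meaningful"
    for pattern in PUBLIC_RECORD_PATTERNS:
        if pattern in q:
            return False, f"answer to '{pattern}' is likely public record"
    return True, "ok"


def validate_answer(answer: str, question: str) -> tuple:
    """Reject answers that are too short or simply echo the question."""
    a = normalize(answer)
    if len(a) < MIN_ANSWER_CHARS:
        return False, "answer too short"
    if a in normalize(question):
        return False, "answer must not appear in the question"
    return True, "ok"


def hash_answer(answer: str, salt: bytes = b"") -> dict:
    """Store the answer like a password: per-record salt, slow hash, no plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_answer(answer: str, record: dict) -> bool:
    """Constant-time comparison of the candidate answer against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def enroll(pairs: list, minimum: int = 3) -> list:
    """Take several user-chosen (question, answer) pairs; refuse any bad one outright."""
    if len(pairs) < minimum:
        raise ValueError(f"need at least {minimum} question/answer pairs")
    enrolled = []
    for question, answer in pairs:
        ok, why = validate_question(question)
        if not ok:
            raise ValueError(f"rejected question {question!r}: {why}")
        ok, why = validate_answer(answer, question)
        if not ok:
            raise ValueError(f"rejected answer for {question!r}: {why}")
        enrolled.append({"question": question, **hash_answer(answer)})
    return enrolled


def challenge(enrolled: list) -> dict:
    """Pick one enrolled question at random, as the five-of-eight scheme does."""
    return secrets.choice(enrolled)


if __name__ == "__main__":
    # Constructed sample: three user-written questions, answered the lazy way the
    # post jokes about ("Madagascar" everywhere). Still stored hashed and salted.
    records = enroll([
        ("Which novel did I abandon halfway through?", "Madagascar"),
        ("What did I nickname my broken bicycle?", "Madagascar"),
        ("Name of the first song I played on stage?", "Madagascar"),
    ])
    asked = challenge(records)
    print(asked["question"], verify_answer("madagascar", asked))
```

The same database-side rule applies as for passwords: a stolen table of hashed answers is far less useful than plaintext, and the lockout and rate-limiting that guard the password prompt should guard this prompt too, since the post's central point is that the question must not become a cheaper second door into the account.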

So why don't more sites use it?