Unixronin

June 5th, 2008

Thursday, June 5th, 2008 07:25 pm

So, LiveJournal just added a "secret question" authentication option in case you lose your password or lose access to your registered email account.

Please treat the secret question and its answer as the extra key to your journal.  Anyone who has this key (or guesses your answer), will be able to access your journal.  If you want to write your own question, make sure that nobody knows your answer to it and that it has too many possible answers to guess.  Questions like "What is my favorite color?" or "What is my mother's maiden name?" are not a good choice, because the former has too few possible answers, while the answer to the latter can be found through available databases.

(Emphasis mine.)

Now if we could just get this simple concept through the thick skulls of the infernal BANKS!  To date, I have seen exactly one bank allow you to specify your own secret question with a true answer that is NOT a matter of public record, and that bank stopped doing it several years ago.  On most bank web access sites, ALL of the available "secret" questions are matters of public record.  A few offer one or two answers that would require a little more work for a random stranger to find out, but could probably be obtained by social engineering from anyone who knows you well.

Yes, you can supply a known false answer.  But then you have to keep a list, somewhere, of what false answers you used where.  I've occasionally pondered just picking a question at random from the list but always answering with the same stock answer — "That is a really stupid choice for a security question", perhaps, or "What imbecile thought that would be a good security question?"  And just to make matters worse, a lot of times they only allow you fifteen or twenty characters for your answer.

What's worse, every time I've brought this issue up with a bank, it seems they're unable to understand why it's a problem.
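As an added illustration (not part of the original post), here is what the "keep a list of false answers" approach looks like if you treat each secret question as a second password: draw the answer from a cryptographic random source, keep it within the site's length limit, store it alongside the question in a password manager, and compare its entropy with the guess space of the questions banks actually offer. The guess-space sizes for the bank questions are constructed estimates for illustration, and the in-memory dictionary stands in for a password-manager entry.

```python
import math
import secrets
import string

# Lowercase letters and digits only: an assumption that the form rejects
# punctuation and compares case-insensitively, which is common on bank sites.
ALPHABET = string.ascii_lowercase + string.digits


def random_answer(max_len=16):
    """Return a uniformly random answer of exactly max_len characters.

    Uses secrets (a CSPRNG), not random, so the answer is unpredictable.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(max_len))


def answer_entropy_bits(answer, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random string of this length over alphabet."""
    return len(answer) * math.log2(len(alphabet))


def guess_space_bits(possible_answers):
    """Entropy in bits of a question with N equally likely answers (N=1: already known)."""
    return math.log2(possible_answers)


def register(store, site, question, max_len=16):
    """Record a fresh random answer for (site, question); return the answer.

    'store' is a plain dict standing in for a password-manager entry; a real
    deployment keeps this encrypted at rest, never in a plaintext list.
    """
    answer = random_answer(max_len)
    store[site] = {"question": question, "answer": answer}
    return answer


# Constructed, illustrative guess-space sizes for questions banks commonly offer.
WEAK_QUESTIONS = {
    "What is your favorite color?": 20,       # a short list of common colours
    "What city were you born in?": 300,       # a few hundred plausible cities
    "What is your mother's maiden name?": 1,  # public record: attacker knows it
}


def compare_questions(max_len=16):
    """Bits of work an attacker faces for each weak question vs. a random answer."""
    result = {q: guess_space_bits(n) for q, n in WEAK_QUESTIONS.items()}
    result["random %d-char answer" % max_len] = answer_entropy_bits("x" * max_len)
    return result


if __name__ == "__main__":
    vault = {}
    ans = register(vault, "examplebank", "What is your favorite color?", max_len=16)
    print("stored for examplebank:", vault["examplebank"])
    for question, bits in compare_questions(16).items():
        print("%-35s %6.1f bits" % (question, bits))
```

Even with a 16-character limit a random alphanumeric answer is over 80 bits, while "favorite color" is about 4 bits and a maiden name an attacker can look up is zero; the only cost is that the answer must live in the same place your passwords already do.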
