unixronin: Galen the technomage, from Babylon 5: Crusade (Default)

December 2012


Most Popular Tags

Expand Cut Tags

No cut tags

August 10th, 2011

unixronin: A somewhat Borg-ish high-tech avatar (Techno/geekdom)
Wednesday, August 10th, 2011 05:38 pm

XKCD starts the whole thing off.

There is an appalling amount of misconception about identification security out there today.  And the real underlying problem is that far too many people who use or build sites or services either don't think in terms of security in the first place, or don't understand enough about security to get it right.

But you know one of the things I hate the most about the whole subject?

"Security questions".

Why do I hate security questions?

Because without a single exception that I am aware of, sites that use security questions will not let you define your own questions.  They make you pick from a list of preselected "security" questions. And virtually without exception, the correct answers to anywhere from about 60% up to all of the questions you get to choose from are matters of public record.  Anyone trying to conduct a serious social engineering attack against you has probably researched you enough to gather all of those answers in advance, and it probably only took a couple of hours at most.

What on earth is the point of using SSL, applying password rules that at least rule out the most trivial passwords, and then FORCING me to pick one or more of a list of "security" questions, the answers to every last one of which are public record?

I've complained in the past to people who work in banking security about this, and had it explained to me in reply that the trouble with letting people choose their own security questions is they can't make people choose good questions.

You know what?  I DON'T FUCKING CARE.  The answer to some people choosing weak security questions is NOT "Force everyone to use weak security questions".  If you force me to have weak security questions that I can identify myself with in the event that I "forget" my password, you have just made it pointless for me to use a strong password, because any potential social-engineering attacker will simply bypass my password.  So now, I have to use deliberately false answers to all of my security questions.  And THAT means that now I have to write them down, or I'll never remember which false answers I used to which questions on which sites.

Wells Fargo USED to let you choose your own security question. They don't do it any more.  "Because we can't stop people from choosing bad questions."

No, but you can for damned sure prevent them from picking GOOD ones.

unixronin: Galen the technomage, from Babylon 5: Crusade (Default)
Wednesday, August 10th, 2011 06:05 pm