Thursday, June 5th, 2008 07:25 pm

So, LiveJournal just added a "secret question" authentication option in case you lose your password or lose access to your registered email account.

Please treat the secret question and its answer as the extra key to your journal. Anyone who has this key (or guesses your answer) will be able to access your journal. If you want to write your own question, make sure that nobody knows your answer to it and that it has too many possible answers to guess. Questions like "What is my favorite color?" or "What is my mother's maiden name?" are not a good choice, because the former has too few possible answers, while the answer to the latter can be found through available databases.

(Emphasis mine.)

Now if we could just get this simple concept through the thick skulls of the infernal BANKS!  To date, I have seen exactly one bank allow you to specify your own secret question with a true answer that is NOT a matter of public record, and that bank stopped doing it several years ago.  On most bank web access sites, ALL of the available "secret" questions are matters of public record.  A few offer one or two answers that would require a little more work for a random stranger to find out, but could probably be obtained by social engineering from anyone who knows you well.

Yes, you can supply a known false answer.  But then you have to keep a list, somewhere, of what false answers you used where.  I've occasionally pondered just picking a question at random from the list but always answering with the same stock answer — "That is a really stupid choice for a security question", perhaps, or "What imbecile thought that would be a good security question?"  And just to make matters worse, a lot of times they only allow you fifteen or twenty characters for your answer.

What's worse, every time I've brought this issue up with a bank, it seems they're unable to understand why it's a problem.
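As an added illustration (not part of the original post or its comments): a small Python helper that generates a random answer fitting the alphanumeric-only, 15-to-20-character fields the post complains about, and compares the guessing effort against a "favorite color" style answer. The 12-colour answer space and the 20-character field limit are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character set a typical bank field accepts: only a-zA-Z0-9 (per the post's complaint).
BANK_ALPHABET = string.ascii_letters + string.digits
# Assumed field limit; the post mentions fifteen or twenty characters.
BANK_MAX_LEN = 20
# Assumed size of the "favorite color" answer space (a dozen common colours).
COMMON_COLOURS = 12


def answer_entropy_bits(n_possible_answers: int) -> float:
    """Bits of work to guess an answer drawn uniformly from n possibilities."""
    return math.log2(n_possible_answers)


def random_answer_entropy_bits(length: int, alphabet: str = BANK_ALPHABET) -> float:
    """Entropy of a uniformly random string of the given length over the alphabet."""
    return length * math.log2(len(alphabet))


def random_answer(length: int = BANK_MAX_LEN, alphabet: str = BANK_ALPHABET) -> str:
    """A made-up 'secret' answer (store it in a password manager, not in your head)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fits_field(answer: str, max_len: int = BANK_MAX_LEN, alphabet: str = BANK_ALPHABET) -> bool:
    """True if the bank's restricted field would accept this answer at all."""
    return 0 < len(answer) <= max_len and all(c in alphabet for c in answer)


def compare_strategies(length: int = 15) -> dict:
    """Guessing effort (bits) for the answer strategies discussed in the post.

    A public-record answer (mother's maiden name) is scored as 0 bits: the
    attacker looks it up instead of guessing it.
    """
    return {
        "public_record": 0.0,
        "favorite_colour": answer_entropy_bits(COMMON_COLOURS),
        "random_alphanumeric": random_answer_entropy_bits(length),
    }


if __name__ == "__main__":
    ans = random_answer(15)
    print(ans, fits_field(ans))
    for strategy, bits in compare_strategies(15).items():
        print(f"{strategy:22s} {bits:6.1f} bits")
```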

Thursday, June 5th, 2008 11:42 pm (UTC)
Have you ever noticed a lot of those quiz-type memes like "What's your Hollywood stage name?" actually consist of answers to things that are typically used as "secret questions" by various websites? Things like the street you grew up on, the name of your first pet, your first-grade teacher's name, etc., etc.
Thursday, June 5th, 2008 11:57 pm (UTC)
yup. and they cross-correlate too over time. niceeeee.

the end all beat all though is the guys who only allow a-zA-Z0-9 as passwd characters. you can't even always use 0-9. uhm, what? no other magic characters. just normal words that can be looked up and chained.

at least one VLF i know of lets you choose not only your username (up to some stupid long string), and an even longer passwd, but use pretty much the full character set. hah.

Friday, June 6th, 2008 01:25 am (UTC)
I don't tend to do most of those memes. But frankly, if I did one that asked questions like those, I'd, er .... answer imaginatively anyway.
Friday, June 6th, 2008 12:40 am (UTC)
Thank you. This is one of my favorite rants.

My online banking requires a security question that is both a matter of public record and hard to remember ("What is your grandfather's birthplace?" or some such nonsense). Of course, I made up an "easier to remember" answer and then forgot it.
Friday, June 6th, 2008 01:19 am (UTC)
My credit union's authentication process requires you to choose your own three questions, and randomly asks one of them each time you log in. If you lose your password, you have to physically go to the office and show ID to change it.
Friday, June 6th, 2008 01:26 am (UTC)
Good for them. Sounds like they're taking customer security seriously.
Saturday, June 7th, 2008 07:24 pm (UTC)
Oh, I always use the "What is your mother's maiden name" question - but I don't give her real name, so the answer is not anything someone could get from my birth certificate or anything.
Monday, June 9th, 2008 09:43 pm (UTC)
I have standard fake answers for all the standard questions. The one time I had to use my fake answers, the people on the phone thought I was crazy, because when asked for my mother's maiden name, I said "It's either Jones or Smith". But they unlocked me anyway. Some great security.