Unixronin
Wednesday, August 10th, 2011 05:38 pm

XKCD starts the whole thing off.

There is an appalling amount of misconception about identification security out there today.  And the real underlying problem is that far too many people who use or build sites or services either don't think in terms of security in the first place, or don't understand enough about security to get it right.

But you know one of the things I hate the most about the whole subject?

"Security questions".

Why do I hate security questions?

Because without a single exception that I am aware of, sites that use security questions will not let you define your own questions.  They make you pick from a list of preselected "security" questions. And virtually without exception, the correct answers to anywhere from about 60% up to all of the questions you get to choose from are matters of public record.  Anyone trying to conduct a serious social engineering attack against you has probably researched you enough to gather all of those answers in advance, and it probably only took a couple of hours at most.

What on earth is the point of using SSL, applying password rules that at least rule out the most trivial passwords, and then FORCING me to pick one or more of a list of "security" questions, the answers to every last one of which are public record?

I've complained in the past to people who work in banking security about this, and had it explained to me in reply that the trouble with letting people choose their own security questions is they can't make people choose good questions.

You know what?  I DON'T FUCKING CARE.  The answer to some people choosing weak security questions is NOT "Force everyone to use weak security questions".  If you force me to have weak security questions that I can identify myself with in the event that I "forget" my password, you have just made it pointless for me to use a strong password, because any potential social-engineering attacker will simply bypass my password.  So now, I have to use deliberately false answers to all of my security questions.  And THAT means that now I have to write them down, or I'll never remember which false answers I used to which questions on which sites.

Wells Fargo USED to let you choose your own security question. They don't do it any more.  "Because we can't stop people from choosing bad questions."

No, but you can for damned sure prevent them from picking GOOD ones.

Wednesday, August 10th, 2011 10:39 pm (UTC)
FWIW, I feel under no obligation whatsoever to provide a true (or even vaguely relevant) answer to any given security question. I treat them as an invitation to engage in Secret Spy Conversations where I give a seemingly meaningless answer in response to the apparently meaningless question, so that Secret Spy Stuff can then happen. (And typically I'll give different answers to the same questions at different sites.)

Obviously this means that I also need to "remember" the nonsense answers that I gave to various security questions at various sites, but fortunately 2000 years of civilisation has provided means to do that without taxing my powers of mental recall. (It also helps that I very rarely need to reset passwords or otherwise use security questions.)

I've been doing this for years. Very very few sites/people have ever commented on it, let alone objected. So I suggest you pretend that "what was the name of your first pet?" is an invitation to imagine a possible world where you had the Coolest First Pet Name Ever (tm). Lather, rinse, and repeat.

Ewen

PS: I used to just provide completely random strings (pwgen 20, etc), but having had to supply some of these over the phone I gave that up as Too Much Like Hard Work. So I just do the XKCD thing and supply more (nonsense) words, rather than random strings.
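The practice described in the post and in Ewen's comment (deliberately false, per-site answers built from random words rather than facts of public record) as an added example; this is not code from the post or its commenters. The word list is a small constructed stand-in; a real deployment would use a large list such as a diceware list (assumption), and the entropy figures below use the 7776-word size of such a list.

```python
import math
import secrets
import string

# Constructed stand-in word list; a real tool would load a large diceware-style list.
WORDS = ["correct", "horse", "battery", "staple", "lantern", "copper", "meadow", "violet",
         "anchor", "pebble", "cactus", "walrus", "ember", "garnet", "harbor", "tundra"]

ALNUM = string.ascii_letters + string.digits  # 62 symbols, like a pwgen-style string


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` independent, uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def nonsense_answer(n_words: int = 4, words=WORDS, choose=secrets.choice) -> str:
    """Word-based false answer: easy to read over the phone, unrelated to the question."""
    return " ".join(choose(words) for _ in range(n_words))


def random_string_answer(length: int = 20, alphabet: str = ALNUM, choose=secrets.choice) -> str:
    """pwgen-style random string: stronger per character, but awkward to dictate."""
    return "".join(choose(alphabet) for _ in range(length))


def new_site_answers(questions, choose=secrets.choice) -> dict:
    """Fresh, independent nonsense answer for every question at one site.

    Store the result in a password manager; the same questions at another site
    get a separate call, so answers never repeat across sites.
    """
    return {q: nonsense_answer(choose=choose) for q in questions}


def strength_comparison() -> dict:
    """Bits an attacker must guess when the answer is NOT researchable public record.

    A true public-record answer (mother's maiden name, first pet) is ~0 bits against
    someone who has looked you up, so only the fabricated alternatives are listed.
    """
    return {
        "4 words from a 7776-word list": round(entropy_bits(7776, 4), 1),
        "20-char alphanumeric string": round(entropy_bits(62, 20), 1),
    }
```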
Wednesday, August 10th, 2011 11:03 pm (UTC)
It's also less effort for the developers to provide a drop down list of questions (stored in the database by question id), than allow random strings to be entered. Which I suspect is a major motivating factor in this "race to the bottom".

I too have a lousy memory for "Random Made-Up Shit", but a good memory for "how to find things out again". And very little concern about writing stuff down in reasonably secure locations -- some encrypted, some not, depending on value. Banking I care about security. Random web forums, not so much.

Ewen
Wednesday, August 10th, 2011 11:08 pm (UTC)
My own preferred proposal: let people devise their own security question. Tell them, "if you forget this, then you'll have to write us a letter that includes a statement from a notary public attesting they've seen two forms of ID from our approved list confirming your identity. The letter has to be sent from your notary's office, composed on your notary's letterhead."

Notary publics are great resources. We have a lot of legal infrastructure in place for them: it's crazy to not use them.

Of course, the flip side of this is you'll inconvenience a lot of your customers... who will then leave in droves for your competitors, who are nowhere near as considerate.

I am normally allergic to government regulation, but I am considering whether this is an area where I find government regulation to be tolerable. Saying, "yes, we have good standards and we enforce them universally!" is a great thing: but keeping politicians from promulgating bad standards and murdering them by the Death-From-A-Thousand-Special-Interest-Exemptions is a giant unsolved problem.