XKCD starts the whole thing off.
There is an appalling amount of misconception about identification security out there today. And the real underlying problem is that far too many people who use or build sites or services either don't think in terms of security in the first place, or don't understand enough about security to get it right.
But you know one of the things I hate the most about the whole subject?
"Security questions".
Why do I hate security questions?
Because without a single exception that I am aware of, sites that use security questions will not let you define your own questions. They make you pick from a list of preselected "security" questions. And virtually without exception, the correct answers to anywhere from about 60% up to all of the questions you get to choose from are matters of public record. Anyone trying to conduct a serious social engineering attack against you has probably researched you enough to gather all of those answers in advance, and it probably only took a couple of hours at most.
What on earth is the point of using SSL, applying password rules that at least rule out the most trivial passwords, and then FORCING me to pick one or more of a list of "security" questions, the answers to every last one of which are public record?
I've complained in the past to people who work in banking security about this, and had it explained to me in reply that the trouble with letting people choose their own security questions is they can't make people choose good questions.
You know what? I DON'T FUCKING CARE. The answer to some people choosing weak security questions is NOT "Force everyone to use weak security questions". If you force me to have weak security questions that I can identify myself with in the event that I "forget" my password, you have just made it pointless for me to use a strong password, because any potential social-engineering attacker will simply bypass my password. So now, I have to use deliberately false answers to all of my security questions. And THAT means that now I have to write them down, or I'll never remember which false answers I used to which questions on which sites.
Wells Fargo USED to let you choose your own security question. They don't do it any more. "Because we can't stop people from choosing bad questions."
No, but you can for damned sure prevent them from picking GOOD ones.
Security questions
Obviously this means that I also need to "remember" the nonsense answers that I gave to various security questions at various sites, but fortunately 2000 years of civilisation has provided means to do that without taxing my powers of mental recall. (It also helps that I very rarely need to reset passwords or otherwise use security questions.)
I've been doing this for years. Very very few sites/people have ever commented on it, let alone objected. So I suggest you pretend that "what was the name of your first pet?" is an invitation to imagine a possible world where you had the Coolest First Pet Name Ever (tm). Lather, rinse, and repeat.
Ewen
PS: I used to just provide completely random strings (pwgen 20, etc), but having had to supply some of these over the phone I gave that up as Too Much Like Hard Work. So I just do the XKCD thing and supply more (nonsense) words, rather than random strings.
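The approach Ewen describes (random words rather than pwgen-style strings, so the answers can be read out over the phone) and the post's point that a public-record answer gives a researched attacker almost nothing to guess, as an added example that is not part of the original post or its comments. The 32-word list and the five-candidate "shortlist" are constructed illustrative assumptions; a real answer generator would draw from a large diceware-style list, and a site storing such answers should normalize and hash them the way it hashes passwords.

```python
import math
import re
import secrets

# Constructed 32-word list for illustration only (5 bits per word); a real
# diceware list of 7776 words gives about 12.9 bits per word instead.
WORDLIST = [
    "anchor", "biscuit", "canyon", "dolphin", "ember", "falcon", "glacier",
    "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "acorn", "bramble", "cobalt",
    "drizzle", "ferret", "gondola", "hazel",
]


def nonsense_answer(n_words=4, wordlist=WORDLIST, separator=" "):
    """Return n_words words picked uniformly with a CSPRNG (secrets), joined by
    separator. Words are easier to dictate over a phone than random strings."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Entropy of n_words independent uniform picks from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def expected_guesses(bits):
    """Average number of guesses before an attacker hits a uniformly random
    secret of the given entropy (half the keyspace)."""
    return 2 ** bits / 2


def compare_answer_strategies(n_words=4, wordlist_size=len(WORDLIST),
                              shortlist_size=5):
    """Compare a random-word answer with a public-record answer that an
    attacker has already narrowed to shortlist_size candidates (assumption:
    the attacker's research yields a small shortlist, e.g. for 'city of birth').
    Returns the bits of each and how many times more guesses the random
    answer costs."""
    random_bits = entropy_bits(n_words, wordlist_size)
    public_bits = math.log2(shortlist_size)
    return {
        "random_words_bits": random_bits,
        "public_record_bits": public_bits,
        "advantage_factor": 2 ** (random_bits - public_bits),
    }


def normalize_answer(answer):
    """Canonical form a site should hash and compare against, so that an
    answer typed or dictated with different case or spacing still matches."""
    return re.sub(r"\s+", " ", answer.strip().lower())


if __name__ == "__main__":
    answer = nonsense_answer()
    print("generated answer:", answer)
    print("entropy bits:", entropy_bits(4, len(WORDLIST)))
    print(compare_answer_strategies())
```

With the constructed 32-word list, four words give 20 bits, about half a million guesses on average; the same four words from a 7776-word list give roughly 51.7 bits, while an answer the attacker has narrowed to a handful of candidates is worth two or three bits regardless of how strong the account password is.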
Re: Security questions
This is a little beside the point, though; said point being that the simple fact that many people, given the opportunity, will use poorly-chosen security questions is a really shitty reason for forcing EVERYONE to use the same equally poorly-chosen security questions.
Re: Security questions
I too have a lousy memory for "Random Made-Up Shit", but a good memory for "how to find things out again". And very little concern about writing stuff down in reasonably secure locations -- some encrypted, some not, depending on value. Banking I care about security. Random web forums, not so much.
Ewen
no subject
Notaries public are great resources. We have a lot of legal infrastructure in place for them: it's crazy to not use them.
Of course, the flip side of this is you'll inconvenience a lot of your customers... who will then leave in droves for your competitors, who are nowhere near as considerate.
I am normally allergic to government regulation, but I am considering whether this is an area where I find government regulation to be tolerable. Saying, "yes, we have good standards and we enforce them universally!" is a great thing: but keeping politicians from promulgating bad standards and murdering them by the Death-From-A-Thousand-Special-Interest-Exemptions is a giant unsolved problem.