rcdailey (Dragoonfly, Premium, join: 2005-03-29, Rialto, CA) | reply to Name Game
Re: Secret Security Questions Are a Joke

My wife told me that every cat has a secret name. If you knew your cat's secret name, you could use that as a hint, but your cat won't tell you. -- It is easier for a camel to put on a bikini than an old man to thread a needle.
Spy (Premium, join: 2001-09-22, NE) | reply to antdude
They should just make the questions better, like "how many times do you use plastic see-through gloves when you use the toilet in a week" or something like that.
AVD (Respice, Adspice, Prospice, Premium, join: 2003-02-06, Onion, NJ, kudos: 1) | reply to antdude
"What was your first pet's name?" pIZZA
"Where was your brother born?" pIZZA
"What is your maternal grandmother's first name?" pIZZA
"What is your favorite food?" eLENORE -- --Standard disclaimers apply.-- The preceding posting is null and void in Arizona and any other jurisdiction where prohibited by law.
antdude (A Ninja Ant, Premium, VIP, join: 2001-03-25, United State, kudos: 4) | reply to antdude
I just put random answers and do write these down, encrypted.
| reply to Name Game
said by Name Game: "The questions are secure enough..they are not a wasted security step..if anything you should be calling them second, third and even in some cases fourth passwords. Is that what you wanted to hear ?"

Once again, I'm totally at a loss where you're coming from concerning my words and now my thoughts. But ok, I'll play along..... No, that's not what I wanted to hear. I guess if I wanted to hear anything it would have been something acknowledging that you didn't realize you weren't in the Apple/Matt thread and therefore didn't realize you were crapping antdude's thread and a decent conversation on the general topic of password questions that was in progress. I say that only because you asked.

said by Name Game: "And this is about Apple since they just bypassed that whole process and gave up the farm for Mat. I call blogs and posting like the OP found nothing but copycat blog. [snip] I read the Title..it is the same stupid title used by the person who blogged the stuff and nothing to do with antdude. It is a weak title this week for the info at the link."

*Sigh* - I am editing out what I would have said to minimize my reply here in respect to the thread, the OP, and the other posters.
Honestly, Name Game, your replies to me confused me not only here but previously (even sans edits). They attribute words and thoughts to me that I don't understand how you got. I even questioned whether you had me confused with someone else. Adding to that the additional postings you added, which are a follow-up to the Apple/Matt thing (Google 2-step) and not about the topic here but seemed to me to be intended for that topic thread. My only explanation was thinking you were making an honest mistake. I understand now your intent is clearly to be here.
I hope you'll allow the conversation about how password questions in general are weak to continue at this point.
-Jim
Name Game (Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 7)
Don't be silly..you can talk about what you wish..I posted about what was found in the link..don't know if you read all the comments in that link..but I will tell you..the person who started that discussion at that link..then associating it even remotely with Mat made the same mistakes others have by not reading his own account of exactly what really happened and have no understanding of Apple's security questions. Mat has even made that clear on his twitter. What they have read is other bloggers' accounts of what they think happened. »twitter.com/mat
The link contained this statement: "But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers." To that I say bullshit again.
The rest of the stuff you just posted..I have no idea what you are talking about..but it seems you do..so have a great day -- Gladiator Security Forum »www.gladiator-antivirus.com/
Name Game (Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 7) | reply to JALevinworth
BTW this is the actual full article that blogger cut and pasted without the link posted at the slashdot forum thingie...
»www.theatlantic.com/technology/a···/260835/
Rosen's article was not only about Mat..she tried to spin it into something that had nothing to do with the event. -- Gladiator Security Forum »www.gladiator-antivirus.com/
Name Game (Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 7) | reply to hortnut
said by hortnut: "My take on this is mirrored in others' answers.
I happen to like the questions.
But no one is going to know the High School I graduated from, nor the first street name, first pet name and so on.
I pull some information from over 150 years ago, some is from imaginary cities or cities I would like to live in and such other ilk.
For me it is consistent, but not sure how someone could deduce it from any public records. Not even friends know cities I would like to live in. When bored, I use Google Maps to visit these places.
For a pet's name, sometimes I will give my best friend from high school's dog's name. I like them too."

Some others that are used at sites one can choose from include: What is your childhood nickname? What is your father's middle name? What was your mother's maiden name?
If you want to get fancy just use those questions..but put in info as if it was your spouse for your own account.
Many other sites are now including a small avatar type graphic that you must confirm..that you chose when setting up the account. And then even asking if you are now at the login on your home computer or a public one. -- Gladiator Security Forum »www.gladiator-antivirus.com/
norwegian (1 edit) | reply to AVD
I don't use a lot of sites with security questions......do they allow lower case and upper case letters as such?
--------------
Back to my thoughts:
To me it starts to go back to how many sites, how many passwords, etc. While I understand this is about security questions, it is still relevant to some extent with passwords or any other form of authentication on the Internet...that is:
The more sites we visit with some form of authentication, the more we have to remember..for instance, one tool at work has so much restriction on re-using passwords within a certain time frame that it is weakening the password structure, and as such I'm now answering with words for passwords not so dissimilar to answers for security questions to make it easy for my memory.
Security questions to me are very weak. Generally speaking, the general public will use legitimate answers, and hence they generally become a weak link.....half a dozen security experts can say they use obscure wording for these answers, and it is good, it helps educate us on the possibilities; however if the vast general public does not, then it is flawed, extremely flawed to start with - it's no different in the discussion I have on Facebook - you can use tools or you don't - the mass general public do not, and this needs to be addressed.
As I said, the more sites we visit or need, the more the problem is intensified, be that Mat/Apple, Bill/Bank, Harry/Online Newspaper or Harriett and her online art store. We are venturing into a need for being online, having a plethora of sites we need to log into and a system with no basic standard, no basic sense of security, and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example.
Edit: grammar/spell -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
| reply to Mele20
I graduated in 1970, just after Woodstock, the Summer of Love, the riots, the height of Vietnam, sit-ins, etc.
Anyway I just made something up in my head based on my friend's older brother's features.
Yep it seems dumb, but no one is going to guess my answer.
Worked at the turn of the century for a Telco ISP and we had two-factor authentication then [only those with that Telco could have a dial-up account]. Came across some pretty silly and strange names.
| reply to norwegian
Well said, norwegian
-Jim
Snowy (mIRC unix.ro UnderNet, Premium, join: 2003-04-05, Kailua, HI, kudos: 6) | reply to norwegian
said by norwegian: "and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example."

Passwords, 2-step verification, secret questions, bogus answers etc... Just to be sure, that's not the lesson. The lesson is about not sharing passwords or very similar passwords between domains.
Kilroy (Premium, MVM, join: 2002-11-21, Ann Arbor, MI) | reply to antdude
The real problem I see is that people close to you probably know the answers. Sure, they may keep people you don't know out, but people who know you can cause issues. Normally not an issue, but ask anyone who has gone through an ugly divorce how nasty things can get.
The other thing is some of the questions have answers that change, "Who is your favorite author/band/etc.".
Personally I don't think that "security questions" should even be an option. I don't have a better solution, other than don't forget/lose your password. Maybe a two e-mail verification system. Don't know your password? We send a four-digit code to two different e-mail addresses and you have to enter both to access your account. -- Want the shirt? - »www.despair.com/thedestructor.html Not affiliated or making any profit from sales
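The two-address recovery flow Kilroy sketches above, written out as an added example (editor's illustration, not code from any poster or vendor). It keeps the four-digit codes from the post, which are short enough to guess, so the design leans on what makes short codes tolerable: both codes must be right, only a salted hash of each code is stored, a request expires, a capped number of wrong submissions kills it, and a successful request is single-use. The ten-minute lifetime, the three-attempt cap, the in-memory request table and the injected `send_email` callable are all assumptions made so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 4          # the post proposes a four-digit code per address
CODE_TTL_SECONDS = 600   # assumption: codes expire after ten minutes
MAX_ATTEMPTS = 3         # assumption: a request dies after three wrong submissions


def _hash_code(code: str, salt: bytes) -> bytes:
    # Only hashes are kept server-side, so a leaked pending-request table
    # does not reveal the codes that were e-mailed out.
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class RecoveryRequest:
    account: str
    created: float
    salt: bytes
    code_hashes: dict      # recovery address -> sha256(salt + code)
    attempts: int = 0
    consumed: bool = False


class RecoveryService:
    """Hypothetical two-address recovery flow (not any real vendor's code)."""

    def __init__(self, send_email, now=time.time):
        self._send_email = send_email   # callable(address, message), injected so the example runs offline
        self._now = now                 # injectable clock so expiry can be exercised
        self._pending = {}              # request id -> RecoveryRequest

    def start(self, account: str, addresses: list) -> str:
        """Mail an independent code to each address and return a request id."""
        if len(addresses) < 2 or len(set(addresses)) != len(addresses):
            raise ValueError("two distinct recovery addresses are required")
        salt = secrets.token_bytes(16)
        code_hashes = {}
        for address in addresses:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            code_hashes[address] = _hash_code(code, salt)
            self._send_email(address, f"Your recovery code for {account} is {code}")
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = RecoveryRequest(account, self._now(), salt, code_hashes)
        return request_id

    def verify(self, request_id: str, submitted: dict) -> bool:
        """True only if every address's code is present and correct, and only once."""
        req = self._pending.get(request_id)
        if req is None or req.consumed:
            return False
        if self._now() - req.created > CODE_TTL_SECONDS or req.attempts >= MAX_ATTEMPTS:
            del self._pending[request_id]   # expired or locked out: the user must start over
            return False
        req.attempts += 1
        # Require an answer for every address and check all of them without
        # short-circuiting, so a wrong first code and a wrong second code are
        # indistinguishable by timing.
        ok = set(submitted) == set(req.code_hashes)
        for address, expected in req.code_hashes.items():
            candidate = _hash_code(submitted.get(address, ""), req.salt)
            ok &= hmac.compare_digest(candidate, expected)
        if ok:
            req.consumed = True
            del self._pending[request_id]
        return ok


if __name__ == "__main__":
    # Offline demo: capture the "e-mails" in a dict instead of sending them.
    outbox = {}
    service = RecoveryService(lambda addr, msg: outbox.__setitem__(addr, msg.split()[-1]))
    rid = service.start("alice", ["alice@example.com", "alice.backup@example.net"])
    print("both codes accepted:", service.verify(rid, outbox))
    print("replay accepted:", service.verify(rid, outbox))
```

The two codes are generated independently, so an attacker who controls one of the two mailboxes still has to guess the other; the attempt cap is what turns a four-digit guess into a lockout rather than a 10,000-try search.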
norwegian | reply to Snowy
said by Snowy: "Passwords, 2 step verification, secret questions, bogus answers etc... Just to be sure, that's not the lesson. The lesson is about not sharing passwords or very similar passwords between domains."

True, however it is only a layer, and my comments still stand; your reply has only multiplied (to the power of itself) the problem we face. You may not have realized just how much you have confirmed my words with that statement, intended or not. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
Name Game (Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 7) | reply to norwegian
said by norwegian: "As I said, the more sites we visit or need, the problem is intensified, be that Mat/Apple, Bill/Bank, Harry/Online Newspaper or Harriett and her online art store. We are venturing into a need for being on line, having a plethora of sites we need to log into and a system with no basic standard, no basic sense of security and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example."

Yes well if you are Mat..you did not complain about security questions.
You do end up with Mat's problem if you do not heed his words on the mistakes he made..which he wants everyone to know..but the blogger only read the first part of his story and then started going off on their own tangent.
This is the lesson in his own words:
"I had done some pretty stupid things. Things you shouldn't do.
I should have been regularly backing up my MacBook. Because I wasn't doing that, if all the photos from the first year and a half of my daughter's life are ultimately lost, I will have only myself to blame. I shouldn't have daisy-chained two such vital accounts, my Google and my iCloud account, together. I shouldn't have used the same e-mail prefix across multiple accounts: mhonan@gmail.com, mhonan@me.com, and mhonan@wired.com. And I should have had a recovery address that's only used for recovery without being tied to core services.
But, mostly, I shouldn't have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose your iPhone, or have it stolen, the service lets you see where it is on a map. The New York Times' David Pogue recovered his lost iPhone just last week thanks to the service. And so, when Apple introduced Find My Mac in the update to its Lion operating system last year, I added that to my iCloud options too.
After all, as a reporter, often on the go, my laptop is my most important tool.
But as a friend pointed out to me, while that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers. You are almost certainly more likely to have your computer accessed remotely than physically. And even worse is the way Find My Mac is implemented.
When you perform a remote hard drive wipe on Find My Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here's the thing: If someone else performs that wipe, someone who gained access to your iCloud account through malicious means, there's no way for you to enter that PIN.
A better way to have this set up would be to require a second method of authentication when Find My Mac is initially set up. If this were the case, someone who was able to get into an iCloud account wouldn't be able to remotely wipe devices with malicious intent. It would also mean that you could potentially have a way to stop a remote wipe in progress.
But that's not how it works. And Apple would not comment as to whether stronger authentication is being considered." -- Gladiator Security Forum »www.gladiator-antivirus.com/
Snowy (mIRC unix.ro UnderNet, Premium, join: 2003-04-05, Kailua, HI, kudos: 6) | reply to norwegian
said by norwegian: "True, however it is only a layer, and my comments still stand, your reply has only multiplied (to the power of itself) of the problem we face. You may not have realized just how much you have confirmed my words with that statement, intended or not."

You're dead on with that. Calling mitigation a 'layer' is an intelligent way of looking at it. I wish I had said that. My post was an extension of yours, not intended to impeach your post reply at all.
norwegian | reply to Snowy
said by Snowy: "The lesson is about not sharing passwords or very similar passwords between domains."

Another note on your comment - using the same passwords or similar passwords when relative to the security questions most sites use; I believe some of it has been posted here already:
Security questions tend to fall victim to the use of the same questions across domains, and ultimately the same answers become used across those domains. It does highlight the inherent weakness of the authentication system. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
| reply to Snowy
Sorry about that - I tend to come across a little strong at times; I am a humble person, just a little passionate about the Internet and its methods.
Snowy (mIRC unix.ro UnderNet, Premium, join: 2003-04-05, Kailua, HI, kudos: 6) | reply to norwegian
said by norwegian: "... It does highlight the inherent weakness of the authentication system."

Hmm, OK, that I'd be willing to debate. The weakness is not the 'system' as much as it is the users. But then I suppose it can be argued that the system should have built-in self-defense mechanisms against a known weak link (users) in the chain.
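One shape such a built-in defence could take, as an added example written for this thread (editor's illustration, not any site's or poster's code): the server validates security-question answers at enrolment the way it would validate a password, then stores only a salted, slow hash of the normalised answer. The policy it enforces is drawn from the posts above: it rejects answers on a common-answer list (AVD's pIZZA), answers that repeat the account name or e-mail prefix (the mhonan@gmail.com / mhonan@me.com mistake in Mat's account), and the same answer reused for several questions. It also answers norwegian's case question for this design: answers are case-folded before hashing, so letter case is deliberately not secret material, and whatever strength the answer has must come from the words themselves. The common-answer list, the four-character minimum and the PBKDF2 iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Constructed for this example: a real deployment would load a much larger
# list of answers observed to be common. "pizza" is here because of the posts above.
COMMON_ANSWERS = {"pizza", "password", "none", "n a", "fluffy", "max", "smith", "jones"}
MIN_ANSWER_LENGTH = 4            # assumption: shorter answers are rejected
PBKDF2_ITERATIONS = 200_000      # assumption: tune to the server's budget


def normalize(answer: str) -> str:
    """Case-fold, strip accents, turn punctuation into single spaces, trim.

    After this, pIZZA, Pizza and "pizza!" are the same answer: letter case and
    punctuation are not treated as extra secret material.
    """
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9]+", " ", text.casefold())
    return text.strip()


def check_answers(answers: dict, account_identifiers: list) -> list:
    """Return policy violations for question -> answer pairs (empty list = accepted)."""
    identifiers = set()
    for ident in account_identifiers:
        identifiers.add(normalize(ident))
        if "@" in ident:   # the e-mail prefix is guessable too (mhonan@me.com -> mhonan)
            identifiers.add(normalize(ident.split("@", 1)[0]))
    problems = []
    seen = {}              # normalised answer -> question it was first used for
    for question, raw in answers.items():
        answer = normalize(raw)
        if len(answer) < MIN_ANSWER_LENGTH:
            problems.append(f"{question}: answer too short after normalisation")
        elif answer in COMMON_ANSWERS:
            problems.append(f"{question}: answer is on the common-answer list")
        elif answer in identifiers:
            problems.append(f"{question}: answer matches the account name or e-mail")
        elif answer in seen:
            problems.append(f"{question}: same answer already used for '{seen[answer]}'")
        else:
            seen[answer] = question
    return problems


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Store answers like passwords: a salted, slow hash of the normalised text."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the submitted answer against the stored hash."""
    _, candidate = hash_answer(answer, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed enrolment attempt modelled on the answers posted above.
    enrolment = {"first pet": "pIZZA", "brother born": "Pizza",
                 "grandmother": "pizza", "favorite food": "eLENORE"}
    for problem in check_answers(enrolment, ["avd", "avd@example.com"]):
        print("rejected:", problem)
    salt, digest = hash_answer("eLENORE")
    print("elenore accepted at login:", verify_answer("Elenore", salt, digest))
```

Because the hash is computed over the normalised form, a user who later types the answer in a different case still gets in, and the server never has to keep the plaintext answer that a friend, relative or ex-spouse might recognise in a breach dump.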
Snowy (mIRC unix.ro UnderNet, Premium, join: 2003-04-05, Kailua, HI, kudos: 6) | reply to norwegian
The fierceness of the attack was unparalleled in DSLR history... LOL We're cool.