
rcdailey
Dragoonfly
join:2005-03-29
Rialto, CA
reply to Name Game

Re: Secret Security Questions Are a Joke

My wife told me that every cat has a secret name. If you knew your cat's secret name, you could use that as a hint, but your cat won't tell you.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



Spy
join:2001-09-22
NE
reply to antdude

They should just make the questions better, like "How many times a week do you use plastic see-through gloves when you use the toilet?" or something like that.



AVD
Respice, Adspice, Prospice
join:2003-02-06
Onion, NJ
reply to antdude

"What was your first pet's name?"
pIZZA

"Where was your brother born?"
pIZZA

"What is your maternal grandmother's first name?"
pIZZA

"What is your favorite food?"
eLENORE
--
--Standard disclaimers apply.--
The preceding posting is null and void in Arizona and any other jurisdiction where prohibited by law.



antdude
A Ninja Ant
join:2001-03-25
United State
reply to antdude

I just put in random answers and do write these down, encrypted.



JALevinworth

@embarqhsd.net
reply to Name Game

said by Name Game:

The questions are secure enough..they are not a wasted security step..if anything you should be calling them second, third and even in some cases fourth passwords. Is that what you wanted to hear?

Once again, I'm totally at a loss where you're coming from concerning my words and now my thoughts. But ok, I'll play along..... No, that's not what I wanted to hear. I guess if I wanted to hear anything it would have been something acknowledging that you didn't realize you weren't in the Apple/Matt thread and therefore didn't realize you were crapping antdude's thread and a decent conversation on the general topic of password questions that was in progress. I say that only because you asked.

said by Name Game:

And this is about Apple, since they just bypassed that whole process and gave up the farm for Mat. I call blogs and postings like the one the OP found nothing but copycat blogs.
[snip]
I read the title..it is the same stupid title used by the person who blogged the stuff and has nothing to do with antdude.
It is a weak title this week for the info at the link.

*Sigh* - I am editing out what I would have said to minimize my reply here in respect to the thread, the OP, and the other posters.

Honestly, Name Game, your replies to me confused me not only here but previously (even sans edits). They attribute words and thoughts to me, and I don't understand how you got them. I even questioned whether you had me confused with someone else. Adding to that, the additional postings you added are a follow-up to the Apple/Matt thing (Google 2-step) and not about the topic here, but seemed to me to be intended for that topic thread. My only explanation was thinking you were making an honest mistake. I understand now your intent is clearly to be here.

I hope you'll allow the conversation about how password questions in general are weak to continue at this point.

-Jim


Name Game
join:2002-07-07
Grand Rapids, MI

Don't be silly..you can talk about what you wish..I posted about what was found in the link..don't know if you read all the comments in that link..but I will tell you..the person who started that discussion at that link, then associating it even remotely with Mat, made the same mistakes others have by not reading his own account of exactly what really happened, and has no understanding of Apple's security questions. Mat has even made that clear on his Twitter. What they have read is other bloggers' accounts of what they think happened.
»twitter.com/mat

The link contained this statement "But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers."
To that I say bullshit again.

The rest of the stuff you just posted..I have no idea what you are talking about..but it seems you do..so have a great day
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Name Game
join:2002-07-07
Grand Rapids, MI
reply to JALevinworth

BTW this is the actual full article that the blogger cut and pasted, without the link, posted at the slashdot forum thingie...

»www.theatlantic.com/technology/a···/260835/

Rosen's article was not only about Mat..she tried to spin it into something that had nothing to do with the event.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Name Game
join:2002-07-07
Grand Rapids, MI
reply to hortnut

said by hortnut:

My take on this is mirrored in other's answers.

I happen to like the questions.

But no one is going to know the High School I graduated from, nor the first street name, first pet name and so on.

I pull some information from over 150 years ago, some is from imaginary cities or cities I would like to live in and such other ilk.

For me it is consistent, but not sure how someone could deduce it from any public records. Not even friends know cities I would like to live in. When bored, use Google Maps to visit these places.

For a pet's name, sometimes I will give my best friend from high school's dog's name.

I like them too. Some others that are used at sites, which one can choose from, include:
What is your childhood nickname?
What is your father's middle name?
What was your mother's maiden name?

If you want to get fancy just use those questions..but put in info as if it was your spouse for your own account.

Many other sites are now including a small avatar type graphic that you must confirm..that you chose when setting up the account. And then even asking if you are now at the login on your home computer or a public one.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


norwegian
join:2005-02-15
Outback
reply to AVD

I don't use a lot of sites with security questions......do they allow lower case and upper case letters as such?

--------------

Back to my thoughts:

To me it starts to go back to how many sites, how many passwords, etc etc. While I understand this is about security questions, it is still relevant to some extent with passwords or any other form of authentication on the Internet...that is:

The more sites we visit with some form of authentication, the more we have to remember..for instance, our work tool has so much restriction on re-using passwords within a certain time frame that it is weakening the password structure, and as such I'm now answering with words for passwords not so dissimilar to answers for security questions to make it easy for my memory.

Security questions to me are very weak. Generally speaking, the general public will use legitimate answers, and hence they generally become a weak link.....half a dozen security experts can say they use obscure wording for these answers, and it is good, it helps educate us on the possibilities; however, if the vast general public does not, then it is flawed, extremely flawed to start with - it's no different from the discussion I have on Facebook - you can use tools or you don't - the mass general public do not, and this needs to be addressed.

As I said, the more sites we visit or need, the more the problem is intensified, be that Mat/Apple, Bill/Bank, Harry/Online Newspaper or Harriett and her online art store. We are venturing into a need for being online, having a plethora of sites we need to log into and a system with no basic standard, no basic sense of security, and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example.

Edit: grammar/spelling
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



hortnut
Huh?

join:2005-09-25
PNW
reply to Mele20

I graduated in 1970, just after Woodstock, the Summer of Love, the Riots, Height of Vietnam, Sit ins, etc.

Anyway I just made something up in my head based on my Friend's older brother's features.

Yep it seems dumb, but no one is going to guess my answer.

Worked at the turn of the century for a telco ISP and we had two-factor authentication then [only those with that telco could have a dial-up account]. Came across some pretty silly and strange names.



JALevinworth

@embarqhsd.net
reply to norwegian

Well said, norwegian.

-Jim



Snowy
join:2003-04-05
Kailua, HI
reply to norwegian

said by norwegian:

and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example.

Passwords, 2 step verification, secret questions, bogus answers etc...
Just to be sure, that's not the lesson.
The lesson is about not sharing passwords or very similar passwords between domains.


Kilroy
join:2002-11-21
Saint Paul, MN
reply to antdude

The real problem I see is that people close to you probably know the answers. Sure they may keep people you don't know out, but people who know you can cause issues. Normally not an issue, but ask anyone who has gone through an ugly divorce how nasty things can get.

The other thing is some of the questions have answers that change, "Who is your favorite author/band/etc.".

Personally I don't think that "security questions" should even be an option. I don't have a better solution, other than don't forget/lose your password. Maybe a two e-mail verification system. Don't know your password, we send a four digit code to two different e-mail addresses and you have to enter both to access your account.
--
Want the shirt? - »www.despair.com/thedestructor.html
Not affiliated with or making any profit from sales
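The two-address recovery scheme Kilroy sketches, worked through as an added example (this is not code from any poster or from the forum): the server issues one short code per registered e-mail address, keeps only keyed hashes of them, and accepts recovery only when both codes are presented together, inside a time limit and a small attempt budget. The 4-digit length comes from the post; the 3-attempt budget, the 10-minute lifetime and the `outbound` field (which stands in for the two e-mails a real service would send) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 4                     # as in the post: a four-digit code per address
CODE_SPACE = 10 ** CODE_DIGITS      # 10,000 possible values for one code
MAX_ATTEMPTS = 3                    # joint attempts allowed per challenge (assumption)
TTL_SECONDS = 10 * 60               # challenge lifetime (assumption)


def _new_code():
    # secrets.randbelow is uniform; zero-pad so "0042" is a legal code
    return f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"


def _mac(key, code):
    # Only a keyed hash of each code is kept, so a read of the pending-challenge
    # table does not hand out live codes. With a 10,000-value space this guards
    # against casual reads, not against offline search by someone holding the key.
    return hmac.new(key, code.encode(), hashlib.sha256).digest()


class RecoveryChallenge:
    """One pending recovery: two codes, one per registered address, verified jointly."""

    def __init__(self, account_id, emails, now=None):
        if len(emails) != 2 or emails[0] == emails[1]:
            raise ValueError("need two distinct recovery addresses")
        self.account_id = account_id
        self.key = secrets.token_bytes(32)
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.done = False
        codes = [_new_code() for _ in emails]
        self.macs = [_mac(self.key, c) for c in codes]
        # A real service e-mails these; they are returned here so the example runs offline.
        self.outbound = dict(zip(emails, codes))

    def verify(self, code_a, code_b, now=None):
        """True only if both codes match and the challenge is fresh, unused and under budget."""
        now = time.time() if now is None else now
        if self.done or now - self.created > TTL_SECONDS:
            return False
        if self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        # Constant-time compares, combined with & rather than 'and', so the
        # response time does not reveal which half was wrong.
        ok_a = hmac.compare_digest(_mac(self.key, code_a), self.macs[0])
        ok_b = hmac.compare_digest(_mac(self.key, code_b), self.macs[1])
        if ok_a & ok_b:
            self.done = True            # single use
            return True
        return False


def guess_success_probability(attempts=MAX_ATTEMPTS):
    """Chance that someone holding neither mailbox passes by guessing alone.

    Joint verification is what makes the 4-digit length tolerable: the attacker
    has to hit both codes at once (10^8 combinations) within the attempt budget.
    Verifying each code on its own would let them confirm one half at a time.
    """
    return attempts / (CODE_SPACE ** 2)
```

The property the scheme depends on is that the two mailboxes really are independent: if one forwards to the other, or both are reachable with the password being recovered, the second channel adds nothing, which is the daisy-chaining problem Honan describes in his own account further down the thread.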



norwegian
join:2005-02-15
Outback
reply to Snowy

said by Snowy:

Passwords, 2 step verification, secret questions, bogus answers etc...
Just to be sure, that's not the lesson.
The lesson is about not sharing passwords or very similar passwords between domains.

True, however it is only a layer, and my comments still stand; your reply has only multiplied (to the power of itself) the problem we face. You may not have realized just how much you have confirmed my words with that statement, intended or not.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Name Game
join:2002-07-07
Grand Rapids, MI
reply to norwegian

said by norwegian:

As I said, the more sites we visit or need, the more the problem is intensified, be that Mat/Apple, Bill/Bank, Harry/Online Newspaper or Harriett and her online art store. We are venturing into a need for being online, having a plethora of sites we need to log into and a system with no basic standard, no basic sense of security, and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example.

Yes well if you are Mat..you did not complain about security questions.

You do end up with Mat's problem if you do not heed his words on the mistakes he made..which he wants everyone to know..but the blogger only read the first part of his story and then started going off on their own tangent.

This is the lesson in his own words:

I had done some pretty stupid things. Things you shouldn’t do.

I should have been regularly backing up my MacBook. Because I wasn’t doing that, if all the photos from the first year and a half of my daughter’s life are ultimately lost, I will have only myself to blame. I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn’t have used the same e-mail prefix across multiple accounts — mhonan@gmail.com, mhonan@me.com, and mhonan@wired.com. And I should have had a recovery address that’s only used for recovery without being tied to core services.

But, mostly, I shouldn’t have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose your iPhone, or have it stolen, the service lets you see where it is on a map. The New York Times’ David Pogue recovered his lost iPhone just last week thanks to the service. And so, when Apple introduced Find My Mac in the update to its Lion operating system last year, I added that to my iCloud options too.

After all, as a reporter, often on the go, my laptop is my most important tool.

But as a friend pointed out to me, while that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers. You are almost certainly more likely to have your computer accessed remotely than physically. And even worse is the way Find My Mac is implemented.

When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here’s the thing: If someone else performs that wipe — someone who gained access to your iCloud account through malicious means — there’s no way for you to enter that PIN.

A better way to have this set up would be to require a second method of authentication when Find My Mac is initially set up. If this were the case, someone who was able to get into an iCloud account wouldn’t be able to remotely wipe devices with malicious intent. It would also mean that you could potentially have a way to stop a remote wipe in progress.

But that’s not how it works. And Apple would not comment as to whether stronger authentification is being considered.


--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Snowy
join:2003-04-05
Kailua, HI
reply to norwegian

said by norwegian:

True, however it is only a layer, and my comments still stand; your reply has only multiplied (to the power of itself) the problem we face. You may not have realized just how much you have confirmed my words with that statement, intended or not.

You're dead on with that.
Calling mitigation a 'layer' is an intelligent way of looking at it.
I wish I had said that
My post was an extension of yours, not intended to impeach your post reply at all.


norwegian
join:2005-02-15
Outback
reply to Snowy

said by Snowy:

The lesson is about not sharing passwords or very similar passwords between domains.

Another note on your comment - using the same passwords or similar passwords, relative to the security questions most sites use; I believe some of it has been posted here already:

Security questions tend to fall victim to the use of the same questions across domains, and ultimately the same answers become used across those domains. It does highlight the inherent weakness of the authentication system.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
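One way to act on both antdude's practice (random answers, kept written down but encrypted) and the cross-domain answer reuse norwegian describes above: derive a different answer for every site and question from a single master secret, so only that secret has to be stored and no two domains ever receive the same answer. This is an added example, not code from either poster. The character set, the 16-character length and the `version` counter (bump it to rotate one answer without touching the others) are assumptions made for the example. The trade-off is that the master secret is now worth as much as every answer combined, so it belongs in a password manager or other encrypted store.

```python
import hashlib
import hmac
import math
import secrets

# Lower-case letters and digits, minus characters that are easy to mishear or
# misread when an answer has to be read out to a support line (assumption).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"      # 31 symbols
ANSWER_LENGTH = 16                                 # about 79 bits per answer


def new_master_secret():
    """The one value that must be kept (encrypted); everything else is re-derivable."""
    return secrets.token_bytes(32)


def _label(site, question, version):
    # Domain separation: normalise the inputs so "Example.com" / " First pet? "
    # and "example.com" / "first pet?" give the same answer, and join them with
    # NUL, which neither a hostname nor a typed question contains.
    parts = [site.strip().lower(), " ".join(question.split()).lower(), str(version)]
    return "\x00".join(parts).encode()


def _keystream(master_secret, label):
    # HMAC-SHA256 in counter mode used as a PRF: a deterministic byte source
    # that is unpredictable without the master secret. Nothing is encrypted here.
    counter = 0
    while True:
        block = hmac.new(master_secret, label + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for byte in block:
            yield byte
        counter += 1


def derive_answer(master_secret, site, question, version=1, length=ANSWER_LENGTH):
    """Deterministic, site- and question-specific answer; change version to rotate it."""
    # Reject bytes >= 248 (the largest multiple of 31 below 256) so that
    # byte % 31 is uniform instead of slightly favouring the first symbols.
    limit = (256 // len(ALPHABET)) * len(ALPHABET)
    out = []
    for byte in _keystream(master_secret, _label(site, question, version)):
        if byte < limit:
            out.append(ALPHABET[byte % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


def answer_entropy_bits(length=ANSWER_LENGTH, alphabet_size=len(ALPHABET)):
    """Guessing work for one derived answer, for comparison with a real pet's name."""
    return length * math.log2(alphabet_size)
```

The derived string is what gets typed into the site's answer field, so the site sees a random-looking 16-character value that is unique to it; a support agent reading it back will not mistake it for a pet's name, which is fine, because here the answer is functioning as a second password rather than as a memory cue.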



norwegian
join:2005-02-15
Outback
reply to Snowy

Sorry about that - I tend to come across a little strong at times. I am a humble person, just a little passionate about the Internet and its methods.



Snowy
join:2003-04-05
Kailua, HI
reply to norwegian

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.


Snowy
join:2003-04-05
Kailua, HI
reply to norwegian

said by norwegian:

Sorry about that -

The fierceness of the attack was unparalleled in DSLR history...
LOL
We're cool.


norwegian
join:2005-02-15
Outback
reply to Snowy

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

Okay, I will play along with this.

You can engineer a fail-safe system that is perfect; but if it is not designed around the user's needs it becomes ineffective in its end resolve.

You can take a horse to water but you can't make it drink.

This is the dilemma faced.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Snowy
join:2003-04-05
Kailua, HI

said by norwegian:

You can engineer a fail-safe system that is perfect; but if it is not designed around the user's needs it becomes ineffective in its end resolve.

Ok, but the incurable weak link is the user.
Shouldn't the system be held accountable for a weak point that's 100% certain to fail?
There is a system check that would eliminate the common password weak point at a critical stage.
If site A were to ping the associated email account using the same password used for its domain, it would clearly show a common password in use. Then it's just a matter of forcing a unique password.


norwegian
join:2005-02-15
Outback
reply to Name Game

said by Name Game:

Yes well if you are Mat..you did not complain about security questions.

Funny you should say that, in this case especially in regards to security questions:

quote:
When hackers broke into Mat Honan's Apple account late last week, they couldn't answer the security questions designed to verify his identity.
What could he or she answer then? I have read the full story and it seems quite relevant. I will say I've had an issue not related to security questions, but the end result was just as scary:

Let me elaborate;
I had a new bank card lost/stolen twice, the second time it had the new pin with it, because it turned up on a Friday and I had no time to deal with changing it to something I'd remember, the end result was.
1. $800 was taken before I notified the bank to cease all transactions until Monday, when I would present myself in person.
2. There was a phone call placed to reopen the funds by a third party, lift the daily limit to $2,000, which factually had to be processed on paper with your signature according to the rules they had in place, and by the end of the weekend a vast sum had disappeared.
3. I went into the bank Monday and to my surprise, there was very little left in this account. Luckily the manager was understanding and I wasn't rude, but I did get back every penny after I made that first call to close the account.

quote:
No matter, Apple issued them a temporary password anyway setting off a chain of hacks that laid waste to Honan's digital life.
The Apple support - user to keyboard interface virus has infected the Internet?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



JALevinworth

@embarqhsd.net
reply to Snowy

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

That's exactly my take on it and is at the heart of these problems. After all, the system is built by people as well. Development should always include the human factor. It's not how a product is intended to be used that's important - it's how it IS used in reality that needs to be considered in design and re-design.

After all, it is the developers who are tasked with making it secure - I'm not taking a swipe at developers, btw. Used to be one myself. So I know ultimately the responsibility lies at the feet of the corporation in whose employ they are to ensure security. Motivating accountability to design secure systems is yet another hurdle.

Granted, there is a lacking of security training and adherence by end-users - But, they will do what they are asked for the most part (ex: answering honestly a security question).

-Jim


norwegian
join:2005-02-15
Outback

said by JALevinworth :

So I know ultimately the responsibility lies at the feet of the corporation in whose employ they are to ensure security. Motivating accountability to design secure systems is yet another hurdle.
-Jim

And we know big corporations' priorities nowadays do not lie with security and/or an efficient, accurate system, but with keeping shareholders happy.

So many times a short, quick, high-bearing result can turn ugly down the road because of the ramifications of the end results failing long term.

Will we see an authentication process adopted across the board that bypasses the needs of big corporations and sticks to the essence of the matter, secure authentication methodology as a standard, i.e. not patented by one company and charged accordingly?

For the matter of this topic though:
Would allowing the end user make his or her own security questions help the authentication process and help take the weight off the companies involved including liabilities, and provide us with a better system? I don't think it would but it sounds better as a band-aid fix, as long as that same Apple support person did not get involved and just bypass it altogether.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
join:2005-02-15
Outback
reply to antdude

In regards to the Apple support person who bypassed the security questions in Mat's case: in his or her defense, I have seen it numerous times for me, so how they do it for the masses is beyond me.

When authenticating your account, whatever means are required, security questions and the like, as in this case, if you cannot remember the correct login details for the phone conversation or online transaction, and remember you are not allowed to write them down and store them in your wallet, you quite often find your birth date, address etc. become the next line of clearance, similar to the credit card's last 4 numbers in Mat's case. If your wallet is stolen, or somewhere on the Internet your credentials are freely visible, say for argument's sake a Google search gave you enough for the process, then you have already had your accounts hacked, cracked by social engineering (sorry Kilroy, couldn't help it).

The support person cannot be blamed for this, also an inherent weakness in the system's process, and sorry, I don't have a magical answer to it all either.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



JALevinworth

@embarqhsd.net
reply to norwegian

said by norwegian:

said by JALevinworth :

So I know ultimately the responsibility lies at the feet of the corporation in whose employ they are to ensure security. Motivating accountability to design secure systems is yet another hurdle.
-Jim

And we know big corporations' priorities nowadays do not lie with security and/or an efficient, accurate system, but with keeping shareholders happy.

So many times a short, quick, high-bearing result can turn ugly down the road because of the ramifications of the end results failing long term.

Will we see an authentication process adopted across the board that bypasses the needs of big corporations and sticks to the essence of the matter, secure authentication methodology as a standard, i.e. not patented by one company and charged accordingly?

For the matter of this topic though:
Would allowing the end user make his or her own security questions help the authentication process and help take the weight off the companies involved including liabilities, and provide us with a better system? I don't think it would but it sounds better as a band-aid fix, as long as that same Apple support person did not get involved and just bypass it altogether.

To the first part; Exactly. Couldn't have said it better myself.

As to the second; allowing a free-form question is a better alternative but how many end users (now already trained with the standard type questions) would just create one that could be answered with publicly available or easily socially engineered info anyway? Probably many.


JALevinworth

@embarqhsd.net
reply to norwegian

said by norwegian:

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

Okay, I will play along with this.

You can engineer a fail-safe system that is perfect; but if it is not designed around the user's needs it becomes ineffective in its end resolve.

You can take a horse to water but you can't make it drink.

This is the dilemma faced.

Exactly. Not having seen this, I just finished posting the same point (sorry in advance to Snowy too for the unintended duplication).


Name Game
join:2002-07-07
Grand Rapids, MI
reply to antdude

Account recovery is really the issue and that is broken.

»www.oneid.com/thoughts/epic-acco···dnt-help


MaynardKrebs
Heave Steve, for the good of the country
join:2009-06-17
reply to antdude

Apple Hires Former NSA for Security Post

»www.cultofmac.com/78455/apple-hi···ty-post/

Judging from what we've seen, I'd guess that little has been going into consumer-side security. I wonder if this hire was to bolster the NSA's view into Apple customer data in the cloud