<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Topic &#x27;Secret Security Questions Are a Joke&#x27; in forum &#x27;Security&#x27; - dslreports.com</title>
<link>http://www.dslreports.com/forum/Secret-Security-Questions-Are-a-Joke-27409879</link>
<description></description>
<language>en</language>
<pubDate>Sun, 19 May 2013 21:19:07 EDT</pubDate>
<lastBuildDate>Sun, 19 May 2013 21:19:07 EDT</lastBuildDate>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27419751</link>
<description><![CDATA[AVD posted : <div class="bquote"><said>said by <a href="/profile/724762" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=724762');">Kilroy</a>:</said><p>I don't have a better solution, other than don't forget/lose your password.  <br> </p></div>Lose your password, go to a local agent (bestbuy, apple store, dell store) and show your state issued photo ID or passport.<br><br>Edit: actually a local bank would probably do nicely as "local id agent".  <br><small>--<br>--Standard disclaimers apply.--<br>The preceding posting is null and void in Arizona and any other jurisdiction where prohibited by law.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27419751</guid>
<pubDate>Mon, 13 Aug 2012 08:35:55 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417691</link>
<description><![CDATA[dave posted : I feel fairly safe since I didn't grow up in this country and am not famous, so the average hacker would have a hard time finding out where I went to 'high school', or even if I ever went to anything called a high school.<br><br>The only risk is that the pool of possible questions seems a little small, so the 'high school' question is apt to show up on multiple sites; it's therefore got the same risk factor as username-and-password reuse.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417691</guid>
<pubDate>Sun, 12 Aug 2012 10:08:56 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417519</link>
<description><![CDATA[Mele20 posted : Why not answer them truthfully? No one would know my mother's maiden name or my father's astrological sun sign, etc.  Maybe for you tons of people know your mother's maiden name and your father's astrological sun sign but that doesn't mean this would necessarily be true for other folks.  Common sense needs to be applied by each person answering security questions. It is not a blanket deal.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417519</guid>
<pubDate>Sun, 12 Aug 2012 07:44:30 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417506</link>
<description><![CDATA[anon posted : You should NEVER make the answers to security questions "real" or true.<br><br>Some sites allow you to create your own question; make sure the answer doesn't make any sense related to the question.<br><br>Hey we still have people that use the same password for everything, enter all their personal information responding to an email from their "Bank", and give their bank information so their "winnings" can be deposited into their account.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417506</guid>
<pubDate>Sun, 12 Aug 2012 07:31:45 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417492</link>
<description><![CDATA[norwegian posted : Post your passwords to facebook, they should be safe there for when you forget - even list the site they are for in categories. <br><br>/sarcasm :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417492</guid>
<pubDate>Sun, 12 Aug 2012 06:46:12 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417328</link>
<description><![CDATA[Snowy posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>  :D He did give me the answers to all his security questions. ;)<br> </p></div>He messed with your head till the end, goodhearted trooper that he was.<br>Here's the answers to 3 of my security questions that I can recall.<br>1. Alice<br>2. Rust<br>3. nowayjose]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417328</guid>
<pubDate>Sun, 12 Aug 2012 01:18:19 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417222</link>
<description><![CDATA[Name Game posted : <div class="bquote"><said>said by <a href="/profile/795407" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=795407');">Snowy</a>:</said><p><div class="bquote"><said>said by <a href="/profile/156437" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=156437');">dave</a>:</said><p>And of calling the email provider to reset my password because Site A was the 10th site I've been changing my password on today, and all those wrong-password probes from Sites ABCDEFGHIJ have locked out my email account.<br> </p></div>We are talking about security/account hijacking.<br>Looks good to me.<br> </p></div>Friend of mine was going to do that last week..but alas we lost him...was a good man..we all knew him well  :D He did give me the answers to all his security questions. ;)<br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27417222</guid>
<pubDate>Sat, 11 Aug 2012 23:57:58 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27416919</link>
<description><![CDATA[Mele20 posted : That customer code on the bill is NOT my pin number. Plus, Oceanic has a sign now (where the line starts) when you go in to pay your bill that you need to know your pin number because the CSR will ask for it (although they don't ask me for it...but then they all know me). That is the same as with my bank and the security question. The bank asks for it when you are there IN PERSON. Photo ID is not acceptable by itself. PIN must be supplied at the bank and (according to their new sign) at Oceanic customer service desk. Your PIN for Oceanic is 4 numbers but not what is on your bill. Your PIN wouldn't be on your bill for anyone who had access to your bill to see. Besides, your pin would be chosen by you not assigned by Oceanic which is how that customer code is arrived at...it is assigned by Oceanic.<br><br>That Customer code is for those who have TWC phone service which I do not have. The FCC regulation of CPNI applies to phone service not to internet service. So, I still don't know why SOMETIMES Oceanic has asked for my pin when I have called about a Road Runner problem.  I don't get the point of the FCC's requirement if it also applies to something like internet service. You can change your internet service via email and no pin number is asked for. Seems to me the FCC regulation is to protect from outside parties getting access to the phone calls you have made. Another reason to keep a landline (with unpublished and unlisted number even though the monthly fee for that has more than doubled starting next month). Bundling things is never a good idea privacy wise.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27416919</guid>
<pubDate>Sat, 11 Aug 2012 21:27:27 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27416791</link>
<description><![CDATA[Cheese posted : such a beautiful cat! ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27416791</guid>
<pubDate>Sat, 11 Aug 2012 20:28:03 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27416284</link>
<description><![CDATA[workablob posted : <div class="bquote"><said>said by <a href="/profile/352846" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=352846');">antdude</a>:</said><p>http://it.slashdot.org/story/12/08/09/1410231/secret-security-questions-are-a-joke<br> </p></div>My company just gave us all access to our payroll info online and the company that provides it asks you to set a reminder phrase for your password.<br><br>Like if your password is your dog's name they say "use My Dog".<br><br>No need for stinkin' complex passwords on a payroll site.<br><br>Just...WOW! Really? :o<br><br>D'Ave<br><small>--<br>I may have been born yesterday. But it wasn't at night.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27416284</guid>
<pubDate>Sat, 11 Aug 2012 15:47:21 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27416029</link>
<description><![CDATA[DrDrew posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>What throws me is when a different local bank, or the landline phone company here, asks me for the answer to my security question and I have no idea what that is.<br>...<br><br>Then about a year ago, out of nowhere, my cable company suddenly asked me for a pin number when I called them about an internet connection problem. I did not remember ever setting a pin number with them as they had never wanted me to set one as far as I could recall and I didn't think that was necessary anyway with the cable company as I pay my bill in person each month and never login to my billing account at their website which I suppose you can do if you have set it up but I never set anything like that up. Yet, they suddenly demanded a pin number before they would help me with my internet problem.  I had to hang up with no help because I had no idea what it was.  I thought about it for awhile and called back and gave several possible pin numbers (of course, not the same pin numbers I use for automatic teller machines) until the CSR said one of them was the correct one. I still don't understand why they need that and I have not been asked recently when I have called them so something triggers needing it sometimes I guess.<br> </p></div>The "extra" security is required by companies providing phone service (including cable companies) due to a 2007 <A HREF="http://vogtlawfirm.com/pdf/CPNI_Pretext_Order.pdf" >FCC regulation of CPNI</A>. You can usually find your initial PIN code on your billing statement although it may not specifically be called a PIN code. 
They don't need the codes when conducting transactions in person because they should be checking ID instead when making account changes or asking for certain account info.<br><br>On your Oceanic bill the code is listed as your "Customer Code":<br>&raquo;<A HREF="http://www.timewarnercable.com/Hawaii/site.faqs/Accountand/MyServices/MyAccount/MyServices/What-is-a-Customer-Code-and-ho" >www.timewarnercable.com/Hawaii/s&middot;&middot;&middot;e-and-ho</A><br>&raquo;<A HREF="http://www.oceanic.com/help/about_your_bill/read_bill" >www.oceanic.com/help/about_your_&middot;&middot;&middot;ead_bill</A><br><br>Examples from other cable companies requiring PIN codes:<br>Charter: &raquo;<A HREF="http://www.myaccount.charter.com/customers/support.aspx?supportarticleid=1955" >www.myaccount.charter.com/custom&middot;&middot;&middot;eid=1955</A><br>Cox: &raquo;<A HREF="http://ww2.cox.com/residential/centralflorida/support/billing-and-account/article.cox?articleId=b1e549e0-68fe-11df-40b9-000000000000" >ww2.cox.com/residential/centralf&middot;&middot;&middot;00000000</A><br>Comcast: &raquo;<A HREF="http://forums.comcast.com/t5/Voice-Service-and-Equipment/FCC-Regulations-and-Security-PIN/td-p/863267" >forums.comcast.com/t5/Voice-Serv&middot;&middot;&middot;p/863267</A><br><small>--<br>If it's important, back it up... twice. 
<A HREF="http://stopthecap.com/2010/12/27/hawaiian-telcom-phone-lines-and-dsl-broadband-go-dead-for-days-because-it-rained/">Even 99.999% availability isn't enough sometimes.</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27416029</guid>
<pubDate>Sat, 11 Aug 2012 13:39:58 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27415226</link>
<description><![CDATA[Mele20 posted : I was in grad school at the Ohio State University in 1970 and got tear gassed by the National Guard more than once. I was just trying to teach my speech communication class that happened to be in Derby Hall where all the Administration's records were housed in the basement...I wasn't trying to destroy the records. The student riots and then Kent State got OSU shut down for the rest of that spring semester. <br><br>Making up a name is good...IF you can remember it!<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27415226</guid>
<pubDate>Sat, 11 Aug 2012 04:59:14 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27415224</link>
<description><![CDATA[Mele20 posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>I like them too.  Some others that are used at sites one can choose from  include.<br>What is your childhood nickname?<br>What is your father's middle name?<br>What was your mother's maiden name?<br><br>If you want to get fancy just use those questions..but put in info as if it was your spouse for your own account.<br><br>Many other sites are now including a small avatar type graphic that you must confirm..that you chose when setting up the account.  And then even asking if you are now at the login on your home computer or a public one.<br> </p></div>My local bank has been requiring a graphic I chose and must confirm each time I login since about forever....well, not that long, but for a long time now. This is nothing new ....but then my local bank was the FIRST bank  in the nation to have online banking. I got an invitation to join the beta many years ago. I was doing online banking when the percentage of those doing it was very tiny. This bank has won many awards (especially back in the beginning of online banking) as being the best banking site (along with being the best bank in America now for three straight years according to Forbes and others). <br><br>This same bank uses those questions you mentioned and also questions like "Where was your mother born"?  "What is your father's astrological sun sign"?  They have really good questions.  Usually, I am asked two questions. They also request to register your personal computer and have been quite responsive the couple of times, over the years, that I have noticed something not as secure as should be. This bank also practices proper privacy/security by asking for User ID on the first secure page and then collecting your password on the next secure page. 
<br><br>What throws me is when a different local bank, or the landline phone company here, asks me for the answer to my security question and I have no idea what that is. I don't know what triggers the teller/CSR asking for that as it has happened rarely. They won't tell me what the security question is and, when this happened the first time many years ago, and then years later again, at both places I <br>didn't even remember ever setting a security phrase on the phone or bank account. It took me several days to remember because I had no clues at all to help me remember. When I finally recalled it, I was proud of myself because I had used a question (made up by me) and answer that no one but me would know the answer to.  <br><br>Then about a year ago, out of nowhere, my cable company suddenly asked me for a pin number when I called them about an internet connection problem. I did not remember ever setting a pin number with them as they had never wanted me to set one as far as I could recall and I didn't think that was necessary anyway with the cable company as I pay my bill in person each month and never login to my billing account at their website which I suppose you can do if you have set it up but I never set anything like that up. Yet, they suddenly demanded a pin number before they would help me with my internet problem.  I had to hang up with no help because I had no idea what it was.  I thought about it for awhile and called back and gave several possible pin numbers (of course, not the same pin numbers I use for automatic teller machines) until the CSR said one of them was the correct one. I still don't understand why they need that and I have not been asked recently when I have called them so something triggers needing it sometimes I guess.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27415224</guid>
<pubDate>Sat, 11 Aug 2012 04:49:10 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414820</link>
<description><![CDATA[Snowy posted : <div class="bquote"><said>said by <a href="/profile/156437" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=156437');">dave</a>:</said><p>And of calling the email provider to reset my password because Site A was the 10th site I've been changing my password on today, and all those wrong-password probes from Sites ABCDEFGHIJ have locked out my email account.<br> </p></div>We are talking about security/account hijacking.<br>Looks good to me.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414820</guid>
<pubDate>Fri, 10 Aug 2012 23:18:23 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414630</link>
<description><![CDATA[Spy posted : <div class="bquote"><said>said by <a href="/profile/1652067" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1652067');">MaynardKrebs</a>:</said><p>Apple Hires Former NSA for Security Post<br><br>&raquo;<A HREF="http://www.cultofmac.com/78455/apple-hires-former-nsa-for-security-post/" >www.cultofmac.com/78455/apple-hi&middot;&middot;&middot;ty-post/</A><br><br>Judging from what we've seen, I'd guess that little has been going into consumer-side security. I wonder if this hire was to bolster the NSA's view into Apple customer data in the cloud<br> </p></div>shit not the NSA again, my plastic gloves and garter belts need repairing so i will be forced to buy more blow up dolls with puckered lips if you keep mentioning that agency. :(]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414630</guid>
<pubDate>Fri, 10 Aug 2012 22:04:40 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414389</link>
<description><![CDATA[Name Game posted : You must only use sites that give you the pledge.  :D]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414389</guid>
<pubDate>Fri, 10 Aug 2012 20:39:30 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414333</link>
<description><![CDATA[StuartMW posted :  <BLOCKQUOTE><SMALL>quote:</SMALL><HR>Bridgekeeper: Hee hee heh. Stop. <b>What... is your name?</b><br>King Arthur: It is 'Arthur', King of the Britons.<br>Bridgekeeper: <b>What... is your quest?</b><br>King Arthur: To seek the Holy Grail.<br>Bridgekeeper: <a href="http://www.imdb.com/title/tt0071853/quotes"><b>What... is the air-speed velocity of an unladen swallow?</b></a><br>King Arthur: What do you mean? An African or European swallow?<br>Bridgekeeper: Huh? I... I don't know that.<br><HR></BLOCKQUOTE><br>Didn't work out so well for the Bridgekeeper  ;)<br><small>--<br>Don't feed trolls--it only makes them grow!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414333</guid>
<pubDate>Fri, 10 Aug 2012 20:24:04 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414206</link>
<description><![CDATA[dave posted : <div class="bquote"><said>said by <a href="/profile/795407" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=795407');">Snowy</a>:</said><p>If site A were to ping the associated email account using the same password used for its domain it would clearly show a common password in use. Then it's just a matter of forcing a unique password.<br> </p></div>And of calling the email provider to reset my password because Site A was the 10th site I've been changing my password on today, and all those wrong-password probes from Sites ABCDEFGHIJ have locked out my email account.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414206</guid>
<pubDate>Fri, 10 Aug 2012 19:34:42 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414198</link>
<description><![CDATA[dave posted : My Amazon Web Services security <u>questions</u> are:<br><br>Security Response #1?<br>Security Response #2?<br>Security Response #3?<br><br>(this is one of the choices offered by AWS, not something I made up)<br><br>which gets round the public-records aspects of the matter, but it means now I have to remember a three-part password that I never use, just in case I forget the password that I use more frequently. So while this seemed like a good idea at the time, now I'm not so sure.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414198</guid>
<pubDate>Fri, 10 Aug 2012 19:32:27 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414032</link>
<description><![CDATA[MaynardKrebs posted : Apple Hires Former NSA for Security Post<br><br>&raquo;<A HREF="http://www.cultofmac.com/78455/apple-hires-former-nsa-for-security-post/" >www.cultofmac.com/78455/apple-hi&middot;&middot;&middot;ty-post/</A><br><br>Judging from what we've seen, I'd guess that little has been going into consumer-side security. I wonder if this hire was to bolster the NSA's view into Apple customer data in the cloud]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27414032</guid>
<pubDate>Fri, 10 Aug 2012 18:38:50 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413701</link>
<description><![CDATA[Name Game posted : Account recovery is really the issue and that is broken.<br><br>&raquo;<A HREF="http://www.oneid.com/thoughts/epic-account-hack-two-factor-authentication-wouldnt-help" >www.oneid.com/thoughts/epic-acco&middot;&middot;&middot;dnt-help</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413701</guid>
<pubDate>Fri, 10 Aug 2012 16:59:15 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413437</link>
<description><![CDATA[anon posted : <div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p><div class="bquote"><said>said by <a href="/profile/795407" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=795407');">Snowy</a>:</said><p><div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p>... It does highlight the inherent weakness of the authentication system.<br> </p></div>Hmm, OK, that I'd be willing to debate.<br>The weakness is not the 'system' as much as it is the users.<br>But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.<br> </p></div>Okay, I will play along with this.<br><br>You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.<br><br>You can take a horse to water but you can't make it drink.<br><br>This is the dilemma faced.<br> </p></div>Exactly.  Not having seen this, I just finished posting the same point (sorry in advance to Snowy too for the unintended duplicity)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413437</guid>
<pubDate>Fri, 10 Aug 2012 16:37:17 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413535</link>
<description><![CDATA[anon posted : <div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p><div class="bquote"><said>said by JALevinworth :</said><p>So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security.  Motivating accountability to design secure systems is yet another hurdle.<br>-Jim<br> </p></div>And we know big corporations' priorities nowadays do not lie with security and / or an efficient accurate system, but with keeping share holders happy.<br><br>So many times a short quick high bearing result, can turn ugly down the road because of the ramifications of the end results failing long term.<br><br>Will we see an authentication process adopted across the board that bypasses the needs of big corporations and stick to the essence of the matter, secure authentication methodology as a standard, IE, not patented by one company and charged accordingly?<br><br>For the matter of this topic though:<br>Would allowing the end user make his or her own security questions help the authentication process and help take the weight off the companies involved including liabilities, and provide us with a better system? I don't think it would but it sounds better as a band-aid fix, as long as that same Apple support person did not get involved and just bypass it altogether.<br> </p></div>To the first part; Exactly. Couldn't have said it better myself.<br><br>As to the second; allowing a free-form question is a better alternative but how many end users (now already trained with the standard type questions) would just create one that could be answered with publicly available or easily socially engineered info anyway?  Probably many.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413535</guid>
<pubDate>Fri, 10 Aug 2012 16:36:58 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413565</link>
<description><![CDATA[norwegian posted : In regards to the Apple support person who bypassed the security questions in Mat's case. In his or her defense, I have seen it numerous times for me, so how they do it for the mass is beyond me.<br><br>When authenticating your account, whatever means required, security questions and the like, as in this case, if you can not remember the correct login details for the phone conversation or online transaction, and remember you are not allowed to write them and store in your wallet, you quite often find your birth date, address etc become the next line of clearance, similar to the credit card's last 4 numbers in Mat's case. If your wallet is stolen or somewhere on the Internet your credentials are freely visible, say for argument's sake a google search gave you enough for the process, then you have already had your accounts hacked, cracked by social engineering (sorry  Kilroy couldn't help it).<br><br>The support person can not be blamed for this also inherent weakness in the system's process and sorry I don't have a magical answer to it all either.<br><small>--<br>The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke<br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413565</guid>
<pubDate>Fri, 10 Aug 2012 16:22:14 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413481</link>
<description><![CDATA[norwegian posted : <div class="bquote"><said>said by JALevinworth :</said><p>So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security.  Motivating accountability to design secure systems is yet another hurdle.<br>-Jim<br> </p></div>And we know big corporations' priorities nowadays do not lie with security and / or an efficient accurate system, but with keeping shareholders happy.<br><br>So many times a short quick high bearing result, can turn ugly down the road because of the ramifications of the end results failing long term.<br><br>Will we see an authentication process adopted across the board that bypasses the needs of big corporations and stick to the essence of the matter, secure authentication methodology as a standard, IE, not patented by one company and charged accordingly?<br><br>For the matter of this topic though:<br>Would allowing the end user make his or her own security questions help the authentication process and help take the weight off the companies involved including liabilities, and provide us with a better system? I don't think it would but it sounds better as a band-aid fix, as long as that same Apple support person did not get involved and just bypass it altogether.<br><small>--<br>The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke<br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413481</guid>
<pubDate>Fri, 10 Aug 2012 16:03:47 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413392</link>
<description><![CDATA[anon posted : <div class="bquote"><said>said by <a href="/profile/795407" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=795407');">Snowy</a>:</said><p><div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p>... It does highlight the inherent weakness of the authentication system.<br> </p></div>Hmm, OK, that I'd be willing to debate.<br>The weakness is not the 'system' as much as it is the users.<br>But then I suppose <b>it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.</b><br> </p></div>That's exactly my take on it and is at the heart of these problems.  After all, the system is built by people as well.  Development should always include the human factor.  It's not how a product is intended to be used that's important - it's how it IS used in reality that needs to be considered in design and re-design.<br><br>After all it is the developers who are tasked with making it secure - I'm not taking a swipe at developers, btw.  Used to be one myself.  So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security.  Motivating accountability to design secure systems is yet another hurdle.<br><br>Granted, there is a lacking of security training and adherence by end-users - But, they will do what they are asked for the most part (ex: answering honestly a security question).<br><br>-Jim]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413392</guid>
<pubDate>Fri, 10 Aug 2012 15:46:45 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413394</link>
<description><![CDATA[norwegian posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>Yes well if you are Mat..you did not complain about security questions.  <br> </p></div>Funny you should say that, in this case especially in regards to security questions:<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>When hackers broke into Mat Honan's Apple account late last week, <b>they couldn't answer the security questions designed to verify his identity.</b><HR></BLOCKQUOTE><br><br>What could he/her answer then? I have read the full story and it seems quite relevant. I will say I've had an issue not relative to security questions, but the end result was just as scary:<br><br>Let me elaborate; <br>I had a new bank card lost/stolen twice, the second time it had the new pin with it, because it turned up on a Friday and I had no time to deal with changing it to something I'd remember, the end result was.<br>1. $800 was taken before I notified the bank to seize all transactions until Monday when I would present myself in person.<br>2. There was a phone call placed to reopen the funds by a third party, lift the daily limit to $2,000, which factually had to be processed on paper with your signature according to the rules they had in place, and by the end of the weekend a vast sum had disappeared.<br>3. I went into the bank Monday and to my surprise, there was very little left in this account. Luckily the manager was understanding and I wasn't rude, but I did get back every penny after I made that first call to close the account.<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR><b>No matter, Apple issued them a temporary password anyway</b> setting off a chain of hacks that laid waste to Honan's digital life.<HR></BLOCKQUOTE><br><br>The Apple support - user to keyboard interface virus has infected the Internet? 
:) <br><small>--<br>The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke<br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413394</guid>
<pubDate>Fri, 10 Aug 2012 15:45:38 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413375</link>
<description><![CDATA[Snowy posted : <div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p>You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.<br> </p></div>Ok, but the incurable weak link is the user.<br>Shouldn't the system be held accountable for a weak point that's 100% certain to fail?<br>There is a system check that would eliminate the common password weak point at a critical stage.<br>If site A were to ping the associated email account using the same password used for its domain it would clearly show a common password in use. Then it's just a matter of forcing a unique password.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413375</guid>
<pubDate>Fri, 10 Aug 2012 15:41:52 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413285</link>
<description><![CDATA[norwegian posted : <div class="bquote"><said>said by <a href="/profile/795407" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=795407');">Snowy</a>:</said><p><div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p>... It does highlight the inherent weakness of the authentication system.  <br> </p></div>Hmm, OK, that I'd be willing to debate.<br>The weakness is not the 'system' as much as it is the users.<br>But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.<br> </p></div>Okay, I will play along with this. <br><br>You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.<br><br>You can take a horse to water but you can't make it drink.<br><br>This is the dilemma faced.<br><small>--<br>The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke<br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413285</guid>
<pubDate>Fri, 10 Aug 2012 15:26:58 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413266</link>
<description><![CDATA[Snowy posted : <div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p>Sorry about that - <br> </p></div>The fierceness of the attack was unparalleled in DSLR history...<br>LOL<br>We're cool. :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413266</guid>
<pubDate>Fri, 10 Aug 2012 15:23:37 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413255</link>
<description><![CDATA[Snowy posted : <div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p>... It does highlight the inherent weakness of the authentication system.  <br> </p></div>Hmm, OK, that I'd be willing to debate.<br>The weakness is not the 'system' as much as it is the users.<br>But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413255</guid>
<pubDate>Fri, 10 Aug 2012 15:20:41 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413231</link>
<description><![CDATA[norwegian posted : <br>Sorry about that - I tend to come across a little strong at times, I am a humble person, just a little passionate on the Internet and its methods. :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413231</guid>
<pubDate>Fri, 10 Aug 2012 15:16:22 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413224</link>
<description><![CDATA[norwegian posted : <div class="bquote"><said>said by <a href="/profile/795407" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=795407');">Snowy</a>:</said><p>The lesson is about not sharing passwords or very similar passwords between domains.<br> </p></div>Another note on your comment - using the same passwords or similar passwords when relative to the security questions most sites use; I believe some of it has been posted here already:<br><br>Security questions tend to fall victim for the use of the same questions across domains and ultimately the same answers become used across those domains. It does highlight the inherent weakness of the authentication system.  <br><small>--<br>The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke<br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413224</guid>
<pubDate>Fri, 10 Aug 2012 15:14:45 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413223</link>
<description><![CDATA[Snowy posted : <div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p>True, however it is only a layer, and my comments still stand, your reply has only multiplied (to the power of itself) of the problem we face. You may not have realized just how much you have confirmed my words with that statement, intended or not. <br> </p></div>You're dead on with that.<br>Calling mitigation a 'layer' is an intelligent way of looking at it.<br>I wish I had said that  :)<br>My post was an extension of yours, not intended to impeach your post reply at all.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413223</guid>
<pubDate>Fri, 10 Aug 2012 15:14:31 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413183</link>
<description><![CDATA[Name Game posted : <div class="bquote"><p>As I said, the more sites we visit or need, the problem is intensified, be that Mat/Apple, Bill/Bank, Harry/Online Newspaper or Harriett and her online art store. We are venturing into a need for being on line, having a plethora of sites we need to log into and a system with no basic standard, no basic sense of security and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example.<br><br> <br> </p></div>Yes well if you are Mat..you did not complain about security questions.  <br><br>You do end up with Mat's problem if you do not heed his words on the mistakes he made..which he wants everyone to know..but the blogger only read the first part of his story and then start going off on their own tangent.  ;)<br><br>This is the lesson in his own words:<br><br><div class="bquote"><p>I had done some pretty stupid things. Things you shouldn’t do.<br><br>I should have been regularly backing up my MacBook. Because I wasn’t doing that, if all the photos from the first year and a half of my daughter’s life are ultimately lost, I will have only myself to blame.<b> I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn’t have used the same e-mail prefix across multiple accounts — mhonan@gmail.com, mhonan@me.com, and mhonan@wired.com. And I should have had a recovery address that’s only used for recovery without being tied to core services.</b><br><br>But, mostly, I shouldn’t have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose your iPhone, or have it stolen, the service lets you see where it is on a map. The New York Times’ David Pogue recovered his lost iPhone just last week thanks to the service. 
And so, when Apple introduced Find My Mac in the update to its Lion operating system last year, I added that to my iCloud options too.<br><br>After all, as a reporter, often on the go, my laptop is my most important tool.<br><br>But as a friend pointed out to me, while that service makes sense for phones (which are quite likely to be lost) it makes less sense for computers. You are almost certainly more likely to have your computer accessed remotely than physically. And even worse is the way Find My Mac is implemented.<br><br>When you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so that the process can be reversed. But here’s the thing: If someone else performs that wipe — someone who gained access to your iCloud account through malicious means — there’s no way for you to enter that PIN.<br><br>A better way to have this set up would be to require a second method of authentication when Find My Mac is initially set up. If this were the case, someone who was able to get into an iCloud account wouldn’t be able to remotely wipe devices with malicious intent. It would also mean that you could potentially have a way to stop a remote wipe in progress.<br><br>But that’s not how it works. And Apple would not comment as to whether stronger authentification is being considered.</p></div><br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413183</guid>
<pubDate>Fri, 10 Aug 2012 15:05:45 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413151</link>
<description><![CDATA[norwegian posted : <div class="bquote"><said>said by <a href="/profile/795407" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=795407');">Snowy</a>:</said><p>Passwords, 2 step verification, secret questions, bogus answers etc...<br>Just to be sure, that's not the lesson.<br>The lesson is about not sharing passwords or very similar passwords between domains.<br> </p></div>True, however it is only a layer, and my comments still stand, your reply has only multiplied (to the power of itself) of the problem we face. You may not have realized just how much you have confirmed my words with that statement, intended or not. <br><small>--<br>The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke<br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413151</guid>
<pubDate>Fri, 10 Aug 2012 14:58:02 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413150</link>
<description><![CDATA[Kilroy posted : The real problem I see is that people close to you probably know the answers.  Sure they may keep people you don't know out, but people who know you can cause issues.  Normally not an issue, but ask anyone who has gone through an ugly divorce how nasty things can get.<br><br>The other thing is some of the questions have answers that change, "Who is your favorite author/band/etc.".<br><br>Personally I don't think that "security questions" should even be an option.  I don't have a better solution, other than don't forget/lose your password.  Maybe a two e-mail verification system.  Don't know your password, we send a four digit code to two different e-mail addresses and you have to enter both to access your account.<br><small>--<br>Want the shirt? - &raquo;<A HREF="http://www.despair.com/thedestructor.html" >www.despair.com/thedestructor.html</A><br>Not affiliated or making any profit from sales</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413150</guid>
<pubDate>Fri, 10 Aug 2012 14:57:51 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413117</link>
<description><![CDATA[Snowy posted : <div class="bquote"><said>said by <a href="/profile/1159554" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1159554');">norwegian</a>:</said><p> and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example.<br> </p></div>Passwords, 2 step verification, secret questions, bogus answers etc...<br>Just to be sure, that's not the lesson.<br>The lesson is about not sharing passwords or very similar passwords between domains.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413117</guid>
<pubDate>Fri, 10 Aug 2012 14:50:13 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413082</link>
<description><![CDATA[anon posted : Well said,  norwegian <A HREF="/useremail/u/1159554"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A><br><br>-Jim]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413082</guid>
<pubDate>Fri, 10 Aug 2012 14:46:00 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413087</link>
<description><![CDATA[hortnut posted : I graduated in 1970, just after Woodstock, the Summer of Love, the Riots, Height of Vietnam, Sit ins, etc.<br><br>Anyway I just made something up in my head based on my Friend's older brother's features.<br><br>Yep it seems dumb, but no one is going to guess my answer.<br><br>Worked at the turn of the Century for a Telco ISP and we had two factor authentication then [only those with that Telco could have a Dial up Account].  Came across some pretty silly and strange names.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27413087</guid>
<pubDate>Fri, 10 Aug 2012 14:44:17 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412989</link>
<description><![CDATA[norwegian posted : I don't use a lot of sites with security questions......do they allow lower case and higher case letters as such?<br><br>--------------<br><br>Back to my thoughts:<br><br>To me it starts to go back to how many sites, how many passwords, etc etc. While I understand this is about security questions, it is still relevant to some extent with passwords or any other form of authentication on the Internet...that is:<br><br>The more sites we visit with some form of authentication, the more we have to remember..for instance, our work on on tool has so much restriction on re-using passwords within a certain time frame, that it is weakening the password structure and as such I'm now answering with words for passwords not so dissimilar to answers for security questions to make it easy for my memory.<br><br>Security questions to me are very weak. Generally speaking, the general public <i>will</i> use legitimate answers, and hence they generally become a weak link.....half a dozen security experts can say they use obscure wording for these answers, and it is good, it helps educate us on the possibilities; however if the vast general public does not, then it is flawed, extremely flawed to start with - its no different in the discussion I have on facebook - you can use tools or you don't - the mass general public do not, and this needs to be addressed.<br><br>As I said, the more sites we visit or need, the problem is intensified, be that Mat/Apple, Bill/Bank, Harry/Online Newspaper or Harriett and her online art store. We are venturing into a need for being on line, having a plethora of sites we need to log into and a system with no basic standard, no basic sense of security and if you mix them all up, you end up with Mat and Apple/Amazon.....as an example.<br><br> Edit:grammer/spell<br><small>--<br>The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke<br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412989</guid>
<pubDate>Fri, 10 Aug 2012 14:21:32 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412712</link>
<description><![CDATA[Name Game posted : <div class="bquote"><said>said by <a href="/profile/1267764" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1267764');">hortnut</a>:</said><p>My take on this is mirrored in other's answers.<br><br>I happen to like the questions.<br><br>But no one is going to know the High School I graduated from, nor the first street name, first pet name and so on.<br><br>I pull some information from over 150 years ago, some is from imaginary cities or cities I would like to live in and such other ilk. <br><br>For me it is consistent, but not sure how someone could deduce it from any public records.  Not even friends know cities I would like to live in.  When bored, use Google Maps to visit these places.<br><br>For a pet's name, sometime will give best friend's from high school dogs name.<br> </p></div>I like them too.  Some others that are used at sites one can choose from  include.<br>What is your childhood nickname?<br>What is your father's middle name?<br>What was your mother's maiden name?<br><br>If you want to get fancy just use those questions..but put in info as if it was your spouse for your own account.<br><br>Many other sites are now including a small avatar type graphic that you must confirm..that you chose when setting up the account.  And then even asking if you are now at the login on your home computer or a public one.<br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412712</guid>
<pubDate>Fri, 10 Aug 2012 13:17:50 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412476</link>
<description><![CDATA[Name Game posted : BTW  this is the actual full article that blogger cut and pasted without the link posted at slashdot forum thingie...<br><br>&raquo;<A HREF="http://www.theatlantic.com/technology/archive/2012/08/security-questions-the-biggest-joke-in-online-identity-verification/260835/" >www.theatlantic.com/technology/a&middot;&middot;&middot;/260835/</A><br><br>Rosen article not only was about Mat..she tried to spin it into something that had nothing to do with the event.<br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412476</guid>
<pubDate>Fri, 10 Aug 2012 12:26:01 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412426</link>
<description><![CDATA[Name Game posted : Don't be silly..you can talk about what you wish..I posted about what was found in the link..don't know if you read all the comments in that link..but I will tell you..the person who started that discussion at that link..then associating it even remotely with Mat made the same mistakes others have by not reading his own account of exactly what really happened and have no understanding on Apple's security questions. Mat has even made that clear on his twitter. What they have read is other bloggers accounts of what they think happened.<br>&raquo;<A HREF="http://twitter.com/mat" >twitter.com/mat</A><br><br>The link contained this statement "But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers."<br>To that I say bullshit again.<br><br> The rest of the stuff you just posted..I have no idea what you are talking about..but it seems you do..so have a great day<br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412426</guid>
<pubDate>Fri, 10 Aug 2012 12:11:46 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411763</link>
<description><![CDATA[anon posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>The questions are secure enough..they are not a wasted security step..if anything you should be calling them second, third and even in some cases fourth passwords.  Is that what you wanted to hear ? </p></div>Once again, I'm totally at a loss where you're coming from concerning my words and now my thoughts.  But ok, I'll play along.....  No, that's not what I wanted to hear.  I guess if I wanted to hear anything it would have been something acknowledging that you didn't realize you weren't in the Apple/Matt thread and therefore didn't realize you were crapping antdude's thread and a decent conversation on the general topic of password questions that was in progress.  I say that only because you asked.<br><br><div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>And this is about Apple since they just bypassed that whole process and gave up the farm for Mat.  I call blogs and posting like the OP found nothing but copycat blog.<br>[snip]<br>I read the Title..it is the same stupid title used by the person who blogged the stuff and nothing to do with antdude.<br>It is a weak title this week for the info at the link.  :D<br> </p></div>*Sigh* - I am editing out what I would have said to minimize my reply here in respect to the thread, the OP, and the other posters.<br><br>Honestly, Name Game. Your replies to me confused me not only here but previously (even sans edits).  They attribute words and thoughts to me I don't understand how you got.  I even questioned that you didn't have me confused with someone else.  
Adding to that the additional postings you added which are a follow up the Apple/Matt thing (google 2-step) and not about the topic here but seemed to me were intended for that topic thread.  My only explanation was thinking you were making an honest mistake.  I understand now your intent is clearly to be here.<br><br>I hope you'll allow the conversation about how password questions <i>in general</i> are weak to continue at this point.<br><br>-Jim]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411763</guid>
<pubDate>Fri, 10 Aug 2012 11:28:39 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412145</link>
<description><![CDATA[antdude posted : I just put random answers and do write these down, encrypted.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27412145</guid>
<pubDate>Fri, 10 Aug 2012 11:02:15 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411715</link>
<description><![CDATA[AVD posted : "What was your first pet's name?"<br>pIZZA<br><br>"Where was your brother born?"<br>pIZZA<br><br>"What is your maternal grandmother's first name"<br>pIZZA<br><br>"What is your favorite food?"<br>eLENORE<br><small>--<br>--Standard disclaimers apply.--<br>The preceding posting is null and void in Arizona and any other jurisdiction where prohibited by law.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411715</guid>
<pubDate>Fri, 10 Aug 2012 09:06:17 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411668</link>
<description><![CDATA[Spy posted : they should just make the questions better, like how many times do you use plastic see through gloves when you use the toilet in a week or something like that.  :D]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411668</guid>
<pubDate>Fri, 10 Aug 2012 08:50:53 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411644</link>
<description><![CDATA[rcdailey posted : My wife told me that every cat has a secret name.  If you knew your cat's secret name, you could use that as a hint, but your cat won't tell you.  <br><small>--<br>It is easier for a camel to put on a bikini than an old man to thread a needle.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411644</guid>
<pubDate>Fri, 10 Aug 2012 08:41:15 EDT</pubDate>
</item>

<item>
<title>Re: Secret Security Questions Are a Joke</title>
<link>http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411639</link>
<description><![CDATA[rcdailey posted : I think they are more like hiding a key in a glass jar under the bushes next to the back door.  <br><small>--<br>It is easier for a camel to put on a bikini than an old man to thread a needle.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Secret-Security-Questions-Are-a-Joke-27411639</guid>
<pubDate>Fri, 10 Aug 2012 08:38:27 EDT</pubDate>
</item>

</channel>
</rss>
