

JALevinworth

@embarqhsd.net

reply to antdude

Re: Secret Security Questions Are a Joke

said by »it.slashdot.org/story/12/08/09/1···e-a-joke :
"...But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you."

As per: "Part of the problem is that a good security question is hard to design" - IMHO the real problem is not the question, but the answer to which most are trained to answer truly.

Most either assume or feel required to give the correct and honest answer to these questions - as if there is some way for an authority to validate those answers legally somewhere down the road if challenged.

There is no authority that presently can/will validate true answers to these questions (SSI nor DMV nor Birth Certificates, nor issuing banks that use them) if so challenged - but many/most people feel compelled to give the correct answers as if that may be true.

The solution is that individuals need to use alternative answers only known to them. Of course one needs to remember these answers, but consistently done it's just as easy as using the true, honest answer - but far, far more secure. This is what I have always done and teach others to do also.

Ex: What's your mother's maiden name? - Use your pet's name, or use your middle name, or your grandmother's middle name or use something random - as long as you can remember what that is (consistency helps), and most importantly that only you know what your alternative answer is.

-Jim


Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI

said by JALevinworth :

Ex: What's your mother's maiden name? - Use your pet's name, ...

Absolutely.
Mix it up & keep 'em guessing.
I'll frequently borrow a pet's name when it comes to online verifications.
My user name on this site is actually one of my cats' names.


CylonRed
Premium,MVM
join:2000-07-06
Bloom County

reply to JALevinworth
Problem is remembering what was used - that is why people answer them 'honestly' and truthfully. Many have to use the questions to begin with that by the time it is needed - people do not remember the one they used.

I have this issue with my birthplace - once I used the city my family lived in when I was born instead of the city name in the hospital (where I really was born). I continually locked myself out of the website because I could not remember which one I used. I figured the one I switched to would be easier to remember - I was wrong.
--
Brian

"It drops into your stomach like a Abrams's tank.... driven by Rosanne Barr..." A. Bourdain



JALevinworth

@embarqhsd.net

said by CylonRed:

Problem is remembering what was used - that is why people answer them 'honestly' and truthfully. Many have to use the questions to begin with that by the time it is needed - people do not remember the one they used.

I totally agree that it's easy to forget, and that's why consistency is key to remembering what these alternative answers are. That way when you do have to use the reminder it's not that hard to remember the alternative set - Far less hard than remembering passwords which always should be unique and not consistent.

Even more secure is mixing them up, as Snowy suggests too, but still using consistent alternate answers is still a far better system to have something else, anything else, than data that can be found elsewhere such as public records or even through social engineering.

-Jim

over 13.5 years online © 1999-2013 dslreports.com.