Secret Security Questions Are a Joke 408
Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden's name,' concludes Rosen. Passwords have reached the end of their useful life adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"
Re:Simple solution (Score:3, Interesting)
Mine is, "What do you hate about c++?" when it is optional. People are good at making up their own questions if they care. And security is only as good as you care about it. It is impossible to force people to use security despite the attempts.
Re:Simple solution (Score:5, Interesting)
Hell I did it with Blizzard for what, $30 and I got a plush toy.
This has always bothered me. My Blizzard and SWTOR accounts have much stronger authentication (from a user perspective; not sure about the underlying technical security measures) schemes than my bank account. My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use. They also have no form of secondary authentication, such as Blizzard's Battle.net Authenticator. Finally, their security questions are a joke, all along the lines of those mentioned in TFS--"What is your mother's maiden name" and the like.
My solution to bad security questions? Answer unasked questions. What's your mother's maiden name? Pepperoni pizza. What street did you live on? Empire State Building. Then use different answers for different sites, like you should your passwords. Just be sure you can keep track of them--either an encrypted file or a password manager program.
Then make it simple... use an algorithm! (Score:5, Interesting)
Use an algorithm.
Use real answers, but replace vowels with the letter Q. (for example)
Mother's maiden name: Smith => SmQth
First pet: Spot => SpQt
Just make up a general rule. This is what I do with my passwords. They are based on a rule that I can remember. Then you can apply that rule to any password.
Like switch the first and last letters. Smith = hmitS, Spot = tpoS. Or use numbers. Or a combination. It quickly looks like nonsense, but if you use a rule then you can apply it. Or change it. If you have to change a password, then switch from using Q to W, then E, then R, then T, etc.
You can even write down your rule in plain site. If I wrote down "flip Q" as a reminder, it would remind me to flip the first and last letters, then replace vowels with Q.
And I just came up with this one for this post. The one I actually used is based on something nobody could guess, and has been altered over the years so that I am the only one that knows it. And it works! I still remember an intern at my first job left to go back to school in 1994, and he told me his unix password in case I needed to get into his account. It was CIrpotb, (Clearly I remember picking on the boy,) from Pearl Jam's song Jeremy.
Re:Simple solution (Score:5, Interesting)
I do similar, but with a wildcard subdomain so user@something.mydomain.com, the reasons for this are:
1, spammers will try to brute force common email account names once they get a domain to target
2, i can override the wildcard by creating specific mx records for a given hostname, and thus lose the spam without my mailserver having to process it at all, usually i redirect it to the mx records of the server that sold me out.