
Secret Security Questions Are a Joke

timothy posted more than 2 years ago | from the totally-true-thesis dept.

Crime 408

Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden name,' concludes Rosen. Passwords have reached the end of their useful life, adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"


408 comments


Simple solution (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40931583)

Let people design their own question.

Re:Simple solution (2, Insightful)

MightyYar (622222) | more than 2 years ago | (#40931693)

But the lazy will make questions like "What is 2+2?" or other such nonsense.

Re:Simple solution (5, Insightful)

fredprado (2569351) | more than 2 years ago | (#40931799)

And they are within their rights to do so and suffer the consequences for it.

Re:Simple solution (5, Insightful)

Isaac-1 (233099) | more than 2 years ago | (#40931847)

And as long as you always answer 42, or 416 what is the problem with that?

Re:Simple solution (4, Insightful)

MightyYar (622222) | more than 2 years ago | (#40931909)

I don't think that would fly. If a person's bank account gets hacked, the bank usually (always?) picks up the tab. It's in their interests to get people to bank online - it is significantly cheaper than hiring tellers. If I were on the hook for security flaws at the bank, I'd never bank online.

Re:Simple solution (2)

zero.kalvin (1231372) | more than 2 years ago | (#40932141)

Happened to me a week ago! My contact at the bank told me that it will take at least a month for the bank to pick up the tab, but I checked my account last night and they gave me back the money (about 1400 euros or 1700 USD). If people wind up thinking that banks are not secure and you don't get reimbursed, then who in their right mind will ever use one again?

Re:Simple solution (3, Interesting)

Anonymous Coward | more than 2 years ago | (#40931897)

Mine is, "What do you hate about c++?" when it is optional. People are good at making up their own questions if they care. And security is only as good as you care about it. It is impossible to force people to use security despite the attempts.

Re:Simple solution (3, Insightful)

MightyYar (622222) | more than 2 years ago | (#40932051)

At the same time, expecting people to be security experts is not going to be successful. You might have a good grasp of it, but chances are you have some exposure to it. It might not occur to your proverbial grandma that people can track down her mother's name.

Re:Simple solution (1)

bluefoxlucid (723572) | more than 2 years ago | (#40932183)

I usually put garbage in my security questions. And forget it. "Where were you born?" "In the back seat of a greyhound bus rollin' down highway 41." "What high school did you go to?" "Blowjob High." "What is your mother's maiden name?" "*@^*@G*UHU

Please answer your security question: where were you born? Uh. Somewhere? Hospital? Chicken? Dokoka ...

Re:Simple solution (5, Insightful)

NeutronCowboy (896098) | more than 2 years ago | (#40931707)

Even simpler solution: design your own answers. Yes, you'll get funny silences over the phone when you tell the rep that you were born "On the moon", that the street you grew up on was "the yellow brick road", and that your mother's maiden name was Humpty Dumpty. The upshot is that no one can guess, the answers are meaningful to only you, there is only one answer (the fake, important name and place), and, because the answers are whatever you think they should be, applicable.

Re:Simple solution (4, Insightful)

Hognoxious (631665) | more than 2 years ago | (#40931795)

The problem is that if you don't use them very often (say only for a password reset) it's easy to forget what answers you gave.

One trick is to give true answers, but for someone else, i.e. you answer as if you were Linus Torvalds or Queen Victoria. But then you still have to remember who ...

Re:Simple solution (2, Funny)

Anonymous Coward | more than 2 years ago | (#40931837)

Yup. I had an embarrassing phone conversation with my state's tax department because a year earlier I set the secret question to "What is the password?" and a year later I had naturally forgotten the answer.

Re:Simple solution (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40931797)

So now you have to remember nonsensical answers to every important site you use, in addition to a password. You can't use the same answers everywhere, because when one gets hacked, all other account security questions are vulnerable.

In other words, passwords aren't secure, so let's use even more of them! This is like saying credit card numbers get stolen, so the solution is to add some more to the back of the card.

Re:Simple solution (5, Funny)

PerfectionLost (1004287) | more than 2 years ago | (#40931825)

I had a friend who built an entire fake persona that she used to answer her security questions. Address, parents, pets, you name it.

In hindsight she was probably a little schizophrenic.

Re:Simple solution (1)

cpu6502 (1960974) | more than 2 years ago | (#40931875)

I use my GRANDmother's maiden name. Since she hasn't used it since circa 1925 I figure it will be very difficult to locate.

Re:Simple solution (1)

shadowrat (1069614) | more than 2 years ago | (#40931953)

Hmm, i never thought i would have to give the answer to my security questions over the phone. I always fill them in with an 8 - 12 char alphanumeric jumble.

Re:Simple solution (1)

Anonymous Coward | more than 2 years ago | (#40932073)

User-made questions are awesome until you're a customer service rep who has to ask a woman "what you would never do" knowing the answer will be "take it in the rear". It happened to a colleague at a past job.

Re:Simple solution (3, Informative)

Sqr(twg) (2126054) | more than 2 years ago | (#40932163)

Or go to passwordmaker.org [passwordmaker.org] , and use the security question (all lower case and no punctuation) as URL and your own secret password. Set the character set to hex digits so that the answer is easy to read out over the phone.

Re:Simple solution (1)

mkraft (200694) | more than 2 years ago | (#40931725)

That's actually already being done by a number of companies. That still doesn't help though if someone enters a question with an easy answer.

The "best" thing people can do is put in wrong answers to their security questions. Unfortunately if someone does so and forgets the answer, then that person can't get access to his or her account. Unless of course that person has an account with Apple or Amazon in which case the secret answers aren't needed. Hence the problem with the entire password system.

I'm not sure what the solution to this problem really is. Gaining access to an account without a password should be difficult, but not impossible, since what if a spouse needs access to an account of someone who has died. Maybe password resets should require a court order if the person can't answer the security questions.

Re:Simple solution (1)

Krneki (1192201) | more than 2 years ago | (#40931821)

NO

Security questions are completely pointless. They were implemented because idiots used the same username / email address and passwords across different websites. So once a hacker got all the info from a poorly secured website he was able to access all the user accounts.

All you need is a username and password, if you want a 2nd security check use the email you can't replace in 5 min within the account (put a 2 months delay). If the user is so stupid to use the same password on the email let him pay the price, don't force people who use secure logins to suffer the mandatory secure questions as it is not needed.

Re:Simple solution (4, Informative)

Qzukk (229616) | more than 2 years ago | (#40931831)

I once had an account on a site that asked me to select three questions from a list of a couple dozen then answer them.

When I needed to recover my password, it asked me to select the same three questions from a list of a couple dozen then answer them again.

I never managed to recover my password.

Re:Simple solution (1)

taustin (171655) | more than 2 years ago | (#40931961)

Why do people always assume that the answer to the security question has to be correct? Or even remotely connected to the question, for that matter? Do all the internet searches you want, you'll never figure out that my high school was "Never give guns to ducks."

Re:Simple solution (4, Insightful)

Hythlodaeus (411441) | more than 2 years ago | (#40932043)

The purpose of security questions is not security - it's reducing customer service workload due to forgotten passwords.
In most implementations it's an overall reduction in security, since the security questions constitute a backdoor to the password, rather than an additional factor of authentication.

BYO (4, Insightful)

wstrucke (876891) | more than 2 years ago | (#40931589)

I find the security questions I like best are the ones I can make up myself. I typically use nonsense phrases that only I know the answer to. Unfortunately most sites would prefer you pick one of several 'standard' questions like the examples OP provided.

Re:BYO (0)

Anonymous Coward | more than 2 years ago | (#40931635)

.... but you don't have to give "standard" answers. You can use any word or words you want.

Re:BYO (1, Insightful)

bcoff12 (584459) | more than 2 years ago | (#40931651)

Exactly. I make up ridiculous answers and store them in my password manager.

Re:BYO (3, Insightful)

nedlohs (1335013) | more than 2 years ago | (#40931787)

Making them completely pointless, since you'd only need them if you lost the password which would presumably also be in the password manager.

Re:BYO (0)

Anonymous Coward | more than 2 years ago | (#40931817)

You don't seem to understand what a password manager is.

Re:BYO (1)

PPH (736903) | more than 2 years ago | (#40932115)

It's an app on the computing device of your choice that stores passwords. In reality, the storage is in your iCloud account. Which is about to be hacked since some Apple CSR is a moron.

Re:BYO (1)

kat_skan (5219) | more than 2 years ago | (#40932099)

They were already pointless. A backdoor password into my account that is REQUIRED to be something people can just Google about me? Genius.

Re:BYO (1)

joeadmin (679217) | more than 2 years ago | (#40931845)

I do the same thing, fairly effective.

Re:BYO (1)

zero.kalvin (1231372) | more than 2 years ago | (#40931801)

If you give a standard answer then you are an idiot who deserves to be hacked! If half of your town knows your mother's maiden name, what the hell are you doing by picking that as a question and answer!

Re:BYO (1)

Isaac-1 (233099) | more than 2 years ago | (#40931943)

The problem here is often lack of good choices like:

Paternal Grandfather's name? for someone who is John Smith III

Or name of city you grew up in, when it is your current city?

At this point Mother's maiden name looks good when given 3 choices

Re:BYO (1)

Bork (115412) | more than 2 years ago | (#40931753)

Does not work - the general populace is unable to generate a secret question that is any better. They feel that it would not be used anyway so use nonsense questions and answers. Questions that I have seen when a user is allowed to create their own "Who did I F**K last", "What color is cheeze", "Why do I need a secret question", ....

Without knowing who the person is on the other end, I have about a 50% guess rate on the answers to most secret questions used.

Re:BYO (1)

zero.kalvin (1231372) | more than 2 years ago | (#40931779)

Exactly! But even with standard ones you can make it secure enough. For example I never had a pet when I was a kid, and for that reason I pick that one out and fill it with a name that mentally means something for me, but something that not even my best friend of 21 years can tell! Really the problem is not with the security measures, it is with the end users. If you pick that question above and you had a pet that half of the world knew you had, well then don't nag on how bad the security is.

Re:BYO (1)

Cro Magnon (467622) | more than 2 years ago | (#40932189)

I "borrow" someone else's pet for that question. The people who know me might guess whose pet I use, but even they'd have trouble figuring which of the dozens of pets this person had is the answer.

Re:BYO (5, Funny)

HawkinsD (267367) | more than 2 years ago | (#40931827)

My favorite make-up-your-own pair, which a CSR at a bank was once forced to read to me over the phone:

Q: "You're not going out dressed like that are you?"

A: "You can't tell me what to do! You're not my real father!"

Re:BYO (0)

Anonymous Coward | more than 2 years ago | (#40931859)

And nothing usually prevents you from entering your "preferred" answer, regardless of what the question is. As long as you can remember your answer it works great. At least in my cases it always did.

Re:BYO (5, Insightful)

X0563511 (793323) | more than 2 years ago | (#40931865)

I'd rather just be able to disable the questions entirely, relying on a good password and if that is lost/whatever, account specific information being verified by a human on the phone.

My problems with these "secret questions" are:
1. They are obviously stored cleartext
2. They can be used to "substitute" for your non-cleartext password
3. Because 1+2=3, if someone breaks in and grabs a dump of the table, they now effectively have your account. These "insecurity questions" are more of a liability if you are not one to just lose passwords. Crutch for the stupid, barrier for the secure.

That's Not Possible (4, Funny)

MightyMartian (840721) | more than 2 years ago | (#40931593)

I'm sorry. Apple cannot make mistakes anymore. Clearly this is just anti-Apple-types trying to give the greatest, most wonderful, most lauded, most glorious company that has ever or will ever exist.

I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

Re:That's Not Possible (1)

CanHasDIY (1672858) | more than 2 years ago | (#40931665)

I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

Didn't they remove that function, in order to protect you from yourself?

Re:That's Not Possible (0)

Anonymous Coward | more than 2 years ago | (#40931773)

They removed the option to turn it on.

Re:That's Not Possible (0)

Anonymous Coward | more than 2 years ago | (#40932049)

I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

Didn't thJOBS BE PRAISEDtion, in orJOBS BE PRAISED you MOST HOLY NAME OF JOBS BE PRAISED IN THE HIGHEST?

I'm sorry, I couldn't hear you over the helpful, calming sounds of my iPads. Did you say something? Oh well, if it were important, I'm certain Apple, in their infinite wisdom, would allow me to hear it.

Re:That's Not Possible (0)

Anonymous Coward | more than 2 years ago | (#40931689)

It's not a mistake...it's a feature.

Re:That's Not Possible (1)

alen (225700) | more than 2 years ago | (#40931745)

they admitted that one of their CSRs didn't follow the rules

everyone here writes bugs with code and works it out over time. lots of times in production. but someone else makes a mistake and it's time to burn them at the stake.

Re:That's Not Possible (2)

Isaac-1 (233099) | more than 2 years ago | (#40932025)

Part of the problem is the CSR had the option to not follow the rules, they should have a box to type the challenge response, and the computer should have enough logic to only accept a close match, not counting capitalization or minor spelling differences. If they can't get it right, escalate the call to a supervisor level who may then have more leeway.
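The design Isaac-1 describes above (the CSR types what the caller says into a box and the system, not the person, decides whether it matches) is straightforward to build, and it also answers X0563511's earlier complaint that the answers are stored in cleartext. The following is an added example, not Apple's code or anything from this thread: answers are canonicalised so that capitalisation, accents, punctuation and spacing do not count, stored only as a salted PBKDF2 digest, compared in constant time, and a failed attempt counter forces escalation rather than leaving the override to the agent. The iteration count and attempt limit are assumed policy values, not figures from the discussion.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from dataclasses import dataclass

# Assumed policy values (not from the thread): hash cost and attempt limit.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 3


def normalize(answer: str) -> str:
    """Canonicalise an answer so capitalisation, accents, punctuation and
    spacing do not count: "St. Mary's  High" and "st marys high" compare equal.
    Letters from any script are kept; only punctuation/whitespace is dropped."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[\W_]+", "", text.casefold())


@dataclass
class StoredAnswer:
    """What the database holds: a per-answer salt and a slow hash, no plaintext."""
    salt: bytes
    digest: bytes


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def enroll(answer: str) -> StoredAnswer:
    """Called once when the user sets the answer."""
    salt = os.urandom(16)
    return StoredAnswer(salt, _digest(answer, salt))


def verify(stored: StoredAnswer, candidate: str) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(_digest(candidate, stored.salt), stored.digest)


@dataclass
class ChallengeSession:
    """What the CSR's console sees: it submits what the caller said and gets
    only pass / fail / escalate back; the stored answer is never displayed,
    and after MAX_ATTEMPTS failures the only path is a supervisor."""
    stored: StoredAnswer
    failures: int = 0

    def attempt(self, typed: str) -> str:
        if self.failures >= MAX_ATTEMPTS:
            return "escalate"
        if verify(self.stored, typed):
            return "pass"
        self.failures += 1
        return "escalate" if self.failures >= MAX_ATTEMPTS else "fail"


if __name__ == "__main__":
    # Constructed sample: enrol one answer, then run a phone-style challenge.
    record = enroll("St. Mary's High")
    session = ChallengeSession(record)
    for said in ("saint marys", "ST MARYS HIGH!"):
        print(repr(said), "->", session.attempt(said))
```

Tolerance for genuine misspellings ("minor spelling differences") is deliberately left out: a fuzzy match needs the plaintext answer on the server, which is exactly the liability the thread complains about, so this version normalises form only and lets the failure counter route hard cases to a supervisor.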

Re:That's Not Possible (1)

cpu6502 (1960974) | more than 2 years ago | (#40931963)

>>>Clearly this is just anti-Apple-types

I consider Apples to be like Chryslers, Lexuses, and Acuras. Severely-overpriced for what you get. BUT in this case you are being unfair. It wasn't Apple that dropped the ball but one of their minimum wage employees.

Apple should fire the employee and any other employees who hand-out new passwords w/o proper authentication by the caller (answering the secret questions). If Apple fails to do that, THEN you can vilify them.

What is Your Favourite Colour? (5, Funny)

Jeremiah Cornelius (137) | more than 2 years ago | (#40931597)

What is your quest?

What is the air-speed velocity of a coconut-laden swallow?

Re:What is Your Favourite Colour? (0)

Anonymous Coward | more than 2 years ago | (#40931733)

African or European?

Re:What is Your Favourite Colour? (2)

Jeremiah Cornelius (137) | more than 2 years ago | (#40932077)

I don't kno.... (Insert "Wilhelm")

Re:What is Your Favourite Colour? (0)

Anonymous Coward | more than 2 years ago | (#40932133)

African or European?

African of course, If it were European, it would be a "sugar-beet laden" swallow.

Coconut laden? (1)

Okian Warrior (537106) | more than 2 years ago | (#40931811)

I don't know much about coconut-laden swallows, but an unladen swallow [style.org] flies along at roughly 10 meters per second (9.9 mps, per rough calculation).

Where did you get the thing about coconut-laden swallow anyway? Was that a line from a movie or something?

Re:Coconut laden? (1)

Jeremiah Cornelius (137) | more than 2 years ago | (#40932131)

I'm sorry, Lad.

1975 was a long time ago [imdb.com] ... Nearly in a galaxy, far, far away....

Re:What is Your Favourite Colour? (2)

saider (177166) | more than 2 years ago | (#40932175)

It would be funny if your answer was a question - "An African or a European Swallow?"

Who answers security questions honestly? (4, Insightful)

BMOC (2478408) | more than 2 years ago | (#40931601)

The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

Favorite movie? Gigli
First Car? Moon Rover
Mother In Laws Name? Dead
etc..etc..

Re:Who answers security questions honestly? (3, Insightful)

imagined.by (2589739) | more than 2 years ago | (#40931647)

I usually just generate additional passwords and save them in KeePass.

Re:Who answers security questions honestly? (2)

Plumpaquatsch (2701653) | more than 2 years ago | (#40931677)

The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

Favorite movie? Gigli First Car? Moon Rover Mother In Laws Name? Dead etc..etc..

Of course people will forget the right wrong answer, without chance to find it ever again. Which is likely the reason why companies have started to allow a way around those questions in the first place.

Re:Who answers security questions honestly? (1)

CanHasDIY (1672858) | more than 2 years ago | (#40931695)

The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

This, a million times over.

It's not the questions that are the problem, it's the idiots giving them obvious, straight answers.

Re:Who answers security questions honestly? (0)

Anonymous Coward | more than 2 years ago | (#40931885)

>> It's not the questions that are the problem, it's the idiots giving them obvious, straight answers.

it's designed for obvious, straight answers.

Re:Who answers security questions honestly? (0)

Anonymous Coward | more than 2 years ago | (#40931805)

Shouldn't security answers have at least the security of a password? 8+ characters with one uppercase, one number, one special character, etc.

Re:Who answers security questions honestly? (1)

JohnFen (1641097) | more than 2 years ago | (#40931899)

This completely negates the purpose for me. If I can remember my nonsense answer, I can equally remember the actual password, and using a standard nonsense answer for all logins is no different than using the same password for all logins, a big no-no.

Recorded preference in tablecloth colors (1)

The Barking Dog (599515) | more than 2 years ago | (#40931609)

Douglas Adams nailed it...again.

Don't Give the Real Answer (4, Insightful)

mikestew (1483105) | more than 2 years ago | (#40931627)

Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.

Of course, that does no good if Apple simply ignores the security questions.

Re:Don't Give the Real Answer (0)

Anonymous Coward | more than 2 years ago | (#40931679)

Definitely. I guess common sense isn't terribly common.
I give the wrong answers on purpose as well but they're something meaningful to me that's not online and is memorable.

Re:Don't Give the Real Answer (0)

Anonymous Coward | more than 2 years ago | (#40931687)

Or if you post it on Slashdot.

Re:Don't Give the Real Answer (2)

Plumpaquatsch (2701653) | more than 2 years ago | (#40931709)

Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.

Of course, that does no good if Apple simply ignores the security questions.

So to recover the password for your account you also stored in 1Password, you use a security question, the answer of which you take from 1Password. I can see no flaw in your reasoning.

Re:Don't Give the Real Answer (1)

mikestew (1483105) | more than 2 years ago | (#40932047)

Yes, that would be an accurate summary. Answers are generally required, and I'm not about to give the actual answer. I do not intend to ever use the answers, as I view security questions to be a hole and not a help, but they might as well be recorded.

Re:Don't Give the Real Answer (2)

CAIMLAS (41445) | more than 2 years ago | (#40931879)

Of course, that does no good if Apple simply ignores the security questions.

Everyone here seems to be missing that point.

If they will reset your password over the phone while enabling you to add an email address to the account and without reasonable certainty you are who you say you are, they have thoroughly demonstrated they do not give half a shit about the security of your information. Period. There are banks like this as well. It would be trivial to take over someone's financial and digital life in today's world with a little knowledge of who they are.

An answer to a common security question (0)

Anonymous Coward | more than 2 years ago | (#40931631)

What city were you born in?
Answer: Iwasnotborn in anycity

Don't answer the Security questions "correctly"!!! (1)

EMR (13768) | more than 2 years ago | (#40931637)

When you fill out the "form" to define the security questions, Don't put the correct answers in.. purposely put a false answer, obviously one that only you know.. My dad makes up a "youngest son" to put in those security questions so there is no way someone can "scour" social network sites to find the answers.

Retinal Eye Scans (1)

justcauseisjustthat (1150803) | more than 2 years ago | (#40931645)

Retinal Eye Scans here we come, I'm feeling very Minority Report-ish....
(I'll never give my finger prints or DNA freely, but you can burn my eyeballs out)

Misdirection (0)

Anonymous Coward | more than 2 years ago | (#40931671)

So tricks like misspelling the answer in a manner you can remember, or out right lying is no longer advised? 'Q: What is the name of your first pet? A: Godzilla' ... it REALLY isn't hard folks.

Use the First Girlfriend question (4, Informative)

danbuter (2019760) | more than 2 years ago | (#40931673)

Jokes on them! I've never had a girlfriend!

Doesn't feel all *that* tricky (1)

shilly (142940) | more than 2 years ago | (#40931685)

What is your memorable place? seems to fit all those criteria, for example.

Re:Doesn't feel all *that* tricky (1)

JohnFen (1641097) | more than 2 years ago | (#40931959)

I wouldn't even know how to begin to answer that question. I don't have a single most memorable place, but a small collection of special places that are about equally memorable. How would I remember which one I used?

This is no different than "what's your favorite..." questions. My favorite anything is not fixed. My favorites change over time, so I still end up having to outright guess what the right answer is.

CNN Admits to being shill for Obama (-1)

Anonymous Coward | more than 2 years ago | (#40931697)

Leftists are all liars all the time.

http://www.youtube.com/watch?v=vcOJkzUrnx0

"Bill Burton at Priorities USA is now claiming that he did not intend to connect Romney to the death of Soptic’s wife. This is obviously a lie. Watch the video. There’s no other conclusion you can draw from it. This ad is so dirty that even the people who made it don’t want to take credit for it."

Lie (1)

Anonymous Coward | more than 2 years ago | (#40931699)

Do not answer your security questions truthfully. Make things up, but be consistent with your lies or you may be out of luck when it comes time to answer the questions. This foils any attempt to impersonate you by using the public record.

Re:Lie (1)

JohnFen (1641097) | more than 2 years ago | (#40931975)

But then you are, in effect, using the same password for all your logins.

Re:Lie (0)

Anonymous Coward | more than 2 years ago | (#40932171)

No difference there than if you were to answer truthfully. Alternatively, you could do what others here have suggested and simply generate passwords as answers, then store them in a manager, but managers come with their own security concerns.

what was the name of your first pet? (1)

alen (225700) | more than 2 years ago | (#40931705)

lots of cartoon animal names you can use

who says you have to use real answers to these questions?

trope: Stock Animal Name (1)

tepples (727027) | more than 2 years ago | (#40931871)

lots of cartoon animal names you can use

Which gives attackers the option to use the rainbow tables [tvtropes.org] .

Think fail (0)

Anonymous Coward | more than 2 years ago | (#40931715)

they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway.

No, a single employee was duped into making an error.

This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously.

Yeah, Tim Cook came right out and said that. #doublefacepalm

This right here is at the core of almost all problems in the world: the inability of people to differentiate between the actions of an individual and a group, or projecting the individual actions into a collective mindset.

Re:Think fail (2)

thePowerOfGrayskull (905905) | more than 2 years ago | (#40932181)

This right here is at the core of almost all problems in the world: the inability of people to differentiate between the actions of an individual and a group, or projecting the individual actions into a collective mindset.

Yeah, totally sucks how everybody does that.

Dumbest security questions 1st price: Mizuho bank! (1)

LifeIs0x2A (2615925) | more than 2 years ago | (#40931735)

Anyone else here who has an online banking account at Japanese Mizuho bank? Every time I change browser or logged in from a different computer in the meantime I have to answer these questions again: What is your favourite drink? What is your favourite fruit? What is your favourite meal? Was it Spaghetti Bolognese or did I write meatballs when I first logged in? Did I like lions at that time or was it Zebras? Quite existential questions to ask when you actually just would like to transfer your rent.
It might be safe but it is really an annoying joke. And additionally the Japanese language makes it even more fuzzy. Which alphabet did I use to answer the question? I 1000x prefer two-step authentication à la gmail. But for a slower than snails on a tree shop like Mizuho Bank that is going to take decades to implement..

even random questions/answers are a weakness (0)

Anonymous Coward | more than 2 years ago | (#40931737)

"My mother's maiden name is 4dAm3Y3fv9nIks."

Operator: What's your mother's maiden name?
Attacker: My answer was random gibberish, but I forgot what it is.
Operator: Hmmm...seems legit.

simple (0)

Anonymous Coward | more than 2 years ago | (#40931757)

Always answer 42 to any secret question posed.
If the answer must be longer to meet some length rules forty-two or Forty-Two should suffice.
Now if I could just know what the security question was...

You're doing it wrong (1)

macemoneta (154740) | more than 2 years ago | (#40931781)

Security questions are an opportunity for additional long passwords.

Favorite color: ALQbpFcWvvFiJlnEh5uuC0lpJZFHAvIcMuXrOh46L3bc24V39m
Where you grew up: 1t7jpfr7zzp87kOJTMOFw5qf1ReWKoxoeRu8U7vuz5TfPwypkU
First pet: gzcPme09nDYPHXvfvyi8FbpP9hX5cjqMiVi0MWd61sxyCIJjaG

Just use the prompt as the index for the key, which you've saved in your favorite key store, like keepassx.

Re:You're doing it wrong (1)

QuantumPete (1247776) | more than 2 years ago | (#40931931)

Or you just put the SHA1 hash of the question as the answer.
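Three posts in this thread (Sqr(twg)'s passwordmaker.org recipe, macemoneta's "use the prompt as the index for the key", and the SHA1-of-the-question suggestion just above) all amount to deriving the answer from the question text rather than remembering it. The example below is added here and is not passwordmaker.org's code nor anything posted in the thread: it derives a per-site, per-question hex answer with HMAC-SHA256 keyed by a master secret the user holds, over a lower-cased, punctuation-free prompt as Sqr(twg) describes. The contrast function shows why the key matters: an unkeyed hash of the prompt alone is the same string for anyone who can read the prompt. The site label, output length and master secret are constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumed output length (hex characters); 20 hex digits carry 80 bits.
ANSWER_LENGTH = 20


def canonical_prompt(prompt: str) -> str:
    """Lower-case the prompt and drop punctuation and spaces, so
    "Mother's Maiden Name?" and "mothers maiden name" derive the same answer."""
    return re.sub(r"[\W_]+", "", prompt.casefold())


def derive_answer(master_secret: str, site: str, prompt: str,
                  length: int = ANSWER_LENGTH) -> str:
    """Per-site, per-question answer: HMAC-SHA256 keyed by the master secret
    over the site label and the canonical prompt. Hex output is easy to read
    over the phone, and a different site label gives an unrelated answer, so a
    breach of one site's stored answers says nothing about the others."""
    message = f"{site}\n{canonical_prompt(prompt)}".encode("utf-8")
    tag = hmac.new(master_secret.encode("utf-8"), message, hashlib.sha256)
    return tag.hexdigest()[:length]


def unkeyed_answer(prompt: str, length: int = ANSWER_LENGTH) -> str:
    """The 'SHA1 of the question' variant for comparison: no secret is involved,
    so anyone who sees the prompt can compute exactly this string."""
    return hashlib.sha1(canonical_prompt(prompt).encode("utf-8")).hexdigest()[:length]


if __name__ == "__main__":
    # Constructed sample values: a master secret and two site labels.
    secret = "correct horse battery staple"
    for site in ("bank.example", "shop.example"):
        print(site, derive_answer(secret, site, "Mother's Maiden Name?"))
    print("unkeyed:", unkeyed_answer("Mother's Maiden Name?"))
```

Usage is the same as with a password manager: the master secret is the one thing to remember, and the site label plus the prompt as read back by the rep reproduce the answer on demand. JohnFen's objection still applies to the unkeyed form, since it is effectively one answer reused everywhere; the keyed derivation is what makes the answers differ per site.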

Even so (1)

stevegee58 (1179505) | more than 2 years ago | (#40931783)

Even if Apple had enforced their own policies it's still weak anyway. Recall the hacking of Sarah Palin's yahoo email. The attackers just looked up the answers to her security questions on the interwebs.

Mother's maiden name (4, Informative)

AnalogDiehard (199128) | more than 2 years ago | (#40931823)

I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.

I had to resort to adding layers of generations when my (now ex) wife attempted to open credit cards behind my back.

Well (2)

ledow (319597) | more than 2 years ago | (#40931851)

Just treat them like I do. Select any "question" and type another password into the answer box (one that you never give out).

Should it come to a password reset password where you're asked for no, NOBODY will ever guess it and you'll be able to reset your password either automatically (if they allow you to), or via a customer service representative (who will be wondering why your mother's maiden name was AH8hfds86, but who cares?).

Just as secure as anything else, requiring you to give out zero additional personal information, and totally UNABLE to be discovered by someone who happens to know you, for instance (unlike DOB, maiden names, etc.).

Security questions: FAIL (4, Insightful)

macraig (621737) | more than 2 years ago | (#40931853)

Many security questions are a failure from the start due to poor selection. While one would expect that a security question would challenge an objective fact, many of them don't. Instead they challenge subjective facts, most often "favorite" things. What happens to a person's answers when his mental list of favorite things has changed? I've encountered some instances where these "favorite" questions were so prevalent that there wasn't even one objective question as a choice. While it's true that "favorites" might be less susceptible to data mining than objective facts, the last thing security questions should ever do is create the possibility that the legitimate user might be locked out because he can't recall what his "favorite" was at the time of the account's creation. This is akin to the bad habit of using e-mail addresses as usernames. What's more, many of these choose very poor subjects that lead to potentially ambiguous answers; there have been many occasions when I couldn't decide the correct answer to a "favorite" question even at the time of creation, much less a year later.

What's "mother's maiden name"? (1)

Anderu67 (1179779) | more than 2 years ago | (#40931889)

Oh right, a cultural construct. Bonus points if you force the question on Spanish-speaking users, in which cultures there is no name changing and the person's last name includes what would be considered the mother's "maiden name". Very secure.

One answer to rule them all (0)

Anonymous Coward | more than 2 years ago | (#40931891)

The other extreme is the customers I support. One of them admits his answer to any security question is "snickerdoodle", regardless of what the question is. Easy, memorable, and hard to guess. Which would work great I suppose if he only ever used it on one site. In this climate where weaker sites are compromised and intel harvested, I suppose it's a lot like him using the same password for every site.

This whole thing would be so much easier if we just agreed to embed a chip in people's hands.

I'm perplexed (0)

Anonymous Coward | more than 2 years ago | (#40931893)

People actually slap real details into those questions?

Real security (2)

gurps_npc (621217) | more than 2 years ago | (#40931917)

As I have said before (check my posts): Passwords are ways to keep the ignorant out, not the determined or skilled.

We need real security - which comes from an obvious list of last attempts to log in. That way we know when and where (IP address tells all) someone tried to log into our accounts. If we don't recognize the times and places, then we can act.

We certainly can't trust the websites themselves to protect us.

Security Questions are a Joke? (2)

Tarlus (1000874) | more than 2 years ago | (#40931949)

Question 1: Why did the chicken cross the road?
Question 2: Why is six afraid of seven?

* dodges tomatoes *

Say what now? (0)

Anonymous Coward | more than 2 years ago | (#40932001)

Security questions are incredibly effective at stopping a hacker. The problem is, sites need to stop offering the same questions that have existed for years.

Need to get rid of ANY questions that could have answers in the public domain.

Another problem though is companies need to take these questions seriously. If a wrong answer is given twice in a row, lock the account until personal verification can be attained.

Apple should know better, and this just shows how certain corporations don't give a crap about security.

random strings in a password file (1)

bcrowell (177657) | more than 2 years ago | (#40932165)

There is an easy workaround for this. You go to the trouble of using a high-entropy password for a certain web site, and then their web interface insists on knowing something like your dog's name, which would be a huge security hole. Well, whatever method you use for making a secure password (I use a hash function), just use that to generate your dog's name. So I'll tell Google that my dog's name is bHo3HI38, and lolcats.edu that it's QRYh3l34.

Give up on wanting it to be memorable. That's pointless and self-defeating. Just stick it in an encrypted file. It's not an inconvenience, because you're never going to use it. I don't ever expect to have to actually tell lolcats.edu again that my dog's name is QRYh3l34.
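An added example, not posted by bcrowell or anyone else in the thread, of the "hash function generates your dog's name" approach above and of macemoneta's random-answer-per-question approach. It assumes a keyed hash (HMAC-SHA256 with a master secret kept in the password manager) so that a different site, a different question, or a different key yields an unrelated answer; an unkeyed hash of the question text alone is included for contrast, since it reproduces the same answer on every site that asks that question.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # answers that survive most form validators


def _to_alphabet(data: bytes, length: int) -> str:
    """Map a digest to `length` alphanumeric characters (256-bit input, so modulo bias is negligible)."""
    n = int.from_bytes(data, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def derived_answer(master_secret: bytes, site: str, question: str, length: int = 12) -> str:
    """Per-site answer: HMAC-SHA256 keyed with a master secret over site and question.
    The same inputs always regenerate the same answer, so nothing has to be memorised,
    while different sites (or questions, or keys) get unrelated answers."""
    msg = site.encode() + b"\x00" + question.encode()
    return _to_alphabet(hmac.new(master_secret, msg, hashlib.sha256).digest(), length)


def unkeyed_answer(question: str, length: int = 12) -> str:
    """Plain hash of the question text alone: reproducible, but every site asking the
    same question gets the same answer, and anyone who knows the question can compute it."""
    return _to_alphabet(hashlib.sha256(question.encode()).digest(), length)


def random_answer(length: int = 32) -> str:
    """Unrelated random answer, to be stored in the password manager next to the question."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed master secret; keep this in the key store
    q = "What is your dog's name?"  # constructed sample question
    print("google.com:", derived_answer(key, "google.com", q))
    print("lolcats.edu:", derived_answer(key, "lolcats.edu", q))
    print("unkeyed, any site:", unkeyed_answer(q))
    print("random:", random_answer())
```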

Incorrect Answers (1)

Bigbutt (65939) | more than 2 years ago | (#40932169)

I noticed this a while ago. I have a password keeper and record the question and the false answer I provide to the question. Even where I can make up a question, I make up a totally different, unrelated answer and record that.

[John]
