Code Project

Absurd "Security Questions"

The Lounge, 44 Posts, 25 Posters

kdmote (original post, quoted as the parent of the replies below):

    This is going to sound like a vent (and maybe it is, to a degree), but I really want to go beyond just complaining and DO something about it. I am absolutely fed up with the deluge of inane and ridiculous “Security Questions” that have inundated the web world. I’m speaking, of course, of the ubiquitous websites that require you to answer harebrained trivia questions like “Who was your first Little League coach?” or “Where did you get your first turtle?” or “What kind of apple do you like to juggle with?” These preposterous questions are intended to provide a layer of “security” to my account, in the event that I forget your password. But they are ludicrous because they are useless. They provide virtually no real security – just aggravation to the hapless users who are forced to come up with meaningful but memorable answers. They are either too easy to guess or too hard to remember. The latter must be written down – an intolerable inconvenience that also opens up a huge security hole to anyone who stumbles across your post-it notes. This problem has been around for a long time. Josh Levin complained articulately about it back in 2008. Google acknowledged the absurdity of the strategy in a security document published just last year. I particularly love Dustin’s parody. Nevertheless, the gabberflasting problem remains, darkening our society and threatening to snuff out any remaining sanity in our civilization. What can be done? Where can we protest? Who can be held responsible for these abominations that pierce my spleen like a poison-laced javelin every time I try to register for an online bank account or foosball tournament? Can anything be done to save humanity? Seriously, though. Is there any way we can join together and make our voice be heard? UPDATE: This is especially frustrating because there is a perfectly reasonable alternative: Simply let the user write his/her OWN question and answer. It is easy to think of a question with a single unambiguous answer known only to me. THAT's a system that is both secure AND convenient. (Of course there will always be brain-dead users who make up a ridiculous question like "What's 2 + 2?". But the whole system shouldn't be gro

    scmtim (#35), in reply to kdmote's original post:

    "Use your own" has its own issues. I was working at a company that runs websites for managing retirement accounts. One day the call center manager comes running into the room where the developers work, waving a piece of paper and yelling to shut everything down. She had a screenshot that had the nav and masthead of the site, but the content area had just one word, "fuck", and a submit button. She and several other people thought the site had been hacked and that we should shut it down immediately to prevent data leakage or damage. So we shut it down. The printout didn't show the text input that would have been on the original page, or the address bar to show the offending page location. Turns out some moron set "fuck" as his security question and forgot about it. Then later he forgot his password and went to HR to figure out how to get into the site. The HR manager attempts to use the password reset feature, which of course presents the security question and a box to give the answer. HR managers, being highly sensitive types, are easily offended by websites being profane, and so she sent an angry email with a screenshot (without the address bar, of course). Yes, if we had put some phrase like "Your previously chosen security question:" it would have been more obvious what was going on. But at least it made the day exciting. Oh, and his answer to that wonderful security question was "great".

      joequincy (#36), in reply to kdmote's original post:

      Specifically responding to your update: I wish it was that easy. I work at the customer service level of a financial business that recently implemented "build your own" style security questions. The form is as self-explanatory as can be... Password Reset Security Question {input element} Password Reset Answer {input element} This just confuses the hell out of users. I have to walk an average of one person per day through the process, and thoroughly explain that "here you can type out your own question, which will be shown to you when you request a password reset. Below, you put in the answer to that question." This is a basic concept to those of us who have experience in site development and high-level security concepts... but to the average user, it's mind boggling. In some cases, I even end up recommending that the user leaves those fields blank (in that case, they simply cannot self-initiate a password reset, and must call or come in to one of our offices. It's more work for us, but doesn't add a security risk). There are plenty of people who are far too impatient to even attempt to figure it out, and for them, I'm glad our situation has a workaround for the concept. This isn't to say that the concept needs reworking. Security questions as they are typically implemented are appallingly insecure, and depend on essentially public data. This is bad, and needs to be addressed by the industry at large. On that, we are completely agreed.

        maze3 (#37), in reply to kdmote's original post:

        *Before I read all replies* I've used a few websites which offer a selection of questions to choose from, and also ones where you can input your own question (online banking, I think).

          kdmote (#38), in reply to joequincy:

          joequincy wrote: "This just confuses... users"

          This is just a UI/UX problem caused by a web page designer who thought he was limited to a four-word label. He could have just as easily labeled those fields with: "Please write a question that only you know the answer to." followed by "Now write the answer to that question." I can't imagine verbiage like this would stymie the average loser user. Please, joequincy, I beg you: don't let complaints from your colleagues about extra work from the "build your own questions" implementation motivate your institution to retract that strategy. IT IS THE RIGHT STRATEGY. Just get the web devs to implement it in the RIGHT WAY. If I can influence one institution to do the right thing in this regard, I will have fulfilled one of my life's goals.

            Walt Borovkoff (#39), in reply to kdmote:

            You mean "please type a question, or else it will get written on a post-it note"! ;P

              kdmote (#40), in reply to Walt Borovkoff:

              :-D :thumbsup:

                PIEBALDconsult (#41), in reply to kdmote's original post:

                I have one standard answer for when I can't specify the prompt and one standard prompt/answer for when I can specify the prompt. Of the latter, I did have to answer it on the phone once. :-D Unfortunately, my wife doesn't understand the security implications so she always answers with the "real" answers. :sigh:

                  thewazz (#42), in reply to kdmote's original post:

                  sry, not a direct answer, just a link, fwiw: Choosing and Using Security Questions Cheat Sheet - OWASP

                    kdmote (#43), in reply to thewazz:

                    Fascinating link. And it led me to another interesting one: Home - Good Security Questions. Thanks!

                    David ONeil (quoted parent post):

                      Another solution is to use KeePass, and store your answers in there. At least that way they are encrypted, relying only on one password to remember. It doesn't address your fundamental complaint, but is a method of dealing with the madness.


                      Mark Tetrode (#44), in reply to David ONeil:

                      And back up your KeePass file to Dropbox/Box/Google Drive so that you can:
                        • access it from anywhere
                        • have a copy when your computer crashes beyond all repair
