Absurd "Security Questions"
-
This is going to sound like a vent (and maybe it is, to a degree), but I really want to go beyond just complaining and DO something about it. I am absolutely fed up with the deluge of inane and ridiculous “Security Questions” that have inundated the web world. I’m speaking, of course, of the ubiquitous websites that require you to answer harebrained trivia questions like “Who was your first Little League coach?” or “Where did you get your first turtle?” or “What kind of apple do you like to juggle with?” These preposterous questions are intended to provide a layer of “security” to my account, in the event that I forget your password. But they are ludicrous because they are useless. They provide virtually no real security – just aggravation to the hapless users who are forced to come up with meaningful but memorable answers. They are either too easy to guess or too hard to remember. The latter must be written down – an intolerable inconvenience that also opens up a huge security hole to anyone who stumbles across your post-it notes. This problem has been around for a long time. Josh Levin complained articulately about it back in 2008. Google acknowledged the absurdity of the strategy in a security document published just last year. I particularly love Dustin’s parody. Nevertheless, the gabberflasting problem remains, darkening our society and threatening to snuff out any remaining sanity in our civilization. What can be done? Where can we protest? Who can be held responsible for these abominations that pierce my spleen like a poison-laced javelin every time I try to register for an online bank account or foosball tournament? Can anything be done to save humanity? Seriously, though. Is there any way we can join together and make our voice be heard? UPDATE: This is especially frustrating because there is a perfectly reasonable alternative: Simply let the user write his/her OWN question and answer. It is easy to think of a question with a single unambiguous answer known only to me. THAT's a system that is both secure AND convenient. ( Of course there will always be brain-dead users who make up a ridiculous question like "What's 2 + 2?". But the whole system shouldn't be gro
I have one standard answer for when I can't specify the prompt and one standard prompt/answer for when I can specify the prompt. Of the latter, I did have to answer it on the phone once. :-D Unfortunately, my wife doesn't understand the security implications so she always answers with the "real" answers. :sigh:
-
This is going to sound like a vent (and maybe it is, to a degree), but I really want to go beyond just complaining and DO something about it. I am absolutely fed up with the deluge of inane and ridiculous “Security Questions” that have inundated the web world. I’m speaking, of course, of the ubiquitous websites that require you to answer harebrained trivia questions like “Who was your first Little League coach?” or “Where did you get your first turtle?” or “What kind of apple do you like to juggle with?” These preposterous questions are intended to provide a layer of “security” to my account, in the event that I forget your password. But they are ludicrous because they are useless. They provide virtually no real security – just aggravation to the hapless users who are forced to come up with meaningful but memorable answers. They are either too easy to guess or too hard to remember. The latter must be written down – an intolerable inconvenience that also opens up a huge security hole to anyone who stumbles across your post-it notes. This problem has been around for a long time. Josh Levin complained articulately about it back in 2008. Google acknowledged the absurdity of the strategy in a security document published just last year. I particularly love Dustin’s parody. Nevertheless, the gabberflasting problem remains, darkening our society and threatening to snuff out any remaining sanity in our civilization. What can be done? Where can we protest? Who can be held responsible for these abominations that pierce my spleen like a poison-laced javelin every time I try to register for an online bank account or foosball tournament? Can anything be done to save humanity? Seriously, though. Is there any way we can join together and make our voice be heard? UPDATE: This is especially frustrating because there is a perfectly reasonable alternative: Simply let the user write his/her OWN question and answer. It is easy to think of a question with a single unambiguous answer known only to me. THAT's a system that is both secure AND convenient. ( Of course there will always be brain-dead users who make up a ridiculous question like "What's 2 + 2?". But the whole system shouldn't be gro
-
sry, not a direct answer, just a link, fwiw: Choosing and Using Security Questions Cheat Sheet - OWASP[^]
-
Another solution is to use KeePass[^], and store your answers in there. At least that way they are encrypted, relying only on one password to remember. It doesn't address your fundamental complaint, but is a method of dealing with the madness.
My CodeProject Articles :: Our forgotten astronomic heritage :: My website.
"Sorry, buddy, but this mission counts on everyone being as silent as possible, and your farts are just too much of a wildcard." - Korra to Meelo, "Kuvira's Gambit"And backup your keepass file to dropbox/box/google drive so that you can - access it from anywhere - have a copy when your computer crashes beyond all repair