Chris's Wiki :: blog/tech/SecurityQuestionHate Comments
https://utcc.utoronto.ca/~cks/space/blog/tech/SecurityQuestionHate?atomcomments
DWiki, updated 2008-11-25T22:25:11Z
Recent comments in Chris's Wiki :: blog/tech/SecurityQuestionHate.

By Chris Siebenmann on /blog/tech/SecurityQuestionHate
<div class="wikitext"><p>The security questions I've seen have been used as a password recovery
mechanism, not (effectively) as an additional password. I think I would
have a violent reaction to a rotating secondary password (which is the
only real way of making it even vaguely effective against phishers and
the like).</p>
</div>
2008-11-25T22:25:11Z

From 192.88.212.44 on /blog/tech/SecurityQuestionHate
<div class="wikitext"><p>I've heard it's because the websites in question would like to have two-factor authentication but can't really figure out how to do it properly in a cost-effective manner. Thus they settle for the cheap, easy, answer-this-security-question style of two-factor authentication. Which, as anyone here knows, isn't really secure.</p>
<p>I like the idea of taking the md5sum of the question and encrypting it with a hash and then using that as your answer. That way, you only have to remember one answer, and from that one answer you can define the correct answer to any question. 42.</p>
</div>
2008-11-25T14:49:20Z

By Chris Siebenmann on /blog/tech/SecurityQuestionHate
<div class="wikitext"><p>My problem with having a consistent set of false answers is that the
questions aren't consistent, and sometimes you have to pick which
questions you'll give answers to. I suppose the solution there is
just to use answers in order and always pick the first N questions
to answer (and then hope that they ask you the questions in order,
and never change the order).</p>
</div>
2008-11-23T18:15:20Z

From 71.65.56.124 on /blog/tech/SecurityQuestionHate
<div class="wikitext"><p>That's why I always lie. I just have a consistent set of false answers.</p>
<p>I suppose it wouldn't be too difficult to work out a pretty simple hash-type solution where your answers were based on the information of the querying party...</p>
</div>
2008-11-23T14:10:51Z

From 60.234.141.149 on /blog/tech/SecurityQuestionHate
<div class="wikitext"><p>We use security questions: if you can guess the right answer to the security question, a new password is generated, and it is emailed to you. Thus you need something you know, and something-else-you-have-access-to. The reason for the security question is that it's really really really frustrating to have someone force-change your password for you when you didn't want them to, not to protect the account. The email address you registered with us is the primary system to protect the account.</p>
<p>Another good idea that we've not implemented yet is to disable the "forgotten password" if the user has logged in within the last n days (since, obviously, they haven't forgotten their password!)</p>
<p>-- PerryLorier</p>
</div>
2008-11-23T09:51:47Z