People may be accepting that security questions are a bad idea

December 18, 2016

Maybe, once upon a time, security questions made a kind of sense. If so, it was back in a much more innocent time before a ton of information about people was available to be found and searched through. These days, almost any question that's easy for people to remember the answer to is also too easy for other people to find out. None of this is news to security researchers, but people keep using security questions (and security-conscious people keep making up random answers and then having to record them somehow). However, I've now seen a hopeful sign that that may be changing.

Yahoo recently forced me to change my Yahoo account's password (which I only have because of my Flickr account). When I went through this process, I discovered something interesting: Yahoo very strongly urged me to disable my security question.

(I left it turned on for now because it's got a random answer.)

Also of interest to me was that Yahoo didn't seem to feel any need to explain why disabling my security question would be a good idea; they just asked me to. I assume that either they think it's obvious to people or they don't think they can write enough documentation to matter.

If a large place like Yahoo is pushing away from security questions (and for all I know, may have been doing so for some time now), I can hope that this is going to spread. Not having to record several random passwords for various sites certainly would make my life easier.

(Of course I'm sure that sites will come up with equally annoying alternatives. Maybe some of them will start absolutely insisting on some form of two-factor authentication.)

Last modified: Sun Dec 18 01:46:03 2016