Comments on: “Secret” Questions http://afongen.com/blog/2008/08/30/secret-questions/ Sam Buchanan's weblog Fri, 11 Sep 2009 21:36:51 -0400 http://wordpress.org/?v=2.8.4 hourly 1 By: Ian http://afongen.com/blog/2008/08/30/secret-questions/comment-page-1/#comment-27975 Ian Thu, 19 Feb 2009 19:09:48 +0000 http://afongen.com/blog/?p=1006#comment-27975 It's worse than that. If I was a bad guy, I'd be loving the current exhibitionist trend on FaceBook and other sites, of the "25 things about me" which are FULL of secret question answers. In fact, you could phish someone pretty easy with one of those... 1. Guess one of your "friends" bank. 2. Write down the questions you have to choose from when creating an account. 3. Insert into the "25 things .." list. 4. PROFIT!!! It’s worse than that. If I was a bad guy, I’d be loving the current exhibitionist trend on FaceBook and other sites, of the “25 things about me” which are FULL of secret question answers.

In fact, you could phish someone pretty easy with one of those…

1. Guess one of your “friends” bank.
2. Write down the questions you have to choose from when creating an account.
3. Insert into the “25 things ..” list.
4. PROFIT!!!

]]> By: delia ayon http://afongen.com/blog/2008/08/30/secret-questions/comment-page-1/#comment-27902 delia ayon Thu, 12 Feb 2009 09:21:44 +0000 http://afongen.com/blog/?p=1006#comment-27902 My problem with my "secret question" is that instead of asking a question, it reads "Question: question". so I do not know what to answer. I have tried all the answers I can think of but I have been locked out several times. My problem with my “secret question” is that instead of asking a question, it reads “Question: question”. so I do not know what to answer. I have tried all the answers I can think of but I have been locked out several times.

]]> By: Sam http://afongen.com/blog/2008/08/30/secret-questions/comment-page-1/#comment-26533 Sam Thu, 04 Sep 2008 04:05:03 +0000 http://afongen.com/blog/?p=1006#comment-26533 Sorry you wasted your time. As I said at the outset, I hesitated to write this post, in part because of what may be perceived as the obviousness of the problem. But in the past couple months, I've had several conversations with developers to whom this is all completely new. A couple of those conversations happened just last week. So I decided to write it and wreak suffering upon the unsuspecting. Solutions? Read those last two paragraphs again: * choose good questions. Nope, no guidance on that right now. * multiple questions, although that just adds a speed bump by making it a trifle harder to crack with brute force. * Expect demonstrated control of a resource. * closely related to that, multi-factor authentication, although man-in-the-middle attacks render it less than ideal. * Lock accounts for failed password retrieval attempts, or at least treat them the same way as failed logins. Silver bullet? No. Just small design considerations that make small improvements. I'm not trying to suggest a good password retrieval system in this post, although maybe I should another time. Sorry you wasted your time.

As I said at the outset, I hesitated to write this post, in part because of what may be perceived as the obviousness of the problem. But in the past couple months, I’ve had several conversations with developers to whom this is all completely new. A couple of those conversations happened just last week. So I decided to write it and wreak suffering upon the unsuspecting.

Solutions? Read those last two paragraphs again:

* choose good questions. Nope, no guidance on that right now.
* multiple questions, although that just adds a speed bump by making it a trifle harder to crack with brute force.
* Expect demonstrated control of a resource.
* closely related to that, multi-factor authentication, although man-in-the-middle attacks render it less than ideal.
* Lock accounts for failed password retrieval attempts, or at least treat them the same way as failed logins.

Silver bullet? No. Just small design considerations that make small improvements. I’m not trying to suggest a good password retrieval system in this post, although maybe I should another time.

]]> By: Sy http://afongen.com/blog/2008/08/30/secret-questions/comment-page-1/#comment-26515 Sy Tue, 02 Sep 2008 06:36:04 +0000 http://afongen.com/blog/?p=1006#comment-26515 Thanks for wasting my time. We already know this. I thought you had solution. Thanks for wasting my time. We already know this. I thought you had solution.

]]>