Slashdot Mirror

← Back to Stories (view on slashdot.org)

How are 'Secret Questions' Secure?

Posted by ryuzaki0 on from the security-versus-usability dept.

Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?

2 of 116 comments (clear)

  1. You just have to ask yourself the question... by Joff_NZ · · Score: 5, Funny

    What is delicious?

    --
    The revolution will not be televised. It won't be on a friggin blog either
  2. Funny secret question situation... by Hamster+Lover · · Score: 5, Funny

    I had to call in to Telus Internet service to address a problem and was asked my secret questions. Being the flippant ass I am, Telus (I think was Telus, it might be Bell Expressvu) let's you type your own secret question and answers so I took the liberty of coming up with some, ah, inappropriate questions and answers. Needless to say, the support agent on the line started to giggle when she had to read my secret questions:

    Question: How do I masturbate in the shower?
    Answer: With my SpongeBob SquarePants friend.

    Question: What is the most sexually satisfying farm animal?
    Answer: The Llama.

    I am not sure who was more embarrassed, me or the agent as I had forgotten that I even made up those questions in the first place.