Secret Security Questions Are a Joke
Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden name,' concludes Rosen. Passwords have reached the end of their useful life, adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"
Joke's on them! I've never had a girlfriend!
I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.
I had to resort to adding layers of generations when my (now ex) wife attempted to open credit cards behind my back.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
I once had an account on a site that asked me to select three questions from a list of a couple dozen then answer them.
When I needed to recover my password, it asked me to select the same three questions from a list of a couple dozen then answer them again.
I never managed to recover my password.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Or go to passwordmaker.org, and use the security question (all lower case and no punctuation) as URL and your own secret password. Set the character set to hex digits so that the answer is easy to read out over the phone.
And as long as you always answer 42, or 416, what is the problem with that?
This is pretty much what I do. I have a password that changes based on the question, but isn't actually the answer to the question.
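The two comments above describe the same idea: do not answer the security question truthfully, derive an answer from a single master secret and the question text, and hand the site that instead. The following is an added example of that approach, not code from the original page and not passwordmaker.org's actual algorithm. It assumes PBKDF2-HMAC-SHA256 with 600,000 iterations as the derivation, and, going one step beyond the comment, mixes in a site label so that the same question on two sites yields unrelated answers; the iteration count, the 16-hex-digit answer length and the normalisation rules are choices made for this example.

```python
import hashlib
import re
import unicodedata

# Parameters chosen for this added example (hypothetical; not passwordmaker.org's settings).
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
ANSWER_HEX_CHARS = 16         # 64 bits, short enough to read out over the phone


def normalize_question(question: str) -> str:
    """Canonicalise the question text so that case, punctuation and spacing
    differences in how a site prints the question still yield the same answer:
    Unicode NFKC, lower case, punctuation stripped, whitespace collapsed."""
    q = unicodedata.normalize("NFKC", question).lower()
    q = re.sub(r"[^\w\s]", "", q)      # drop punctuation, keep letters/digits/underscore
    q = re.sub(r"\s+", " ", q).strip()  # collapse runs of whitespace
    return q


def derive_answer(master_secret: str, question: str, site: str = "",
                  length: int = ANSWER_HEX_CHARS) -> str:
    """Derive a per-question, per-site 'answer' from one master secret.

    The master secret is the PBKDF2 password; the site label plus the normalised
    question form the salt. Different questions or sites therefore give unrelated
    answers, and a site that stores one answer in the clear learns nothing about
    the others or about the master secret beyond what an offline guess costs."""
    if not 1 <= length <= 64:
        raise ValueError("length must be between 1 and 64 hex digits")
    # NUL separates the two salt fields so "a" + "bc" cannot collide with "ab" + "c".
    salt = f"{site}\x00{normalize_question(question)}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              salt, PBKDF2_ITERATIONS, dklen=32)
    return key.hex()[:length]


def answers_for(master_secret: str, site: str, questions: list[str]) -> dict[str, str]:
    """Convenience wrapper: the answers to give for every question a site asks."""
    return {q: derive_answer(master_secret, q, site) for q in questions}


if __name__ == "__main__":
    # Constructed sample input: a strong master secret and the questions a site asks.
    master = "correct horse battery staple"
    site = "example.com"
    asked = ["What is your mother's maiden name?",
             "What was the name of the first street you lived on?"]
    for question, answer in answers_for(master, site, asked).items():
        print(f"{question!r:60} -> {answer}")
    # The same question with different punctuation/case still maps to the same answer.
    assert derive_answer(master, "WHAT IS YOUR MOTHERS MAIDEN NAME", site) == \
        derive_answer(master, asked[0], site)
```

Two caveats a practitioner will hit in practice. First, normalisation only absorbs case, punctuation and spacing; if a site rewrites the question ("mother's maiden name" becomes "maternal surname"), the derived answer changes, so keep a record of the exact question text you answered. Second, some sites reject answers that are not letters, and a site that stores answers in plaintext and is breached gives an attacker an offline target: the PBKDF2 work factor makes that guessing expensive, but it does not rescue a weak master secret.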