Slashdot Mirror

← Back to Stories (view on slashdot.org)

Secret Security Questions Are a Joke

Posted by timothy on from the totally-true-thesis dept.

Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden's name,' concludes Rosen. Passwords have reached the end of their useful life adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"

1 of 408 comments (clear)

  1. Re:Simple solution by Bert64 · · Score: 5, Interesting

    I do similar, but with a wildcard subdomain so user@something.mydomain.com, the reasons for this are:

    1, spammers will try to brute force common email account names once they get a domain to target
    2, i can override the wildcard by creating specific mx records for a given hostname, and thus lose the spam without my mailserver having to process it at all, usually i redirect it to the mx records of the server that sold me out.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!