security questions

 
author & internet detective
OWASP has a page on choosing and using security questions. I'm not a fan of security questions. Or insecure questions as the case may be.

Pet peeves include:
1) What's the street you grew up in? Many people know this. I could make something up, but then I'd never remember it.
2) What type of car do you have? I don't have a car. I love when questions about cars are mandatory. I get to remember something that has nothing to do with cars as the answer.
3) Who is your favorite author? This one isn't a bad question although some people would know it. But I managed to spell the name of my favorite author wrong on an important system. I couldn't get in because I didn't realize the typo. (and no, they didn't make me type it twice - that would have caught the problem.)

I do like when you can choose your own security question. And by choose, I mean type one in. Not from a canned list. One of my security questions that I do like is "What was the original Toronto (1 word)." [and I used a different city in the real question in case you are wondering.] This is something that would only mean something to me and one other person in the whole world. And it isn't something that anyone would guess. And the one word part helps me remember the format I used.

This is more of a discussion than a question. (So I hope to see more replies than just the guest author). Do you have any tips for responding to security questions as a user?
 
Author
I agree with you. Security Questions should never ever be a sole factor for any authentication feature. As one of several steps it MIGHT be ok, but proceed with caution. Kevin Wall wrote the "choosing and using security questions cheat sheet" at OWASP. Also check out the Forgot Password Cheatsheet which discusses security questions as an optional secondary step.

Never depending on security questions is a good strategy.

Aloha,
Jim Manico
@Manicode
 
Sheriff
I'm not a big fan either. The one choice I hate the most is "What's your mother's maiden name?" because a lot of credit card companies also use that question. I always give a bogus one anyway but then I have to write it down somewhere and keep that safe. I really hate it when I forget the answer to one question and the stupid system only gives me so many chances to get it right. Then when I restart the process hoping to get another security question instead, the randomizer ends up challenging me with the same question. And the try count doesn't reset. If there are only 3 security questions, then there's a pretty good chance (1/3 maybe?) that I'll get the same question when I restart the process.

I actually like USBank.com's approach where they ask me to select a picture then provide a phrase that I would associate with that picture. I suppose this is a defense against phishing in that it would be a way for me to tell if I'm about to become a victim, the assumption being that a phishing attacker would not be able to fake both the picture and the associated phrase that I gave. I wonder if there is any weakness to this type of defense though. Also, does this count as two-factor or is it something else?
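The two user-side complaints in this thread (a mistyped answer at enrollment that locks you out, and a challenge that keeps re-asking the same question with a try count that never resets) are the things a server-side implementation has to decide on. Below is an added illustration written for this thread, not code from OWASP or from any poster: it confirms the answer twice at enrollment, normalises case and whitespace before hashing so a capitalisation slip does not lock you out, pins one question per account so restarting the flow cannot re-roll for a weaker question, and keeps the attempt counter on the account rather than the session, which is the behaviour complained about above but is deliberate. The class name, the account name and the enrolled question/answer are constructed for the example.

```python
"""Security-question challenge as a secondary recovery step (illustrative,
not OWASP or any poster's code). All names and enrolled data are constructed."""
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 3          # the "only so many chances" from the thread
KDF_ITERATIONS = 200_000  # answers are low-entropy, so use a slow, salted hash


def normalize(answer: str) -> str:
    """Fold the slips the thread complains about (case, stray spaces,
    Unicode variants) so 'Toronto', 'toronto ' and 'TORONTO' all match."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 over the normalised answer; never store the answer itself."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, KDF_ITERATIONS)


class SecurityQuestionStore:
    """Per-account record: the pinned question, salted hash, failure counter."""

    def __init__(self) -> None:
        self._accounts: dict[str, dict] = {}

    def enroll(self, user: str, question: str, answer: str, confirm: str) -> None:
        # "type it twice": this is what would have caught the first poster's typo
        if normalize(answer) != normalize(confirm):
            raise ValueError("answers do not match; re-enter")
        if len(normalize(answer)) < 3:
            raise ValueError("answer too short to be useful")
        salt = os.urandom(16)
        self._accounts[user] = {
            "question": question,
            "salt": salt,
            "hash": hash_answer(answer, salt),
            "failures": 0,
        }

    def challenge(self, user: str) -> str:
        """Always the same question for this account: restarting the flow
        must not offer a fresh random question to cycle through."""
        return self._accounts[user]["question"]

    def is_locked(self, user: str) -> bool:
        return self._accounts[user]["failures"] >= MAX_ATTEMPTS

    def verify(self, user: str, answer: str) -> bool:
        """Constant-time compare; the counter lives on the account, so
        abandoning and restarting the flow does not reset it."""
        rec = self._accounts[user]
        if rec["failures"] >= MAX_ATTEMPTS:
            return False  # locked until an out-of-band reset, even if correct
        ok = hmac.compare_digest(hash_answer(answer, rec["salt"]), rec["hash"])
        if ok:
            rec["failures"] = 0
        else:
            rec["failures"] += 1
        return ok


if __name__ == "__main__":
    store = SecurityQuestionStore()
    # constructed enrollment; the confirm value has a case/space slip on purpose
    store.enroll("alice", "What was the original Springfield (1 word)?",
                 "Shelbyville", "shelbyville ")
    print(store.challenge("alice"))
    print(store.verify("alice", "SHELBYVILLE"))   # True despite the capitals
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", "wrong")
    print(store.is_locked("alice"))               # True: counter did not reset
```

Lockout here is a hard stop after three failures; a real deployment would pair it with an out-of-band reset and would treat the question as one signal among several, as the Forgot Password Cheatsheet mentioned above describes, never as the sole factor.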
 
Jim Manico
Author
Junilu Lacar wrote:I'm not a big fan either. The one choice I hate the most is "What's your mother's maiden name?" because a lot of credit card companies also use that question. I always give a bogus one anyway but then I have to write it down somewhere and keep that safe. I really hate it when I forget the answer to one question and the stupid system only gives me so many chances to get it right. Then when I restart the process hoping to get another security question instead, the randomizer ends up challenging me with the same question. And the try count doesn't reset. If there are only 3 security questions, then there's a pretty good chance (1/3 maybe?) that I'll get the same question when I restart the process.

I actually like USBank.com's approach where they ask me to select a picture then provide a phrase that I would associate with that picture. I suppose this is a defense against phishing in that it would be a way for me to tell if I'm about to become a victim, the assumption being that a phishing attacker would not be able to fake both the picture and the associated phrase that I gave. I wonder if there is any weakness to this type of defense though. Also, does this count as two-factor or is it something else?

This defense to protect against phishing is completely useless and many companies are dropping it. A phishing site could take your username, fetch the image, and display it on the phishing site. It's not a good security control.
 
Junilu Lacar
Sheriff

Jim Manico wrote:This defense to protect against phishing is completely useless and many companies are dropping it. A phishing site could take your username, fetch the image, and display it on the phishing site. It's not a good security control.

Huh, now that I think about it, you're right. All an attacker needs to do is steal my username and then he'd still be able to masquerade as the real site and trick me into entering my password.
 
Jim Manico
Author

Junilu Lacar wrote:
Jim Manico wrote:This defense to protect against phishing is completely useless and many companies are dropping it. A phishing site could take your username, fetch the image, and display it on the phishing site. It's not a good security control.

Huh, now that I think about it, you're right. All an attacker needs to do is steal my username and then he'd still be able to masquerade as the real site and trick me into entering my password.

Exactly! The phishing site itself would get your username, go grab the image, and relay it back. It's not that tough to do....
 
Bartender
When I worked in desktop support, there was a guy who had a notebook of all his passwords. In the notebook, he also kept his "answers" to his security questions.

I made a comment that some answers can be guessed. So he said, "why do you think I write them down?" -- implying that he didn't even know the answers, thus defeating the purpose. If his notebook were burned, he'd have no means of recovery.

I have a list of lies I keep in my head. My high school mascot? First car make/model/color? Street I grew up on? Best friend's name? All lies. Always the same lie so I can remember.
 
Jim Manico
Author

Janeice DelVecchio wrote:When I worked in desktop support, there was a guy who had a notebook of all his passwords. In the notebook, he also kept his "answers" to his security questions.

I made a comment that some answers can be guessed. So he said, "why do you think I write them down?" -- implying that he didn't even know the answers, thus defeating the purpose. If his notebook were burned, he'd have no means of recovery.

I have a list of lies I keep in my head. My high school mascot? First car make/model/color? Street I grew up on? Best friend's name? All lies. Always the same lie so I can remember.

I would suggest the use of a password manager as well.
 