Jim Manico
Author of Iron-Clad Java, Building Secure Web Applications
Junilu Lacar wrote:I'm not a big fan either. The one choice I hate the most is "What's your mother's maiden name?" because a lot of credit card companies also use that question. I always give a bogus one anyway but then I have to write it down somewhere and keep that safe. I really hate it when I forget the answer to one question and the stupid system only gives me so many chances to get it right. Then when I restart the process hoping to get another security question instead, the randomizer ends up challenging me with the same question. And the try count doesn't reset. If there are only 3 security questions, then there's a pretty good chance (1/3 maybe?) that I'll get the same question when I restart the process.
I actually like USBank.com's approach where they ask me to select a picture then provide a phrase that I would associate with that picture. I suppose this is a defense against phishing in that it would be a way for me to tell if I'm about to become a victim, the assumption being that a phishing attacker would not be able to fake both the picture and the associated phrase that I gave. I wonder if there is any weakness to this type of defense though. Also, does this count as two-factor or is it something else?
Jim Manico
Author of Iron-Clad Java, Building Secure Web Applications
Jim Manico wrote:This defense to protect against phishing is completely useless and many companies are dropping it. A phishing site could take your username, fetch the image, and display it on the phishing site. It's not a good security control.
Junilu Lacar wrote:
Jim Manico wrote:This defense to protect against phishing is completely useless and many companies are dropping it. A phishing site could take your username, fetch the image, and display it on the phishing site. It's not a good security control.
Huh, now that I think about it, you're right. All an attacker needs to do is steal my username and then he'd still be able to masquerade as the real site and trick me into entering my password.
Jim Manico
Author of Iron-Clad Java, Building Secure Web Applications
When you do things right, people won't be sure you've done anything at all.
Janeice DelVecchio wrote:When I worked in desktop support, there was a guy who had a notebook of all his passwords. In the notebook, he also kept his "answers" to his security questions.
I made a comment that some answers can be guessed. So he said, "why do you think I write them down?" -- implying that he didn't even know the answers, thus defeating the purpose. If his notebook were burned, he'd have no means of recovery.
I have a list of lies I keep in my head. My high school mascot? First car make/model/color? Street I grew up on? Best friend's name? All lies. Always the same lie so I can remember.
Jim Manico
Author of Iron-Clad Java, Building Secure Web Applications