Security questions
Oct. 31st, 2013 12:36 am
Recently, someone was ranting again about how most "security questions" still suck.
Seriously, banks can spend millions sending out dongles to all their customers, and disabling "right click", but can't afford five minutes to brainstorm "are these questions ambiguous, insecure, and counter-productive"?
I've seen some reasonable guides for "how to do it right" online. But if you were doing it, how would you do it?
Would you have security questions at all? Is something else better?
If you did, what questions would you use?
What are the salient features? I'd say an ideal question would have these properties: it doesn't change (e.g. no "what is your favourite..." if it might change over time); it's not ambiguous (e.g. you don't have to guess the capitalisation); it's not easily googleable; it's not easily social-engineered; it's not personal or offensive[1]; and it's not necessarily known by close relatives[2].
Other than making sure our mothers' maiden names[3] and first pets' names are at least 8 characters long and include both a number and a letter...
[1] This one didn't even occur to me until I saw how you can screw it up.
[2] This may be impossible, but you can at least try.
[3] For instance, this is an example of a question which works great with 20th century gender roles...
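One way to make the "not ambiguous" criterion concrete on the server side, as an added example that is not part of the original post: normalise the answer (case, accents, punctuation, spacing) before hashing it, and store only a salted slow hash, exactly as you would a password. The function names and parameters are my own assumptions, not from any particular site.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def normalise_answer(answer: str) -> str:
    """Map spelling variants of the same answer to one canonical form.

    "St. Mary's", "st marys" and "ST MARYS" all become "stmarys", so the
    user never has to guess how they capitalised or punctuated it.
    """
    # Decompose accented characters and drop the combining marks (É -> E).
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # Case-insensitive comparison; casefold handles ß and similar, not just ASCII.
    text = text.casefold()
    # Keep only letters and digits: punctuation and whitespace are ignored.
    return re.sub(r"[^a-z0-9]+", "", text)


def store_answer(answer: str, *, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to persist; the raw answer is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise_answer(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for a candidate and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac(
        "sha256", normalise_answer(candidate).encode(), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    # Constructed sample: the user enrolled "St. Mary's" and later types "st marys".
    salt, digest = store_answer("St. Mary's")
    print(verify_answer("st marys", salt, digest))   # True
    print(verify_answer("st johns", salt, digest))   # False
```

This only removes the ambiguity problem; an answer that is googleable or known to relatives is just as weak after normalisation, which is why the answer space, not the comparison, is what the question design has to fix.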