Let's kill inane "(in)security questions"


#1

Originally published at: http://boingboing.net/2016/09/28/lets-kill-inane-insecuri.html


#2

I have been answering with lies for years now.
I will state again what would be awesome is a USB stick-type dongle (or similar smart chip thing) that is issued by a trusted cert authority and you have to enter a passphrase to go along with the dongle being inserted.


#3

Or just use something like Google Authenticator (TOTP).

Yes, your phone can be lost or stolen, but so can a dongle, and you’re far more likely to notice your phone going missing.


#4

I would do that, but I have a hard enough time remembering the truth (and how I typed it).


#5

That’s why I use a password manager - so I can store my non-sensical answers there.


#6

dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle

dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle dongle

I’ve also been answering security questions with random words, but I try to remember to plug them into my password manager. IIRC, CMD-Shift-4 on the mac will allow the user to screenshot a chosen portion of the screen–that makes entering them into Lastpass all that much easier (of course, don’t forget to delete the relevant screenshot).


#7

I have three specific lies which are sufficient to respond to any stupid security question. You usually get three chances, so you don’t even have to remember which lie goes with which question.


#8

Yeah, I put 64 character hashes in the security questions and just store those in my password manager.

Those questions are really horrible.


#9

I answer with neither truth nor lies, because I am not paid to be a person, nor have personal information.


#10

You don’t have to do the impossible.

Well that’s a relief.


#11

Heck if you could make smart card readers standard it could easily be just another card in your wallet but that wouldn’t work well for tablets/phones.


#12

Hey, Apple has NFC now, so all we need is to make the card an NFC-enabled device like a YubiKey Neo.


#13

That’s smart - I have to remember that. I sometimes lie, but even when I tell the truth, I can’t necessarily remember the exact form. The result being that I either forget my security questions or have to list them all in plain text files I store locally.


#14

It’s worse when they take questions from public record. That means anybody can get the information necessary to answer them. It’s especially troublesome when there is an information loss. For example:

Information loss basically reduces this question to “what does this person do for a living”, which is a far easier question to answer. I come across this question far more than I should, and I should never run across it because it’s such a shitty question.


#15

This. If it’s an automated system online, then forget it. Even if the system uses regex and doesn’t require exact string matching (some do for God knows what reason), I still can’t remember exactly how I phrased the security answer.


#16

Except Apple eliminated the “secure delete” function and deleted standard image files are easy to recover if they haven’t been overwritten. Not saying I haven’t used screengrabs to capture passwords. But I do think it is a problem in terms of bad security hygiene.


#17

I’m more worried about email/cell phone recovery.


#18

The problem with TOTP and most similar dongle/smart chip devices is that they still require some authority to store a secret that can be lost. In the TOTP case the code issuer, Google in the Google Authenticator case, has to keep a copy of the same seed value as was transmitted to the phone. The system works by taking the current time and combining it with the seed to produce a 6-digit code. Both sides need the seed: you (via your phone) to type in the code, and Google to verify that the code supplied is one that was recently generated.

This still leaves Google, or any other TOTP vendor, with something it is capable of losing to hackers or insiders. There are ways to mitigate that, like crypto hardware that has one-way entry of those secrets but can still verify a code. I would hope Google has done this, but I know that when my employer looked into it, it was too costly for the small benefit it would give us (not a large enough user base to cover costs).

There are other options like SQRL that don’t rely on sites or third parties storing your secrets that they could lose, but most of them have not yet gotten traction.
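The seed-sharing point in the post above can be seen in a few lines of code. The following is an added example, not code from the thread or from Google Authenticator: a minimal RFC 6238 TOTP implementation in which the server enrols a user by generating a random seed, hands the same seed to the phone app (base32-encoded, as authenticator apps expect), and later verifies a submitted code. The function names (`hotp`, `totp`, `verify_totp`, `enrol_user`) and the in-memory `SERVER_SEEDS` store are assumptions for illustration; the store is exactly the copy of the seed the post says a vendor can lose.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed server-side store: user -> raw seed bytes.
# Whoever can read this table can generate every user's codes.
SERVER_SEEDS: dict[str, bytes] = {}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is simply the current time divided into
    30-second steps, so phone and server agree without talking to each other."""
    return hotp(seed, int(for_time) // step, digits)


def verify_totp(seed: bytes, code: str, for_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accept the current step plus `window` steps either
    side to tolerate clock drift; constant-time compare avoids a timing leak."""
    for skew in range(-window, window + 1):
        expected = totp(seed, for_time + skew * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def enrol_user(user: str) -> str:
    """Enrolment: generate a 160-bit seed, keep it server-side, and return the
    base32 form that is normally shown to the phone as a QR code. Both copies
    are the same secret; the server copy is the one an insider could exfiltrate."""
    seed = secrets.token_bytes(20)
    SERVER_SEEDS[user] = seed
    return base64.b32encode(seed).decode("ascii")


def phone_code(base32_seed: str, for_time: float) -> str:
    """What the authenticator app computes from the seed it was given."""
    return totp(base64.b32decode(base32_seed), for_time)


def server_check(user: str, code: str, for_time: float) -> bool:
    """What the site computes from its stored copy of the same seed."""
    return verify_totp(SERVER_SEEDS[user], code, for_time)


if __name__ == "__main__":
    # Constructed end-to-end run: enrol, have the "phone" compute a code,
    # have the "server" verify it with its own copy of the seed.
    shown_to_phone = enrol_user("alice")
    now = time.time()
    code = phone_code(shown_to_phone, now)
    print("code:", code, "accepted:", server_check("alice", code, now))
```

The `hotp`/`totp` functions reproduce the RFC 6238 reference vectors (seed `12345678901234567890`, time 59 gives `94287082` at 8 digits), so the arithmetic matches what Google Authenticator and similar apps do. Note that nothing in `server_check` needs anything other than the stored seed and the clock, which is the whole strength and the whole weakness the post describes.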


#19

Well, for the dongle I am thinking more like the badges where I used to work. We had a smart chip in them. To log into the PC/network you put it in the card reader and had an at least 8-digit PIN. So to break an account you had to have the card AND know the PIN, and add in a lockout policy after 3 failed attempts and it was pretty awesome. Security by now is probably starting to beat on the apps used internally that require userid/password to work, and if you did need it, which I did when I built servers all day as the image tool required it, we got a temporary randomly generated string for 10 hours at the most. So something you know + something you have. Of course that won’t stop a pipe wrench to the knees, but it could stop a lot of common things.

The problem I see with that solution is you could end up with one for amazon, one for your bank/credit union, one for target, etc. Which is a mess as well.


#20

BBBRAPPPP
Mom: Woah…

Me: Mom!

Mom: “Mom”? Who are you? And what is that box you just stepped out of?

Me: I’m your son from the future and this is my time machine. I need a huge favor! My Yahoo account has been hacked!!

Mom: I don’t know how I should feel about that…

Me: It’s a catastrophe! All of my Flickr photos have been replaced with goatse images!

Mom: Yeah…what’s up with the future? Are you guys ok? Do you need me to come up there?

Me: Please, mom! There’s no time to explain.

Mom: You’ve got a time machine…

Me: Mom!

Mom: Ok, ok. What is it you need, dear?

Me: I need you to change your last name.

Mom: …seriously?

Me: Yes. Nefarious hackers know it was “Jones” and now they are pwning me.

Mom: Do I drop you on your head or something?

Me: Please, if you don’t do this for me my life will be RUINED!!

Mom: Ok! Sheesh. What do you need me to change it to?

Me: “duHP6&+hE8dm”