Let's kill inane "(in)security questions"

Am I the only one freaked out about the use of password managers? We already had one hacked this year. Having a single source of failure of millions of people’s credentials seems pretty horrible compared to only one individual’s.

I guess the only solution is to answer those recovery questions with Quantum Truth™. Answers that are in a truthful superposition, neither true nor false, and change every time they’re examined (for MaXXimum Security!™). Oh wait, that’s getting into politics. My bad.

2 Likes

Why do I have an image in my head now of Calvin trying to convince his mom of this?

5 Likes

Yeah, I’d rather have a password manager on my phone with a backup on a USB stick than have to carry around a backpack full of 150 dongles, and have to constantly dig through it to find the right one before the login timed out.

I wouldn’t use one of those for personal use. Some are local and don’t sync or keep a backup anywhere online unless you explicitly set that up. While it’s possible that I might lose my USB stick or phone, and someone who finds it might hack the password manager data file, it’s a lot less likely than an always on cloud service with millions of people’s valuable passwords getting hacked.

On one occasion, I did leave a copy of my personal password manager open on a computer, but I realized it right away and was able to reset all the important passwords before I got home; did the rest of them later that evening.

Dongles were a big enough pain when every high end piece of software on my Mac required a separate one to be actively connected to the computer - and those were dongles I didn’t have to carry around with me.

mummy needs a drink

the fido key is a simple usb dongle that does the job
but first might make it clear …if it does not get a bluetooth
connection it is rendered ambiguous …if someone can tell apple
they may be able to force quit does not work in reverse

blue pill

1 Like

What is already public can’t be leaked.

The CA DMV has a series of 5 non-optional “security” questions required to set up the on-line account needed to use the service.

Given that I now never give real answers since they are all unchangeable facts, 5 security questions means a big PIA to store in my password locker.

That’s my problem. Also, we’ll start seeing things try to compromise the clipboard, because all anyone does using password managers is cut & paste. Get access to the clipboard, you have the keys w/o ever having to crack an account.

2 Likes

They’re common enough (many branches of the US Federal Government require smart card logins) that some manufacturers like Dell even make models (even laptops) with smart card readers built in.

1 Like

Hell, Facebook is always showing me my clipboard contents and trying to suggest I post any link in it publicly to FB!!! I did not paste into FB!!! FB has no legitimate business pulling strings out of my clipboard unless I use the paste command. Someday I’m going to slip and accidentally post some embarrassing URL. Grrrrrr. (“I swear, I was just looking at Breitbart.com for opposition research! Really!”)

1 Like

I am fond of, and have actually used, Eugene Mirman’s security question of:

Q: What are you wearing?
A: That is highly inappropriate!

Even better, after some credit card fraud I set it up over the phone with a rep on my account. Had to start with, “OK, please bear with me here…”. She was very amused!

3 Likes

So, something I’ve also wondered about (and feel free, security folks, to fork to a new topic):

Biometrics. Let’s call it fingerprints, handwriting, mouse gesture patterns, brainwaves, etc. My fingerprints have been changed slightly by accidents fishing (probably not enough to fool fingerprint IDs, though), but still it got me thinking.

Catastrophic damage to your body can alter those things, rendering you unable to access your accounts in addition to being potentially disabled.

A question I don’t see being asked (let alone answered): How do we develop identity management solutions that are secure, and uniquely identify us, but have contingency plans for the parts of us that can change in a tragic instant? (Or are resistant to such changes?)

2 Likes

I agree. But if someone wants to get into my computer so badly that they’re willing to hack my local machine, intercept the trashbin, look through all of the recovered screencaps in order to get security question answers so that they can then hack that account…well…I don’t know that there’s a great deal more I might be able to do to protect myself.

I mean, I’m typing this from behind, like, the fourth or fifth firewall…

1 Like

Maybe a more aggressive pushback is necessary…

Q: What is your first car?
A: Chevy'); DROP TABLE Passwords;--

https://xkcd.com/327/

3 Likes
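The joke above only works against a site that splices the answer straight into its SQL. The following is an added example (not from the thread or from xkcd) that stores the thread's own "first car" answer two ways: once by string formatting, once with a parameterized query. It uses an in-memory SQLite database, a constructed Passwords table, and `executescript` to stand in for a database driver that executes several statements from one string; all of those are assumptions of the demo.

```python
import sqlite3

# The answer from the thread, used here as constructed test input.
INJECTED_ANSWER = "Chevy'); DROP TABLE Passwords;--"


def setup():
    """Create a throwaway in-memory database with one existing row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Passwords (user TEXT, question TEXT, answer TEXT);
        INSERT INTO Passwords VALUES ('alice', 'first car', 'Honda');
        """
    )
    return conn


def store_answer_unsafe(conn, user, answer):
    """Vulnerable form: the user-supplied answer becomes part of the SQL text.

    With the thread's answer the resulting string is
        INSERT INTO Passwords VALUES ('bob', 'first car', 'Chevy'); DROP TABLE Passwords;--');
    so the quote closes the literal, the parenthesis and semicolon end the INSERT,
    DROP TABLE runs as a second statement, and -- comments out the trailing ');.
    executescript is used because, like some real drivers, it runs every statement it is given.
    """
    sql = f"INSERT INTO Passwords VALUES ('{user}', 'first car', '{answer}');"
    conn.executescript(sql)


def store_answer_safe(conn, user, answer):
    """Hardened form: placeholders keep the answer as data, never as SQL syntax."""
    conn.execute(
        "INSERT INTO Passwords VALUES (?, 'first car', ?)",
        (user, answer),
    )
    conn.commit()


def table_exists(conn):
    """True if the Passwords table survived."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Passwords'"
    ).fetchone()
    return row is not None


def stored_answer(conn, user):
    """Return the answer stored for a user, or None if there is none (or no table)."""
    if not table_exists(conn):
        return None
    row = conn.execute(
        "SELECT answer FROM Passwords WHERE user = ?", (user,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup()
    store_answer_unsafe(db, "bob", INJECTED_ANSWER)
    print("after unsafe insert, table exists:", table_exists(db))  # False

    db = setup()
    store_answer_safe(db, "bob", INJECTED_ANSWER)
    print("after safe insert, table exists:", table_exists(db))  # True
    print("bob's stored answer:", stored_answer(db, "bob"))  # the literal string, punctuation and all
```

The parameterized version stores the whole string, semicolons and comment marker included, as an ordinary answer; the only thing the punctuation achieves is making it a harder answer to type over the phone.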

That shows one of the big problems with biometrics. You can easily create unique passwords for each system, but you can’t easily create a new retina for each system. That means if any system gets compromised, they’re all compromised. Fingerprints are even worse because you leave copies of them everywhere in the real world. And while you can easily go in and change your password if you need to, you can’t easily change your retinas. But as you mentioned, they may change without you intending to change them.

Because of their drawbacks, they aren’t intended to be used instead of passwords, but people are doing that. They’re also no good for pseudonymous accounts.

Public-private key pairs with web-of-trust and revocation certificates generally hit on the necessary problems (and can be used for group identities and role identities, as well as allowing multiple identities). It’s not perfect though - still seems awkward and confusing to non-techies, web of trust is a difficulty, and certificate revocation isn’t sufficiently guaranteed (until the recipient receives the revocation, they still think the key is valid). Identity and security are the easy parts, it’s trust and communication that are difficult.

3 Likes

Doesn’t scale well and has all sorts of breaking points IRL.

3 Likes

I think we should switch over to McSweeney’s Nihilistic Password Security Questions:

What is the name of your least favorite child?

In what year did you abandon your dreams?

What is the maiden name of your father’s mistress?

At what age did your childhood pet run away?

What was the name of your favorite unpaid internship?

In what city did you first experience ennui?

What is your ex-wife’s newest last name?

What sports team do you fetishize to avoid meaningful discussion with others?

What is the name of your favorite canceled TV show?

What was the middle name of your first rebound?

On what street did you lose your childlike sense of wonder?

When did you stop trying?

10 Likes
