Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security

Bill Dog's Journal: what do you think about so-called "security questions"? 3

Journal by Bill Dog

My car ins. is thru State Farm. They've started asking for my mileage periodically, apparently to move away from a two-tier pricing system (regular (avg 12K/yr) or low-mileage (under 7500 mi I think)) to better-matched tiers. (Thankfully they're not yet quite as "Progressive" as to ask to put a device in my car that spies on my driving.)

I've haven't gotten around to making my password manager program (and I don't want to have to trust someone else's, and I am a programmer afterall so I shouldn't have to), so unimportant things like this get put on stickies, which invariably seem to be eaten by my desk like socks by my dryer.

This is no problem as I can just request that login credentials be e-mailed to the address they have on record, like Slashdot does. EXCEPT when they implement those stupid "security questions".

My take on them is that they're a huge security hole in an otherwise fairly secure (if you choose an obscure username and a strong password) system. They typically necessite answers in common words (if you want to be able to remember your answers, that is), and on topics that are susceptible to public records and social engineering techniques.

So I do what I think is the best I can do to mitigate this weakest link in all-too-common login schemes and fill these fields with random garbage characters.

So on State Farm's web site I find a # for "technical support". So I call asking for a password reset, and the lady asks me the same questions as the auto function for doing this on the web site. I explained why I'm incapable of recalling the answers to the security questions, and was told they couldn't help me without them.

Well what good is their so-called tech support dept then? If they're just monkeys reading scripts, and can only type things into the public web site like I can, then that's not "technical support".

I called technical support for their web site because I was locked out of my account. I'm still locked out of my account, because their technical support couldn't offer any actual technical support!

After that I found a comment/suggestion form, and typed in my contact info and the current problem and gave my background explano, and got:

Technical Error

We are unable to complete your request due to technical difficulty.

Please click on any navigation link at the top or you may return to State Farm homepage.

With an organization this technically inept, I don't even want to risk having an online account with them. Now I want to close it, and just do everything thru my agent (a system that's been working fine for around 20 years now).

p.s. I guess from now on I should alter my behavior slightly and type in and write down strong passwords (and record which question I "chose" (in case a given site ever changes the order of which one appears first/chosen by default in the dropdown)) for these fields.

p.p.s. Another consideration in using these fields as intended is that I don't esp. want to give away to companies (and their partnering companies?) answers to some of these kinda personal questions. If I were devious I would've tried to corner the market on security questions way back and urged web sites to outsource them to me like that Discus or whatever for web comments, and then build dossiers on people and sell to Google and other such bastards who only generally know about us by what we give away in our searches and emails.

This discussion has been archived. No new comments can be posted.

what do you think about so-called "security questions"?

Comments Filter:
  • To be horridly inefficient/obsolete.

    Let's face it- in the face of a determined hacker, ordinary privacy is largely obsolete and has been for over 10 years now. The only reason more people don't succumb to ID theft at this point is buyer pattern recognition software is coming very close to simply cutting the ID Thief off with the first purchase. I'm to the point where I can't even go to Fry's- in a city less than 15 miles away- without having to confirm my purchase on my cell phone because I don't go often

    • by Bill Dog (726542)

      I believe "security thru obscurity" means not applying a security measure to something but just having faith in the unlikelihood of its being attempted on. Like instead of buying a house in the city and employing door locks, buying some land out somewhere where no one knows anyone lives and erecting a house on it without any locks. I.e. relying on obscurity instead of (weak or strong) actual security measures.

      I see "security questions" as an actual security measure, just that they're actually weaker than th

  • And my own anecdotal story. Knights of Columbus, after 120 years of operations, is finally moving into the 21st century. They have this wonderful web tool to enable council and state officers to access and manage member information.

    Problem is it's behind a password. One you have to change every four months. One that uses security questions to change a password. One that requires *exact match* for the security questions. One that requires *ONLY* the user to type in remotely to reset the password.

    Their

10.0 times 0.1 is hardly ever 1.0.

Working...