IBitOBear writes: "It seems that every web site these days wants me to provide answers to "security questions". Most of these questions are not that unique (mother's maiden name), some are unlikely (name of the person I went to prom with), more are just unanswerable (mother's youngest sibling if she's an only child), and some sites are just plain broken (one site recently wanted the city of my birth, but wouldn't allow spaces in the response, and I guarantee that when it comes time to answer I'll forget it was all crammed together just on that site). In terms of practical security this seems like a fad with no substance. When one site did it, it was "clever", but now that they all know my mother's maiden name aren't I _LESS_ secure? It seems like these questions really just serve as second and third password prompts, except that if I answer them honestly the resulting passwords are generally something a bad actor could find out pretty easily. There is typically no "opt-out" of these "added security features" and some sites will let you see your previous answers, so if the cracker gets in there he gets bonus information about you. Aside from inventing a fake personal history for each site, what or where are my options? This _feels_ like the web site equivalent of banning hair-gel from airplanes. I know enough about information theory that I feel more exposed under my new Friendly Security Questions overlords. Anybody see any practical solution aside from going all Luddite?"
IBitOBear writes: A couple days ago I did "the interview loop" at that leading online retailer. Over the course of six hours I was repeatedly introduced to a guy in his early twenties, who would then ask me to write out code on a white-board for a problem that you might find in the study guide for a 200-level computer science class. I have 20 years of experience in programming and systems design. And in several cases the interviewers were vague, semantically incorrect, or self-contradictory. Interviewer blunders included not understanding that non-normal forms in databases can be more correct or efficient when the domain of the data is extremely limited; or that choosing a leader amongst N candidates is a Byzantine agreement problem. In short, the loop would have been perfect to weed out some guy getting his first job fresh out of school, but it definitely exerted selection pressure towards excluding experienced candidates. So employers, what are you doing to make sure that you are not culling out candidates with the low-ball? And job seekers, what do you do when you find yourself trapped in a sophomore study group?