Comments on: What is my favorite movie?!! http://www.tssci-security.com/archives/2007/04/04/what-is-my-favorite-movie/ top secret/secure computing information Sat, 11 Oct 2008 12:38:01 +0000 http://wordpress.org/?v=2.2.3 By: Scott Roberts http://www.tssci-security.com/archives/2007/04/04/what-is-my-favorite-movie/#comment-304 Scott Roberts Thu, 05 Apr 2007 01:15:11 +0000 http://www.tssci-security.com/archives/2007/04/04/what-is-my-favorite-movie/#comment-304 I say we all move to epic pass poems. Much harder to fake. What attacker memorized all of the Illiad just to steal $20 from my bank account? I say we all move to epic pass poems. Much harder to fake. What attacker memorized all of the Illiad just to steal $20 from my bank account?

]]> By: LonerVamp http://www.tssci-security.com/archives/2007/04/04/what-is-my-favorite-movie/#comment-302 LonerVamp Wed, 04 Apr 2007 16:25:09 +0000 http://www.tssci-security.com/archives/2007/04/04/what-is-my-favorite-movie/#comment-302 Yeah, I'm not sure why people think asking security questions is a good idea. Maybe for very small instances, it sounds ok, but it scales even worse than passwords and usernames and PINs. Bank of America asks a set of 5 questions. Bank of Canada asks another set of 5 questions. If you pick the same one for each, you've done nearly nothing to combat the fraud that still occurs more than people admit: perpetrated by friends/family that know those answers or can get them. I also hate those, "Who was your favorite teacher?" questions. That depends on my mood when you ask me...or what I've been thinking about recently. And when you've been to 12 years of schooling in some good classes and 5 years of college...you get a LOT of choices to muck through! Sadly, the question I typically pick has to do with my pet's name or my first dog's name. I don't have a pet other than fish and have never, myself, owned a dog. I use my parent's dog's name because at least in my mind, that won't even change. (Mother's maiden name doesn't often change either, but I used to get confused because my mom has remarried since I was born, so do I use the original or the second...?) :) But yes, I universally hate challenge questions unless they can give me the same question every time (or let me write my own). But that's just not useful. Yeah, I’m not sure why people think asking security questions is a good idea. Maybe for very small instances, it sounds ok, but it scales even worse than passwords and usernames and PINs.

Bank of America asks a set of 5 questions. Bank of Canada asks another set of 5 questions. If you pick the same one for each, you’ve done nearly nothing to combat the fraud that still occurs more than people admit: perpetrated by friends/family that know those answers or can get them.

I also hate those, “Who was your favorite teacher?” questions. That depends on my mood when you ask me…or what I’ve been thinking about recently. And when you’ve been to 12 years of schooling in some good classes and 5 years of college…you get a LOT of choices to muck through!

Sadly, the question I typically pick has to do with my pet’s name or my first dog’s name. I don’t have a pet other than fish and have never, myself, owned a dog. I use my parent’s dog’s name because at least in my mind, that won’t even change. (Mother’s maiden name doesn’t often change either, but I used to get confused because my mom has remarried since I was born, so do I use the original or the second…?)

:) But yes, I universally hate challenge questions unless they can give me the same question every time (or let me write my own). But that’s just not useful.

]]>