"Security" indeed.
Jun. 10th, 2007 12:43
My credit union ran me through setting up a captcha image and security questions yesterday.
Unlike some people I've heard from, I don't consider that to be a huge hassle, given that more security is good and it took me only about five minutes. I'm a very visual person, so the image thing works for me. I'll probably remember that picture when I'm sixty and the current credit union website has long ago crumbled to its component electrons.
What bugs me, as it does with all sorts of places that use this now, is the "challenge questions". Are these always written by idiots?
They seem to come in three flavors: "What is your favorite [...]", hard facts about your background, and personal history.
Asking about your favorite book/movie/song/actor etc. is inane. Unless I'm only going to need to remember this for six months tops, the odds of finding a new movie/book/song/actor that I like better (always assuming I could come up with one in the first place) are very high. I don't know what my favorite song was three years ago, but I can guarantee it wasn't the same one as my current favorite.
Hard facts about your background -- what city you were born in, mother's maiden name, street you grew up on -- have the obvious flaw that I've seen pointed out elsewhere: anyone who wants to spend a little time scouting can get that stuff easily. It's like the last four digits of your social security number. This information is everywhere, including public records. Questions like those deter very casual hackers, the ones who come up to a library kiosk where you forgot to sign out (shame!)... but then, so does simple password authentication.
The only questions that I consider to be halfway worthwhile are the personal history ones. I'm never going to forget the name of my first friend in school, and it won't change, either... but only a very few, trusted people know who it was. It's not something you hand out to strangers, because why on earth would they need to know? Ditto the name of your favorite pet as a kid, or your first boy/girlfriend, or the make or color of your first car. These are significant landmarks in people's lives which they aren't likely to forget, but which get shared only with close acquaintances if at all.
Unfortunately, most of the questions tend to be of the first two categories. I should probably make an arbitrary list of "favorite blah" and stash it somewhere, because I'd rather use those than background facts. It annoys me that I have to work so hard at filling in the gaps in their security protocols, though.
no subject
Date: 2007-06-10 22:10 (UTC)
no subject
Date: 2007-06-11 06:54 (UTC)
Um. That was his name. I'm sorry it wasn't longer, but I'm kinda stuck at this point.
Alex
no subject
Date: 2007-06-11 18:51 (UTC)
Personally, I've picked a few of the very common questions ("what was the name of your first pet", etc.) and I've made up completely non-sequitur, but consistent, answers I always use for them. This guarantees that even if somebody out there with malicious intent does know the answer to the question, it still doesn't do them any good, because that's not the answer I'm using.
But then if they go and use some question like "best friend in high school" and then tell me "sorry, you can't use numbers", that really annoys me, because there's no reason for the restriction and it just makes life harder for those of us who actually want to be more secure...
On some sites I just enter some gibberish answer and resign myself to having to call them up if I ever forget my password.
no subject
Date: 2007-06-12 02:59 (UTC)
I wish more sites would let me pick my own questions. I have oblique in-jokes that only myself and maybe one other family member would understand, and I find it easy to remember how the answer was phrased when I see the question phrased a particular way...