Working with external teams on this new project involving pretty sensitive stuff like bank transactions.

Talking about user flow and how to handle authentication, like 2-factor and stuff.

Newish guy on external team (though experienced) says they have a proposal.

Security Questions.

... like "What was you first car" security questions...

awkward silence in room...

  • 1
    What about renaming security questions to secondary (and so on and so forth) passwords?

    I'm not kidding, I'm using 4 passwords and 3 of them are kinda insecure as most websites only allow [A-Za-z0-9]{1,14}.
  • 0
    Any form of security questions is even weaker than passwords - and attacks against passwords work the same or better against security questions.
    Additionally some questions are not even legal ("mother's maiden name") and they are absolutely inconvenient if a secure answer (e.g. not trivially possible to lookup for the most people) is wanted. Also some answers may change ("favourite animal/colour").

    Why would anyone want them!?
  • 0
    @PublicByte You know about password managers, don't you?
    Anyway, "secondary" passwords are bad:
    1. People (on average) are bad at choosing passwords - they will do for secondary (or tertiary or ...) as well.
    2. The idea of two factor authentication is to not allow the same attacks against the factors.

    Example: For a bank transaction I have to submit a password and a transaction code that is only valid once for this specific transaction generated on an independent device.
    Even if the attacker knows my password with any attack (guessing, phishing, depending how the transaction code is generated even malware on the device) the attacker can't do anything with it.
  • 0
    @sbiewald well, what about downloading a list of 1000 most popular pet names? I think security questions are, ironically, more insecure than letting a human decide on a second password.
  • 3
    security questions are obsolete.

    Force everyone to 2FA.

    Don't you guys have phones ?

    (Ok, I know where the door is)
  • 0
    Questions are still valid for password reset, but only when hooked to services like westlaw's identity cube and only if there's regulation requiring it.
  • 0
    @PublicByte Both are bad. Security questions don't provide a good any good security but secondary password won't either.
    Alternatively we could just enforce longer passwords, it would have the same effect but they are more convenient.
  • 1
    @sbiewald one of my friends once used the password DasIstEinGutesPasswort09 (translated ThisIsAVeryGoodPassword09). I mean, it's not completely ideal, but it's actually secure compared to other passwords.
  • 1
    I switched completely to passwords I can't remember at all using a manager. 30 characters, upper and lower case, alphanumeric, symbols... And then there is my bank... Slowing no special characters and it can't be longer then 8...
  • 0
    Some German banks only allow 8 digit numeric passwords...
    Luckily two factor authentication is mandated by law.
  • 1
    @sbiewald well... #neuland
  • 1
    @sbiewald I mean, you should be happy for 8 digit "passwords." My bank only supports 5.
Add Comment