Google: Your Password Security Questions Are Terrible - InformationWeek


Comments (page 2 of 2)
yalanand (User Rank: Ninja), 5/23/2015 | 1:41:53 PM
Re: This can still work
@moarsauce: your idea is pretty good, except for the fact that Google's question bank can easily be revealed. Suppose someone asked a basic question on Quora, "What are the types of questions Google asks in order to make something more secure?" You'll get a myriad of answers, and there you have it. Similarly, answers may be revealed as well. After that it's all a game of mix and match until the right couple of question and answer is found.
yalanand (User Rank: Ninja), 5/23/2015 | 1:34:34 PM
Re: This can still work
That can only happen if someone is close to you and knows the answer to your security questions, or some terrific hacker has targeted you to acquire your information (like which school you went to, etc.), which is pretty rare.
stevew928 (User Rank: Ninja), 5/23/2015 | 11:38:04 AM
Re: This can still work
Many of them don't allow people to make up their own question. But even still, if you're making up real questions with real answers, it leaves you vulnerable to a targeted attack.
stevew928 (User Rank: Ninja), 5/23/2015 | 11:35:20 AM
Re: The smarts with the user have to be
Exactly, using the correct answer is part of what makes it insecure. While this article is focused on guessing (which is bad enough), with a bit of research the security could be lowered even further for users who use this method *as intended*.
stevew928 (User Rank: Ninja), 5/23/2015 | 11:32:34 AM
Worst ever... insecure BY DESIGN!
This is one of the most idiotic account authentication methods devised... yet widely used. That said, you can actually make them pretty secure if you just ignore what they are and make up your own rules. Just pick one of the questions and have your *password manager* (you're using one of those, right?) fill in some random text as the answer. The annoying thing is you need to remember to copy this into your password manager, as otherwise you won't know the answer either. (So, copy both the question and the random answer into your password manager for future reference.)
moarsauce123 (User Rank: Ninja), 5/23/2015 | 10:14:31 AM
This can still work
The key here is that the user needs to provide both the question and the answer. Yes, the user can still pick the question "What is my favorite food?" with the answer "Pizza". Hackers do not know if that question is asked and what the answer is. Of course, when requesting the additional information the user has to provide both the question and the answer.
pabbott782 (User Rank: Apprentice), 5/23/2015 | 9:11:24 AM
The smarts with the user have to be
Who said the answer has to be right? Does Google check whatever you enter to make sure you're being honest? Of course not. Favourite food? Elephant-ear-on-a-bun, obviously. Mother's maiden name? TheBolivianNavyOnTheHeadOfAPin. What brings success initially? WBSI? With care your question can contain the answer. But I never put in the "right" answer. Unless I do.
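What the two suggestions in this thread (a random answer from the password manager, or a made-up answer that has nothing to do with the question) look like when the site does its part too, as an added example that is not from the article, the commenters, or Google: the user stores a random string against the question, and the server treats the answer exactly like a password, normalized, salted, slow-hashed, compared in constant time, and locked after a few misses. Record layout, iteration count and lockout threshold are illustrative assumptions.

```python
"""Security answers handled like passwords: random answer, normalization, salted hash, lockout.

Added example, not code from the page or from Google. Record layout, iteration
count and lockout threshold are illustrative assumptions.
"""
import hashlib
import hmac
import os
import re
import secrets
from dataclasses import dataclass

_WS = re.compile(r"\s+")


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so a retyped answer still matches.

    Applied on enrollment and on every attempt, so both sides hash the same bytes.
    """
    return _WS.sub(" ", answer.casefold().strip())


def random_answer(nbytes: int = 16) -> str:
    """A random answer to paste into the password manager: 128 bits, not 'pizza'."""
    return secrets.token_urlsafe(nbytes)


@dataclass
class StoredAnswer:
    question: str          # the user-chosen question, stored verbatim
    salt: bytes
    digest: bytes
    iterations: int
    failures: int = 0
    max_failures: int = 5  # assumed lockout threshold

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures


def _derive(answer: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 over the normalized answer; slow on purpose
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, iterations)


def enroll(question: str, answer: str, iterations: int = 600_000) -> StoredAnswer:
    """Store only a salted, slow hash of the normalized answer, never the answer itself."""
    salt = os.urandom(16)
    return StoredAnswer(question, salt, _derive(answer, salt, iterations), iterations)


def verify(record: StoredAnswer, attempt: str) -> bool:
    """Constant-time comparison; each failure counts toward the lockout, and a locked
    record rejects even the correct answer until an out-of-band reset."""
    if record.locked:
        return False
    if hmac.compare_digest(_derive(attempt, record.salt, record.iterations), record.digest):
        record.failures = 0
        return True
    record.failures += 1
    return False


if __name__ == "__main__":
    answer = random_answer()  # this string goes into the password manager next to the question
    rec = enroll("What is my favorite food?", answer)
    print("correct:", verify(rec, answer))
    print("case/whitespace variant:", verify(rec, "  " + answer.upper() + " "))
    print("guess 'pizza':", verify(rec, "pizza"))
```

The lockout is what protects the users who do type "Pizza": with five tries before a reset is required, one popular answer per attempt is all an online guesser gets. Normalization costs a little entropy (case is folded), which is irrelevant for a random 22-character answer and a reasonable trade for anything a human types.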
JustinK779 (User Rank: Apprentice), 5/22/2015 | 4:27:29 PM
MFA should be required at this point
Been saying it for years now: ever since as a society we started buying more cell phones than computers, we have been in a prime position to require MFA authentication. There's absolutely NO reason not to do this now with a soft token or text request, so accessing a webpage is a combination of what you know and what you have. Suddenly individual identity theft is basically stopped cold, and the only exploits you have to worry about are those where they manage to fundamentally hack the hosting system.

Seriously: if you aren't using MFA on at least your primary e-mail address, you are asking for it. Your e-mail is like the keys to the world (everyone lets you reset passwords using that).
TimC216 (User Rank: Apprentice), 5/22/2015 | 3:32:23 PM
Re: Balancing security and memory
My solution to security questions was to always answer them with answers that I would remember but that have nothing to do with the question...
Stratustician (User Rank: Ninja), 5/22/2015 | 3:28:12 PM
Balancing security and memory
Sadly this is a great example of why even though online services try to make things secure by using a security question as a form of secondary authentication, it's never going to be safe enough.  And while I like the idea of using more random knowledge, such as a library card number or frequent flier mile number, anything that doesn't use alphanumeric answers will still find risks like current methods today.

Personally, I like when sites use a combination of "here's an image you designated" plus random text that you enter as a form of secondary authentication, but as bots get smarter, even those might see increased risks.

So is the solution to just overhaul the password methodology and look at new ways of authentication which will hopefully reduce the number of password resets that seem to increase at the same rate of the complexity requirements?