Too Secure

May. 31st, 2016 08:30 pm
dr_tectonic: (Grr! Sunglasses!)
[personal profile] dr_tectonic
Exasperation of the day: We have a new benefits reporting system of some kind at work that I can't use because it is too secure. I honestly don't know what all it does, because I can't register to use it.

The problem is, I literally cannot answer enough security questions to finish the registration.

There are 18 questions to choose from. You need to pick 3.

9 of them flat-out do not apply. I have no children, so I can't use a question about my firstborn.

Of the remainder, there are 2 of them that I have a straightforward answer for. (Though I had to think a bit to recall what it was.)

There are 4 of them for which I could probably come up with an answer, but the odds of me coming up with the same answer several months from now are not good. What was the name of the street I lived on when I was a kid? Well, I remember the name of the street, but was it a Way or Circle? Or nothing at all? And I can't look it up to check, because it no longer exists!

And then there are the 3 questions that I do have an answer for, that I can recall fairly easily, but that I can't use because the correct answer is either too short or too long! Because, oh yes, all the answers must be between 6 and 20 characters long, letters and numbers only, no spaces.

Sure, I could abbreviate one of the too-long answers, or use some variant of "not applicable" for an N/A one, but it's got that same reliability problem: in six months, will I remember exactly how I answered the question with no good answer? Given my lousy track record at remembering how various other infrequently-used passwords are capitalized, I'd prefer not to have to rely on it.

So I think the next time I see the head of the computer security group in the lunchroom, I'm going to sit down next to him and ask him what their process is for password recovery when the user can't get their security questions right. 'Cos that's gonna be me if I ever forget mine.

Date: 2016-06-01 02:40 am (UTC)
From: [identity profile] dr-tectonic.livejournal.com
Also: I got a flat tire on the way in to work today. But that was mostly just dirty and time-consuming rather than exasperating.

I just left it in the parking lot of the shopping center at the bottom of the hill and took the shuttle up to work so I wouldn't be late for my meeting. After work, Jerry helped me get the donut spare on and followed me as I puttered home at 40 mph. I'll go get a new tire tomorrow morning, no big.

Date: 2016-06-01 02:42 am (UTC)
dpolicar: (Default)
From: [personal profile] dpolicar
Clearly, the thing to do is write down all your security questions and answers on a web page somewhere you can easily find in case you... oh.

Date: 2016-06-02 04:08 pm (UTC)
dpolicar: (Default)
From: [personal profile] dpolicar
Though TBH, this actually is the strategy I use. All my passwords and etc. are kept in a single password-protected file, and I worry a lot about the security of THAT password file, and I produce random passwords everywhere else that I don't expect to remember, and I look them up.

Except for some sites, for which "I forgot my password!" is just a routine part of how I access the site.

Date: 2016-06-02 04:52 pm (UTC)
From: [identity profile] dr-tectonic.livejournal.com
I think the "put it on a web page somewhere you can easily find" element is a significant difference between those strategies. :)

Date: 2016-06-02 03:05 pm (UTC)
From: [identity profile] dendren.livejournal.com
OMG... the memes that used to go around livejournal and facebook used to drive me crazy... I was always amazed at how many people filled them out and posted them :P

"let's get to know each other meme... tell me the name of your first dog, what street did you grow up on, who was your best friend in school?"
OMGWTFBBQ!!!! these memes are all my security questions. Well played internet thieves, well played.

Date: 2016-06-02 04:04 pm (UTC)
dpolicar: (Default)
From: [personal profile] dpolicar
There was a riff on this going around for a while that asked for the street I grew up on, my pet's name, and the last four digits of my social security number.

Date: 2016-06-01 03:24 am (UTC)
From: [identity profile] detailbear.livejournal.com
Some people use a standard word for their security answers so that no one can do social searching to find it.

First pet: armadillo
First street: armadillo
Mother's maiden name: armadillo

or maybe link it to the website. NSFarmadillo

N.B.: mine is not "armadillo".

Date: 2016-06-01 03:52 am (UTC)
From: [identity profile] dr-tectonic.livejournal.com
It's a good strategy, but switching over to it is the hard part. Because until you've switched everything, you have to remember where you used that strategy and where you haven't yet and that's where my brain drops the ball...

Date: 2016-06-02 03:12 pm (UTC)
From: [identity profile] dendren.livejournal.com
I do something similar. I use the real answer if there is a true answer for it but in cases where there are questions and most don't really have a viable answer for me, I just choose one and use a code word like your Armadillo go-to. If my security question pops up like "what is your first child's name", I know I had to have answered Armadillo since I don't have kids.

Date: 2016-06-01 03:50 am (UTC)
From: [identity profile] theoctothorpe.livejournal.com
The whole idea of 'security questions' is bullshit, as in general, these questions (that they prompt you for answers to) are mostly searchable if someone has been following or knows how to search your social media footprint (or other public resources).

For bullshit like this, I tend to use 1Password's ability to give random answers to questions and save them (it saves both the question and the answer) — much like it does with a password.

Seriously though, those that employ these schemes really don't know jack about security. I bet they make you change your password every 6 months to a year as well. ::sigh::

Date: 2016-06-01 03:59 am (UTC)
From: [identity profile] dr-tectonic.livejournal.com
The problem is that these questions have all been specifically chosen NOT to be searchable via social media footprints. Which is what makes so many of them unanswerable for me.

(Seriously, who has foods they hate ~secretly~ and would never admit to hating? Yeah, that makes it unsearchable, but who ARE you that you live like that?)

I think the root problem is not the questions themselves, it's the decision that this system warrants that level of security.

Date: 2016-06-02 04:05 pm (UTC)
dpolicar: (Default)
From: [personal profile] dpolicar
>who has foods they hate ~secretly~ and would never admit to hating?

And for whom is this a unique descriptor?!?

Date: 2016-06-13 01:56 pm (UTC)
From: [identity profile] goobermunch.livejournal.com
Do you have an iPhone? Try SplashID. It's a password protected password vault. You can put all of this information in your phone and let the portable cyberbrain remember it.

Date: 2016-06-01 04:24 am (UTC)
From: [identity profile] pink-halen.livejournal.com
You will appreciate this sentiment from a Small Town guy. In his essay he laments that security questions don't mean anything in a small town.

And on the other hand, I have this other bank-related thought: Pretty much everyone who works there knows the answers to my online security questions. I don’t mean they have access to them. I mean they know them. What is your paternal grandmother’s first name? In what city were you born? Who was your first girlfriend? So how do I deter identity theft? By keeping my account balance and credit score as low as possible.


http://www.mcsweeneys.net/articles/small-town-living

It sort of fits with my favorite joke.
You don't have to use your turn signals. We already know where you are going.