Comments on: Tighten the Security of "Security Questions"
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/
Linux. GNU. Freedom.
Feed last built: Mon, 09 Oct 2017 10:42:05 +0000

By: Aaron Toponce, Tue, 06 Mar 2012 18:49:01 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116483

This doesn't fall apart at all. It just makes it slightly more difficult to read over the phone.

By: Steve Spigarelli, Tue, 06 Mar 2012 15:48:40 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116482

Of course, the only time this falls down is when you need to provide a valid representative with your security question's answer. For password recovery and such this makes a lot of sense.

By: Alan Pope, Tue, 06 Mar 2012 15:36:37 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116481

I just lie when asked security questions. Much easier 🙂

By: Aaron Toponce, Tue, 06 Mar 2012 13:18:52 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116480

I wouldn't recommend using your password as the answer to these forms, for two reasons. First, the point of these forms is that, in the event you have forgotten your password, you can recover it. Second, the password SHOULD be hashed with a salt on disk by the provider. The answer to the security questions probably isn't. So, providing your password in all fields could potentially open your account up for attack by the site administrators. Further, because these form fields are not encrypted, providing answers in the clear could build up an identity about yourself. Best to hash the answers, IMO.

By: Ricardo N Feliciano, Tue, 06 Mar 2012 12:38:27 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116479

Curious, how would you say your idea stacks up against using the password? I usually use my password, or maybe my previous password (I change them every 6 months), as the answer to security questions.

I ask because using a salt, and keeping it private, is sort of like having a password anyway.

In my opinion, sites that force security questions (usually banks for me) actually weaken the security on my account, as in the example you provided.

By: Aaron Toponce, Tue, 06 Mar 2012 03:58:43 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116478

Richard - Good point. I guess you'll have two hashes to choose from then, if you can't remember whether or not your mother's maiden name starts with an uppercase 'S' or a lowercase one.

By: Richard, Tue, 06 Mar 2012 00:26:59 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116477

Websites usually handle the answers to these security questions case-insensitively. So by using a hash-based answer, be mindful that you're forced into case-sensitivity with your plaintext (including the salt), i.e. the words "Smith" and "smith" are no longer equally acceptable answers.

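Aaron's suggestion (hash the answer with a private salt before typing it into the form) and Richard's caveat (once you submit a hash, the site can no longer compare case-insensitively for you) fit together in one small helper. What follows is an added example, not code from the post or from any commenter. The salt value, HMAC-SHA256 as the hash, the 20-hex-character truncation and the inclusion of the question text in the hashed input are assumptions made for the illustration, and the sample question and answer are constructed.

```python
# Added example for this comment thread: derive a security-question answer
# as a salted hash, as Aaron suggests, while handling the case-sensitivity
# trap Richard raises. Not code from the post or any commenter. The salt
# value, the use of HMAC-SHA256, the 20-hex-character truncation and the
# inclusion of the question text are assumptions made for this illustration.
import hashlib
import hmac
import unicodedata

# Hypothetical private salt. Keep it in your password manager; it plays the
# role of a secret, so a site that stores the answer in the clear learns
# nothing about the real answer or about you.
PRIVATE_SALT = "correct horse battery staple"


def normalize(answer: str) -> str:
    """Canonicalize the plaintext so 'Smith', 'smith' and ' SMITH ' all
    derive the same hash. Sites compare answers case-insensitively; once
    you submit a hash instead, the site can no longer do that for you, so
    the normalization has to happen on your side before hashing."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def derive_answer(question: str, answer: str, salt: str = PRIVATE_SALT,
                  length: int = 20, normalize_case: bool = True) -> str:
    """Return the string to type into the 'security answer' field.

    HMAC-SHA256 keyed with the private salt over question + answer, hex
    encoded and truncated to `length` characters so it is still readable
    over the phone. Including the question means the same real answer
    (your mother's maiden name on every site) still yields a different
    stored value per question.
    """
    plain = normalize(answer) if normalize_case else answer
    msg = f"{question}\n{plain}".encode("utf-8")
    digest = hmac.new(salt.encode("utf-8"), msg, hashlib.sha256).hexdigest()
    return digest[:length]


def case_candidates(question: str, answer: str, salt: str = PRIVATE_SALT,
                    length: int = 20) -> list:
    """If you hashed without normalizing and cannot remember which casing
    you used, these are the candidates to try: as typed, lowercase and
    capitalized (Aaron's 'two hashes to choose from', deduplicated)."""
    variants = [answer, answer.lower(), answer.capitalize()]
    seen = []
    for v in variants:
        if v not in seen:
            seen.append(v)
    return [derive_answer(question, v, salt, length, normalize_case=False)
            for v in seen]


if __name__ == "__main__":
    # Constructed sample input, not real data.
    q = "What is your mother's maiden name?"
    print("normalized    :", derive_answer(q, "Smith"), derive_answer(q, "smith"))
    print("case-sensitive:", case_candidates(q, "Smith"))
```

With `normalize_case=True` (the default) "Smith" and "smith" produce the same 20-character answer, so the case-insensitive comparison the site used to do is reproduced on your side; with it off you get Richard's situation, and `case_candidates` lists the distinct hashes you would have to try. Keying the HMAC with the salt rather than just prepending it keeps the salt out of the hashed message itself, which is the part a site administrator might read back.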
By: tensai, Tue, 06 Mar 2012 00:19:44 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116476

I just do the same thing I do for all passwords: generate them randomly (or semi-randomly, as seems appropriate) and write them down in a password database. I just make sure to note which of the questions I gave an answer to.

By: Christer Edwards, Mon, 05 Mar 2012 23:44:58 +0000
https://pthree.org/2012/03/05/tighten-the-security-of-security-questions/#comment-116475

Get someone to write a browser plugin to automate this.
