• Borken (unregistered)

    Once again: an Error'd with no Linux WTFs. We're on a pretty good run here.

  • Anonymous (unregistered) in reply to anon
    anon:
Why does everyone on this site constantly perpetuate the myth that security questions are inherently insecure? A poor security question system certainly can be insecure, but the vast majority of sites do not let you log in simply by answering the security question. Most sites, and particularly banking sites, will simply email you a password reset link, so unless your email account has also been compromised, it's a non-issue.
    What we hate about it is the perceived security. Exactly like "wish it was 2-factor" authentication - it bastardises a solid security mechanism whilst making out that it is every bit as secure - which it isn't. Sure, you can argue that a forgotten password question does not compromise a system if implemented correctly - but not all implementations will be correct (I've seen dozens of examples whereby an attacker could get a password simply by knowing the secret question - no e-mail hack required). Forgotten password questions continue the trend of reducing security in the name of improving user experience. It introduces a weakest link that naturally becomes the point of attack for any malicious user.
  • (cs) in reply to Borken
    Borken:
    Once again: an Error'd with no Linux WTFs. We're on a pretty good run here.

    That's because Linux has no WTFs. Amirite?

  • Borken (unregistered) in reply to frits
    frits:
    Borken:
    Once again: an Error'd with no Linux WTFs. We're on a pretty good run here.

    That's because Linux has no WTFs. Amirite?

    None. But yes, I know what you're getting at.

  • by (unregistered) in reply to Borken
    Borken:
    Once again: an Error'd with no Linux WTFs. We're on a pretty good run here.
    Look again, dummy.
  • Herby (unregistered)

    On secret questions:

    On one site I did forget the password. It then put up a select box with LOTS of secret questions. While when I picked the question, I entered the 'answer' and then forgot the question. Now I need to remember the question that I first entered.

    Oh, the agony!

    Maybe the secret question ought to be what is your vehicle's VIN or some such. Handy, but not very convenient! It would take a trip to the car, or I could look at the recall notice that I have hanging around for about a year!

    Now a contest: Good 'secret' questions. A few:

    Your high school GPA? To whom did you lose your virginity? (or did you?) What was the year? When did you decide NOT to kill your younger sibling? What subject did you do the worst in school? Color of your SO's eyes (if you remember!)?

    Any to add?

  • by (unregistered)

    Dear Alex,

    Could you put your hand on the side of the web server and see if it is frozen? It's running pretty slow for me.

    Sincerely, Not Bert Garmstrong

  • by (unregistered) in reply to Herby
    Herby:
    On secret questions:

    On one site I did forget the password. It then put up a select box with LOTS of secret questions. While when I picked the question, I entered the 'answer' and then forgot the question. Now I need to remember the question that I first entered.

    Oh, the agony!

    Maybe the secret question ought to be what is your vehicle's VIN or some such. Handy, but not very convenient! It would take a trip to the car, or I could look at the recall notice that I have hanging around for about a year!

    Now a contest: Good 'secret' questions. A few:

    Your high school GPA? To whom did you lose your virginity? (or did you?) What was the year? When did you decide NOT to kill your younger sibling? What subject did you do the worst in school? Color of your SO's eyes (if you remember!)?

    Any to add?

    Have you signed up for jeopardy.com? They have the answer, and you have to enter a secret question.

  • SeySayux (unregistered) in reply to Borken
    Borken:
    frits:
    Borken:
    Once again: an Error'd with no Linux WTFs. We're on a pretty good run here.

    That's because Linux has no WTFs. Amirite?

    None. But yes, I know what you're getting at.
    That is because certain parts of Linux are WTFs in themselves.

  • nasch (unregistered) in reply to Herby
    Herby:
    On secret questions:

    Any to add?

    There shouldn't be a select box. You should type in your secret question, and then type in your secret answer. It's difficult or impossible to come up with questions that are both secure and not too hard to remember for everyone, so the questions aren't very secure. If you can type your own, then it still won't be secure if you don't care about security (so no worse), but if you do you can make it as secure as you want.

    Q Where were you eating when Julie threw up on the floor? A Bennigan's on 19th Street

    Really really secure Q Enter your secondary password A noc33(*#$KT598_.qOE

  • min (unregistered) in reply to frits
    frits:
    Ikea does deliver minimalism to the masses.
    Yeah but in SQL if you do a MIN() function on a column with Null values, the returned value won't be Null, it will be the smallest non-null value.

    CAPTCHA 'minim', what a coincidence!

  • the real king (unregistered) in reply to frits
    frits:
    The Queen of England:
    Larry:
    Anonymous:
    Hacker:
    clicks Forgot my password
    Website:
    What is your favorite food?
    Hacker:
    pizza?
    Website:
    Here is your bank account information!
    I see what you're getting at but you seem to be forgetting one thing - this will only work on the average high-school student, who will have no money in his account anyway. Ask a rich guy what his favorite food is and it sure as hell won't be pizza. It would take a hacker quite some time to stumble on "Pig's Head Terrine with Celeriac Purée".
    FTFY
    WTF are you people doing to my language?

    What, German?

    +1 for historical accuracy
  • Ouch! (unregistered) in reply to Mister Zimbu
    Mister Zimbu:
    - What state were you born in?

    Neglecting to mention the limited domain of possible answers for this question, not to mention that it's not even applicable if you're not born in the US.

    Innocence, nakedness, wedlock, ...
  • JonsJava (unregistered) in reply to The Nerve
    The Nerve:
    I still talk to programmers who don't understand the reason we use a password hash. Anyone reading this that is confused, please look into it immediately.

    I actually use the secret question system on a company-only backup solution I built. I hash the answer to the question, but I let them write their own question. No dropdown with common choices. So, their question could be:

    Pancakes on dog house?
    and their response could be equally odd:
    I'd hate to be mauled by a herd of elephants
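A defender-side sketch of the scheme JonsJava describes above (a user-written question, only the answer hashed), added here as an example and not JonsJava's code; the normalisation rules, the PBKDF2 parameters, the record layout and the function names are all my assumptions:

```python
import hashlib
import hmac
import os
import unicodedata


def normalize_answer(answer: str) -> str:
    """Canonicalise a factual answer so trivial variations still match.

    Case, accents and whitespace runs are not part of the secret:
    "Bennigan's on 19th Street" and "bennigan's   on 19TH street"
    must verify identically, or legitimate users get locked out.
    """
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def enroll_answer(question: str, answer: str, iterations: int = 200_000) -> dict:
    """Store the user's own question and a salted PBKDF2 hash of the answer.

    Deliberately no minimum-length rule on the answer: a year ("1968") or a
    one-letter name ("U") is a valid answer to a question of fact.
    """
    if not question.strip():
        raise ValueError("the user must write their own question")
    if not normalize_answer(answer):
        raise ValueError("answer must not be empty")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    # Only the question is kept in clear text; it is shown back at reset time.
    return {"question": question, "salt": salt, "iterations": iterations, "hash": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(attempt).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed sample enrolment, modelled on the odd pair in the comment above.
    rec = enroll_answer("Pancakes on dog house?", "I'd hate to be mauled by a herd of elephants")
    print(verify_answer(rec, "i'd hate to be mauled by a herd of ELEPHANTS"))  # True
    print(verify_answer(rec, "pizza"))  # False
```

Reset-flow rate limiting and the e-mail link itself are out of scope here; this only shows how the stored answer avoids both the plaintext-answer and the forced-length problems raised in the thread.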
  • Steve (unregistered) in reply to JonsJava

    Who's this? I thought we band all the Java folks.

  • saluto (unregistered) in reply to Borken
    Borken:
    Once again: an Error'd with no Linux WTFs. We're on a pretty good run here.
    No surprise there. It is hard to find anyone that actually uses Linux for anything more than bragging rights.
  • praesent (unregistered) in reply to Steve
    Steve:
    Who's this? I thought we band all the Java folks.
    Is that a rubber band or a rock band?
  • Jellineck (unregistered) in reply to Steve
    Steve:
    Who's this? I thought we band all the Java folks.

    Was it done to track their migratory patterns?

  • (cs)

    I wish that people who code "security question reminder" web pages would get it through their thick heads that you can force a made-up password to be a certain length, but the answer to a question of fact CANNOT be forced to be a certain length.

    Sheesh, why is that so hard to understand? And your friend Tom might have really been named Tom, not Thomas (I had a friend whose given name was really Tom). And I had another acquaintance whose first name was U. The letter U.

    I don't think security is much enhanced by forcing long answers to questions of fact, unless you assume that anyone trying to crack the page through brute force will try all of the shorter answers first. And I don't think that's generally true.

  • Clone#3 (unregistered) in reply to vtcodger
    vtcodger:
    *** Clearly, those people are not your friends. You gonna ignore the computer and associate with them anyway?

    The Computer is your friend, trust the Computer.

  • Borken (unregistered) in reply to saluto
    saluto:
    Borken:
    Once again: an Error'd with no Linux WTFs. We're on a pretty good run here.
    No surprise there. It is hard to find anyone that actually uses Linux for anything more than bragging rights.
    Right...especially not in Europe.
  • by (unregistered) in reply to Jellineck
    Jellineck:
    Steve:
    Who's this? I thought we band all the Java folks.

    Was it done to track their design patterns?

    FTFY

  • I58an3fwX (unregistered) in reply to Cbuttius

    Clubuttius is a real douche. I never liked him as a child.

  • wlao (unregistered) in reply to Cbuttius
    Cbuttius:
    My childhood best friend in such a situation is usually something like I58an3fwX
    You knew him too? Cool...
  • JohnFx (unregistered)

    Is this some kind of ISO 9000 bakery or something? Because that "Blank Insert", technically isn't.

  • facebooker (unregistered) in reply to English Man
    English Man:
    some guy:
    @Larry Nice try :)
    That doesn't work here, you twit!
    Like
  • Larry (unregistered)

    TRWTF is that I have set up accounts with many places that do not allow more than 8 character passwords.

  • by (unregistered)

    Yes, but how many comments can I store if I go with unlimited storage?

  • The Flaming Foobar (unregistered) in reply to Sam
    Sam:
    Not really a WTF. Obviously a three or four letter answer to a secret question is much more dangerous than a bad password.

    Any system relying on a "secret question" (aka wish-it-were two factor) authentication is not only an instant WTF but also deserves infinite shame and ridicule.

  • all glory to the hypno toad (unregistered) in reply to wlao
    wlao:
    Cbuttius:
    My childhood best friend in such a situation is usually something like I58an3fwX
    You knew him too? Cool...

    Isn't everybody's best friend Hypno Toad?

  • RBoy (unregistered) in reply to Mister Zimbu
    Mister Zimbu:
    - What state were you born in?

    Neglecting to mention the limited domain of possible answers for this question

    No kidding... who wasn't born as a baby?

    Except maybe an erat.

  • (cs)

    They're just displaying southern hospitality... "Log on in, y'alls! Make yerselves at ~!"

  • Tom (unregistered) in reply to The Nerve
    The Nerve:
    Tom is NOT my friend.

    What! I thought we were friends!

    Tom.

  • by (unregistered) in reply to RBoy
    RBoy:
    Mister Zimbu:
    - What state were you born in?

    Neglecting to mention the limited domain of possible answers for this question

    No kidding... who wasn't born as a baby?

    Except maybe an erat.

    Ted Brogan?

  • Luke (unregistered)

    those look more like fritters than bear claws to me...

    ... I probably eat way too many donuts :-(

  • logical.. (unregistered) in reply to Steve
    Steve:
    Who's this? I thought we band all the Java folks.

    what kind of band would that be?

  • logical.. (unregistered) in reply to DWalker59
    DWalker59:
    I don't think security is much enhanced by forcing long answers to questions of fact, unless you assume that anyone trying to crack the page through brute force will try all of the shorter answers first. And I don't think that's generally true.

    well you would be wrong. If not the shortest, which arbitrary char length are you going to start brute forcing with? Of course having longer passwords makes it slower to force.

  • (cs) in reply to logical..
    logical..:
    DWalker59:
    I don't think security is much enhanced by forcing long answers to questions of fact, unless you assume that anyone trying to crack the page through brute force will try all of the shorter answers first. And I don't think that's generally true.

    well you would be wrong. If not the shortest, which arbitrary char length are you going to start brute forcing with? Of course having longer passwords makes it slower to force.

    I think he is referring to questions where an attacker would use a statistical brute force -- they would try the most common ones first, rather than simply starting with "A". For example, if the question seemed to require an answer that is a name, you would try "Christopher" before "abc".

  • dr. cogo (unregistered) in reply to praesent
    praesent:
    Steve:
    Who's this? I thought we band all the Java folks.
    Is that a rubber band or a rock band?
    Band aid.
  • (cs) in reply to Mister Zimbu
    Mister Zimbu:
    The website my apartment uses to do all the maintenance requests and online billing has only two choices for the "Secret Question".
    • What color is your car?

    You mean that thing that's right outside my apartment? No one could possibly guess that!

    And if you don't drive a car... well, you're just out of luck, I guess..

    - What state were you born in?

    Neglecting to mention the limited domain of possible answers for this question, not to mention that it's not even applicable if you're not born in the US. A security question for a website whose members will all be part of a local community? Seriously?

    Also fun if you were born in the same state you're currently living in-- which will probably be every hacker's first guess.

  • the beholder (unregistered) in reply to DWalker59
    DWalker59:
    I wish that people who code "security question reminder" web pages would get it through their thick heads that **you can force a made-up password to be a certain length**, but **the answer to a question of fact CANNOT be forced to be a certain length**.

    Sheesh, why is that so hard to understand? And your friend Tom might have really been named Tom, not Thomas (I had a friend whose given name was really Tom). And I had another acquaintance whose first name was U. The letter U.

    I saw an app once that didn't allow secret answers of less than five characters. And one of their possible questions was which year did your parents married.

  • (cs) in reply to the beholder
    the beholder:
    DWalker59:
    I wish that people who code "security question reminder" web pages would get it through their thick heads that **you can force a made-up password to be a certain length**, but **the answer to a question of fact CANNOT be forced to be a certain length**.

    Sheesh, why is that so hard to understand? And your friend Tom might have really been named Tom, not Thomas (I had a friend whose given name was really Tom). And I had another acquaintance whose first name was U. The letter U.

    I saw an app once that didn't allow secret answers of less than five characters. And one of their possible questions was which year did your parents married.

    Nineteen Sixty-Eight. Is that so hard?

  • gravis (unregistered) in reply to the beholder
    the beholder:
    DWalker59:
    I wish that people who code "security question reminder" web pages would get it through their thick heads that **you can force a made-up password to be a certain length**, but **the answer to a question of fact CANNOT be forced to be a certain length**.

    Sheesh, why is that so hard to understand? And your friend Tom might have really been named Tom, not Thomas (I had a friend whose given name was really Tom). And I had another acquaintance whose first name was U. The letter U.

    I saw an app once that didn't allow secret answers of less than five characters. And one of their possible questions was which year did your parents married.

    Maybe they were expecting year values including A.D. or B.C. at the end?
  • wtf (unregistered) in reply to frits
    frits:
    the beholder:
    DWalker59:
    I wish that people who code "security question reminder" web pages would get it through their thick heads that **you can force a made-up password to be a certain length**, but **the answer to a question of fact CANNOT be forced to be a certain length**.

    Sheesh, why is that so hard to understand? And your friend Tom might have really been named Tom, not Thomas (I had a friend whose given name was really Tom). And I had another acquaintance whose first name was U. The letter U.

    I saw an app once that didn't allow secret answers of less than five characters. And one of their possible questions was which year did your parents married.

    Nineteen Sixty-Eight. Is that so hard?

    No, not hard. Just dumb. So very, very dumb, in so very many ways. Heartbreakingly stupid, really.

  • Steve (unregistered)

    It's because Bubba Road is in Arkansas, not California

  • (cs) in reply to JuanCarlosII
    JuanCarlosII:
    Mister Zimbu:
    - What state were you born in?
    Solid?
    The same state I plan on dying in: stark naked, soaking wet, and screaming at the top of my lungs.
  • Darth Nuller (unregistered)

    I have nulled the chair. I have nulled the light. Pray I don't null anything further.

  • Darth Storage (unregistered)

    I have limited the unlimited...pray I don't limit anything further.

  • Obi-Wan (unregistered)

    He's more machine now than man. Twisted and evil.

  • (cs) in reply to DWalker59
    DWalker59:
    Sheesh, why is that so hard to understand? And your friend Tom might have really been named Tom, not Thomas (I had a friend whose given name was really Tom). And I had another acquaintance whose first name was U. The letter U.

    Cue Abbott and Costello:

    "Hello, do I have the right number for U?" "Yes, that's right." "I'd like to speak to U." "You are speaking to me." "I know, but I need to speak to U." "Go right ahead." "I will, as soon as someone puts U on the phone." "What are you talking about, anyway?" "That's between me and U."

    (My middle name is Hugh. Close enough on a noisy phone line that I've never felt any inclination to use it instead of my first name.)

Leave a comment on “Logon-ing Off”