• Will (unregistered) in reply to Rev. Johnny Healey
    Rev. Johnny Healey:
    Once, when I went to recover a password from a site, I found myself confronted with the security question "What is blue?". I tried all sorts of answers but never managed to figure out what it was that I had entered as the answer originally.

    I assume you tried "my balls"?

  • (cs)

    Q: What's the difference between a duck? A: One of it's legs is both the same.

  • (cs) in reply to L
    L:
    Q: Does your wife have a big butt? A: FileNotFound

    File not found because your big-butted wife is sitting on it, I suppose.

    Edit: Sorry, Thom already did that.

  • Monday (unregistered) in reply to Polar Bear
    Polar Bear:
    Steve:
    Steve:
    Monday:
    My Comment:
    I think...
    I think this is a pretty good...
    I think this is a pretty good time to...
    I think this is a pretty good time to try that...
    I think this is a pretty good time to try that thing you were...

    I think this is a pretty good time to try that thing you were going to put in your...

  • (cs) in reply to KattMan
    KattMan:
    cheers:
    KattMan:
    Someone needs to learn binary math 2^5

    Don't you mean 2^3 + 2^2 I mean, I don't think the answer will be yEsnO

    Oh god! I was just a victim of the Math Axiom to Muphry's Law wasn't I?

    There's a trick to avoiding that:

    You have to stop being a pretentious butthole;)

  • Joe (unregistered) in reply to argh
    argh:
    Q: Does your wife have a big butt?

    A: Yarr!

    A: No, but she has an enormous "howeverr".

  • (cs) in reply to Rev. Johnny Healey
    Rev. Johnny Healey:
    Once, when I went to recover a password from a site, I found myself confronted with the security question "What is blue?". I tried all sorts of answers but never managed to figure out what it was that I had entered as the answer originally.

    I am.

    (For those who didn't get the reference)

  • Disgruntled Postal Worker (unregistered) in reply to Ken
    Ken:
    $query = "SELECT strSecretQuestion,strSecretAnswer FROM tblSecretQA WHERE strSecretQuestion LIKE '" . $secretquestion . "' LIMIT 1;";

    I so bet something like this is the source of the bug. (yes, I know my example is vulnerable to textbook sql injection attacks)

    It's extremely inefficient to fire off a new SELECT ... LIKE for every key pressed! It would have to sequentially scan every record in the table.

    This sort of feature is probably better implemented with map-reduce on a flat file.

  • (cs) in reply to L
    L:
    Q: Does your wife have a big butt? A: FileNotFound

    Soon.

  • (cs)

    I'm assuming they did this in order to save space in the database. I'd guess that there's a question table with a question and an ID. Then there's another table that has the user id, question id, and the answer. So rather than have an individual question row for each user, it tries to match the question you want to ask with one that already exists. That'll keep out multiple rows of the same question. They just screwed up how they search for pre-existing questions.

    If you're REALLY concerned about database space, this might be a decent idea to help squeeze out every last inch of space. But you'd have to match the questions exactly.

  • (cs)

    I've been through the whole Freemail personal certificate offering from Thawte, including identity assurance and I'm now at notary level. I've encountered numerous faults with their system:

    1. Unable to change personal details between sign-up and first certificate download
    2. Dead email accounts under notary listings
    3. New notaries defaulting to all UK coverage level
    4. Make assertion page points input text box editable and length unrestricted
    5. No central certificate look up facility
    6. Out of date website mentioning features that don't exist
    7. Notary listing order by joining date, rather than something sensible like cost per point, points available, or name
    8. Six days for someone to visually check my details
    9. Their server lost my allowance for detail publication
    10. Changes to notary descriptions remove notary from service for multiple days
    11. Several days (and waiting) to add a new geographic node
    12. Weird XSS validation rules on entering notary summaries preventing things like text enclosed with brackets
    13. Misinformation about hyperlink substitution using things like #AHREF#, when submitting the form gives an error about illegal hash character
    14. Their email support tend not to fully read or understand the emails I've written to them

    They have said that they are reviewing the website, hopefully including some use of mapping techniques. Everyone I've encountered related to the identity assurance side of things seems to have joined around the year 2000, with nothing much happening since. Perhaps that's because VeriSign bought them out in 2002 and now offer a year's digital certificate through a single webpage form for $25.

  • Jeff (unregistered)

    meh, just answer all the questions with NOWAYINHELLWILLIANSWERTHIS. It's long enough to be secure, bears no relation to the question, easy to remember, and once more people implement this, I'll get free money.

  • (cs) in reply to KattMan
    KattMan:
    cheers:
    KattMan:
    Someone needs to learn binary math 2^5

    Don't you mean 2^3 + 2^2 I mean, I don't think the answer will be yEsnO

    Oh god! I was just a victim of the Math Axiom to Muphry's Law wasn't I?

    No, you were just stupid.

  • (cs) in reply to Jeff
    Jeff:
    meh, just answer all the questions with NOWAYINHELLWILLIANSWERTHIS. It's long enough to be secure, bears no relation to the question, easy to remember, and once more people implement this, I'll get free money.

    ... and what was your username again?

  • (cs) in reply to icelava

    Q: Does your wife have a big butt? A: WifeNotFound

  • Oh ya! (unregistered) in reply to ID

    C-C-C-Combo Breaker!!!!

  • (cs)
    Q: Does your wife have a big butt?

    I wasn't aware Sir Mix-A-Lot used Thawte.

  • (cs) in reply to Monday
    Monday:
    Polar Bear:
    Steve:
    Steve:
    Monday:
    My Comment:
    I think...
    I think this is a pretty good...
    I think this is a pretty good time to...
    I think this is a pretty good time to try that...
    I think this is a pretty good time to try that thing you were...

    I think this is a pretty good time to try that thing you were going to put in your...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you...

  • markbark (unregistered)

    What is the airspeed velocity of an unladen (european) swallow? Approximately 10 m/s.

    http://www.style.org/unladenswallow/

    --MAB

  • shMerker (unregistered)

    Q: How many cats does it take to put in a lightbulb? A: One. One to put in the lightbulb, and one to not put in the lightbulb at the same time.

    Also, some of those questions remind me of this: http://www.penny-arcade.com/comic/2006/07/12/

  • diaphanein (unregistered) in reply to Voodoo Coder
    Voodoo Coder:
    You have to stop being a pretentious butthole;)

    Sounds like it's a case of severe rectal/cranial inversion.

  • (cs) in reply to Walleye
    Walleye:
    Q: What's the difference between a duck? A: One of it's legs is both the same.

    No quack.

  • (cs)

    Isn't it ironic that this issue would come out of a company that advertises "a tried and tested way to secure all e-mail communications"?

  • Zach Bora (unregistered) in reply to amischiefr
    amischiefr:
    Monday:
    Polar Bear:
    Steve:
    Steve:
    Monday:
    My Comment:
    I think...
    I think this is a pretty good...
    I think this is a pretty good time to...
    I think this is a pretty good time to try that...
    I think this is a pretty good time to try that thing you were...

    I think this is a pretty good time to try that thing you were going to put in your...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you broke the flow of...

  • Evo (unregistered) in reply to Zach Bora
    Zach Bora:
    amischiefr:
    Monday:
    Polar Bear:
    Steve:
    Steve:
    Monday:
    My Comment:
    I think...
    I think this is a pretty good...
    I think this is a pretty good time to...
    I think this is a pretty good time to try that...
    I think this is a pretty good time to try that thing you were...

    I think this is a pretty good time to try that thing you were going to put in your...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you broke the flow of...

    I think this is a pretty good time to try that thing you were going to put in your ass the night you broke the flow of this stupid sentence!

  • (cs)

    The best part of all that is the question about the airspeed velocity of an unladen swallow. That never gets old.

  • Jay (unregistered)

    So today when I am asked to select a password, I am warned that I should not use my name, my birth date, my social security number, the city I live in, or any other "personally identifiable" information, because a hacker might find out the answers to these questions. Then I am told that in case I forget my secret password, I should enter what amounts to an alternate password, where I am not only ENCOURAGED to give personally identifiable information, but indeed to identify exactly what personally identifiable information it is.

    If I just used the name of my home town as my password, at least a hacker would not have any easy way to know that I used the name of my home town and not my first girlfriend or my favorite color or whatever. But with these "security questions", they specifically tell the hacker what personal information they're looking for!

  • Jay (unregistered)

    Using "what is your favorite color" as a security question is sexist. It makes men's accounts much more vulnerable than women's. After all, if you ask a man to name his favorite color, his answer is likely to be limited to one of "red", "blue", "green", "yellow", "orange" and perhaps a dozen or so other possibilities. A hacker could easily run through all the possibilities in a few minutes. But a woman may say "burgundy" or "mauve" or "chartreuse" or "sea foam" or hundreds of other colors that I couldn't identify if you showed them to me.

  • Bob Saggett (unregistered) in reply to Walleye

    I remember that from a book. Wasn't it one of those adventure game books - turn to page 5 if you want to go left?

    Pip as the character name rings a bell but what was the book?

  • (cs) in reply to Bob Saggett
    Bob Saggett:
    I remember that from a book. Wasn't it one of those adventure game books - turn to page 5 if you want to go left?

    Pip as the character name rings a bell but what was the book?

    That would be Space Explorations by the pioneering choose-your-own-adventure author Charlie Dickens.

  • (cs) in reply to amischiefr
    amischiefr:
    Griphon:
    Eastern or European?

    That's European or African tard

    So, what IS the unladen airspeed velocity of a European tard?

  • (cs) in reply to Jeff
    Jeff:
    meh, just answer all the questions with NOWAYINHELLWILLIANSWERTHIS. It's long enough to be secure, bears no relation to the question, easy to remember, and once more people implement this, I'll get free money.

    Except that you just told us all how to reset your PayPal password and steal all your free money...

  • (cs) in reply to jesse
    jesse:
    On a related note, I had to laugh at my bank once, they didn't get the whole security question/answer thing. I called one day to sort something out, and they asked me what my security question was? (the actual question, not the answer)...

    Maybe your security question was: "What is your security question?"

  • bbj (unregistered) in reply to Binary Logic
    Binary Logic:
    Does anyone else see a problem with a security question that has only two possible answers?

    [Yes] [No]

    Mu!

  • the amazing null (unregistered) in reply to Rev. Johnny Healey
    Rev. Johnny Healey:
    Once, when I went to recover a password from a site, I found myself confronted with the security question "What is blue?". I tried all sorts of answers but never managed to figure out what it was that I had entered as the answer originally.

    If you are anything like me, then try: 450-495 nm

    I hate when being a smart ass gets in my way later... like when you are asked the name of your first love and I have to remember the serial number for my old PS1... Always ask yourself what you would have entered if you held contempt for the fact that you were tasked with creating the stupid question/answer pair to begin with.

  • (cs) in reply to Jay
    Jay:
    Using "what is your favorite color" as a security question is sexist. It makes men's accounts much more vulnerable than women's. After all, if you ask a man to name his favorite color, his answer is likely to be limited to one of "red", "blue", "green", "yellow", "orange" and perhaps a dozen or so other possibilities. A hacker could easily run through all the possibilities in a few minutes. But a woman may say "burgundy" or "mauve" or "chartreuse" or "sea foam" or hundreds of other colors that I couldn't identify if you showed them to me.

    I always use something like "#00A0FF". 24 bits of entropy is better than 4.08746284125034 bits (the five named plus 12 others = 17 choices).

  • Dave Grammar (unregistered) in reply to Walleye

    Apostrophe fail

  • wklink (unregistered)

    I love the "write your own questions," especially if there's a place where you can call and make someone ask you the question.

    Operator: Ok, Mr. Klink, before we proceed, I need to verify your identity. What are you wearing?

    Me: I think that's highly inappropriate.

    Operator: Great, now how may I help you today?

  • Happy (unregistered) in reply to Jeff
    Jeff:
    meh, just answer all the questions with NOWAYINHELLWILLIANSWERTHIS. It's long enough to be secure, bears no relation to the question, easy to remember, and once more people implement this, I'll get free money.

    Nice. I just use the word "no". Love to answer that.

  • (cs) in reply to Dave Grammar
    Dave Grammar:
    Apostrophe fail

    How do you know that? Does the sentence make more sense to you without the apostrophe?

  • Jon (unregistered)

    No one from this site thought to lead the question, "What the..."?

    luctus: Lucky Borg name

  • jbrecken (unregistered) in reply to wklink
    wklink:
    I love the "write your own questions," especially if there's a place where you can call and make someone ask you the question.

    Operator: Ok, Mr. Klink, before we proceed, I need to verify your identity. What are you wearing?

    Me: I think that's highly inappropriate.

    Operator: Great, now how may I help you today?

    I never would have guessed that Eugene Mirman was a WTF reader.

  • JeffyD (unregistered) in reply to Walleye

    I remember that one... here's another:

    Q: Why do mice spin? A: The higher, the fewer.

  • YetAnotherDave (unregistered) in reply to Walleye
    Walleye:
    Q: What's the difference between a duck? A: One of it's legs is both the same.

    A very similar one: Q: What's the difference between a stove? A: The more you polish it gets.

  • (cs) in reply to Disgruntled Postal Worker
    Disgruntled Postal Worker:
    Ken:
    $query = "SELECT strSecretQuestion,strSecretAnswer FROM tblSecretQA WHERE strSecretQuestion LIKE '" . $secretquestion . "' LIMIT 1;";

    I so bet something like this is the source of the bug. (yes, I know my example is vulnerable to textbook sql injection attacks)

    It's extremely inefficient to fire off a new SELECT ... LIKE for every key pressed! It would have to sequentially scan every record in the table.

    This sort of feature is probably better implemented with map-reduce on a flat file.

    uh, dude, read the article over. It extends your question for you when you click submit, not every keypress. You must be mistaking my comment for the story about the four dentists and their data centralization initiative.

    Also - as bonzombiekitty said, this might be an attempt at saving space/some freakish over-normalization/softcoding at work, except the coder didn't quite understand the proper way to write the SELECT statement.
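
    Putting Ken's snippet and the question-table dedup scheme described above side by side, here is an added example in Python with sqlite3; it is not code from the article or from Thawte, and the two-table schema and seed questions are constructed for illustration. The lookup is written once in the spirit of Ken's LIKE-with-string-splice and once as an exact, parameter-bound comparison, and a user's typed question is registered through each so the difference is visible.

```python
import sqlite3

# Constructed schema (an assumption, not Thawte's): one shared question table,
# plus a per-user row that references a question by id and holds the answer.
SCHEMA = """
CREATE TABLE question (id INTEGER PRIMARY KEY, text TEXT NOT NULL);
CREATE TABLE user_secret (user_id INTEGER, question_id INTEGER, answer TEXT);
"""
SEED_QUESTIONS = [  # constructed sample rows already in the shared table
    "Does your wife have a big butt?",
    "What is the airspeed velocity of an unladen swallow?",
    "What is blue?",
]


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO question(text) VALUES (?)",
                   [(q,) for q in SEED_QUESTIONS])
    return db


def find_question_like(db, typed):
    """Buggy lookup in the shape of Ken's snippet: LIKE, with the typed text
    spliced straight into the SQL. LIKE is case-insensitive for ASCII and
    treats '%' and '_' in the typed text as wildcards, so a different, longer
    stored question can be returned and silently replace the user's own.
    The splice is also the textbook injection hole the comment admits to."""
    sql = "SELECT id, text FROM question WHERE text LIKE '" + typed + "' LIMIT 1"
    return db.execute(sql).fetchone()


def find_question_exact(db, typed):
    """Hardened lookup: exact comparison, value bound as a parameter, so the
    text is data rather than pattern or SQL."""
    return db.execute("SELECT id, text FROM question WHERE text = ? LIMIT 1",
                      (typed,)).fetchone()


def register_question(db, user_id, typed, answer, lookup=find_question_exact):
    """Reuse an existing question row when the text matches, otherwise insert
    a new one. Returns the question text the user actually ended up with."""
    row = lookup(db, typed)
    if row is None:
        cur = db.execute("INSERT INTO question(text) VALUES (?)", (typed,))
        row = (cur.lastrowid, typed)
    db.execute("INSERT INTO user_secret VALUES (?, ?, ?)",
               (user_id, row[0], answer))
    return row[1]
```

Run with the LIKE lookup, a question containing a pattern character is swapped for a stored one that merely shares a prefix; run with the exact lookup, the same text gets its own row.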

  • not me (unregistered) in reply to Walleye

    cement police car

  • Joshua Karlston (unregistered)

    Try putting yourself down as being born before 1910. Apparently, Thawte is very ageist in its advertising.

    captcha: opto ... optogenerian?

  • Dennis (unregistered) in reply to Dave Grammar
    Dave Grammar:
    Apostrophe fail

    Quote fail.

  • Dennis (unregistered) in reply to Will
    Will:
    Rev. Johnny Healey:
    Once, when I went to recover a password from a site, I found myself confronted with the security question "What is blue?". I tried all sorts of answers but never managed to figure out what it was that I had entered as the answer originally.

    I assume you tried "my balls"?

    "No, thanks."

  • Ben (unregistered) in reply to Claxon
    Claxon:
    Given that God is infinite and that the universe is also infinite... Would you like a toasted tea-cake?

    I'm a waffle man myself.

Leave a comment on “Thawtf”
