Apple's US-based chip development expanding in Florida, could be related to fingerprint tech

Comments

  • Reply 21 of 52
    macbook pro Posts: 1,605 member
    Know what I'd like? I'd like a security system that lies to you.

    I'd like a security system where you put in your password correctly, it comes back "no", and then you put it in again and it comes back "yes".

    The fake failure is PART of the security. You have to get it right twice.

    Bad idea.
  • Reply 22 of 52
    tallest skil Posts: 43,388 member

    Originally Posted by MacBook Pro View Post

    Bad idea.

    Why? I, the user, have initiated it. I, the user, know what is happening.

  • Reply 23 of 52
    macbook pro Posts: 1,605 member
    Why? I, the user, have initiated it. I, the user, know what is happening.

    My apologies if you missed the sarcasm. Please read my posts again then read your post again.

    Ah, never mind. My second post which was exactly the same as the first post was deleted.

    I believe most consumers would fail your security measure, which doesn't make it a poor idea, simply an idea that is impractical for most of the population. A feature that perhaps 20% of the population would use, including myself.
  • Reply 24 of 52
    tallest skil Posts: 43,388 member

    Originally Posted by MacBook Pro View Post

    My apologies if you missed the sarcasm. Please read my posts again then read your post again.

    Ah, never mind. My second post which was exactly the same as the first post was deleted.

    HA HA HA HA HA HA HA! Oh, man. I'm so used to accidental double posts here. Oh, that's great.

    I believe most consumers would fail your security measure, which doesn't make it a poor idea, simply an idea that is impractical for most of the population. A feature that perhaps 20% of the population would use, including myself.

    Yeah, they'd fail it. They're morons. I'm not saying it would be the option, just an option. I'm sure most people don't use anything but the 4-number password, but the keyboard is there all the same.

    I'd actually like to be able to use my international keyboards on the password screen. What's a more secure password than one in a language you can't read and in a character set you can't write? No one is going to crack that based on your personal information.

    This whole idea, by the way, came from my experience in Windows, where I can type my password perfectly and the OS says no. Then I type it again and the OS says yes.

    Microsoft's first innovation: a new security feature, of all things.

  • Reply 25 of 52
    jragosta Posts: 10,473 member
    mstone wrote: »
    That makes no sense at all. You can add additional data points easily which won't confuse or annoy the user. For example banks may ask a series of questions such as your first school, or recent past address, in order to further verify you if you are logging in from a machine without a cookie or a known IP address.

    I hate those questions. A lot of times, it's difficult to find questions that I know I can consistently answer. Too often, it's stuff like:

    - What color was your first car? How the heck should I remember that? It's 40 years ago. In all likelihood, it was a rust-bucket, anyway.

    - Who is your favorite musician? I don't have one favorite. It depends on my mood.

    - Who is your favorite sports team? I don't like sports.

    - What was your first job? Do you mean first professional job? First part time job in high school? First internship while in college? Mowing lawns for my neighbor? Mowing lawns at home which I got paid for?

    - Favorite Teacher's name? Did I enter 'Mr. Jones' or 'Mr. Davy Jones' or 'Mr Jones' or 'Davy Jones' or 'David Jones' or 'D Jones'????

    And so on.
  • Reply 26 of 52
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by Tallest Skil View Post

    The fake failure is PART of the security. You have to get it right twice.

    Originally Posted by mstone View Post

    That makes no sense at all.

    Of course not¡

    Advocating a system whereby fake failure is part of the process of verification is ridiculous.

  • Reply 27 of 52
    solipsismx Posts: 19,566 member
    mstone wrote: »
    Advocating a system whereby fake failure is part of the process of verification is ridiculous.

    Fake failure can be successful. I used to have a voice mail message years ago when I had a home phone that had the "This line has been disconnected or no longer in service" message. This was back when telemarketing was much more commonplace (or maybe it still is if you still have a land line).
  • Reply 28 of 52
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by SolipsismX View Post

    Quote:

    Originally Posted by mstone View Post

    Advocating a system whereby fake failure is part of the process of verification is ridiculous.

    Fake failure can be successful. I used to have a voice mail message years ago when I had a home phone that had the "This line has been disconnected or no longer in service" message. This was back when telemarketing was much more commonplace (or maybe it still is if you still have a land line).

    Exactly my point. In a single case where you are the only one required to know about the fake failure, it works, but when you look at it from the perspective of the general populace it is a total failure. So when you met that hot potential date and shared your phone number, you had to also tell them "just ignore the fake message". Do you see how that might cause you to miss that rendezvous unless you clarified the obscure message? A commercial entity would be deluged with irate customers calling support because they could not log in. Not fake fail. Complete fail.

    They first try the password they KNOW is correct but it doesn't work, so they think am I going crazy and they try some other password instead and of course that fails too, so they think maybe I mistyped the first time. Let me try the first one again but that is rejected as well. Calling support...

  • Reply 29 of 52
    tallest skil Posts: 43,388 member

    Originally Posted by mstone View Post

    Advocating a system whereby fake failure is part of the process of verification is ridiculous.

    No, it's secure.

    What better deterrent than a deterrent?

  • Reply 30 of 52
    solipsismx Posts: 19,566 member
    mstone wrote: »
    Exactly my point. In a single case where you are the only one required to know about the fake failure, it works, but when you look at it from the perspective of the general populace it is a total failure. So when you met that hot potential date and shared your phone number, you had to also tell them "just ignore the fake message". Do you see how that might cause you to miss that rendezvous unless you clarified the obscure message? A commercial entity would be deluged with irate customers calling support because they could not log in. Not fake fail. Complete fail.

    Right, but that's why it's secure. Disinformation, obscurity, and subterfuge are oft a part of security. If you want people to know it's real you tell them.

    Remember the movie Spies Like Us? Remember the old abandoned drive-in theater that was a secret government facility?

    OK, maybe not the best example, but how about camouflage and stealth fighter technology? Those are both used to give a false presence of one's existence and it's quite successful. It does mean that your fellow soldier can't see you as easily as if you had put on a reflective orange vest, but they use other methods to inform each other of their whereabouts as needed.

    Security always comes with a cost of certain conveniences.
  • Reply 31 of 52
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by Tallest Skil View Post

    Originally Posted by mstone View Post

    Advocating a system whereby fake failure is part of the process of verification is ridiculous.

    No, it's secure.

    What better deterrent than a deterrent?

    I'm sorry TS but it is just a stupid concept unless you are the only person to ever log in to the site and you know about the fake failure. Can you imagine the chaos that would cause on a site where millions of users are logging in and are completely unaware of the fake failure? And if you make it well known that the fake failure is part of the process, the deterrent is lost because everyone knows about it. Just ridiculous.

  • Reply 32 of 52
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by SolipsismX View Post

    Right, but that's why it's secure. Disinformation, obscurity, and subterfuge are oft a part of security. If you want people to know it's real you tell them.

    Remember the movie Spies Like Us? Remember the old abandoned drive-in theater that was a secret government facility?

    OK, maybe not the best example, but how about camouflage and stealth fighter technology? Those are both used to give a false presence of one's existence and it's quite successful. It does mean that your fellow soldier can't see you as easily as if you had put on a reflective orange vest, but they use other methods to inform each other of their whereabouts as needed.

    Security always comes with a cost of certain conveniences.

    I really don't understand how this is so hard for you to grasp. There is no need for analogies. It just doesn't work for Internet logins. If people get confused and can't log in, they call support.

  • Reply 33 of 52
    gwmac Posts: 1,807 member

    It would be fine for me as long as it is not easily fooled like other systems have been with gelatin for example. Easy to change a compromised password but not so easy if they have all 10 of your fingers molded.

    http://www.zdnet.com/sweet-bypass-for-student-finger-scanner-1339306878/

  • Reply 34 of 52
    solipsismx Posts: 19,566 member
    mstone wrote: »
    I really don't understand how this is so hard for you to grasp. There is no need for analogies. It just doesn't work for Internet logins. If people get confused and can't log in, they call support. :no:

    I see. I jumped in with a generalized response about fake failures. I can't think of any example for a fake login failure working on a large scale because the more that know about it the less successful it becomes as a security measure.

    If you want to consider internet-only security then look at honey pots, which are used for fake success. That's the opposite of a fake failure but in the same category. These are quite successful when done well and one can learn a great deal about the methods people use to get in and set up shop in a system.
  • Reply 35 of 52
    gazoobee Posts: 3,754 member

    Quote:

    Originally Posted by jragosta View Post

    I hate those questions. A lot of times, it's difficult to find questions that I know I can consistently answer. Too often, it's stuff like:

    - What color was your first car? How the heck should I remember that? It's 40 years ago. In all likelihood, it was a rust-bucket, anyway.

    - Who is your favorite musician? I don't have one favorite. It depends on my mood.

    - Who is your favorite sports team? I don't like sports.

    - What was your first job? Do you mean first professional job? First part time job in high school? First internship while in college? Mowing lawns for my neighbor? Mowing lawns at home which I got paid for?

    - Favorite Teacher's name? Did I enter 'Mr. Jones' or 'Mr. Davy Jones' or 'Mr Jones' or 'Davy Jones' or 'David Jones' or 'D Jones'????

    And so on.

    Wow, this is spot on as to why I also hate those stupid security questions. They assume a kind of "normalcy" that I have never been in possession of.

    The exact nature of the answer is indeed a real problem for this type of security also. I have several times been locked out of my accounts because of forgetting whether there was a comma or a capital letter in one of my answers.

    They might as well get you to remember a random text string ...

  • Reply 36 of 52
    macbook pro Posts: 1,605 member
    jragosta wrote: »
    I hate those questions. A lot of times, it's difficult to find questions that I know I can consistently answer. Too often, it's stuff like:

    - What color was your first car? How the heck should I remember that? It's 40 years ago. In all likelihood, it was a rust-bucket, anyway.

    - Who is your favorite musician? I don't have one favorite. It depends on my mood.

    - Who is your favorite sports team? I don't like sports.

    - What was your first job? Do you mean first professional job? First part time job in high school? First internship while in college? Mowing lawns for my neighbor? Mowing lawns at home which I got paid for?

    - Favorite Teacher's name? Did I enter 'Mr. Jones' or 'Mr. Davy Jones' or 'Mr Jones' or 'Davy Jones' or 'David Jones' or 'D Jones'????

    And so on.

    gazoobee wrote: »
    Wow, this is spot on as to why I also hate those stupid security questions. They assume a kind of "normalcy" that I have never been in possession of.

    The exact nature of the answer is indeed a real problem for this type of security also. I have several times been locked out of my accounts because of forgetting whether there was a comma or a capital letter in one of my answers.

    They might as well get you to remember a random text string ...

    I sent the following letter to Tim Cook every workday for three months to no avail.

    I am attempting to purchase media from my MacBook Pro which I have had for several years as well as my iPhone 4S which I have had for several months. My iTunes account is not locked. When I attempt a purchase I am stopped by iTunes and forced to select security questions and answers. The issue I have is that the new security questions in iTunes are too vague and obscure. I haven't forgotten the answers to the security questions. I simply refuse to answer the security questions because I will not be able to remember the answers without recording the information, which defeats the purpose of having security questions.

    Until the security questions in iTunes are changed by Apple I will not be able to purchase apps, books, movies, music, or TV shows. This is a serious issue for me as my family relies heavily on Apple since we have 2 new iPads (3rd generation), 2 iPhone 4S's, 2 iPod Touches, 2 AppleTVs and 1 MacBook Pro currently. We are planning to purchase several more Apple computers this year as well and were planning to cancel our cable subscription to use AppleTV. I strongly urge Apple to reconsider the security questions. While I applaud the effort to improve security, the questions are not appropriate due to the reasons already specified.

    Here are examples of questions which Apple is asking:

    What was the first car you owned?
    Who was your first teacher?
    What was the first album you owned?
    Where was your first job?
    In which city were you first kissed?

    Which of the cars you've owned has been your favorite?
    Who was your favorite teacher?
    What was the first concert you attended?
    Where was your favorite job?
    Who was your best childhood friend?

    Which of the cars you've owned has been your least favorite?
    Who was your least favorite teacher?
    Where was your least favorite job?
    In which city did your mother and father meet?
    Where were you on January 1, 2000?

    Many of these questions contradict or are contraindicated by good security question principles:

    The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.

    Bad examples:

    * What is your driver's license number? (I haven't memorized mine, have you?)
    * Car registration number (this may be easy for others to find on the web anyway)

    But don't use questions that go back to childhood, or for that matter last year for someone like me.
    Bad examples:

    * What was the name of your first pet?
    * What was your first car, favorite elementary school teacher, first kiss, etc.

    http://www.goodsecurityquestions.com/designing.htm

    Please add questions that the average person over 40 can actually remember; more importantly, see the website listed above for security question best practices:

    In which city, county and state were you born?
    What is your maternal grandmother's maiden name?

    According to http://www.goodsecurityquestions.com/designing.html the answer to a good security question:
    1. Cannot be easily guessed or researched (safe)
    2. Doesn’t change over time (stable)
    3. Is memorable
    4. Is definitive or simple

    1. Safe - Can't Guess or Research
    The most important characteristic of a good security question is security - it does not compromise the very thing it is trying to protect. A good security question would have answers that are not easy to guess or decipher and thus block unauthorized access to the account.

    Good security questions meet a number of specific requirements and have high entropy. In general, this means that the number of possible answers is very high and that the probability of selecting any one specific answer is very low. When you create high entropy-based questions, only the authorized user is likely to provide the correct answers.

    The answer cannot be found through research (mother’s maiden name, birth date, first or last name, social security number, phone number, address, pet’s name)
    The question has many possible answers where the probability of guessing the correct answer is low.

    Answers are unlikely to be known by others such as a family member, close friend, relative, ex-spouse, or significant other.

    Bad examples:
    What is your address?
    What is your phone number?
    What is your mother's maiden name?

    Good examples:
    What was your dream job as a child?
    What is the first name of the boy or girl that you first kissed?
    An additional option is to combine several data elements in one question thus increasing possible responses and decreasing the probability of others guessing the correct answer.

    Examples:
    What is the name, breed, and color of your pet?
    What is the city, county, and state of your birth?
    The downside to this is that it makes it more difficult for the user to answer consistently each time.

    2. Doesn’t Change
    The answer to a good security question doesn't change over time.
    Bad examples:
    Where did you vacation last year?
    Where do you want to retire?
    ... work or personal address, employer, nearest relative, phone number, etc.

    One of my biggest complaints is "favorites." Favorite vacation, teacher, color, movie, book, animal, song, artist, etc. The list is endless and worthless for those of us that aren't definitive or change our minds or are human. Last year my favorite vacation was Italy; this year it is Hawaii. Favorites change and the next time I login and have to answer a security question, I get locked out. Result: frustrated user, perceived untrustworthy website, wasted support time, or worse, the user doesn't return.

    Good examples:
    What is the middle name of your oldest child?
    What school did you attend for sixth grade?

    The other problem with favorite or preference types of questions is that people are displaying more information on social network sites like Facebook and Myspace. You should use more caution when using these types of questions.


    3. Memorable
    The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.

    Bad examples:
    What is your driver's license number? (I haven't memorized mine, have you?)
    Car registration number (this may be easy for others to find on the web anyway)
    But don't use questions that go back to childhood, or for that matter last year for someone like me.

    Bad examples:
    What was the name of your first pet?
    * What was your first car, favorite elementary school teacher, first kiss, etc.

    4. Definitive
    The question should be asked so the answer is 1) definitive or simple, 2) has an obvious format, and 3) is NOT case sensitive.

    Definitive
    The question should require a specific answer.

    Bad example:
    What was your first car?

    Hmm, which is it: Ford, Maverick, Ford Maverick, 1971 Ford Maverick, 71 Ford, etc. (ok, that dates me and probably leaves a mark on my judgment too - but, honestly, I couldn't remember what my first car was - had to ask my wife).

    Better example:
    What was the make of your first car? (Some will not understand "make")
    A very commonly used question is: What is the name of your pet? Which pet? dog, cat, fish, rat, snake.... hmm, do people name their snakes?

    Simple Format
    The format of the answer should be clear. Don't ask "When was your anniversary?" The answer could be 1990, Aug 1990, August 1, 1990, etc. Instead ask, “What month were you married (e.g., January)?” Providing a format example in the question, indicates how the user should answer.

    Bad example:
    What month were you born?
    Answers could vary (January, Jan, 01) and users may not remember when they have to answer.

    Better example:
    What month and year were you born? (e.g., January 1900)
    (include the example in the question)

    Not Case Sensitive
    Don't validate case on the text field. The worst thing is to come up with a great question and then validate case sensitivity. I've actually sat and wondered if I capitalized the name of my elementary school.
    With these three definitive guidelines, here's how to make a bad question better.

    Bad example:
    What is your brother’s birthday?

    Better example:
    What is your oldest sibling’s birthday month and year? (e.g., January 1900)

    User Written Questions

    Some site registration forms let the user write the question and then supply the answer, like this example.
    After looking through this website, it should be clear that creating good security questions are not simple. Permitting the user to create a good question at the moment of need is setting the user up for frustration and failure and potential security breach. Self-service password resets are more complicated than they appear, and you should think carefully before implementing this option. If IT professionals have difficulty writing good questions, how can we expect users to create a safe, consistent, memorable, and definitive question within moments.

    My recommendation: don't let users write their own questions. You're the expert, that's what you're paid for.

    Not for Everyone
    A good security question will not work for all people and most good questions still have some flaws. Therefore, it is best to offer 2-3 sets of questions (more if data is more sensitive) with a variety of questions. I recommend offering 15 questions in each of three sets as seen below. You would need to eliminate the selected question from the first question for the subsequent question groups.

    Security Questions
    You must select three questions and enter an answer for each question. You cannot use the same question more than once. Answers are NOT case sensitive (caps or no caps are OK).

    1. Security Question:
    Select one question
    In what city did you meet your spouse/significant other?
    What was your childhood nickname?
    What is the name of your favorite childhood friend?
    What street did you live on in third grade?
    What is your oldest sibling’s birthday month and year? (e.g., January 1900)
    What is the middle name of your oldest child?
    What is your oldest sibling's middle name?
    What school did you attend for sixth grade?
    What was your childhood phone number including area code? (e.g., 000-000-0000)
    What was the name of your first stuffed animal?
    In what city or town did your mother and father meet?
    What was the last name of your third grade teacher?
    What is the first name of the boy or girl that you first kissed?
    What is your maternal grandmother's maiden name?
    In what town was your first job?

    Answer to Question 1:

    2. Security Question:
    Select one question
    In what city did you meet your spouse/significant other?
    What was your childhood nickname?
    What is the name of your favorite childhood friend?
    What street did you live on in third grade?
    What is your oldest sibling’s birthday month and year? (e.g., January 1900)
    What is the middle name of your oldest child?
    What is your oldest sibling's middle name?
    What school did you attend for sixth grade?
    What was your childhood phone number including area code? (e.g., 000-000-0000)
    What was the name of your first stuffed animal?
    In what city or town did your mother and father meet?
    What was the last name of your third grade teacher?
    What is the first name of the boy or girl that you first kissed?
    What is your maternal grandmother's maiden name?
    In what town was your first job?

    Answer to Question 2:

    3. Security Question:
    Select one question
    In what city did you meet your spouse/significant other?
    What was your childhood nickname?
    What is the name of your favorite childhood friend?
    What street did you live on in third grade?
    What is your oldest sibling’s birthday month and year? (e.g., January 1900)
    What is the middle name of your oldest child?
    What is your oldest sibling's middle name?
    What school did you attend for sixth grade?
    What was your childhood phone number including area code? (e.g., 000-000-0000)
    What was the name of your first stuffed animal?
    In what city or town did your mother and father meet?
    What was the last name of your third grade teacher?
    What is the first name of the boy or girl that you first kissed?
    What is your maternal grandmother's maiden name?
    In what town was your first job?

    Answer to Question 3:

    Other Tips
    Well, that's just about it, but here's a few other tips when creating good security questions.

    There are few good questions that work for all people. Some questions are poor for some people and good for others. Offer a variety of good questions and users will select what works for them.

    Don't ask too many questions. I've been through some registrations for sign-in verification that asked 15 security questions. My eyes started to glaze over after five (probably just old age). Perhaps more than five questions are warranted, but be kind to users.

    Make your questions grammatically correct. It may not affect the quality of the question, but it can affect your reputation.

    Avoid questions about color — there are limited number of colors that people will use.
    Once you have good and great questions selected, provide good instructions for users.

    Thank you very much for your time and consideration.
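As an added example (not Apple's code and not from the site quoted above), this is how a login system could apply the "not case sensitive" and "obvious format" rules from the letter when it enrolls and later verifies security-question answers. The question catalogue, the normalizers and the PBKDF2 parameters are constructed for this example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # slow hash: guessing low-entropy answers offline costs real CPU


def _free_text(s: str) -> str:
    """Case-fold, drop punctuation, collapse whitespace, so 'Mr. Jones',
    'mr jones' and 'MR  JONES' all canonicalize to 'mr jones'."""
    s = unicodedata.normalize("NFKC", s).casefold()
    s = re.sub(r"[^\w\s]", " ", s)
    return " ".join(s.split())


def _digits_only(s: str) -> str:
    """'(555) 123-4567' and '555-123-4567' both canonicalize to '5551234567'."""
    return re.sub(r"\D", "", s)


# Hypothetical question catalogue, constructed for this example. Each entry
# carries the format hint the guidelines say to put in the question text, a
# normalizer applied before hashing, and an optional regex the canonical
# answer must satisfy at enrollment so the user learns the format up front.
QUESTIONS: Dict[str, Tuple[str, Callable[[str], str], Optional[re.Pattern]]] = {
    "sibling_birth": (
        "What is your oldest sibling's birthday month and year? (e.g., January 1900)",
        _free_text, re.compile(r"^[^\W\d_]+ \d{4}$")),
    "childhood_phone": (
        "What was your childhood phone number including area code? (e.g., 000-000-0000)",
        _digits_only, re.compile(r"^\d{10}$")),
    "third_grade_teacher": (
        "What was the last name of your third grade teacher?",
        _free_text, None),
}


def canonical(question_id: str, answer: str) -> str:
    """Apply the question's normalizer; the same function runs at enrollment
    and at verification so formatting differences never lock the user out."""
    _, normalize, _ = QUESTIONS[question_id]
    return normalize(answer)


def fits_format(question_id: str, answer: str) -> bool:
    """True if the canonical answer is non-empty and matches the declared format."""
    _, _, pattern = QUESTIONS[question_id]
    canon = canonical(question_id, answer)
    if not canon:
        return False
    return pattern is None or pattern.match(canon) is not None


def enroll(question_id: str, answer: str,
           salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Validate the format, then store only a per-answer salted PBKDF2 digest
    so a database leak does not hand out the answers in clear."""
    if not fits_format(question_id, answer):
        raise ValueError("answer does not match the format shown in: "
                         + QUESTIONS[question_id][0])
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical(question_id, answer).encode(),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(question_id: str, candidate: str, salt: bytes, digest: bytes) -> bool:
    """Canonicalize the candidate the same way and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", canonical(question_id, candidate).encode(),
                               salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    salt, digest = enroll("third_grade_teacher", "Mr. Jones")
    print(verify("third_grade_teacher", "mr jones", salt, digest))  # True
    print(fits_format("sibling_birth", "1/1900"))                   # False
```

Rejecting a malformed answer at enrollment, rather than at reset time, is what keeps the "e.g., January 1900" hint from becoming a lockout later.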
  • Reply 37 of 52
    mstone Posts: 11,510 member

    Quote:

    Originally Posted by Gazoobee View Post

    Wow, this is spot on as to why I also hate those stupid security questions. They assume a kind of "normalcy" that I have never been in possession of.

    The exact nature of the answer is indeed a real problem for this type of security also. I have several times been locked out of my accounts because of forgetting whether there was a comma or a capital letter in one of my answers.

    They might as well get you to remember a random text string ...

    I don't think the problem is one of a faulty concept but one of poor execution by presenting typical questions/answer options which may not apply to everyone.

    In the case of my bank when I screwed up my login because I changed my password and then forgot I did so, they went into the extreme verification mode.

    The part I found the most impressive was multiple choice questions. They submitted four apparently random addresses and asked if any of them were associated with me. They repeated the sequence a number of times and in some cases the correct answer was none of the above. The addresses they presented, that were correct, they got from public records not from any information I supplied to them. Then they somehow got information about my acquaintances, perhaps from my online presence, but nevertheless they were able to determine beyond any statistical margin of error that I was legitimate even though I may have answered some questions incorrectly.

  • Reply 38 of 52
    lightknight Posts: 2,312 member
    Wait wait wait. Is that an article on the fact that a multibillion dollar company hired an engineer?

    Next week on AppleInsider, "Beijing's Apple Store hires new employee, clearly proving the company's focus on Greater China. This level of dedication to its customers has never been reached by any other company than the "Think different" awesome Apple. Android sucks, by the way. An article by DED."

    Or am I just a bit too harsh?
  • Reply 39 of 52
    lightknight Posts: 2,312 member

    Quote:

    Originally Posted by SolipsismX View Post

    Can we at least start with sodium pentothal?

    Codeine and being nice to an injured agent is said to work too.

    Well, I also understood "agent" means allies and "spy" means enemies... so I guess it's "an injured spy" :p

  • Reply 40 of 52
    carthusia Posts: 584 member

    Quote:

    Originally Posted by lightknight View Post

    Wait wait wait. Is that an article on the fact that a multibillion dollar company hired an engineer?

    Next week on AppleInsider, "Beijing's Apple Store hires new employee, clearly proving the company's focus on Greater China. This level of dedication to its customers has never been reached by any other company than the "Think different" awesome Apple. Android sucks, by the way. An article by DED."

    Or am I just a bit too harsh?

    Not sure if you're too harsh, but many Apple watchers are genuinely curious about when/if Apple implements this technology and whether or not they get it right. I didn't detect any rampant "fanboism" or Android trashing.
