Re: security questions

2008-08-10 Thread John Levine
> IIRC, it used personal data already available to DEC -- so they > didn't have to ask their employees for it That works great so long as the personal data is accurate. Banks these days are supposed to verify your identity when you open an account. Online banks pull your credit report anyway, so

Re: security questions

2008-08-10 Thread Thor Lancelot Simon
On Thu, Aug 07, 2008 at 08:53:58AM -0400, John Ioannidis wrote: > > Does anyone know how this "security questions" disease started, and why > it is spreading the way it is? If your company does this, can you find > the people responsible and ask them what they were think

Re: security questions

2008-08-08 Thread Leichter, Jerry
obably involves more setup time than the average user will want to put up with.) | > constitute good security questions based on the anticipated entropy | > of the responses. This is why, for example, no good security | > question has a yes/no answer (i.e., 1-bit). Aren't security | > que

Re: security questions

2008-08-08 Thread John Ioannidis
[EMAIL PROTECTED] wrote: John Ioannidis wrote: | Does anyone know how this "security questions" disease started, and why | it is spreading the way it is? If your company does this, can you find | the people responsible and ask them what they were thinking? The answer is "

RE: security questions

2008-08-07 Thread piers . bowness
John Ioannidis wrote: | Does anyone know how this "security questions" disease started, and why | it is spreading the way it is? If your company does this, can you find | the people responsible and ask them what they were thinking? The answer is "Help Desk Call Avoidance"

Re: security questions

2008-08-07 Thread Leichter, Jerry
On Thu, 7 Aug 2008, John Ioannidis wrote: | Does anyone know how this "security questions" disease started, and | why it is spreading the way it is? If your company does this, can you | find the people responsible and ask them what they were thinking? | | My theory is that no actua

Re: security questions

2008-08-07 Thread Peter Saint-Andre
Stefan Kelm wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: Does Wells Fargo really use the term "security question" here? Yes it does. I'm a Wells Fargo customer and I had to set my "security que

Re: security questions

2008-08-07 Thread John Ioannidis
Does anyone know how this "security questions" disease started, and why it is spreading the way it is? If your company does this, can you find the people responsible and ask them what they were thinking? My theory is that no actual security people have ever been involved, and that

Re: security questions

2008-08-07 Thread Stefan Kelm
> Wells Fargo is requiring their online banking customers to provide > answers to security questions such as these: Does Wells Fargo really use the term "security question" here? Just wondering, Stefan. --

RE: security questions

2008-08-07 Thread Scott Guthery
Another useful piece of research on the topic: V. Griffith and M. Jakobsson. "Messin' with Texas, Deriving Mother's Maiden Names Using Public Records." ACNS '05, 2005 and CryptoBytes Winter '07 http://www.informatics.indiana.edu/markus/papers.asp Cheers, Scott --

Re: security questions

2008-08-06 Thread Apu Kapadia
is, I enter random values that I don't even record for the security questions. Should something go wrong, I'm going to end up on the phone with a rep anyway, and they will have some other method for authenticating me (or, of course, a clever social-engineering attacker). An excerpt from

Re: security questions

2008-08-06 Thread David Molnar
Peter Saint-Andre wrote: [list of security questions snipped] *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... You might enjoy reading Ari Rabkin's recent paper at SOUPS 2008 on this issue: &quo

Re: security questions

2008-08-06 Thread Matt Ball
On Wed, Aug 6, 2008 at 9:23 AM, Peter Saint-Andre wrote: > > Wells Fargo is requiring their online banking customers to provide answers to > security questions such as these: > > *** > > What is the name of the hospital in which your first child was born? ... > What was your

Re: security questions

2008-08-06 Thread Peter Saint-Andre
Chris Kuethe wrote: On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre <[EMAIL PROTECTED]> wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** ... *** It strikes me that the answers to many of these questions mi

Re: security questions

2008-08-06 Thread Chris Kuethe
On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre <[EMAIL PROTECTED]> wrote: > Wells Fargo is requiring their online banking customers to provide answers > to security questions such as these: > > *** > ... > *** > > It strikes me that the answers to many of t

Re: security questions

2008-08-06 Thread Leichter, Jerry
On Wed, 6 Aug 2008, Peter Saint-Andre wrote: | Wells Fargo is requiring their online banking customers to provide | answers to security questions such as these: | | *** | | What is the name of the hospital in which your first child was born? | What is your mother's birthday? (MMDD) | What i

security questions

2008-08-06 Thread Peter Saint-Andre
Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** What is the name of the hospital in which your first child was born? What is your mother's birthday? (MMDD) What is the first name of your first roommate in college? What is the

RE: Foibles of user "security" questions

2008-01-14 Thread Dave Korn
On 07 January 2008 17:14, Leichter, Jerry wrote: > Reported on Computerworld recently: To "improve security", a system > was modified to ask one of a set of fixed-form questions after the > password was entered. Users had to provide the answers up front to > enroll. One question: Mother's maid

Re: Foibles of user "security" questions

2008-01-14 Thread Peter Gutmann
Florian Weimer <[EMAIL PROTECTED]> writes: >* Jerry Leichter: >> I can just see the day when someone's fingerprint is rejected as >> "insufficiently complex". >It's been claimed that once you reach the retirement age, one person in ten >hasn't got any fingerprints which can be used for biometric pu

Re: Foibles of user "security" questions

2008-01-14 Thread ' =JeffH '
of possible relevance... Mike Just. "Designing and Evaluating Challenge-Question Systems". IEEE SECURITY & PRIVACY, 1540-7993/04, SEPTEMBER/OCTOBER 2004. =JeffH

Re: Foibles of user "security" questions

2008-01-11 Thread Florian Weimer
* Jerry Leichter: > I can just see the day when someone's fingerprint is rejected as > "insufficiently complex". It's been claimed that once you reach the retirement age, one person in ten hasn't got any fingerprints which can be used for biometric purposes. -

Re: Foibles of user "security" questions

2008-01-09 Thread mtd
stored). In fact, I see security questions as a security weakness. My typical answer is random garbage, such as output of pwgen -s -y 48 1. This can be discarded then. Or, at least, gpw 1 60 (gpw output is less secure, but can be stored, remembered, and even written in on simplified keyboards) L

Re: Foibles of user "security" questions

2008-01-08 Thread Victor Duchovni
d unmemorable (stored on a "keychain" or just discarded if the primary password is similarly safely stored). When asked to provide answers for security questions, mine are always either the output of "openssl rand -base64 N" (with N = 6, 9 or 12), or more memorable non-sequ

RE: Foibles of user "security" questions

2008-01-07 Thread Ian Farquhar (ifarquha)
om: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leichter, Jerry Sent: Tuesday, 8 January 2008 4:14 AM To: cryptography@metzdowd.com Subject: Foibles of user "security" questions Reported on Computerworld recently: To "improve security", a system was modified to ask on

Foibles of user "security" questions

2008-01-07 Thread Leichter, Jerry
Reported on Computerworld recently: To "improve security", a system was modified to ask one of a set of fixed-form questions after the password was entered. Users had to provide the answers up front to enroll. One question: Mother's maiden name. User provides the 4-character answer. System r