

The Weakest Link Is You - andyhmltn
https://medium.com/tech-talk/280c753b1145

======
lawl
Wait? You can reset a facebook password by having 3 friends confirm? What the?
First of all, getting 3 friends to pull a prank on someone should be fairly
easy. Other than that you can just create 3 fake accounts and get the victim
to add you as a friend. I find that way worse than these security questions,
because there's essentially no way to defend against this.

Well, except by not having facebook (which luckily I don't have).

~~~
IronSean
What the original author failed to mention (or likely never bothered to find
out) was it's not simply 3 friends, but instead 3 friends from distinct social
circles, possibly with a minimum mutual friend requirement or more.

When you choose the first friend you want to verify, it dramatically limits
the choice pool for the next two, meaning you can't pick 3 mutual friends; you
need to pick yourself, their friend from back in college you don't know, and
their sister. Harder to do than getting any three friends to play a prank.

~~~
sageikosa
I certainly hope they stay my friends, and don't die before I need them.

------
DoubleMalt
Another proof of the fact that security questions are a really bad idea.

I'd rather have to go through some manual time intensive procedure in the
unlikely instance of losing access to my password safe, instead of opening
myself that wide to social engineering.

~~~
andyhmltn
I agree. I would prefer to have to ring up a support line and provide ID or
something. However, that opens up two problems:

* What if it's a non-critical service?
* How do they link an ID to an account without requiring it at launch?

------
jpswade
Consider this:

The question "What is your pornstar name?" asks for your mother's maiden name
and first pet's name...

To get your security details.

~~~
JDGM
I believe the corresponding joke goes something like this:

"To get your pornstar name, take your mother's maiden name and first pet's
na--"

"Let me stop you there. You realise those are both common security questions
for authentication if you forget your password, right?"

"Argh! You mean my bank knows my pornstar name?!"

------
jrabone
Who gives real information as answers to security questions? The approach I
took is to use a hardware device with limited login attempts to generate and
store most of my (random, 16 character) passwords (an IronKey, in my case).

IronKey have a reset mechanism involving security questions; I've never used
it, and I don't know the answers I gave; they're on a sheet of paper, in a
safe somewhere. Yes, it's going to be inconvenient if I ever need it, but if
it happened tomorrow it would be a once-in-ten-years event.

My bank inconveniently REQUIRES security questions in addition to a PIN for
online banking; again, the information they have is made up. I remember it
because I use it regularly, so that ISN'T written down anywhere.

For almost anything else less important, I've either just ignored the security
questions (ie. entered random data) or noted them in the extra account info
field on the IronKey.

For email, I run my own mail server in colo. It's maybe overkill, but I don't
care. Credentials are again 16 character random passwords that I couldn't tell
you, and authentication is only allowed over TLS. I'm toying with going for
full client SSL certificates but device support would be the issue. I've
already discovered more than I wanted to about incompatible SSL
implementations on mobile devices over the years, which is why I'm still
building Debian packages from source linking to OpenSSL instead of GnuTLS...
And there's no webmail access. Never did find one that wasn't either written
in PHP, half-functional or abandoned.

~~~
ams6110
_Who gives real information as answers to security questions?_

Most people do. This piece doesn't really point out that people are a "weak
link" (though they are) as much as it highlights that these "security
questions" do not really add much security in most cases.

~~~
mikeash
Well no, the point is not that security questions don't add security, it's
that they _greatly subtract from_ security.

Sometimes security questions are used to augment a password, but in many
cases, including the one given in the article, they are provided as an
_alternative_ to a password, and one that's often much easier to guess.

------
mikecane
>>>The only thing left between me and winning the bet was the questions. I
dropped them both subtly in a conversation, noted down the answers and to my
surprise: they were both accepted.

Hoo boy. They should let us create our own security questions that can't be
asked in everyday conversations. I never liked "Favorite pet's name" or "Best
teacher's name" and the rest of them.

------
csears
Made me think of this social engineering scene from the movie Sneakers:
<http://www.anyclip.com/movies/sneakers/passport/>

------
captn3m0
I use gibberish answers to security questions. This way I don't need to worry
who all know my mother's maiden name or my first pet's name. Staying safe is
easy, if you know how to game the system.

~~~
hermannj314
I do the same thing. What good does it do me to have a secure password, if the
answers to security questions are well known?

Of course, I learned this the hard way. I had an ex that was able to breach my
email because she knew personal details to answer my security questions (of
course this was back in Hotmail days circa 2001).

------
UVB-76
Security 101: Never answer security questions truthfully

~~~
bluedino
Not a bad idea, but then you have to create some file with a list of your
little lies. Then that file has to be encrypted and you have to remember the
password for it. What was your childhood pet's name? _Did I answer this with
'Bob Saget' or 'Nosferatu'? I can't remember!_

~~~
marcosdumay
Yes, I generate them at random, and keep them at my password database, right
next to the actual password for the service.

That makes them absolutely useless, it's true. And it is the most usefulness
you can extract from them. I'd throw them away, but lots of services make you
answer them once in a while.

------
simonbarker87
The main problem here is that a large amount of a consumer web service's user
base are non-technical, "normal" people who will in all likelihood balk at a
more complicated authentication process unless they can really see the need
for it OR it is implemented really well. Currently the best implementation is
the card reader used by banks but that is a pain as you have to have it with
you all the time (however, it is protecting people's money and so a certain
level of pain is more tolerable in this instance). As a result most banks only
use it for big stuff like sending money to a new account etc. I think only
Barclays use it for logon and it is a real PITA and made me leave them as a
bank.

Santander use the "if you don't recognise the picture above then don't login"
method, which is stupid as if people don't log in regularly then they will
forget what picture they chose and log in anyway.

~~~
andyhmltn
That's a very good point. Two factor authentication is the way to go IMO. It
is a pain to have it with you all of the time, but what if it was just a
simple little USB that you used to reset the password?

To login you need your password + your phone but to reset your password you
need that USB with a unique fingerprint on. That way, I'd just keep it at home
in some kind of safe.

~~~
6d0debc071
I tried using google's two factor auth for a while. It was such a pain to have
to unlock my phone and load the app every time I wanted to log in that I
stopped using it pretty quick. When people are used to just loading their
password manager up when they start their computer, sticking their more secure
details into that, and then being able to log in to wherever with a click and
a very short wait, sticking that sort of extra complexity in seems like a deal
killer. Maybe for my debit card but... then it's worth going to a little extra
effort for the security.

~~~
andyhmltn
Most accounts remember you've authenticated until you log out. That's never
been a problem for me

~~~
6d0debc071
It's cookie based. The system tries to put a cookie on your computer to stop
you clearing your cookies at the end of the session. It's not meant to ask you
to reauthenticate on every login, if you look at the help, it tells you that
clearing the cookies is probably responsible.

More bother than it's worth to me under those conditions; it ought to be
IP-based instead and kept server-side.

------
tomp
Reading this article, I'd say that the weakest link isn't "you" (or "myself"),
but "others", to which the account providers tailor their (in-)security
practices, and thus allow easy access to any account.

------
guard-of-terra
Passwords can't be safe. We have a fundamental problem with passwords that
somebody has got to fix by replacing passwords with something safe.

------
dolphenstein
I think nowadays you really want to have 3 factor authentication for e-mail.
It is a gateway to just about anything you do online!

------
rdl
Apple put some effort into fixing the password recovery vulnerability for
Apple IDs recently (i.e. a few months ago), vs. KBA.

------
pasbesoin
Here's a thought with respect to security questions/answers. Even if you
designate random, password-like/quality answers, are those answers securely
hashed?

If not, you're nonetheless one DB dump or other undesirable access away from
having your account pwned.
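Two of the threads above describe the practical answer from each side of the form: marcosdumay generates random "answers" and keeps them in a password database, and pasbesoin asks whether the service hashes what it stores. The following is an added example, not code from the article or from any of the commenters, that shows both: a client-side generator for unguessable answers, and a server-side store that salts and stretches answers with PBKDF2 before saving them. The iteration count, the normalisation rules and the small wordlist are all assumptions made for the illustration. It also shows why hashing alone is not enough: an offline guesser recovers a real-looking answer like "Fluffy" from the hashed record in a handful of tries, but gets nowhere against a random one.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Dict, Iterable, Optional

# Assumption: PBKDF2-HMAC-SHA256 iteration count. Kept modest so the example
# runs quickly; a production deployment should use a far higher count (or a
# memory-hard KDF such as scrypt/Argon2).
PBKDF2_ITERATIONS = 100_000


def generate_random_answer(nbytes: int = 16) -> str:
    """Client side: produce a random answer to paste into the security-question
    form and store in a password manager, so the 'answer' carries as much
    entropy as a generated password and cannot be learned in conversation."""
    return secrets.token_urlsafe(nbytes)


def normalize_answer(answer: str) -> bytes:
    """Server side: canonicalise so 'Fluffy ' and 'fluffy' verify the same.
    Case-folding and whitespace collapsing slightly reduce entropy, which is
    acceptable only because users type these answers by hand."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = " ".join(text.split())
    return text.encode("utf-8")


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Server side: store only a salted, stretched hash of the answer. The
    returned record is what a DB dump would expose."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer), salt, PBKDF2_ITERATIONS
    )
    return {
        "alg": "pbkdf2-sha256",
        "iters": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_answer(record: Dict[str, object], candidate: str) -> bool:
    """Server side: recompute and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate),
        bytes.fromhex(str(record["salt"])),
        int(record["iters"]),
    )
    return hmac.compare_digest(digest, bytes.fromhex(str(record["hash"])))


def offline_guess(record: Dict[str, object], wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side, after a DB dump: try a wordlist against the stored
    record. Returns the recovered answer, or None if no guess matched."""
    for guess in wordlist:
        if verify_answer(record, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed data: a typical real answer versus a generated one, and a
    # toy wordlist an attacker might try first.
    wordlist = ["max", "rex", "fluffy", "buddy", "bella"]

    real_record = hash_answer("Fluffy")
    print("stored (real answer):", real_record)
    print("offline guess recovers:", offline_guess(real_record, wordlist))

    random_answer = generate_random_answer()
    random_record = hash_answer(random_answer)
    print("stored (random answer):", random_record)
    print("offline guess recovers:", offline_guess(random_record, wordlist))
    print("legitimate verify:", verify_answer(random_record, random_answer))
```

The record written to the database holds a salt and a PBKDF2 digest but not the answer itself, which is the property pasbesoin is asking for; `verify_answer` uses `hmac.compare_digest` so that the comparison does not leak timing. The `offline_guess` function is the caveat: the hash only slows an attacker down per guess, so a low-entropy answer such as a pet's name still falls to a short wordlist after a dump, while the `secrets`-generated answer kept in a password manager does not.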

