

Twitter Porn Names Scam - coglethorpe
http://www.pcworld.com/article/164719/security_alert_twitter_porn_names_scam.html

======
dsingleton
It really frustrates me when sites require a question and secret answer like
"hometown" or "mother's maiden name".

Those are both very easy to find pieces of information. Let me select the
question myself too. By forcing me to give you answer here you're potentially
making my account _less secure_.

Right now I have standard fake answers to those questions; let's hope they
never cross-reference those with anything else. I'm not sure how I'd convince
someone my mother's maiden name is "<insert comedy name here>".

~~~
axod
Best policy is just to use your password as the answer to these questions.

~~~
there
which is stored in plaintext and often viewable by all support staff...

~~~
axod
Right, good point. I was assuming you were using a unique password for that
website.

Also depends what sort of site it is and if it has a concept of "support
staff".

------
raganwald
Authenticating users with passwords and "secrets" such as your hometown, high
school, or first street name are all ridiculous strategies. My not-so-inner
cynic suggests that banks know this but think they are safe from lawsuits as
long as such methods are "industry standards."

~~~
aamar
Can you suggest a better alternative?

Currently, we use email/password for authentication, but if our user forgets
their password, they can answer their security questions to reset it. To
design our list of questions, we worked off of
<http://www.goodsecurityquestions.com/examples.htm> and tried to find
questions which were relatively obscure, but not so obscure that users
couldn't come up with answers. I suppose we can make "write your own question"
an option, but we do think that most users given that option will write too
easy a question, like mother's maiden name.

Our app contains a lot of sensitive data, including medical data, and privacy
of this data is incredibly important to our business. We have to be attentive
to regulation and industry standards -- and you're right that industry
standards probably give us some cover -- but we have both the desire and the
flexibility to do the right thing.

~~~
raganwald
There are no easy answers if the scenario is that someone has "forgotten"
their password AND you want to authenticate them using a web form that can be
submitted anonymously from an arbitrary machine.

------
bonsaitree
Keep in mind these are all meant to be in-channel "back-up" strategies for
when usual authentication methods fail and/or human error results in a
complete loss of credentials. Forcing a true side-channel workflow for
re-authentication and credential recovery isn't practical for most organizations.

A more secure, but frustrating for the disorganized, approach is to email out
a small set (3-5) of one-time credential-recovery passphrases (often called a
scratch-list) with the initial account approval message.

Another slightly more usable forced-in-channel alternative includes image file
recognition where the user selects from a predefined set of pictures to use as
their "shared secret" when the account is created. Typically, a salted hash of
the image file is stored as the actual password value so multiple versions
(slightly bit skewed) of the same visual representation can be leveraged for
password expiration.

Alas, all of these more secure alternatives limit the user's ability to
"personalize" their shared secret and require additional bookkeeping.

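The scratch-list approach described in the comment above, as an added example that is not code from the original thread: generate a handful of one-time recovery codes, keep only a per-code salted hash server-side, and mark a code used on its first successful redemption so it cannot be replayed. Function names such as `generate_scratch_list` and `redeem`, the code format, and the PBKDF2 iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo of a one-time credential-recovery "scratch-list".
# Codes are shown to the user once (e.g. in the account-approval email);
# the server stores only a salt and a slow hash per code, never the code.

ITERATIONS = 50_000  # illustrative; tune to your latency budget


def generate_scratch_list(count: int = 5) -> list[str]:
    """Return `count` random recovery codes like 'a1b2-c3d4-e5f6'."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(6)  # 48 bits of entropy per code
        codes.append("-".join(raw[i:i + 4] for i in range(0, 12, 4)))
    return codes


def _normalize(code: str) -> str:
    # Tolerate case and spacing differences from a human copying the code.
    return code.strip().lower()


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, ITERATIONS)


def store_scratch_list(codes: list[str]) -> list[dict]:
    """Server-side records: per-code salt + hash, each flagged unused."""
    records = []
    for code in codes:
        salt = os.urandom(16)
        records.append({"salt": salt, "hash": _hash(code, salt), "used": False})
    return records


def redeem(records: list[dict], attempt: str) -> bool:
    """Consume the first unused record matching `attempt`; False otherwise."""
    for rec in records:
        if rec["used"]:
            continue  # a spent code must never succeed again
        if hmac.compare_digest(_hash(attempt, rec["salt"]), rec["hash"]):
            rec["used"] = True
            return True
    return False


def remaining(records: list[dict]) -> int:
    """Unused codes left; a good trigger for prompting the user to regenerate."""
    return sum(1 for rec in records if not rec["used"])
```

Rate-limit and log calls to `redeem` exactly as you would password attempts, since each record is only 48 bits and the endpoint is reachable anonymously.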
------
jimfl
C'mon, that porn name formulation is as old as the hills. --Duffy Kauffman.

------
tlrobinson
Of course it would be just as easy to actually ask for the user's password,
like many Twitter applications do...

------
badger7
Whenever forced to use one of these authentications, I just wail on the
keyboard to provide an answer. My mother's maiden name? Why, it's
"sfdgh,jsdzl.kg hjsldghs,hb".

~~~
dsingleton
Be careful doing this for a service with an offline/telecoms aspect. Both my
bank and credit card companies ask to verify that information when I phone
them.

~~~
eru
Chances are you can just answer "I wrote gibberish." and the guy on the phone
will accept that.

~~~
klein_waffle
Unlikely. The person on the phone doesn't have the right to make judgments
like that. Furthermore, if they were to allow it, that means that everyone who
writes gibberish can have their account compromised by someone who guessed
that it's gibberish.

Whenever I need to open an important account (say, with the power utility) I
make up answers and record them on paper. Simple. Effective.

~~~
randallsquared
_Simple. Effective._

Combustible.

