

Challenge-response: the use of incorrect responses in validating identity - amrith
http://hypecycles.wordpress.com/2009/09/27/who-are-you-really/

======
makecheck
American Express recently added these "3 questions" to my account, and it made
me very mad. For one thing, their "request" was persistent; it eventually
wouldn't let me log in until I provided them, so they were really a
requirement. "For security", of course, even though there's evidence [1] they
make security worse.

To make it more insulting, though, I discovered that the implementation was
very dumb:

1. The questions were fixed, and extremely stupid. Any of them could probably
be guessed by someone with a few minutes to Google.

2. The question lists were too short, making it difficult to pick a really
hard-to-guess answer.

3. The lists were unique to _each question_. So if I saw 2 questions I liked
in the first slot, I could choose only one of them, and if the 2nd slot had
completely inane options, I had to choose one of the inane options.

4. The last question _didn't even offer options that applied to me_. So
suddenly, for "security", I had to remember which unrelated question I
selected, and which made-up response I provided. Thanks a hell of a lot, AE.

[1] http://www.schneier.com/blog/archives/2009/05/secret_question.html

~~~
amrith
I worked with a system administrator once. He didn't understand two factor
security. So he told everyone to remember two passwords.

Maybe he now works at American Express.

I see exactly the same thing with most "security improvements". Hence, treat
each answer as just another password: a random string of characters, numbers
and punctuation.

------
russell
I usually give a different email address to each service that I sign up to, so
I can tell if they are selling my address, but I never thought of giving a
different mother's maiden name so I can detect phishing. It's a reasonable
strategy, but I have trouble remembering the name of my elementary school, my
favorite color (I don't care), the make of my first car (my parents' or the one
I actually paid for) ... However, I will try the strategy of giving a couple of
wrong answers to weed out the fakes.

~~~
amrith
The issue with providing an answer that is a meaningful response is that one
can in fact guess and often get it right. Second, most sites that use these
secret answers (favorite color, first car, ...) don't have a mechanism to lock
out after a certain number of incorrect attempts.

My first car is likely something like x78uyipoqA.

Call me paranoid!
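The defensive side of amrith's two points, as an added example that is not from the thread: secret answers stored and checked the way passwords should be (salted, slow hash, constant-time compare), a lockout after a fixed number of failed attempts, and a comparison of the guessing entropy of a fixed drop-down answer against a random one. The color list, the attempt limit and all names are assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Constructed stand-in for a site's fixed drop-down of "favorite color" answers.
COLOR_CHOICES = ["red", "blue", "green", "yellow", "black", "white", "purple", "orange"]
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold


def entropy_bits(n_choices: int, length: int = 1) -> float:
    """Bits of guessing entropy for `length` independent picks from n_choices."""
    return length * math.log2(n_choices)


def random_answer(length: int = 10) -> str:
    """A password-style secret answer of the kind the thread suggests (e.g. x78uyipoqA)."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


class SecretAnswerStore:
    """Stores answers hashed like passwords and locks out after repeated failures."""

    def __init__(self):
        self._records = {}   # (user, question) -> (salt, pbkdf2 digest)
        self._failures = {}  # (user, question) -> consecutive failed attempts

    @staticmethod
    def _digest(salt: bytes, answer: str) -> bytes:
        # Surrounding whitespace is trimmed but case is kept: folding case would
        # shrink the keyspace of a random answer.
        return hashlib.pbkdf2_hmac("sha256", answer.strip().encode(), salt, 100_000)

    def set_answer(self, user: str, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records[(user, question)] = (salt, self._digest(salt, answer))
        self._failures[(user, question)] = 0

    def verify(self, user: str, question: str, answer: str) -> str:
        """Returns 'ok', 'wrong' or 'locked'; a locked slot rejects even the right answer."""
        key = (user, question)
        if self._failures.get(key, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        salt, stored = self._records[key]
        if hmac.compare_digest(stored, self._digest(salt, answer)):
            self._failures[key] = 0
            return "ok"
        self._failures[key] += 1
        return "locked" if self._failures[key] >= MAX_FAILED_ATTEMPTS else "wrong"
```

With eight fixed colors an attacker needs at most eight guesses, so without the lockout the drop-down answer is worth about 3 bits; a 10-character random answer from this alphabet is worth over 60.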

