Ask HN: Online Account Security Questions - bbissoon

I'm constantly bothered by the techniques used to secure our online accounts.

First - the multiple security questions.
Second - the mandatory length and confusion in our passwords.

These techniques are ridiculous and only hinder usability and adoption.

How about letting users enter a PIN instead of requiring them to answer and set 5 random questions?

Password security: if I want it to be "password" - so be it. Give me a warning and let me keep moving. That ALONE has been the reason I opt for not using certain services online.

Why must online security be stricter than real world applications such as an ATM PIN, with the added benefit of using all alphanumeric chars?

While taking brute force precautions in the code - why make it harder for users to use/register for your service?
======
mooism2
The database containing everybody's PINs _will_ be stolen. Even if you use 8
digit PINs and they are properly hashed, they will get brute-forced rather
quickly. Any longer and people will not be able to remember their PINs or will
use the same PIN with multiple websites --- exactly the same problems we have
with passwords.

(Am I saying that security questions are secure? No.)

~~~
bbissoon
If you have to use ALL alphanumeric chars - how can this possibly be brute
forced quickly? If your table of PINs is stolen and the information readily
connects a user to a PIN - that system is horrible from the jump.

Human beings attempt to brute force their own pins, most of which have a
greater insight into possible combinations and STILL get their account locked.
Remember - 3 tries gets you locked.

Why would it get broken quicker? If there's something I'm missing, I want to
know it for the sake of being a better developer.

------
barakstout
You know, I was wondering the same thing. I am guessing it is to protect
websites against bots or something.

~~~
bbissoon
But when you're accounting for brute force attack, you can lock out an account
for a certain number of incorrect tries. A bot wouldn't have a chance to
correctly identify the pin unless it ran the correct combination in the first
3 tries.

With the use of all alphanumeric chars - it would be even greater security.
The only risk I see is if people consciously decided to use 111, aaa, bbb etc
and those of the like.

But you can also block these pins from the jump so people can't use them.
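The disagreement in this thread (lockout after 3 tries vs. a stolen hash table) comes down to two different attack paths with very different guess budgets. The following is an added risk-model example, not code from any poster; the guess rates are constructed illustrative assumptions, and the weak-pattern filter is one way to implement the "block 111, aaa" idea above.

```python
import math

# Constructed assumptions for illustration, not measurements from the thread:
# guesses per second against a *stolen* hash table (offline, no lockout applies).
OFFLINE_RATE_FAST_HASH = 10_000_000_000  # fast, unsalted hash on commodity GPUs
OFFLINE_RATE_SLOW_HASH = 10_000          # deliberately slow, tuned password hash
ONLINE_ATTEMPTS_BEFORE_LOCKOUT = 3       # the "3 tries" lockout from the thread

DIGITS = 10
ALNUM = 62  # a-z, A-Z, 0-9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols from the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random secret of this shape."""
    return length * math.log2(charset_size)


def online_guess_probability(charset_size, length, attempts=ONLINE_ATTEMPTS_BEFORE_LOCKOUT):
    """Chance a guesser hits a random secret before lockout triggers.
    Lockout bounds this path only; it does nothing once the hash table has leaked."""
    return attempts / keyspace(charset_size, length)


def offline_hours_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case hours to try every secret against one leaked (salted) hash."""
    return keyspace(charset_size, length) / guesses_per_second / 3600


def is_weak_pattern(secret: str) -> bool:
    """Reject the '111', 'aaa', '1234', '4321' style secrets proposed for blocking."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def risk_table(configs):
    """Summarise both attack paths for each (name, charset_size, length) config."""
    return [{"name": name,
             "bits": round(entropy_bits(cs, n), 1),
             "online_p": online_guess_probability(cs, n),
             "offline_fast_h": offline_hours_to_exhaust(cs, n, OFFLINE_RATE_FAST_HASH),
             "offline_slow_h": offline_hours_to_exhaust(cs, n, OFFLINE_RATE_SLOW_HASH)}
            for name, cs, n in configs]


if __name__ == "__main__":
    for r in risk_table([("4-digit PIN", DIGITS, 4), ("8-digit PIN", DIGITS, 8),
                         ("8-char alphanumeric", ALNUM, 8)]):
        print(r)
```

Under these assumptions an 8-digit PIN behind a fast hash is exhausted offline in well under a second, while an 8-character alphanumeric secret behind a slow hash takes on the order of centuries, which is the gap mooism2 is pointing at.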

