

The Giant Security Hole That Facebook Doesn’t Care About - derpenxyne
http://gizmodo.com/5986861/the-giant-security-hole-that-facebook-doesnt-care-about

======
benologist
I use 1password to generate answers and also the actual questions when I can.

------
pasbesoin
I remember being involved in the implementation of security questions, some
years back. (Not my choice...)

Lots of talk and "analysis" about "best practices"...

It's just another password. (I'll consider a set of multiple Q/A to still
constitute a single pass... mechanism.) One socially engineered to have low
entropy and ever-increasing discoverability.

When sites force me to enter security Q/A values, I generate random values and
use those. And note them in local, encrypted store for possible future
reference.

The whole security Q/A has ended up being a cost savings-driven, analyst
defined, best practices boondoggle.

And the idea, in this FB instance, that you have a password that you can never
change, and that you were prompted to set to what is probably a fairly
discoverable and/or low entropy value? Facebook needs to rethink this. It
needs to get past the customer support level ("it's a feature, trust us") to
some serious consideration and re-evaluation/re-architecting.

I'm not outright opposed to a backup access mechanism, when properly defined
and used. (Compromised? Be sure to use the backup in some "out of band"
fashion.)

But a weak, can't be changed "password"? Come on.

P.S. Of course, another approach may be the assumption that all people have /
soon will have phones that provide an out of band mechanism for two-factor
authentication. (Although... given that the same phone is increasingly one's
primary access to the FB site itself... maybe this should be rethunk, too?)
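The "treat it as just another password" approach described in the comment above, as an added example that is not part of the thread and not code from any commenter: random answers with real entropy, a comparison against what a guessable answer offers, and a local encrypted store to keep them in. Everything here is an assumption for illustration: the alphabet (chosen because many sites lower-case and strip answers before comparing), the lengths, the sample entries, and the stdlib-only encrypt-then-MAC construction (PBKDF2-derived keys, HMAC-SHA256 in counter mode as keystream, HMAC-SHA256 tag). In practice a password manager, as the first commenter uses, is the right tool; this only shows what such a store has to do.

```python
import hashlib
import hmac
import json
import math
import os
import secrets
import string

# Assumption: sites often lower-case answers and strip punctuation before
# comparing, so the alphabet is restricted to characters that survive that.
ANSWER_ALPHABET = string.ascii_lowercase + string.digits

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ROUNDS = 100_000  # illustrative work factor


def random_answer(length: int = 20) -> str:
    """A security-question 'answer' that is really a random password."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def guessable_answer_bits(plausible_answers: int) -> float:
    """Entropy of a 'real' answer drawn from N plausible values (e.g. pet names)."""
    return math.log2(plausible_answers)


def _derive_keys(passphrase: str, salt: bytes):
    """Split a PBKDF2 output into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustrative)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_store(entries: dict, passphrase: str) -> bytes:
    """Serialise entries as JSON, encrypt, then MAC salt+nonce+ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def decrypt_store(blob: bytes, passphrase: str) -> dict:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("store too short to be valid")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, nonce, ciphertext = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + NONCE_LEN], body[SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered store")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


def new_entries(site: str, questions, length: int = 20) -> dict:
    """Random answer per question, keyed by site, ready to drop into the store."""
    return {site: {q: random_answer(length) for q in questions}}


if __name__ == "__main__":
    # Constructed sample data, not from any real account.
    entries = new_entries("example.com", ["First pet?", "Mother's maiden name?"])
    print("random answer:", entropy_bits(len(ANSWER_ALPHABET), 20), "bits")
    print("'favourite colour' from ~20 options:", guessable_answer_bits(20), "bits")
    blob = encrypt_store(entries, "correct horse battery staple")
    assert decrypt_store(blob, "correct horse battery staple") == entries
    print("store round-trips,", len(blob), "bytes on disk")
```

The entropy comparison is the point: a 20-character random answer over a 36-symbol alphabet is over 100 bits, while a true "favourite colour" drawn from twenty or so plausible values is about four. The store verifies the tag before decrypting, so a wrong passphrase and a tampered file fail the same way.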

