
Gandi – Why we retired the security question - ddacunha
https://news.gandi.net/en/2020/07/why-we-retired-the-security-question/?affiliate=nl_EN_jul20_1&pk_campaign=Newsletter_EN_email_44032&pk_kwd=NL&pk_source=email&pk_medium=email&pk_content=news1_security
======
Jaruzel
In the UK the NCSC[1] also no longer advocate security questions such as these
and recommends using MFA to recover lost passwords. Additionally they also
advocate non-expiring passwords, as ironically, having to change a password
every 30 days actually causes users to use less secure passwords (e.g.
Monday1, Monday2, Monday3 etc.).

--

[1] [https://www.ncsc.gov.uk/](https://www.ncsc.gov.uk/)

------
sha666sum
This URL includes a bunch of tracking parameters. Cleaned version:
[https://news.gandi.net/en/2020/07/why-we-retired-the-securit...](https://news.gandi.net/en/2020/07/why-we-retired-the-security-question/)

------
FunSociety
Using the email to trigger a password recovery is a good solution. But in the
end, you are just outsourcing your "self-care" problem to the email provider.

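The email-based recovery flow the comment above prefers over security questions, sketched as an added example (not Gandi's code and not the commenter's): a random single-use reset token whose digest, not the token itself, is stored, with a short expiry and a uniform reply to the "forgot password" form so it cannot be used to enumerate registered addresses. The 15-minute lifetime, the example.invalid link and the account table are assumptions for the demonstration.

```python
"""Email-driven password reset tokens: random, hashed at rest, expiring, single-use.

Added example for this thread; assumptions: a 15-minute token lifetime, a reset
link on example.invalid, and a constructed in-memory account table.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: short, because the mailbox is now the only factor


class ResetTokenStore:
    """Pending reset tokens. Only a SHA-256 digest of each token is kept, so a
    leaked table cannot be replayed; every token is single-use and expires."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}  # digest -> (account_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id: str) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, so an unsalted digest is sufficient.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (account_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, presented: str) -> Optional[str]:
        # pop() makes the token single-use whether or not it also turns out to be expired.
        entry = self._pending.pop(self._digest(presented), None)
        if entry is None:
            return None
        account_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return account_id


class PasswordResetService:
    """The 'forgot password' flow as seen from the web form."""

    GENERIC_REPLY = "If that address is registered, a reset link has been sent."

    def __init__(self, accounts_by_email: Dict[str, str], store: ResetTokenStore,
                 send_email: Callable[[str, str], None]) -> None:
        self._accounts = accounts_by_email  # lower-cased email -> account id
        self._store = store
        self._send = send_email

    def request_reset(self, email: str) -> str:
        account_id = self._accounts.get(email.strip().lower())
        if account_id is not None:
            token = self._store.issue(account_id)
            self._send(email, f"https://example.invalid/reset?token={token}")
        # Identical reply either way, so the form does not reveal which addresses exist.
        return self.GENERIC_REPLY

    def complete_reset(self, token: str) -> Optional[str]:
        """Returns the account whose password may now be set, or None if the
        token is unknown, already used, or expired."""
        return self._store.redeem(token)


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a mail transport
    accounts = {"alice@example.com": "acct-1"}  # constructed account table
    service = PasswordResetService(accounts, ResetTokenStore(),
                                   lambda to, link: outbox.append((to, link)))
    print(service.request_reset("alice@example.com"))
    print(service.request_reset("nobody@example.com"))  # same reply, nothing sent
    link = outbox[0][1]
    token = link.rsplit("token=", 1)[1]
    print("first redeem:", service.complete_reset(token))
    print("second redeem:", service.complete_reset(token))
```

As FunSociety notes, this still outsources the recovery problem to the mailbox: anyone who controls the email account controls the reset, which is why the token is short-lived and why the service never echoes it back anywhere but the message itself.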
~~~
Normille
That works as long as you know the email you signed up with and have
forgotten the password. But what if it's the other way round?

I'd imagine most web savvy people these days have several email addresses and
lots of us will use disposable emails or tricks like adding '+something' to
our emails when we sign up.

I've recently run into this problem on a couple of sites [I'm thinking
Trustpilot and Mastodon but could be wrong], whereby my password manager had
saved my login name and password but, when I returned to the site, it wanted
me to login with my email address and password. [inconsistent naming of form
fields twixt registration screen and login screen, no doubt].

I couldn't remember which of my half dozen or so email addresses or "+"-added
variations of them I'd used, or if I'd used a disposable email like Mailinator
to sign up. So I clicked on the "forgot login" link --which then asked me to enter
my account email address, in order to be sent a password reset link!

------
Normille
Another favourite of mine is when sites ask your date of birth as a security
question. Y'know, that top secret piece of info known only to: yourself, your
family, most of your friends, anyone you've ever worked for, anyone you've
ever filled in a form for... etc.

Which is why, when sites require me to setup answers for these dumb security
questions, I always invent ridiculous ones and then save those along with the
password in my password manager.

It did partially backfire one time though when my insurance co. had to ring me
and asked me to confirm my mother's maiden name. I don't think they believed
me when I replied it was "Hitler".

