[PLUG-TALK] Challenge Question Authentication Holy S***!

Pete Lancashire pete at petelancashire.com
Mon Apr 4 18:52:14 UTC 2016


The one-time passcode is about the only way to go; eBay support was one of
the first sites I use to implement it.

If a site still wants to use question/answer matches it should allow one to
create their own Q/A pairs.

It would take no more than a day for a determined hacker to figure out the
answers to 99% of the canned questions I've seen.

When I asked a bank I used to have an account at why they only allowed canned
questions, their lame answer could be translated into "The contractor we
used in India to implement the software is no longer in business".

On Mon, Apr 4, 2016 at 11:41 AM, Aaron Burt <aaron at bavariati.org> wrote:

> On 2016-04-03 23:10, Keith Lofstrom wrote:
> > Read an old paper: "Designing Authentication Systems with
> > Challenge Questions" by Mike Just, and realized, holy s***,
> > these represent a huge security risk if used as intended.
> >
> > The problem is, most websites use the same short list of
> > security questions, like "what was the name of your first
> > pet?" and "what was the name of your elementary school?"
>
> Obligatory XKCD: http://xkcd.com/792/
> "It'll be hilarious the first few times this happens."
>
> I will note that 3 people visually confirmed my identity vs. my driver's
> license when I took my ARRL Technician-class exam last night.  We care
> about academic fraud; money may secure our lives but perhaps character
> is all we really have.
>
> > [...] Bozo Bob signs up for the
> > website, picks the set of questions he is familiar with,
> > and gives the answers he is used to giving.  Even if Bob
> > is half clever, and uses patterned nonsense answers like
> > "bns bromine", Eve can guess that his answer to a
> > similar Gmail authentication question is "ggl iron"
> > or "gml germanium" (see note).  Most people are more
> > robotic than Bob, and their answers are easier to guess.
> > [...]
> > (note)  Your puzzle for the day: what is Bozo Bob's
> > memorizable algorithm?
>
> Still working on it.
> _______________________________________________
> PLUG-talk mailing list
> PLUG-talk at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug-talk
>