[PLUG-TALK] Challenge Question Authentication Holy S***!

Aaron Burt aaron at bavariati.org
Mon Apr 4 18:41:19 UTC 2016


On 2016-04-03 23:10, Keith Lofstrom wrote:
> Read an old paper: "Designing Authentication Systems with
> Challenge Questions" by Mike Just, and realized, holy s***,
> these represent a huge security risk if used as intended.
> 
> The problem is, most websites use the same short list of
> security questions, like "what was the name of your first
> pet?" and "what was the name of your elementary school?"

Obligatory XKCD: http://xkcd.com/792/
"It'll be hilarious the first few times this happens."

I will note that 3 people visually confirmed my identity vs. my driver's 
license when I took my ARRL Technician-class exam last night.  We care 
about academic fraud; money may secure our lives but perhaps character 
is all we really have.

> [...] Bozo Bob signs up for the
> website, picks the set of questions he is familiar with,
> and gives the answers he is used to giving.  Even if Bob
> is half clever, and uses patterned nonsense answers like
> "bns bromine", Eve can guess that his answer to a
> similar Gmail authentication question is "ggl iron"
> or "gml germanium" (see note).  Most people are more
> robotic than Bob, and their answers are easier to guess.
> [...]
> (note)  Your puzzle for the day: what is Bozo Bob's
> memorizable algorithm?

Still working on it.
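An added example, not part of Keith's or Aaron's posts, that illustrates the point the quoted paper makes from the defender's side: challenge-question answers are secondary passwords and should be generated and stored like them. The script compares the residual guessing space of a patterned cross-site scheme (the quoted examples pair a site abbreviation with a chemical element name) with that of an independent random answer per site and question. The word list, the site and question names, and the assumption that Eve has already recognised the pattern are all constructed for the example.

```python
"""Treat challenge-question answers as secondary passwords.

Added example: compares the guessing space of a patterned, memorizable
cross-site answer scheme with that of randomly generated per-site answers
kept in a password manager.
"""
import math
import secrets

# Number of named chemical elements a patterned answer could draw on.
N_ELEMENTS = 118

# Constructed 32-entry word list for illustration only (5 bits per word).
# A real generator would use a large published list of several thousand words.
WORDLIST = [
    "anchor", "basalt", "cobalt", "delta", "ember", "falcon", "granite", "harbor",
    "island", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "raven", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cinder", "dune", "elm", "fjord",
]


def patterned_answer_bits(n_elements: int = N_ELEMENTS) -> float:
    """Residual guessing space of a patterned answer once the pattern is known.

    Assumption (constructed for this example): Eve has seen one answer such
    as "bns bromine", recognised the "site abbreviation + element" pattern,
    and can derive the abbreviation for any other site herself.  The element
    is then the only unknown; even if she must try every element, that is
    log2(118) ~= 6.9 bits, i.e. at most 118 guesses.  If the element is also
    derivable from the site name, the cost drops to zero.
    """
    return math.log2(n_elements)


def random_answer(n_words: int = 4, words=WORDLIST) -> str:
    """Generate an answer from the word list using a CSPRNG (secrets)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def random_answer_bits(n_words: int = 4, words=WORDLIST) -> float:
    """Entropy of random_answer(): each word is an independent uniform pick."""
    return n_words * math.log2(len(words))


def build_answer_vault(sites, questions, n_words: int = 4) -> dict:
    """Independent random answer per (site, question), stored like passwords.

    Because every answer is drawn independently, learning all of one site's
    answers tells Eve nothing about another site's, which is exactly the
    property the patterned scheme lacks.
    """
    return {site: {q: random_answer(n_words) for q in questions} for site in sites}


def is_well_formed(answer: str, n_words: int = 4, words=WORDLIST) -> bool:
    """Check that an answer is exactly n_words entries from the word list."""
    parts = answer.split(" ")
    return len(parts) == n_words and all(p in words for p in parts)


if __name__ == "__main__":
    print(f"patterned scheme, pattern known: {patterned_answer_bits():.1f} bits")
    print(f"random 4-word answer:            {random_answer_bits():.1f} bits")
    # Constructed site and question names.
    vault = build_answer_vault(["bank", "gmail"], ["first pet", "elementary school"])
    for site, answers in vault.items():
        for question, answer in answers.items():
            print(f"{site:6} {question:18} -> {answer}")
```

The vault output is what would go into a password manager alongside the site's password; the user never memorizes it, so there is no pattern for Eve to carry from one site to the next.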


