[PLUG-TALK] Challenge Question Authentication Holy S***!
Aaron Burt
aaron at bavariati.org
Mon Apr 4 18:41:19 UTC 2016
On 2016-04-03 23:10, Keith Lofstrom wrote:
> Read an old paper: "Designing Authentication Systems with
> Challenge Questions" by Mike Just, and realized, holy s***,
> these represent a huge security risk if used as intended.
>
> The problem is, most websites use the same short list of
> security questions, like "what was the name of your first
> pet?" and "what was the name of your elementary school?"
Obligatory XKCD: http://xkcd.com/792/
"It'll be hilarious the first few times this happens."
I will note that 3 people visually confirmed my identity vs. my driver's
license when I took my ARRL Technician-class exam last night. We care
about academic fraud; money may secure our lives but perhaps character
is all we really have.
> [...] Bozo Bob signs up for the
> website, picks the set of questions he is familiar with,
> and gives the answers he is used to giving. Even if Bob
> is half clever, and uses patterned nonsense answers like
> "bns bromine", Eve can guess that his answer to a
> similar Gmail authentication question is "ggl iron"
> or "gml germanium" (see note). Most people are more
> robotic than Bob, and their answers are easier to guess.
> [...]
> (note) Your puzzle for the day: what is Bozo Bob's
> memorizable algorithm?
Still working on it.