security questions

on 13.09.2007 16:10:58 by unix_fan

Security questions are the big thing now. Everybody is demanding that I
reveal private information to them in clear text.

How can this be good? Am I wrong, or are we giving system administrators
and others around the globe access to our banks and mutual funds? Because
sooner or later, somebody is going to use my dog's name to try to
get access to my accounts via the security question.

I mean, now they're starting to put more security questions in, but with 8
to choose from, that's like using a 3 bit security algorithm.

How about this as an alternative: have the user put in two passwords.
Maybe a PIN and a PUK. Or just have the security question be optional.

These sites often let you reset your password by mail anyway,
so what's the point?

Re: security questions

on 16.09.2007 17:09:22 by Ertugrul Soeylemez

unix_fan (07-09-13 16:10:58):

> Security questions are the big thing now. Everybody is demanding that
> I reveal private information to them in clear text.

This is where your view is wrong. Security questions don't demand true
answers. To the question, "what's the name of your dog?", would you
really tell the name of your dog? Use anything _but_ the name of your
dog. View this as a password prompt, where you can choose the prompt
message.


Regards,
Ertugrul Söylemez.


--
Security is the one concept, which makes things in your life stay as
they are. Otto is a man, who is afraid of changes in his life; so
naturally he does not employ security.