IveLeft... Posted November 13, 2016

I clicked to opt out as the questions are so limited I could only use one that was true that I would remember. Please add some more decent questions. Perhaps like:

- First pet's name
- First child's name
- Your mother's maiden name
- Where did you go to college / uni

etc. etc.

Management Matt Posted November 15, 2016

The issue with obvious questions is that they often have a very obvious answer that most people reveal often in their own Facebook feeds. A lot of people reply to those "What is your stripper name" style posts.

For example: "What is your stripper name? Answer with your first pet's name and your mom's maiden name!" and then you have revealed two often used security question answers without really thinking.

Simon Woods Posted November 15, 2016

I could also nix all of the questions provided for different reasons. Will there be any additions in the foreseeable future or is this it?

Joel R Posted November 15, 2016

6 hours ago, Matt said:
> The issue with obvious questions is that they often have a very obvious answer that most people reveal often in their own Facebook feeds. A lot of people reply to those "What is your stripper name" style posts. For example: "What is your stripper name? Answer with your first pet's name and your mom's maiden name!" and then you have revealed two often used security question answers without really thinking.

1. You don't really offer unique or non-obvious questions either. Many of these are standard security questions that I've seen on other websites. Just putting that out there.
2. My stripper name would be Chimmi Louetta. Hot damn I would be an amazing stripper.
3. On a serious note, they always say the best Q&A would be related to your community. As such, I think you should include more customized questions unique to the IPS experience such as:

- who is your most favorite IPS or Marketplace developer?
- what is your most favorite Marketplace application or plugins?
- what was the theme color of your first IPS community?
- what year did you buy your first IPS package?

They combine personalized questions with an IPS twist, thereby making it harder for others to crack while being more relevant to the admin.

IveLeft... Posted November 15, 2016 Author

7 hours ago, Matt said:
> The issue with obvious questions is that they often have a very obvious answer that most people reveal often in their own Facebook feeds. A lot of people reply to those "What is your stripper name" style posts. For example: "What is your stripper name? Answer with your first pet's name and your mom's maiden name!" and then you have revealed two often used security question answers without really thinking.

That was just an example, the ones you have are too limited and pretty useless, so perhaps expand them for a wider choice. I don't do Facebook and very few know my first pet's name, my first school, my first car, etc.

Marcher Technologies Posted November 17, 2016

Shouldn't the user be able to define their own security questions? It is the only way to have them be truly secure, questions like this are quite easy to get the answers to with simple social engineering.

I skipped them as well, because there is a vast amount of assumption, only one question is valid. I'd be concerned if I didn't use 30-character passwords.

Management Lindy Posted November 21, 2016

On 11/17/2016 at 4:16 PM, Marcher Technologies said:
> Shouldn't the user be able to define their own security questions? It is the only way to have them be truly secure, questions like this are quite easy to get the answers to with simple social engineering. I skipped them as well, because there is a vast amount of assumption, only one question is valid. I'd be concerned if I didn't use 30-character passwords.

So, because you feel the answers are easy to get via social engineering, you opted out of the system altogether thus saving an attacker a few steps? That's one way to go.

I don't like the idea of defining your own security questions and I suspect the reason virtually no major site (no social site, bank, utility or any site I visit anyway) offers that ability is because of the support overhead involved with people who base those questions on current events like "what's your favorite song?" and then can't remember the answer.

There's no problem with adding more questions - give us some more examples.

If you really take security seriously, you shouldn't be using actual answers anyway. You should be using a password manager like Lastpass or 1Password. All of them have a notes section... "Childhood hero: dHqi1(##1oPzKAl<QQ!!S" etc.

Management Matt Posted November 22, 2016

On 21/11/2016 at 3:42 AM, Lindy said:
> So, because you feel the answers are easy to get via social engineering, you opted out of the system altogether thus saving an attacker a few steps? That's one way to go. I don't like the idea of defining your own security questions and I suspect the reason virtually no major site (no social site, bank, utility or any site I visit anyway) offers that ability is because of the support overhead involved with people who base those questions on current events like "what's your favorite song?" and then can't remember the answer. There's no problem with adding more questions - give us some more examples. If you really take security seriously, you shouldn't be using actual answers anyway. You should be using a password manager like Lastpass or 1Password. All of them have a notes section... "Childhood hero: dHqi1(##1oPzKAl<QQ!!S" etc.

It's funny you mention that, my childhood hero was also dHqi1(##1oPzKAl<QQ!!S. He was amazing.

Marcher Technologies Posted November 22, 2016

On 11/20/2016 at 8:42 PM, Lindy said:
> So, because you feel the answers are easy to get via social engineering, you opted out of the system altogether thus saving an attacker a few steps? If you really take security seriously, you shouldn't be using actual answers anyway. You should be using a password manager like Lastpass or 1Password. All of them have a notes section... "Childhood hero: dHqi1(##1oPzKAl<QQ!!S" etc.

Perhaps my logic is flawed. I do use a password manager. From my perspective and understanding of the relevant technology, if an attacker was to gain access to this account, they will have to have gained access to my password manager, as brute forcing such a large and complex password would take decades, even if for some reason the database was compromised.

Security questions such as these would be a last barrier to entry on this specific account, and as a result I wouldn't think it wise to store the answers to such questions anywhere, much less in the same password manager that would very likely already be compromised.

Simon Woods Posted November 23, 2016

On 21/11/2016 at 3:42 AM, Lindy said:
> There's no problem with adding more questions - give us some more examples.

Archived
This topic is now archived and is closed to further replies.