
New Security Questions Client Area


IveLeft...


  • Management

The issue with obvious questions is that they often have a very obvious answer that most people reveal often in their own Facebook feeds.

A lot of people reply to those "What is your stripper name" style posts. For example: "What is your stripper name? Answer with your first pet's name and your mom's maiden name!" and then you have revealed two often used security question answers without really thinking.


6 hours ago, Matt said:

The issue with obvious questions is that they often have a very obvious answer that most people reveal often in their own Facebook feeds.

A lot of people reply to those "What is your stripper name" style posts. For example: "What is your stripper name? Answer with your first pet's name and your mom's maiden name!" and then you have revealed two often used security question answers without really thinking.

1. You don't really offer unique or non-obvious questions either.  Many of these are standard security questions that I've seen on other websites.  Just putting that out there.  

2.  My stripper name would be Chimmi Louetta.  Hot damn I would be an amazing stripper.  

3. On a serious note, they always say the best Q&A would be related to your community.  As such, I think you should include more customized questions unique to the IPS experience such as:

- who is your most favorite IPS or Marketplace developer?

- what is your most favorite Marketplace application or plugins?

- what was the theme color of your first IPS community? 

- what year did you buy your first IPS package? 

They combine personalized questions with an IPS twist, thereby making it harder for others to crack while being more relevant to the admin. 

 


7 hours ago, Matt said:

The issue with obvious questions is that they often have a very obvious answer that most people reveal often in their own Facebook feeds.

A lot of people reply to those "What is your stripper name" style posts. For example: "What is your stripper name? Answer with your first pet's name and your mom's maiden name!" and then you have revealed two often used security question answers without really thinking.

 

That was just an example, the ones you have are too limited and pretty useless, so perhaps expand them for a wider choice.

I don't do Facebook and very few know my first pet's name, my first school, my first car, etc.


Shouldn't the user be able to define their own security questions? It is the only way to have them be truly secure, questions like this are quite easy to get the answers to with simple social engineering. I skipped them as well, because there is a vast amount of assumption, only one question is valid. I'd be concerned if I didn't use 30-character passwords.


  • Management
On 11/17/2016 at 4:16 PM, Marcher Technologies said:

Shouldn't the user be able to define their own security questions? It is the only way to have them be truly secure, questions like this are quite easy to get the answers to with simple social engineering. I skipped them as well, because there is a vast amount of assumption, only one question is valid. I'd be concerned if I didn't use 30-character passwords.

So, because you feel the answers are easy to get via social engineering, you opted out of the system altogether thus saving an attacker a few steps? That's one way to go. :lol:

I don't like the idea of defining your own security questions and I suspect the reason virtually no major site (no social site, bank, utility or any site I visit anyway) offers that ability is because of the support overhead involved with people who base those questions on current events like "what's your favorite song?" and then can't remember the answer. 

There's no problem with adding more questions - give us some more examples. If you really take security seriously, you shouldn't be using actual answers anyway. You should be using a password manager like Lastpass or 1Password. All of them have a notes section... "Childhood hero: dHqi1(##1oPzKAl<QQ!!S" etc. 


  • Management
On 21/11/2016 at 3:42 AM, Lindy said:

So, because you feel the answers are easy to get via social engineering, you opted out of the system altogether thus saving an attacker a few steps? That's one way to go. :lol:

I don't like the idea of defining your own security questions and I suspect the reason virtually no major site (no social site, bank, utility or any site I visit anyway) offers that ability is because of the support overhead involved with people who base those questions on current events like "what's your favorite song?" and then can't remember the answer. 

There's no problem with adding more questions - give us some more examples. If you really take security seriously, you shouldn't be using actual answers anyway. You should be using a password manager like Lastpass or 1Password. All of them have a notes section... "Childhood hero: dHqi1(##1oPzKAl<QQ!!S" etc. 

It's funny you mention that, my childhood hero was also dHqi1(##1oPzKAl<QQ!!S. He was amazing.


On 11/20/2016 at 8:42 PM, Lindy said:

So, because you feel the answers are easy to get via social engineering, you opted out of the system altogether thus saving an attacker a few steps?

If you really take security seriously, you shouldn't be using actual answers anyway. You should be using a password manager like Lastpass or 1Password. All of them have a notes section... "Childhood hero: dHqi1(##1oPzKAl<QQ!!S" etc. 

Perhaps my logic is flawed. I do use a password manager. From my perspective and understanding of the relevant technology, if an attacker was to gain access to this account, they will have to have gained access to my password manager, as brute forcing such a large and complex password would take decades, even if for some reason the database was compromised. Security questions such as these would be a last barrier to entry on this specific account, and as a result I wouldn't think it wise to store the answers to such questions anywhere, much less in the same password manager that would very likely already be compromised.



Archived

This topic is now archived and is closed to further replies.
