If you give a logical answer, it can be logically guessed, and the guesser will then own your account.
But what really makes me laugh is that Facebook users typically give away every detail that's ever asked by these questions.
I wanna be a eunuchs developer! Pass me a bread knife!
|
But it makes it so much easier to steal your identity if we know what street you grew up on and what your high school mascot was.
|
Quote: Simply let the user write his/her OWN question and answer
I remember some sites offer this way and it's not a bad idea too.
|
As in -
You don't think you're going out dressed like that, do you?
to which the answer is -
You can't tell me what to do, you're not my real dad.
|
I don't think they're absurd and don't find them annoying, and several of the sites that I use do allow you to add your own question/answer set.
#SupportHeForShe
Government can give you nothing but what it takes from somebody else. A government big enough to give you everything you want is big enough to take everything you've got, including your freedom. - Ezra Taft Benson
You must accept 1 of 2 basic premises: Either we are alone in the universe or we are not alone. Either way, the implications are staggering! - Wernher von Braun
|
You are, of course, entitled to your opinion... and maybe the questions aren't as absurd in the lovely land of Oz, but when I am asked to choose one of several questions, each asking for my "favorite" thing among categories in which I have no preferences (ice cream, sodas, sports teams, etc) I find it extremely frustrating.
Like you, I have run across a few sites that allow users to write their own questions, but these sites are by far the minority. May their tribe prosper!
|
Two Points:
1) I agree, and I much prefer Authenticator tools like AWS, Dwolla, and my banks use
(although my bank still asks the annoying questions)
2) Have fun with it. In order to make my answers hard to guess, I have created an imaginary friend with a consistent life, and I use his answers. You should see the looks I get from my wife when I have to verify something like my mother's maiden name. He grew up near a friend of mine, and went to a different grade school and everything.
The worst part is that they are doing 2 things:
1) Storing these as clear text in most cases
2) Sharing your answers with NSA, and potentially with others
PS: You can't let the users choose their own questions and answers... The average user?
- What is the Worst Bank Ever?
- What Bank Really Stinks?
- Is there a such thing as a Stupid Question?
- Question? (with the answer literally being: answer, then Q2,A2, Q3,A3 ... Then a NYT Article,lol)
|
I don't know if we can make our voice be heard. Just wanted to share the worst I've come across.
A while back, I was on united.com for some reason; they wanted me to update my account with security questions/answers. Sigh. I guess, ok.
Not only are the questions from an enumerated list of possibles, but the answers were as well.
Grrrr.
|
"Use your own" has its own issues. I was working at a company that runs websites for managing retirement accounts. One day the call center manager comes running into the room where the developers work, waving a piece of paper and yelling to shut everything down. She had a screenshot that had the nav and masthead of the site, but the content area had just one word, "f***" and a submit button. She and several other people thought the site had been hacked and that we should shut it down immediately to prevent data leakage or damage. So we shut it down.
The printout didn't show the text input that would have been on the original page, or the address bar to show the offending page location. Turns out some moron set "f***" as his security question and forgot about it. Then later he forgot his password and went to HR to figure out how to get into the site. The HR manager attempts to use the password reset feature which of course presents the security question and a box to give the answer. HR managers being highly sensitive types are easily offended by websites being profane, and so she sent an angry email with screenshot (without address bar of course).
Yes, if we had put some phrase like "Your previously chosen security question:" it would have been more obvious what was going on. But at least it made the day exciting. Oh, and his answer to that wonderful security question was "great".
|
Specifically responding to your update:
I wish it was that easy. I work at the customer service level of a financial business that recently implemented "build your own" style security questions. The form is as self-explanatory as can be...
Password Reset Security Question {input element}
Password Reset Answer {input element}
This just confuses the hell out of users. I have to walk an average of one person per day through the process, and thoroughly explain that "here you can type out your own question, which will be shown to you when you request a password reset. Below, you put in the answer to that question." This is a basic concept to those of us who have experience in site development and high-level security concepts... but to the average user, it's mind boggling. In some cases, I even end up recommending that the user leaves those fields blank (in that case, they simply cannot self-initiate a password reset, and must call or come in to one of our offices. It's more work for us, but doesn't add a security risk). There are plenty of people who are far too impatient to even attempt to figure it out, and for them, I'm glad our situation has a workaround for the concept.
This isn't to say that the concept needs reworking. Security questions as they are typically implemented are appallingly insecure, and depend on essentially public data. This is bad, and needs to be addressed by the industry at large. On that, we are completely agreed.
|
joequincy wrote: This just confuses... users
This is just a UI/UX problem caused by a web page designer who thought he was limited to a 4 word label. He could have just as easily labeled those fields with:
"Please write a question that only you know the answer to."
followed by
"Now write the answer to that question."
I can't imagine verbiage like this would stymie the average loser user. Please, joequincy, I beg you: don't let complaints from your colleagues about extra work from the "build your own questions" implementation motivate your institution to retract that strategy. IT IS THE RIGHT STRATEGY. Just get the web devs to implement it in the RIGHT WAY.
If I can influence one institution to do the right thing in this regard, I will have fulfilled one of my life's goals.
|
You mean please type a question, or else it will get written on a "post-it notes"!
|
*before I read all replies*
I've used a few websites which offer a selection of questions to choose from, also ones where you can input your own question. (online banking, I think)
|
I have one standard answer for when I can't specify the prompt and one standard prompt/answer for when I can specify the prompt.
Of the latter, I did have to answer it on the phone once.
Unfortunately, my wife doesn't understand the security implications so she always answers with the "real" answers.
|
Hmm, the topic seems to ring a bell. The Insider News - CodeProject
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikins uncle
|
It was in the Daily News this morning as well.
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
|
That's because MS paid way too much for nothing...
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
|
I admit I can't see any logic to it: LinkedIn does seem to be the breeding grounds for the world's dumbest recruitment agencies rather than anything particularly usable. Lot of money for just all our personal details...maybe I should close my account...
|
My first thought was also to close it...
I actually maintained my account to see some proposals, but only contractors made connection...
I just can't imagine what MS will do with it...
|
Keeping an eye on your personal info!
Shuvro