Wednesday, August 09, 2006

(In)Security Questions

I'm pretty sure you've all seen those pesky security questions (sometimes called a secret question) that we're forced to fill in when we create a new account on many internet sites.

They were invented several (many?) years ago as a solution to the problem of resetting a user's forgotten password.

I have also been in discussions where people asserted that, when you give the user a choice of questions, you are increasing protection against phishing, since the phishing site won't know which question the user picked.

I think this is all a bunch of hogwash and I recommend strongly against putting any real data inside of your secret questions. I royally hate sites that force me to create one (and many, if not most, are doing so now).

I strongly recommend that you place random data into this field and record the random data someplace safe should you need it later. Random data will stop someone who just happens to know the name of your first dog, or your mother's maiden name, from resetting your password and gaining full access to your account.
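The contrast between a guessable answer and a random one is easy to put in numbers. The following is an added example (not code from the original post): it generates a random answer with Python's `secrets` module, records it under the site and question in a small in-memory vault that you can dump to JSON and keep wherever you keep your passwords, and compares the entropy of that answer with the entropy of an answer drawn from a short list of common pet names. The alphabet, the answer length of 20, the size of the pet-name list (200) and the site name are constructed assumptions for illustration.

```python
import json
import math
import secrets
import string

# Alphabet for generated answers: letters and digits (an assumption, chosen so
# the answer survives sites that reject punctuation in the answer field).
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 20) -> str:
    """Return a cryptographically random answer of `length` characters."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(guess_space: int) -> float:
    """Bits of entropy for a value chosen uniformly from `guess_space` options."""
    if guess_space < 1:
        raise ValueError("guess_space must be positive")
    return math.log2(guess_space)


def random_answer_bits(length: int = 20) -> float:
    """Entropy of a random answer of the given length over ALPHABET."""
    return entropy_bits(len(ALPHABET) ** length)


def guessable_answer_bits(candidate_count: int) -> float:
    """Entropy of a real answer that an attacker can draw from a list of
    `candidate_count` likely values (first dog's name, maiden name, ...)."""
    return entropy_bits(candidate_count)


def record_answer(vault: dict, site: str, question: str, answer: str) -> dict:
    """Record the answer for (site, question) in an in-memory vault and return it."""
    vault.setdefault(site, {})[question] = answer
    return vault


def vault_to_json(vault: dict) -> str:
    """Serialize the vault; the caller is responsible for storing this safely."""
    return json.dumps(vault, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: one site, one question, a generated answer.
    vault = {}
    answer = random_answer(20)
    record_answer(vault, "example.test", "What was the name of your first dog?", answer)
    print(vault_to_json(vault))
    # A list of 200 common dog names is an assumed size for the guessable case.
    print(f"random answer:   {random_answer_bits(20):.1f} bits")
    print(f"real dog's name: {guessable_answer_bits(200):.1f} bits")
```

Twenty random characters over a 62-symbol alphabet give about 119 bits, whereas a real dog's name drawn from a couple of hundred common names is worth under 8 bits, which is to say a few hundred guesses. The vault in this example is plain JSON; the "someplace safe" in the recommendation above is whatever password manager or encrypted store you already trust with your passwords.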

