Comments on: Favorites are FAIL for web security

By: Andrew

Andrew — Tue, 03 Nov 2009 21:24:49 +0000

@chris a belated reply… but you have a great point, it really should be ash-heaped. But it seems like everybody’s doing this stuff just to cover their ass. Someone else is doing it, so they have to do it too, because if they don’t and somebody sues them, they could be called to account for not having security like their peers. At least, that’s what seems to be behind this and other crap like the “choose a picture” thing.

By: Christopher Fahey

Christopher Fahey — Fri, 09 Oct 2009 23:06:33 +0000

They also usually fail to be case-insensitive, so even if you remember your favorite friend’s name, you’re likely to fail on capitalization. Not to mention trying to remember whether you typed their first and last name, or just their first name, etc.

The whole “security question” model is, itself, completely broken. It’s based on telephone-based customer service, where a human being can interpret your amorphous answer better than a computer form field can. We have the email-based password reset model now, so the security question can probably be left in the ash heap of history.

By: Andrew

Andrew — Fri, 04 Sep 2009 15:35:50 +0000

I suppose I should’ve said “most favorites” — but I still wonder why even go there, if there are enough stable facts in people’s lives you could use. But again maybe it’s because I’m especially absent minded about these things, and can’t remember what I decided.

Good point on the example – I meant to put two graphics in there, but got lazy and just had the one.

By: Andrew

Andrew — Fri, 04 Sep 2009 15:34:04 +0000

Thanks for the recommendation!

By: Austin Govella

Austin Govella — Wed, 02 Sep 2009 17:16:29 +0000

Yahoo’s new account design uses lots of favorites, and I think they use them better than most:
* http://www.flickr.com/photos/austingovella/3846383539/

(P.S. The example you posted was not for “favorites”. I agree answers to those questions would be highly variable. I think Yahoo did a good job of finding some favorites that were less variable. Although, I do agree that security questions suck.)

By: Amanda Jahn

Amanda Jahn — Wed, 02 Sep 2009 09:30:52 +0000

Slightly OT but I highly recommend 1password (if you are on a Mac) which is great for storing all that data, as well as generating secure passwords. I’m sure you could extend it to those security questions too, since it doesn’t matter what you put there, as long as you remember it right (and having something which stores all that certainly helps).
I put my 1password keychain in dropbox which not only adds an extra layer of security but means I can access my passwords wherever.
It still doesn’t solve the issue of how we get the wider community to adopt better security management however which is IMHO is the heart of the issue rather than the mechanism we use to retrieve passwords. All the options we have currently – security questions, entering personal details along with your email or username or receiving an email with your password – are problematic in various ways.