goatslacker


Security questions are not secure

As I was signing up for a service today, which deals with money, I was asked to go through an extensive process in the name of security.

There was a special “security picture” assigned to me to protect me from phishing.

Then there were the ridiculous password requirements:

  • 8-14 characters in length
  • Must contain 2 numbers and an uppercase letter

But aside from that nonsense, the part that bothered me the most was when they asked me to set up “security questions”, you know, in case I forget my ridiculous password.

My question options were limited to a few, including these:

  • What is your current best friend’s name?
  • In what city were you married?
  • What is your favorite book?
  • What hospital were you born in?
  • Who is your favorite athlete?
  • What was your high school mascot?

All of these have answers I can easily pull from a social media site, public records, or social engineering.

Which leads me to lie on all the questions in an attempt to be “secure”.

Then I’ll not only forget my stupid 8-14 character random password with two numbers in it (was it 29 or 41?), but I’ll also forget the lies I used to answer (was I married on the moon or in the Pacific Ocean?).

In which case I’m sure they’ll have a mechanism where I can contact customer support and just tell them my zip code and I’ll be granted access to my account. Everything will be ok.

    • #security
    • #rant
    • #passwords
    • #phishing
    • #social engineering
  • 3 months ago

http://me.veekun.com/blog/2011/12/04/fuck-passwords/

Great article on the state of web security. I wholeheartedly agree: it’s a pain in the ass to manage all your passwords, and to make matters worse, banks implement those ridiculous “security” guidelines/rules that they make up, which end up making your passwords less secure.

There’s got to be a better way.

Until then I’ll just keep using my bookmarklet and web app.

    • #keys
    • #passphrases
    • #passwords
    • #security
  • 5 months ago

Hash - Throwaway passwords

Staying secure online is a difficult task.

When you sign up for a service, you’re giving someone your password, so recycling passwords is usually a bad idea. If you use the same password everywhere, all it takes is one security breach.

But managing an entire drawer of passwords is really difficult. There are solutions available both online and natively that allow you to manage multiple passwords, but I’ve yet to come across a solution that works everywhere and that I feel ok about.

So this afternoon I created this web application, which takes a domain name and a master password and returns a hash. The password is generated on your computer using JavaScript, so nothing is sent over the network. You can then use the hash, or part of the hash, as your password. There is also a bookmarklet available which automatically detects password fields and fills them in for you.

This isn’t 100% bulletproof as there are still other ways you may be attacked like phishing and keyloggers, but at least it’s better than recycling passwords or trying to remember a dozen different passwords.

The site is built with Twitter’s Bootstrap library and uses Stanford’s JavaScript Cryptography Library; the app itself is built in CoffeeScript.

Give it a whirl and I’d appreciate some feedback.

    • #bootstrap
    • #coffeescript
    • #cryptography
    • #hash
    • #javascript
    • #online
    • #password
    • #security
    • #sha
    • #sha256
    • #twitter
  • 5 months ago

Josh Perez.