Stupid verification question rules



  • One of my credit cards just "enhanced" their Web site.  They asked for verification questions and answers, which will be used if I forget my password. 

    The problem is, they mixed some commonly-used rules that are applied to PASSWORDS, and applied them to the answers to the verification questions.

    So, for a question like "What is your grandfather's middle name" and "what is your favorite pet's name" they require an answer that has at least 5 characters.

    I called them on the phone, and they suggested adding 1s or something to the end of the answer.  But I would probably not be able to remember if I added 1s or 0s or "123" to the end of the real answer.

    It's OK to require a minimum length for a made-up password, but not to the answer to a real-life question!



  • Well, it's not like your pet would be named "Spot" or something.



  • SECURITY QUESTIONS

    ELDEST CHILD'S NAME?

    >Tom

    ERROR.  MUST BE AT LEAST FIVE CHARACTERS.

    >Tom12

    FAVORITE PET'S NAME?

    >Fido

    ERROR.  MUST BE AT LEAST FIVE CHARACTERS.

    >please cancel my account

    IT LOOKS LIKE YOU ARE TRYING TO CANCEL YOUR ACCOUNT.  IS THIS CORRECT?

    >yes

    IS THERE ANYTHING WE CAN DO TO CONVINCE YOU NOT TO CANCEL YOUR ACCOUNT?

    >no

    WOULD YOU LIKE TO SEE Tom12 AND Fido STILL ALIVE WHEN YOU ARRIVE HOME TONIGHT?




  • @CDarklock said:

    Well, it's not like your pet would be named "Spot" or something.


    That's my grandfather's name!


  • Considered Harmful

    @newfweiler said:

    SECURITY QUESTIONS

    ELDEST CHILD'S NAME?

    >Tom

    ERROR.  MUST BE AT LEAST FIVE CHARACTERS.

    >Tom12

    FAVORITE PET'S NAME?

    >Fido

    ERROR.  MUST BE AT LEAST FIVE CHARACTERS.

    >please cancel my account

    IT LOOKS LIKE YOU ARE TRYING TO CANCEL YOUR ACCOUNT.  IS THIS CORRECT?

    >yes

    IS THERE ANYTHING WE CAN DO TO CONVINCE YOU NOT TO CANCEL YOUR ACCOUNT?

    >no

    WOULD YOU LIKE TO SEE Tom12 AND Fido STILL ALIVE WHEN YOU ARRIVE HOME TONIGHT?


    >please cancel my account

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >yes

    ERROR: MUST BE AT LEAST FIVE CHARACTERS

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >no

    ERROR: MUST BE AT LEAST FIVE CHARACTERS

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >maybe?

    [BLUE SCREEN OF DEATH]



  • It makes sense to a degree.  If someone can guess the answer to your security question, they can get your password or reset your password.  If the answer to your security question is "1" it's going to be easier than something like "Jebediah".  They just need to give you enough questions so you don't end up with ALL of them being less than 5 letters.



  • It could have been worse:

    What is your mother's maiden name

    (Answer must contain between 5 and 8 characters and must include at least 2 numbers and one non-alphanumeric character)




  • @newfweiler said:

    SECURITY QUESTIONS

    ELDEST CHILD'S NAME?

    >Tom

    ERROR.  MUST BE AT LEAST FIVE CHARACTERS.

    >Tom12

    FAVORITE PET'S NAME?

    >Fido

    ERROR.  MUST BE AT LEAST FIVE CHARACTERS.

    >please cancel my account

    IT LOOKS LIKE YOU ARE TRYING TO CANCEL YOUR ACCOUNT.  IS THIS CORRECT?

    >yes

    IS THERE ANYTHING WE CAN DO TO CONVINCE YOU NOT TO CANCEL YOUR ACCOUNT?

    >no

    WOULD YOU LIKE TO SEE Tom12 AND Fido STILL ALIVE WHEN YOU ARRIVE HOME TONIGHT?




    Nice. For some reason, it reminds me of old-school text RPGs where it asks you to do something.



  • @akatherder said:

    It makes sense to a degree.  If someone can guess the answer to your security question, they can get your password or reset your password.  If the answer to your security question is "1" it's going to be easier than something like "Jebediah".  They just need to give you enough questions so you don't end up with ALL of them being less than 5 letters.

    No, it makes absolutely no sense.  If they want passwords, then fine, enforce those rules.  If they are asking for answers to questions about you personally, I should not have to re-write my history to fulfill those questions.

    Case in point, one of my accounts required this, I can never get logged in now because I can't recall how I had to modify my real info to fit their rules.  So I call them and they ask the same questions and I tell them, I have no idea.  I give them all the other info they should need, my name, address and account number and they accept and continue on. 

    So if this new info was really needed why did I get my business taken care of, if it isn't needed why enforce such rules?



  • @newfweiler said:

    SECURITY QUESTIONS

    ELDEST CHILD'S NAME?

    >Tom

    ERROR.  MUST BE AT LEAST FIVE CHARACTERS.

    >Tom12

    FAVORITE PET'S NAME?

    >Fido

    ERROR.  MUST BE AT LEAST FIVE CHARACTERS.

    >please cancel my account

    IT LOOKS LIKE YOU ARE TRYING TO CANCEL YOUR ACCOUNT.  IS THIS CORRECT?

    >yes

    IS THERE ANYTHING WE CAN DO TO CONVINCE YOU NOT TO CANCEL YOUR ACCOUNT?

    >no

    WOULD YOU LIKE TO SEE Tom12 AND Fido STILL ALIVE WHEN YOU ARRIVE HOME TONIGHT?

    That was awesome! :) 



  • @joe.edwards@imaginuity.com said:

    >please cancel my account

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >yes

    ERROR: MUST BE AT LEAST FIVE CHARACTERS

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >no

    ERROR: MUST BE AT LEAST FIVE CHARACTERS

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >maybe?

    [BLUE SCREEN OF DEATH]

    Well of course it crashed!  The correct answer should have been completely obvious to all by now:

    >please cancel my account

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >yes

    ERROR: MUST BE AT LEAST FIVE CHARACTERS

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >no

    ERROR: MUST BE AT LEAST FIVE CHARACTERS

    ARE YOU SURE YOU WISH TO CANCEL YOUR ACCOUNT?

    >file_not_found?

    [BANK'S SERVER CRASHES]




  • I have Verizon for local phone service. I *rarely* call them, but recently, had to get an explanation for an apparently random charge on my bill. I called from work. I did not bring the bill with me as I am quite familiar with my home phone number. For verification purposes, do they ask for my social security number? My phone number? My address? My dogs' middle name? No, they want the exact amount of the last bill, or the 6 character account suffix (the part that comes after the phone number). Who the hell is going to know that stuff?

    F*g phone company - bring back AT&T!



  • @snoofle said:

    I have Verizon for local phone service. I rarely call them, but recently, had to get an explanation for an apparently random charge on my bill. I called from work. I did not bring the bill with me as I am quite familiar with my home phone number. For verification purposes, do they ask for my social security number? My phone number? My address? My dogs' middle name? No, they want the exact amount of the last bill, or the 6 character account suffix (the part that comes after the phone number). Who the hell is going to know that stuff?

    F*g phone company - bring back AT&T!

    Who's going to know that?  Anyone that stole your bill out of your mailbox! 



  • @snoofle said:

    I have Verizon for local phone service. I rarely call them, but recently, had to get an explanation for an apparently random charge on my bill. I called from work. I did not bring the bill with me as I am quite familiar with my home phone number. For verification purposes, do they ask for my social security number? My phone number? My address? My dogs' middle name? No, they want the exact amount of the last bill, or the 6 character account suffix (the part that comes after the phone number). Who the hell is going to know that stuff?

    F*g phone company - bring back AT&T!

    Honestly this is what annoys me about these things. 

    First they make the presumption that only you will have that information, that presumption is born from the idea that our postal mail is safe.  First thing to remember, almost no one has a locked mailbox in front of their house.  They say that most people are honest and won't go into that box.  This is true, but it is not these people we need the data protected from.  This provides no protection from those it is designed to protect us from.

    The secret pass code should be easily memorable and also never transmitted except during verification.  In addition this should never be displayed to the account representative on the other side, it should instead be a protected field, I give them the word and proper spelling and they type it in before getting access to my info.  Far too many times I have had one say "close enough" when I went through the previous scenario of not remembering how I had to modify my personal info to fit their rules.

    Security these days is a joke. 



  • @KattMan said:

    @akatherder said:

    It makes sense to a degree.  If someone can guess the answer to your security question, they can get your password or reset your password.  If the answer to your security question is "1" it's going to be easier than something like "Jebediah".  They just need to give you enough questions so you don't end up with ALL of them being less than 5 letters.

    No, it makes absolutely no sense.  If they want passwords, then fine, enforce those rules.  If they are asking for answers to questions about you personally, I should not have to re-write my history to fulfill those questions.

    Case in point, one of my accounts required this, I can never get logged in now because I can't recall how I had to modify my real info to fit their rules.  So I call them and they ask the same questions and I tell them, I have no idea.  I give them all the other info they should need, my name, address and account number and they accept and continue on. 

    So if this new info was really needed why did I get my business taken care of, if it isn't needed why enforce such rules?


    Here's the thing, though.  For the purposes of security, these secret question answers ARE passwords -- anyone who can find the answer can take control of your account.  If you've got a 4 character secret answer, then for all intents and purposes, you've got a 4 character password.  The whole "secret question" concept is the real WTF.  It weakens account security drastically.


    Generally, when forced to provide answers for these sorts of questions, I just type in a random string.  I've never had to use the account recovery facilities, so it's not worth compromising my account's security.
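    Taking merreborn's point literally (a secret answer is a password and has to be stored and checked like one), here is an added example that is not code from the thread or from any bank mentioned in it. The normalization step and the per-record guess limit are my assumptions about what a sane implementation does instead of a minimum-length rule: "Tom" is accepted as typed, and the low entropy of a real-life answer is compensated by throttling guesses, not by making the user remember "Tom12".

```python
"""Store secret-question answers as salted, slow-hashed secrets and verify
them in constant time. Added example; the normalization and lockout policy
are assumptions, not a description of any real system in the thread."""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor; raise for production hardware
MAX_ATTEMPTS = 5       # assumed policy: lock the recovery path after this many failures


def normalize(answer: str) -> str:
    """Fold case, Unicode form and whitespace so the stored hash tolerates the
    small variations a human makes when retyping a real-life answer."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per record means two
    customers whose grandfathers are both called Spot get different digests."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, cand = hash_answer(candidate, salt)
    return hmac.compare_digest(cand, digest)


def attempt(record: dict, candidate: str) -> bool:
    """Verify against a stored record {'salt', 'digest', 'failures'} and lock it
    after MAX_ATTEMPTS consecutive failures. Guess-limiting, not padding, is
    what compensates for the low entropy of a three-letter name."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    if verify_answer(candidate, record["salt"], record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    # Constructed sample: an answer that a five-character rule would reject
    # but that is perfectly storable as a hashed secret.
    s, d = hash_answer("Tom")
    print(verify_answer("  tom ", s, d), verify_answer("Tom12", s, d))
```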



  • @merreborn said:


    Here's the thing, though.  For the purposes of security, these secret question answers ARE passwords -- anyone who can find the answer can take control of your account.  If you've got a 4 character secret answer, then for all intents and purposes, you've got a 4 character password.  The whole "secret question" concept is the real WTF.  It weakens account security drastically.

    Generally, when forced to provide answers for these sorts of questions, I just type in a random string.  I've never had to use the account recovery facilities, so it's not worth compromising my account's security.

    My bank and credit cards added all this stuff lately. For the bank, it's not recovery, but login. After my password, I get another screen where it asks one of three questions and I give the answer. Great, except it's not a protected field so it shows my answer as I type it, right where anyone watching my screen could see it. This is a huge security breach! I mean, it's not like before this anyone would know what city I was born in, what high school I went to, or the answer to any of the other fantastically secure questions.

    Some of my credit cards started adding the same stuff, but I don't think I have to answer them every time. I really don't know because I put them off the maximum number of times and it's just last month I set that trash up. So, later this week I'll find out if I can even log in to pay the damn thing. I know for sure I had to pad an answer or completely invent an answer. If the answer needs to conform to formatting, then it should just be password2. Don't ask for my dog's name and say it has to be 8 characters and a number, never mind that I don't have a dog. That's the other really great part with these recently, they are just a list of questions I have to pick from, and usually all but one, if any, are simply not applicable. Dog's name: I have a cat and I really dislike dogs. Favorite football team: I hate team sports and would rather sit in solitude than watch football. Favorite color: well, only orange, yellow and purple are long enough but I don't really like those and so won't remember what I used. First girlfriend's name: Aha! That'll work, good thing I'm straight, but damn do I hate even thinking about her since she cheated on me and all that shit, but at least an answer I'll remember. Ok, now to find one each in the next two sets that I can sorta answer, w00t.

    I complained about this nonsense and was told that new laws required enhanced security. I tried to explain that security is reduced when you show the answer on the screen, require fake answers that are either written or easily bypassed because everyone needs around for legit reasons, etc. I suggest two factor authentication with a hard token, but that gets no response at all. It doesn't matter how many frickin' questions there are, if you have a keyboard logger / screen scraper installed it's still getting all the data. Note that all the recent additions of this crap to my accounts has been with new login systems that often require clicking buttons to enter some part of it or trying to see a field over some awful authentication image, all of which can be defeated trivially.



  • For what it's worth, I've never seen a secret question system that did anything besides email you your password.



  • @Cap'n Steve said:

    For what it's worth, I've never seen a secret question system that did anything besides email you your password.

    That's the biggest WTF. Your password should NEVER be stored in either a readable format, or in a way that it can be decrypted.



  • @valerion said:

    @Cap'n Steve said:
    For what it's worth, I've never seen a secret question system that did anything besides email you your password.

    That's the biggest WTF. Your password should NEVER be stored in either a readable format, or in a way that it can be decrypted.

    The people putting these "secure" systems together seem to have no idea what security is or means.  Having two passwords is really no more secure than having one.  Saving information unencrypted in a database negates all password security as evidenced by all the laptop thefts etc in the news the past few years.

    Yes the solutions are very difficult.  Requiring a time based login will prove to be impossible in real world practice for the masses.  Requiring strong passwords is easy.

    Thing is, look at the news.  There are two avenues that theft of this info occurs and it is not through this "front door".  People failing to shred their documents at home lead to criminals getting their info out of the trash.  Companies not taking security seriously and saving everything in plain text in their systems and failing to secure their systems and documents from physical access.  Wake up and fix the problems you can.  The public is starting to shred more, companies need to start using encryption more and practicing proper security practices for hard copy documents. 

    Put these in place and the need for silly questions is greatly reduced, or rather the perceived need for them will be.



  • @valerion said:

    @Cap'n Steve said:
    For what it's worth, I've never seen a secret question system that did anything besides email you your password.
    That's the biggest WTF. Your password should NEVER be stored in either a readable format, or in a way that it can be decrypted.

    If I had a nickel for every web site or message board that e-mailed me my password in plaintext after registration...



  • I've never had any problem with this.

    signed, James12 Smith91



  • @Saladin said:

    @valerion said:

    @Cap'n Steve said:
    For what it's worth, I've never seen a secret question system that did anything besides email you your password.
    That's the biggest WTF. Your password should NEVER be stored in either a readable format, or in a way that it can be decrypted.

    If I had a nickel for every web site or message board that e-mailed me my password in plaintext after registration...



    No kidding. People sometimes get upset when we can't tell them what their password is.  All they have to do is put their e-mail in the lost password form and it will send them a link to reset their password that is good for 24 hours. We don't have a secret question, so I guess it could be more secure but at least we aren't throwing passwords around.

    Now if I had a dollar for every nitwit that e-mailed us their credit card number... Well that's the point isn't it, someone may very well have many dollars for every nitwit that e-mailed us their cc #. :)


  • Considered Harmful

    @Saladin said:

    @valerion said:

    @Cap'n Steve said:
    For what it's worth, I've never seen a secret question system that did anything besides email you your password.
    That's the biggest WTF. Your password should NEVER be stored in either a readable format, or in a way that it can be decrypted.

    If I had a nickel for every web site or message board that e-mailed me my password in plaintext after registration...

    While sending passwords plaintext in emails is very insecure in-and-of itself, it is possible to receive the password, store a cryptographic hash in the database, and send the email while the plaintext password is still in memory.  So, it's possible they aren't actually storing the information in plaintext.



  • @snoofle said:

    I have Verizon for local phone service. I rarely call them, but recently, had to get an explanation for an apparently random charge on my bill. I called from work. I did not bring the bill with me as I am quite familiar with my home phone number. For verification purposes, do they ask for my social security number? My phone number? My address? My dogs' middle name? No, they want the exact amount of the last bill, or the 6 character account suffix (the part that comes after the phone number). Who the hell is going to know that stuff?

    F*g phone company - bring back AT&T!

    Trust me, AT&T asks for almost the exact same thing. They're no better than Verizon in any other way, either. 



  • @valerion said:

    @Cap'n Steve said:
    For what it's worth, I've never seen a secret question system that did anything besides email you your password.

    That's the biggest WTF. Your password should NEVER be stored in either a readable format, or in a way that it can be decrypted.

    For most systems I've dealt with, they e-mail you a new password, and suggest you change it to something else afterwards.  They've got to get you a new password somehow.  Any better suggestions?




  • @Saladin said:

    If I had a nickel for every web site or message board that e-mailed me my password in plaintext after registration...

    My preferred mechanism has always been:

    - Email temporary password in plaintext
    - On first login, require password change
    - Store password as one-way digest
    - If password is lost, CHANGE THE PASSWORD and return to top

    That said, I've joined SECURITY forums that sent me my password in plaintext.

    However, I have one password I use to register at every site. If I decide I care about the place, I change my password. Usually, password changes don't get emailed to you at all. This minimises the number of passwords I actually have to remember, without materially decreasing security anywhere that it matters.
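    The four-step mechanism merreborn lists, written out as an added example (not code from the thread or from any site in it). It also shows joe.edwards' point from earlier: the plaintext temporary password is handed to the mailer and dropped while only its one-way digest is stored. Two things are my assumptions beyond the post: the temporary password expires after TEMP_TTL seconds, and "sending the email" is modelled as a callback so the example runs offline.

```python
"""Temporary-password reset flow: email a random temporary password, store
only its digest, force a change on first login, and on loss mint a new one.
Added example; the expiry window and the mailer callback are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

TEMP_TTL = 24 * 3600    # assumption: a temporary password is good for one day
ITERATIONS = 200_000    # PBKDF2-HMAC-SHA256 work factor; raise for production hardware


def digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_digest: bytes = b""
    must_change: bool = True     # True until the user has chosen their own password
    temp_expires: float = 0.0    # 0.0 means the stored digest is a permanent password


def issue_temporary(acct: Account, send_email: Callable[[str], None]) -> None:
    """Steps 1 and 4: mint a random temporary password, store only its one-way
    digest, hand the plaintext to the mailer, and let it go out of scope."""
    temp = secrets.token_urlsafe(12)
    acct.salt = os.urandom(16)
    acct.pw_digest = digest(temp, acct.salt)
    acct.must_change = True
    acct.temp_expires = time.time() + TEMP_TTL
    send_email(temp)             # the only place the plaintext leaves this function


def login(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'change_required' (step 2) or 'denied'."""
    now = time.time() if now is None else now
    if acct.temp_expires and now > acct.temp_expires:
        return "denied"          # expired temporary password: request another one
    if not hmac.compare_digest(digest(password, acct.salt), acct.pw_digest):
        return "denied"
    return "change_required" if acct.must_change else "ok"


def change_password(acct: Account, current: str, new: str,
                    now: Optional[float] = None) -> bool:
    """Step 3: overwrite the digest with the user's own password, which also
    invalidates the temporary credential."""
    if login(acct, current, now) == "denied":
        return False
    acct.salt = os.urandom(16)
    acct.pw_digest = digest(new, acct.salt)
    acct.must_change = False
    acct.temp_expires = 0.0
    return True
```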

