NotionCommotion Posted December 19, 2014 Share Posted December 19, 2014 (edited) I've done the "what is your mother's maiden name" or "what is your favorite football team" in the past, but have started coming to the conclusion that that using such weak information is counterproductive. I've recently came across https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet which recommends using secret question challenges. I typically feel owasp is on target, however, am not so sure on this occasion. Note that for my situation, I have the user's email. Please advise. Edited December 19, 2014 by NotionCommotion Quote Link to comment Share on other sites More sharing options...
Strider64 Posted December 19, 2014 Share Posted December 19, 2014 I personally would say no, for a lot of hackers use social hacks. By that I mean a would be hacker can get that kind of information in different ways, for example an official looking email asking those kind of questions. I'm also surprised by OWASP. Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted December 19, 2014 Share Posted December 19, 2014 I'm personally not a fan of "secret questions". If the questions are answered honestly, it's fairly easy for someone who knows me to access my account. So I usually answer the questions with fake answers which are harder to remember and can lead to loosing access to an account. Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted December 20, 2014 Share Posted December 20, 2014 The OWASP recommends security questions as additional protection on top of the classical send-secret-token-by-mail approach. It's not a replacement for that. So the advice isn't fundamentally wrong. But like I already said in your other thread, security questions have a lot of issues: You need a supporter on the phone to help users in case they have trouble with the answer (they will). This supporter needs to carefully give hints and ultimately decide if the request is legitimate. Designing good security questions is difficult. If they're too obvious, anybody will know the answer, if they're not obvious enough, nobody will, not even the user. Pedagogically, this is a disaster: We've been telling people to not share personal information and not reuse secrets, now we're doing the exact opposite. We ask them for their mother's maiden name, and the answer probably works on other websites as well. It's also a usability disaster. A lot of people will rather give up their account than call a stranger and have an awkward discussion about their family, their pets or whatever. Security questions may make sense on big sites like Amazon, PayPal etc. They're also helpful for professional users who'll enter a backup passphrase instead. But for the average site and the average user, no. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.