Questionable security

Adding security questions to back up password-protected web sites has become all the rage. I’ve had to deal with this on many web sites I use, and have encountered it on the back end helping teams implement sites. I’ve known security departments of financial organizations that say these are required by industry rules and not to have them would be a breach of responsibility.

The fact is, having “security questions” weakens security rather than strengthens it. Recent news of the infiltration of Twitter’s proprietary documents is a good case in point. The New York Times reports:

Instead of circumventing security measures, it appears that the Twitter hacker managed to correctly answer the personal questions that Gmail asks of users to reset the password.

If you don’t believe me that security questions weaken security, just ask Bruce Schneier.


Comments (1) to “Questionable security”

  1. This is why I like to just type in garbage instead of the real answer. Sometimes I might write it down somewhere (particularly if I think I might get randomly asked those questions while using the site…), other times not.
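The approach the commenter describes (a random answer in place of a real personal fact), together with the server-side handling a site should give such answers, as an added example that is not part of the original post or comment. The word list and the 200,000-iteration PBKDF2 parameter are constructed assumptions; a real deployment would use a much larger list.

```python
"""Added example: treat security-question answers as secondary passwords.

Two defender-side measures are illustrated:
1. The user supplies a random, high-entropy answer instead of a real
   personal fact, so the answer cannot be researched or guessed.
2. The server normalizes and stores the answer as a salted, slow hash,
   exactly as it would a password, never in plaintext.
"""
import hashlib
import hmac
import secrets
import unicodedata

# Constructed word list for passphrase-style answers (assumption: a real
# generator would draw from a list of thousands of words).
WORDS = ["copper", "lantern", "orbit", "velvet", "quarry", "hazel", "tundra", "ember"]
PBKDF2_ROUNDS = 200_000  # assumed work factor


def random_answer(words: int = 5) -> str:
    """Generate an unguessable answer with the CSPRNG, e.g. 'hazel-orbit-...'."""
    return "-".join(secrets.choice(WORDS) for _ in range(words))


def normalize(answer: str) -> str:
    """Case-fold and trim so 'Smith ' and 'smith' compare equal.

    Normalization is for usability only; it must be applied identically at
    enrollment and at verification time."""
    return unicodedata.normalize("NFKC", answer).casefold().strip()


def enroll(answer: str) -> dict:
    """Store only a random salt and the salted hash, never the answer itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    answer = random_answer()
    record = enroll(answer)
    print(answer, verify(record, answer), verify(record, "Smith"))
```

Rate limiting and account lockout on failed reset attempts still apply; hashing protects the stored answer, not a low-entropy one that an attacker can guess online.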
