Questionable security

Adding security questions to back up password-protected web sites has become all the rage. I’ve had to deal with this on many web sites I use, and have encountered it on the back end while helping teams implement sites. I’ve known security departments of financial organizations that say these are required by industry rules and that not having them would be a breach of responsibility.

The fact is, having “security questions” weakens security rather than strengthens it. Recent news of the infiltration of Twitter’s proprietary documents is a good case in point. The New York Times reports:

Instead of circumventing security measures, it appears that the Twitter hacker managed to correctly answer the personal questions that Gmail asks of users to reset the password.

If you don’t believe me that security questions weaken security, just ask Bruce Schneier.
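As an added illustration (not part of the original post), the following Python models the point above: an account is only as strong as its weakest way in, and a reset flow gated on guessable personal answers is usually that weakest path. It also shows how answering with random garbage, as a commenter suggests below, removes the weak link. The answer-space sizes are constructed assumptions for the demonstration, not measurements.

```python
import math
import secrets

# Constructed estimates (assumptions, not figures from the post) of how many
# plausible answers each question has for an attacker who knows a little
# about the target from public sources.
QUESTION_ANSWER_SPACE = {
    "favourite colour": 20,
    "mother's maiden name": 50_000,
    "city of birth": 5_000,
}

PASSWORD_CHARSET = 62  # assumed: [a-zA-Z0-9]


def password_bits(length: int, charset: int = PASSWORD_CHARSET) -> float:
    """Guess-resistance of a uniformly random password, in bits."""
    return length * math.log2(charset)


def question_bits(answer_spaces) -> float:
    """A reset flow that asks several questions needs every answer right,
    so the answer spaces multiply and their bits add."""
    return sum(math.log2(space) for space in answer_spaces)


def random_answers(questions, nbytes: int = 16):
    """Mitigation from the comment thread: store random tokens (kept in a
    password manager) instead of real answers. Returns (answers, total_bits);
    each token_urlsafe(nbytes) answer carries 8 * nbytes bits."""
    answers = {q: secrets.token_urlsafe(nbytes) for q in questions}
    return answers, 8 * nbytes * len(answers)


def weakest_path(pw_length: int, recovery_bits: float) -> tuple:
    """Effective account strength: the least-resistant path and its bits."""
    paths = {"password": password_bits(pw_length),
             "security questions": recovery_bits}
    name = min(paths, key=paths.get)
    return name, paths[name]


if __name__ == "__main__":
    real = question_bits(QUESTION_ANSWER_SPACE.values())
    print("real answers:", weakest_path(12, real))          # questions win (~32 bits)
    _, random_bits = random_answers(QUESTION_ANSWER_SPACE)
    print("random answers:", weakest_path(12, random_bits))  # password is now the floor
```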

Categories: Working Software

One Reply to “Questionable security”

  1. This is why I like to just type in garbage instead of the real answer. Sometimes I might write it down somewhere (particularly if I think I might get randomly asked those questions while using the site…), other times not.
