New ask Hacker News story: Ask HN: Is data collection the intended purpose of 'security questions'?
Ask HN: Is data collection the intended purpose of 'security questions'?
2 by 0x7E3 | 2 comments on Hacker News.
Security questions seem to fall into two categories. Either easily researched information "what is your mother's maiden name?" or something that "only you" would know. The problem with the first category should be obvious, and as for the second "What is your favorite flavor of ice cream?" "vanilla" is the equivalent of using a single dictionary word (from a very limited dictionary) as a password, and probably using the same single dictionary word as a password on multiple sites at that. It seems to be fairly commonplace for people to answer them with gibberish to avoid the aforementioned problems, and (most? all?) websites will override them if you claim you don't remember what answers you gave. This appears to do nothing to make my account more secure, it just makes me want to avoid using your service. So, for people who have implemented 'security' questions as a form of authentication, what purpose do you think they serve? Are the answers being sold? Is it just theater because you think it will make your users feel safer? Is there some other benefit to collecting this seemingly unnecessary data on your customers and storing it in plaintext that I'm failing to recognize?
2 by 0x7E3 | 2 comments on Hacker News.
Security questions seem to fall into two categories. Either easily researched information "what is your mother's maiden name?" or something that "only you" would know. The problem with the first category should be obvious, and as for the second "What is your favorite flavor of ice cream?" "vanilla" is the equivalent of using a single dictionary word (from a very limited dictionary) as a password, and probably using the same single dictionary word as a password on multiple sites at that. It seems to be fairly commonplace for people to answer them with gibberish to avoid the aforementioned problems, and (most? all?) websites will override them if you claim you don't remember what answers you gave. This appears to do nothing to make my account more secure, it just makes me want to avoid using your service. So, for people who have implemented 'security' questions as a form of authentication, what purpose do you think they serve? Are the answers being sold? Is it just theater because you think it will make your users feel safer? Is there some other benefit to collecting this seemingly unnecessary data on your customers and storing it in plaintext that I'm failing to recognize?
Comments
Post a Comment