    Thursday, May 01, 2008

    What we can learn about IdAM from the process of moving house.

    My friend Brad recently blogged (http://www.identitychaos.com/2008/04/letter-to-ing-direct.html) about the weaknesses of "security question"-based mechanisms for managing passwords for online systems.

    Fast-forward to yesterday.  Just moved into a new house and, being an "IT guy...", I need my Internet back and stat.  My new house is in a complex that was pre-wired for FiOS during construction (*drool*), so off to Verizon I go to transfer my DSL service in old house to FiOS service in new house.  Technician shows up, starts plugging things in, and...asks for my DSL password. 

    Which I haven't typed anywhere in 7 years.

    But good news! It's saved on my hard drive...of a computer that's in a box on a moving van that's not scheduled to show up for another 3 hours.

    Fine.  Go to the website, do the "Forget password" thing, punch in my mother's maiden name, set a new password.

    So far, so good.  But now, I apparently need to choose a new "Secret question", and I only get a list of 5 questions to pick from, none of which are really applicable to me.  Problem # 1.

    I pick one for the sake of picking one, which asks for "the last name of my best friend".  Uhhh...what are we, in high school here?  Maybe it's just how I relate to people, but I'm actually hard-pressed to tell you who my "best friend" is.  So I pick a last name from a good friend, and punch it in.

    *bzzzzzzt*  "We're sorry, the answer to your secret question only has 4 letters; it needs to have at least 5."  And so we go from the sublime to the ridiculous.

    Though the good news is that the odds of me remembering which "best friend" I ended up picking are heightened if I ever need to reset that password again, since the story around it just had me shaking my head so.

     

    Reader Comments (2)

    The problem with these systems is that the questions are too general and subjective based on time. A year from now the answers to those questions might not be the same answer that you gave. To complicate matters, the more you align the questions to elicit more static answers the more likely the answers are publicly verifiable (what hospital were you born in, what is your DOB, etc).

    I think a better alternative is voice print analysis and I have high hopes that someone will deliver this functionality in the ILM "2" timeframe.
    May 1, 2008 | Unregistered Commenter Brad Turner

    I have two or three standard answers to those types of questions. Just because there is a question doesn't mean the answer has to make sense in that context.

    Instead of remembering the name of your 'best friend' (assuming that billy/sally/mary/tom is still such in several years) just remember the answer to all stupid questions.... frog (no, mine is not frog).

    And yes, I use my answer for Mother's maiden name too as most of the time I can't remember it. It does elicit the occasional odd response from tech support over the phone which again doesn't matter as long as I match the secret word. :)

    Steven Peck

    May 8, 2008 | Unregistered Commenter sepeck
