The Mad Schemes of Dr. Tectonic

Too Secure [May. 31st, 2016|08:30 pm]
Exasperation of the day: We have a new benefits reporting system of some kind at work that I can't use because it is too secure. I honestly don't know what all it does, because I can't register to use it.

The problem is, I literally cannot answer enough security questions to finish the registration.

There are 18 questions to choose from. You need to pick 3.

9 of them flat-out do not apply. I have no children, so I can't use a question about my firstborn.

Of the remainder, there are 2 of them that I have a straightforward answer for. (Though I had to think a bit to recall what it was.)

There are 4 of them for which I could probably come up with an answer, but the odds of me coming up with the same answer several months from now are not good. What was the name of the street I lived on when I was a kid? Well, I remember the name of the street, but was it a Way or Circle? Or nothing at all? And I can't look it up to check, because it no longer exists!

And then there are the 3 questions that I do have an answer for, that I can recall fairly easily, but that I can't use because the correct answer is either too short or too long! Because, oh yes, all the answers must be between 6 and 20 characters long, letters and numbers only, no spaces.

Sure, I could abbreviate one of the too-long answers, or use some variant of "not applicable" for an N/A one, but it's got that same reliability problem: in six months, will I remember exactly how I answered the question with no good answer? Given my lousy track record at remembering how various other infrequently-used passwords are capitalized, I'd prefer not to have to rely on it.

So I think the next time I see the head of the computer security group in the lunchroom, I'm going to sit down next to him and ask him what their process is for password recovery when the user can't get their security questions right. 'Cos that's gonna be me if I ever forget mine.

From: dr_tectonic
2016-06-01 02:40 am (UTC)
Also: I got a flat tire on the way in to work today. But that was mostly just dirty and time-consuming rather than exasperating.

I just left it in the parking lot of the shopping center at the bottom of the hill and took the shuttle up to work so I wouldn't be late for my meeting. After work, Jerry helped me get the donut spare on and followed me as I puttered home at 40 mph. I'll go get a new tire tomorrow morning, no big.
From: dpolicar
2016-06-01 02:42 am (UTC)
Clearly, the thing to do is write down all your security questions and answers on a web page somewhere you can easily find in case you... oh.
From: dr_tectonic
2016-06-01 03:48 am (UTC)
From: dpolicar
2016-06-02 04:08 pm (UTC)
Though TBH, this actually is the strategy I use. All my passwords and etc. are kept in a single password-protected file, and I worry a lot about the security of THAT password file, and I produce random passwords everywhere else that I don't expect to remember, and I look them up.

Except for some sites, for which "I forgot my password!" is just a routine part of how I access the site.
From: dr_tectonic
2016-06-02 04:52 pm (UTC)
I think the "put it on a web page somewhere you can easily find" element is a significant difference between those strategies. :)
From: dendren
2016-06-02 03:05 pm (UTC)
OMG... the memes that used to go around livejournal and facebook used to drive me crazy... I was always amazed at how many people filled them out and posted them :P

"let's get to know each other meme... tell me the name of your first dog, what street did you grow up on, who was your best friend in school?"
OMGWTFBBQ!!!! these memes are all my security questions. Well played internet thieves, well played.

From: dpolicar
2016-06-02 04:04 pm (UTC)
There was a riff on this going around for a while that asked for the street I grew up on, my pet's name, and the last four digits of my social security number.
From: detailbear
2016-06-01 03:24 am (UTC)
Some people use a standard word for their security answers so that no one can do social searching to find it.

First pet: armadillo
First street: armadillo
Mother's maiden name: armadillo

or maybe link it to the website. NSFarmadillo

N.B.: mine is not "armadillo".
From: dr_tectonic
2016-06-01 03:52 am (UTC)
It's a good strategy, but switching over to it is the hard part. Because until you've switched everything, you have to remember where you used that strategy and where you haven't yet and that's where my brain drops the ball...
From: dendren
2016-06-02 03:12 pm (UTC)
I do something similar. I use the real answer if there is a true answer for it but in cases where there are questions and most don't really have a viable answer for me, I just choose one and use a code word like your Armadillo go-to. If my security question pops up like "what is your first child's name", I know I had to have answered Armadillo since I don't have kids.
(Deleted comment)
From: dr_tectonic
2016-06-01 03:59 am (UTC)
The problem is that these questions have all been specifically chosen NOT to be searchable via social media footprints. Which is what makes so many of them unanswerable for me.

(Seriously, who has foods they hate ~secretly~ and would never admit to hating? Yeah, that makes it unsearchable, but who ARE you that you live like that?)

I think the root problem is not the questions themselves, it's the decision that this system warrants that level of security.
From: dpolicar
2016-06-02 04:05 pm (UTC)
>who has foods they hate ~secretly~ and would never admit to hating?

And for whom is this a unique descriptor?!?
From: goobermunch
2016-06-13 01:56 pm (UTC)
Do you have an iPhone? Try SplashID. It's a password protected password vault. You can put all of this information in your phone and let the portable cyberbrain remember it.
From: pink_halen
2016-06-01 04:24 am (UTC)
You will appreciate this sentiment from a Small Town guy. In his essay he laments that security questions don't mean anything in a small town.

And on the other hand, I have this other bank-related thought: Pretty much everyone who works there knows the answers to my online security questions. I don’t mean they have access to them. I mean they know them. What is your paternal grandmother’s first name? In what city were you born? Who was your first girlfriend? So how do I deter identity theft? By keeping my account balance and credit score as low as possible.


It sort of fits with my favorite joke.
You don't have to use your turn signals. We already know where you are going.