That most annoying of security features: the super-secret question!

By sylvie | January 4, 2010

The powers-that-be have implemented a new web system for our human resources needs, one that is supposedly more secure. Of course, the first thing it did when I first signed in was demand that I change my password. How very annoying, especially since I had been using the same password since I first signed up with this system.

OK, so I suppose that having the same password for 10-odd years is not very secure, but to be honest, I never worried about it before because I could only access the system while I was inside our firewall. Plus, what are they going to do? Steal my vacation days? But okay, I am willing to change my password to something more secure (and which I promptly forgot, of course - luckily I have a secure program where I keep all these passwords or I would never be able to access anything).

Today, the website wants me to set up a question/answer system in case I forget my password. Unfortunately, they don’t let you choose your own question and they include very easily hackable questions. There is the old standard, “what is your mother’s maiden name”. There are a lot of kids in Quebec who sport the names of both their parents. That should make it particularly easy to hack that answer. Or what about all the genealogy buffs out there who fill out information on the internet to find their ancestors? Then there is “what is your pet’s name”. I don’t blog about Smaug & Odin much, but it’s pretty easy to find my dogs’ names on the interwebs. Jeez, maybe I shouldn’t have mentioned their names there. Other questions they’ve included: “favourite song title” (really? something that can change as soon as your favourite artist comes out with a new CD or you discover a new singer?), “favourite colour” (more stable than song title, though it may be fairly easy to figure out; you could make it harder by choosing a rarer colour word, scarlet instead of red, but then you have to remember which synonym you chose) and “birth place” (again, a bit of poking around should get you that information).

I’m not a specialist in security issues, but it’s obvious to me that these questions are not going to make their website any more secure than it was before. Sigh. Oh well, time to go jump through hoops.

Topics: Security
