Insisting on security risks – revisited

A while back I wrote a post about companies insisting we put our accounts at risk by forcing us to answer silly questions that would serve as a backup in case we lose a password. You know, like what our favorite color is, where we were born, and other commonly available items.

Thanks to Bruce Schneier’s post on Secret Questions I’ve learned about some research people have done on the subject. Yep, it’s just as stupid an idea as I originally thought, and they point out something I hadn’t noticed – people often forget the answers they give. Who has the same favorite color or movie forever?

Since I wrote my post on the subject, I’ve taken to using a very long password to these questions, which are becoming increasingly popular – even with companies that should know better.

A parking lot is the answer

I just read a post about how voting machines in Ohio are going on sleepovers before elections. Whether they’re being protected or hacked is up to you, but clearly physical access to voting machines is considered to be an influence on their validity.

How about this: Put them all in a large group in a parking lot. Then put some simple barrier – maybe police line tape – around them. Then alert media, activist groups, and everyone else that they are there. I’m guessing you’ll end up with enough witnesses and video that any attempt at tampering will end up on tape from several angles. Problem solved. For free, and to everyone’s satisfaction.

A Critical Element in BlackBerry vs. iPhone

Or maybe “Should Be A Critical Element…” Because American business by and large doesn’t really care about security very much.

Thanks to Bruce Schneier we learn that the Indians are pushing to get the encryption keys to RIM’s BlackBerry system. What this means is that the messages sent to BlackBerrys in the field could be decrypted by the Indian government. Strangely, only non-corporate users are at risk for now.

How long do you think it will be before other governments get the keys in exactly the same way as the Indians did? How long do you think it will be before some corporate user is thought to be enough of a security concern that corporate users, too, must turn over keys?

The reason why this is significant for the BlackBerry vs iPhone situation is that the iPhone works differently. It doesn’t pass all messages through a server. It behaves like a computer connected to the internet, with a regular email client. So, as soon as someone is allowed to create an email client with encryption capabilities we will have secure mobile email. Apple has released the iPhone SDK, and is expected to unveil applications along with an improved version of the iPhone in June. It might even happen that Apple builds encryption into the mail client themselves.

The problem for RIM is that there is no way to do full decryption on the BlackBerry without doing it on their server, at least with their current software. Creating this after making deals with governments to provide access will be impossible.

So, if you believe in having privacy, and you conduct business overseas, it looks like BlackBerry isn’t the best choice.

Why do companies insist on security risks?

Why do companies insist on making our accounts less secure?

I just tried to log in to Lowes, got the password wrong, and was then asked the stupid questions that they build into the system to try to avoid having to deal with lost passwords. Idiotic questions like “What was the name of your first pet?” and “Where did you go to high school?” When I’m forced to provide answers to these security risks I usually just enter 30 to 60 characters of gibberish. I figure if for some reason I cannot recover the password I can talk to a human being at the company and regain access that way.

The normal and professional way to handle lost passwords is:

  1. Send the lost password to the person’s registered email address. This is the most sensible way, as long as you give the password loser the chance to back out if they know their email account is compromised.
  2. Make them call and talk to a human being.
  3. Email them a new randomly-generated password.

Not at Lowes – if you don’t remember what you put down as your high school (I went to two) then you’re screwed. The idiots at Lowes make you re-register. Re-registering is bad enough, but my old account is still out there somewhere.

So, I guess the only sensible thing to do is just treat these stupid questions like a password prompt, and come up with a 20 character answer to give all of them. I’m sure as hell not going to tell the truth. Seriously – how hard would it be to get anyone to give up the name of their high school or their first pet? If I wanted to break in to, say, a coworker’s account, all I’d do is try to find the questions, and then ask the coworker. Do you think anyone’s going to balk at talking about their first pet or their high school days?
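As an added example (not code from the original post), here is what both ideas look in practice: the 20-plus-character gibberish answer used in place of a real secret-question answer, and step 3 of the reset procedure above, where the site issues a random temporary password and keeps only a salted hash, an expiry and a single-use flag. The in-memory store, user names and 15-minute TTL are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import string
import time
from typing import Optional

# Letters and digits only: they survive copy-paste and the input filters
# that many "secret question" fields apply.
ALPHABET = string.ascii_letters + string.digits


def random_secret(length: int = 30) -> str:
    """Unguessable gibberish to use as a 'secret question' answer or temp password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: store this, never the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


def issue_temporary_password(store: dict, user: str, ttl_seconds: int = 900,
                             now: Optional[float] = None) -> str:
    """Step 3 of the reset flow: mint a one-time password to e-mail the user.
    Only its salted hash, an expiry and a used flag are kept server-side."""
    now = time.time() if now is None else now
    temp = random_secret(20)
    salt = secrets.token_bytes(16)
    store[user] = {"salt": salt, "hash": _hash(temp, salt),
                   "expires": now + ttl_seconds, "used": False}
    return temp  # goes to the registered e-mail address, not into logs


def redeem_temporary_password(store: dict, user: str, attempt: str,
                              now: Optional[float] = None) -> bool:
    """True exactly once, within the TTL, for the matching secret."""
    now = time.time() if now is None else now
    rec = store.get(user)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    ok = hmac.compare_digest(_hash(attempt, rec["salt"]), rec["hash"])
    if ok:
        rec["used"] = True  # single use: a leaked reset mail cannot be replayed
    return ok
```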