Stupid security procedures

cog on 2005-06-08T18:32:09

On a Portuguese website where people create blogs, when creating one, you're asked to choose a question from a group of five and insert the answer to it (for password retrieval).

The five possible questions are:

  • What's the date in which your parents married?
  • What's the name of your first pet?
  • What's the name of your first girl/boyfriend?
  • What's the number of your driver's licence?
  • What's your mother's maiden name?


First of all, this is a stupid method, because anyone can get that information.

For password retrieval, you simply have to know the person's login, see the question, find out the answer (really, it's not that hard), answer it, and bang, you can change that person's password.

Then you can log in, change the profile (including the answer to the "secret" question) and probably screw that person's life...

Secondly, it also means you can't have a blog if:

  • Your parents never married,
  • You never had a pet,
  • You never had a relationship,
  • You don't drive, and
  • You never met your mother


So it's not only stupid, but also discriminating O:-)

In a stupid kind of way, I know O:-)


blogblogblog

rafael on 2005-06-08T20:42:17

Yes, but since bloggers usually blog about their parents, pets, relations, or cars, this is to actually discriminate between bloggers and people who might have something interesting to write. (note the "might")

Re:

Aristotle on 2005-06-09T03:53:56

Schneier on Security: The Curse of the Secret Question