Security questions pick list very unsecured?

Fairgame
Community Member

I just want to ask general opinion here. One of the companies I deal with rolled out new security features for login to the website.
Part of this new system is selecting security questions with security answers in case the password is forgotten.
However, the only answers allowed are from a pick list 18-35 items long. For example, they ask what your favorite color is and give you about 18 colors to choose from.
Also, they still allow a 4-digit PIN to be used together with the password, which to me obliterates any good password generated by 1PW. There is no way to opt out of the PIN. Either the PIN or the password allows login to the account on this company website.

So my questions are:

How insecure is using a pick list of answers limited to such a small set?
How insecure is using a 4-digit PIN in addition to the password?

Thank you for your opinion and discussion of the subject.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
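As an added worked model (not code from the thread or from 1Password), using constructed pick-list sizes in the 18-35 range the poster describes: it counts the guess space of the recovery questions, of a 4-digit PIN and of a generated password, and shows that the account is only as strong as the weakest path that grants access.

```python
import math

# Constructed scenario (assumption, not from the thread): three recovery
# questions whose answers must be chosen from lists of 18, 25 and 35 options.
PICK_LIST_SIZES = [18, 25, 35]
PIN_DIGITS = 4
PASSWORD_LEN, PASSWORD_ALPHABET = 20, 94   # 20 random printable ASCII chars


def guess_space(sizes):
    """Distinct answer combinations when each answer is drawn at random from its list."""
    space = 1
    for s in sizes:
        space *= s
    return space


def entropy_bits(space):
    """Bits of uniform entropy for `space` equally likely values."""
    return math.log2(space)


def login_paths(question_sizes, pin_and_password=False):
    """Bits an attacker must overcome on each independent way into the account.

    If the PIN is accepted instead of the password they are separate paths;
    if both are required together, their bits add up on a single path."""
    pw_bits = PASSWORD_LEN * entropy_bits(PASSWORD_ALPHABET)
    pin_bits = entropy_bits(10 ** PIN_DIGITS)
    paths = {"recovery questions": entropy_bits(guess_space(question_sizes))}
    if pin_and_password:
        paths["password + PIN"] = pw_bits + pin_bits
    else:
        paths["password"] = pw_bits
        paths["PIN"] = pin_bits
    return paths


def weakest_path(paths):
    """Account strength is bounded by the weakest path that grants access."""
    name = min(paths, key=paths.get)
    return name, paths[name]


def expected_guesses(space):
    """Average number of guesses before a random target is hit."""
    return space / 2


if __name__ == "__main__":
    for either in (False, True):
        paths = login_paths(PICK_LIST_SIZES, pin_and_password=either)
        print({k: round(v, 1) for k, v in paths.items()}, "->", weakest_path(paths))
```

With the PIN accepted on its own, the weakest path is the PIN at about 13.3 bits (5,000 guesses on average); requiring PIN and password together moves the weakest path to the recovery questions at about 13.9 bits, which is why rate limiting on both paths matters more than the length of the generated password.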

Comments

  • hawkmoth
    Community Member
    edited February 2016

    @Fairgame - I suspect you are describing the United Airlines site, because your description is exactly my experience there. I regard their system for generating answers to the security questions as misguided, in part because they don't offer any way to use randomly generated character strings as the answers. The AgileBits folk recommend that users lie when answering such questions.

    One other comment, if I'm right about where you're dealing with all of this, is that the PIN will no longer be allowed for logging in to the site, but needs to be retained for telephone use.

    I posted my observations about this in the forum a few days ago, here. The ensuing discussion might interest you. I don't think it's definitive about the security implications of that silly system for confining answers. There is another recent thread titled "Security questions must die!" It isn't specifically about this, but it's germane regarding the general issue of security questions.

  • AGAlumB
    1Password Alumni

    @Fairgame: Always lie. Now, that means you're going to have to keep your lies straight, but of course saving them in 1Password can help with that. ;)

    Now, in this particular case it sounds like you're not able to actually create your answers from scratch. Yuck. Obviously that would be ideal. But instead you can at least pick the questions and answers randomly and record them, rather than answering truthfully, since that could open you up to social engineering attacks. Not great, but it sounds like there's at least some variety to choose from.

    Regarding the PIN/password, if both are required, that's not bad at all. However, if the PIN is accepted instead of the password...well 4 digits is pretty pathetic. I'm not sure about the legality, but I feel like any company who supports such awful security should be liable for any losses that come as a result. :lol:

    P.S: Here's the other discussion hawkmoth referenced.

  • Fairgame
    Community Member

    hawkmoth, you keep a good eye on these things. Thanks both of you for the links.
    Lying on these questions is very easy with 1Password. I always get a kick out of giving my security answers to a live person over the phone. One could sense their surprise when they type in the gibberish and it works.
    Thank you

  • AGAlumB
    1Password Alumni

    "One could sense their surprise when they type in the gibberish and it works."

    Love it! :lol:
