You know that thing that companies do when you set up an online account, asking you to name your favorite food and your high-school mascot as a way to recover your password later, or verify your identity if something sus is going on?

1/
They're called "challenge questions" and they don't work.

That's the conclusion a group of Google security researchers and my EFF colleague Joseph Bonneau reached through a set of careful - and devastating - experiments.

static.googleusercontent.com/media/research…

2/
Not only are the answers to these questions pretty easy for attackers to guess or research (your mother's maiden name is a matter of public record and your favorite food is "pizza"), but actual users really struggle to remember their answers.

3/
Topline findings:

* "37% admitted to providing fake answers in an attempt to make them 'harder to guess' although on aggregate this behavior had the opposite effect"

* "40% of users were unable to recall their answers when needed."

4/
* "Questions that are potentially the most secure (e.g what is your first phone number) are also the ones with the worst memorability."

* "It appears next to impossible to find secret questions that are both secure and memorable."

5/
I treat these questions as secondary passwords and use password generators to come up with strong, long passwords for them, managing them in a password manager (so much for memorable). Even this has an unexpected failure mode!

6/
My small credit union's site requires you to come up with several of these questions at signup time: favorite movie, high school mascot, etc. You can answer from a list, or you can fill in your own. I did the latter, giving answers like "OWX~kMy!'(T;DkLwmBjrDs."

7/
What I didn't know was that the challenge questions are presented as MULTIPLE CHOICE! So here's how it looks:

8/
WHAT IS YOUR FAVORITE ANIMAL?

[ ] BIRD
[ ] FISH
[ ] TURTLE
[ ] DOG
[ ] PIG
[ ] RABBIT
[ ] SNAKE
[ ] OWX~kMy!'(T;DkLwmBjrDs
[ ] CAT
[ ] FOX

9/
So much for my high-security, hard-to-guess alternative.
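Added illustration, not part of Doctorow's thread or of the Google/EFF paper: a small Python model of the failure mode the thread describes. It assumes a 94-character generator alphabet (the thread shows only one generated answer), reuses the 10-option list from tweet 8 with the nine canned animals as the site's distractor pool, and uses a hypothetical lockout budget of 5 attempts. It shows how many bits a free-text random answer carries, how many survive once the same answer is shown as one of ten options, and how many survive if the guesser also knows which options the site generates itself.

```python
import math
import secrets
import string

# Alphabet a typical password generator draws from (assumption: the thread
# shows only one generated answer, so the exact generator settings are unknown).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# The option list exactly as shown in the thread; the nine canned choices are
# the ones that surround the user-supplied answer.
USER_ANSWER = "OWX~kMy!'(T;DkLwmBjrDs"
DISPLAYED_OPTIONS = [
    "BIRD", "FISH", "TURTLE", "DOG", "PIG", "RABBIT", "SNAKE",
    USER_ANSWER, "CAT", "FOX",
]
CANNED_ANIMALS = [o for o in DISPLAYED_OPTIONS if o != USER_ANSWER]


def generate_answer(length: int = 22) -> str:
    """Make a random free-text answer the way a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def free_text_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy (bits) of a uniformly random answer typed into a free-text field."""
    return length * math.log2(alphabet_size)


def multiple_choice_bits(n_options: int) -> float:
    """Entropy the verifier actually enforces once the answer is one of n shown options."""
    return math.log2(n_options)


def effective_bits(displayed_options, canned_pool) -> float:
    """Uncertainty left for someone who knows the site's canned distractor pool.

    Options outside the pool can only have come from the user, so if exactly one
    option is off-pool the list narrows to a single candidate (0 bits). With no
    off-pool options, every displayed choice remains a candidate.
    """
    off_pool = [o for o in displayed_options if o not in canned_pool]
    candidates = off_pool if off_pool else list(displayed_options)
    return math.log2(len(candidates))


def guess_success_probability(bits: float, attempts: int) -> float:
    """Chance that `attempts` distinct uniform guesses hit a secret drawn from 2**bits values."""
    return min(1.0, attempts / (2.0 ** bits))


def compare(lockout_attempts: int = 5) -> dict:
    """Summarize the same answer under the three presentations discussed in the thread."""
    strong = free_text_bits(len(USER_ANSWER))
    shown = multiple_choice_bits(len(DISPLAYED_OPTIONS))
    known_pool = effective_bits(DISPLAYED_OPTIONS, CANNED_ANIMALS)
    return {
        "free_text_bits": strong,
        "free_text_p_success": guess_success_probability(strong, lockout_attempts),
        "multiple_choice_bits": shown,
        "multiple_choice_p_success": guess_success_probability(shown, lockout_attempts),
        "known_pool_bits": known_pool,
        "known_pool_p_success": guess_success_probability(known_pool, lockout_attempts),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:28s} {value:.4g}")
```

Running it shows the collapse in three steps: the typed answer is worth roughly 144 bits, the ten-option list reduces it to about 3.3 bits (a 50% success chance within five attempts), and a guesser who knows the site's canned animal list is left with nothing to guess, because the one option not on that list must be the user's. A site reviewer can apply `effective_bits` to any such screen: if the distractors come from a fixed pool, the only safe design is a free-text field.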

Thread by Cory Doctorow #BLM