Problem ID: 4260977261047443941
Entered by: Ben Simo

I'm going to ask you a question

What is a more secure way to secure people's data on your website than the typical username and password pairing?

Someone at UPS seems to think an answer to a stupid question is better.  These aren't just any stupid questions. These are question that are likely answerable by anyone who knows you.  If you pick the right question, there's a good chance that you've even posted the answer to the question on your blog, on Facebook, or even Twitter. So, what is a stupid question? Take a look:

No, these aren't the so-called "security questions" that are used in addition to a username and password pair. This question and answer is being used where a password would typically be found.

All that is needed to access an account is an email address and the answer to a question.

Narrowing people's thinking as they select passwords, and later giving the same clue at login seems almost as insecure as asking for no more than a phone number and zip code. Oh, but that's already taken by Century Link*.

* Century Link is the new owner of the Telecommunications Company
formerly known as Qwest,
formerly known as US West,
formerly known as Mountain Bell,
formerly part of AT&T.



Post a Comment