Example of a Sincere Attempt at Security Questions That Still Goes Badly
Posted: June 27, 2017 | Author: ThomasPowell | Filed under: rant | Tags: constraints, design, names
Synchrony Bank has the following security questions when setting up an account. They look well thought out, at least. The only problem? All of the answers are required to be 6 characters or longer. There are plenty of proper names or other valid answers that don’t meet that requirement.
2 of the answers I can readily recall from this list don’t meet the requirement. Half of them I don’t have an answer for, and at least one of the answers is public information.
This one is bad… seven of my answers here are 3-5 characters, two don’t have an answer for me.
Again, 4 out of 10 are 4-5 characters, 1 doesn’t have an answer, and 1 of them I wouldn’t spell the same way twice. Also: Ford? Dodge? Kia? Honda? Lexus? GMC? AMC?
Beyond all this, programmers need to read Falsehoods Programmers Believe About Names. …and anyone answering security questions just needs to store the answers as yet another generated password using something like https://1password.com/ (although I had to limit the symbols that my own password manager would use to generate because slashes weren’t allowed.)
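A sketch of that approach, added here as an example and not taken from the original post or from any password manager: it generates one random "answer" per question while honoring the 6-character minimum and the no-slash rule the post mentions. The 20-character default, the 80-bit strength floor, treating backslash as a forbidden slash, and the question labels passed in are all assumptions.

```python
import math
import secrets
import string

# From the post: answers must be at least 6 characters and slashes are rejected.
MIN_SITE_LENGTH = 6
# Assumption: "slashes" covers both the forward slash and the backslash.
FORBIDDEN = "/\\"


def build_alphabet(forbidden=FORBIDDEN):
    """Letters, digits and punctuation, minus characters the site rejects."""
    pool = string.ascii_letters + string.digits + string.punctuation
    return "".join(c for c in pool if c not in forbidden)


def entropy_bits(length, alphabet):
    """Entropy of a uniformly random string of `length` drawn from `alphabet`."""
    return length * math.log2(len(alphabet))


def generate_answer(length=20, forbidden=FORBIDDEN, min_bits=80):
    """Return a random value to store as the answer to one security question.

    Raises ValueError when the site's length rule is violated, or when the
    restricted alphabet and length fall below `min_bits` (an assumed floor).
    """
    if length < MIN_SITE_LENGTH:
        raise ValueError(f"site requires at least {MIN_SITE_LENGTH} characters")
    alphabet = build_alphabet(forbidden)
    if len(alphabet) < 2 or entropy_bits(length, alphabet) < min_bits:
        raise ValueError("alphabet or length too small for requested strength")
    # secrets.choice draws from the OS CSPRNG, unlike random.choice.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answers_for(questions, **kwargs):
    """One independent random answer per question, to be saved in a vault."""
    return {q: generate_answer(**kwargs) for q in questions}


if __name__ == "__main__":
    # Constructed question labels; the post's actual questions are not reproduced.
    for q, a in answers_for(["question 1", "question 2", "question 3"]).items():
        print(f"{q}: {a}")
```

Each question gets its own value, so a leaked answer on one site reveals nothing about the others, and nothing in the stored answers is public information.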
I *just* registered in this same exact tab 20 minutes ago.