Slightly off topic - security questions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Nunners
Forum Commoner
Posts: 89
Joined: Tue Jan 28, 2003 7:52 am
Location: Worcester, UK

Post by Nunners »

This is slightly off PHP, but does anyone have a decent list of standard questions to ask a customer, that are personal, but not necessarily a password-type answer?

An example would be "Mother's Maiden Name" - but as this is easy to look up, we were trying to think of some non-objective ones, but something more subjective (assuming I've got my ob & sub the right way round :))

Thanks
Nunners
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Favourite Colour
Pet's Name
Favourite Place
Favourite Movie

anything in the favourites category really.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Personally, I would advise against implementing this sort of functionality if you can tie the account to an email address.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Ambush Commander wrote: Personally, I would advise against implementing this sort of functionality if you can tie the account to an email address.

I agree, there will always be those stupid ones with the so-easy-to-guess answers :P
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

- relative's middle names
- first place, pet, person names

Go sign-up for Google or Yahoo and see what they have.
(#10850)
Nunners
Forum Commoner
Posts: 89
Joined: Tue Jan 28, 2003 7:52 am
Location: Worcester, UK

Post by Nunners »

I'd agree with you all, however, there are various drawbacks to various things!

In terms of using personal details (mother's maiden name/father's middle name etc), these are fairly easy to find nowadays.

With regards to linking directly to an email address, again that is not necessarily completely secure - but what is! But, as this is part of a system to allow users to reset their password for their email account, sending it to an email address isn't really gonna work!

We're also trying to get away from users setting their own questions, as some users put things that are particularly blue - and when they ring up our support desk, it makes things somewhat interesting, and indeed embarrassing when you have to ask a customer what their favourite body part is (and that's just a minor one)!

So, I think we're gonna stick with the favourite x, but also get more details off them, possibly using postcode, date of birth etc.

Thanks for your help though...

James
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Well, you could just ask them for their credit card number... (if it's paid, of course).
toasty2
Forum Contributor
Posts: 361
Joined: Wed Aug 03, 2005 10:28 am
Location: Arkansas, USA

Post by toasty2 »

Lol, I'm sure that they would give it to you :D :?:
Services like Google do let you choose a question, common questions are:
Mother's Maiden Name
Frequent Flyer Number
First Phone Number
Pet's Name
Just to name a few...
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

As far as I know, when you implement this kind of thing, you always have to sacrifice some security.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Let the user choose the question. That's my preference.

Also, see the fourth tip here:

http://jeremiahgrossman.blogspot.com/20 ... users.html