Recently I was setting up access to just another high security system and I was presented with this list of questions (I had to select three) as my security questions so that I can get my account back if (when) I forget my password.

Lets review these questions for a minute.  Now some of these Facebook actually asks you to provide them so that they can put them on your profile (that annoying part at the top of your Facebook profile).   The rest you can probably figure out about most people just by looking at the information that they provide during the course of using social media in their daily lives and with the groups on Facebook that they belong to.  You add access to a public linked in profile and a little searching in public records and getting most if not all of these answers shouldn’t take you more than a couple of hours.

As the people that build these applications we need to take more notice of just how easy it is to figure out these questions.  The questions that we are putting into the applications shouldn’t be so annoying as “Favorite Teacher’s Last Name”, which I’ve actually seen but they need to be stuff that is at least a little harder to figure out if these are the things that we are going to use to ensure that people are who they say they are.

Things like drivers license number or state ID number (for those without a drivers license) are a good start.  They don’t change all that often (except when you move between states).  Social Security Numbers basically never change so those aren’t a bad number to use (granted there are other issues with using a persons tax ID here in the US).

When you are designing these sorts of authentication systems, don’t assume that just because your paranoid ass doesn’t upload your entire live to Facebook, LinkedIn and Twitter that no one else does that either.  People do, do that and they will continue to do that.  If you want to actually provide a level of security for your customers, which I sure hope that you do as that is kind of your job, then assume that the customers will be posting the easy to figure out questions online for all to see so you might want to use some slightly more complex questions.

Denny

“But Denny, you swear like a sailor, there’s no way they want your foul mouth showing up on TechNet.”  And you are correct, the idea that godforsaken thing coming out of my mouth showing up on TechNet would be highly amusing for probably 5 minutes until someone from Microsoft management noticed it and had it pulled down faster that an Apple employee would run screaming from one of Buck Woody‘s presentations.

You can click through to the page with my info on it (and Arnie Rowland‘s as well) or just go to TechNet, click on SQL Server on the left, then find the “Connect with SQL Server featured MVPs…” at the bottom of the nav menu on the right.

All that is up there for the moment is a couple of test tweets that we did to get the filtering correct (click the screen shot).

Let this be a warning to you, if you see me tweet something which the #tnSqlDC hash tag and you reply with the hash tag, it’ll probably show up there as well as a click-able link and it’ll go straight back to you.

Let the warning end here, and the mayhem begin.

Denny