by freditup
3896 days ago
How do you design a system that's hardened against social engineering but not hardened against innocent mistakes, like losing your password? It seems like the easiest way to access public systems like this is through social engineering techniques around password recovery or phishing. Of course there are well-known answers that are used to mitigate these problems somewhat: TFA solutions, login images, etc. But I still feel as if social engineering attacks hit a really vulnerable weak spot in many systems. (On a mostly unrelated note, can we get rid of security questions forever? I've taken to just giving nonsense answers for them and storing my answers somewhere secure. I sure don't want my passwords being reset because somebody knows my mom's maiden name...)

Not only that, any site that used that question, and all those that got hacked, know your mom's maiden name if that question was ever answered seriously. That's the main reason such 'secret questions' suck: there apparently is a fairly small set of commonly used questions like that (first school, first pet, favorite pet, mom's maiden name, street where you were born, and so on).