passwords - Why don't the answers to "security questions" need to be stored securely? -

-

"postprint" itemprop = "text">

I have done some work on some places now where the password is salty and is divided into pieces in the database, but for the answer security The questions are stored in plain text Now, I have signed up for our hydro power company online portal, and in the Account Management section, the security question and answer is displayed to me.

Given that security questions and answers often allow the use of the user, in an alternative way, without a password, in an account, why are they allowed to store them in plain text? Especially when people often have a limited pool of security questions to choose from, so they use the same answer in many sites.

The problem with security questions is that the designs are completely insecure. Because they are stored in plain text, it is sometimes used by humans to confirm that they should be seen by humans and that some answer is correct. A user's answer to their favorite food is "corn pop", and they answer "popcorn", so this is a valid answer.

Hashing the answers to the security questions will require the user to know his previous answer that absolutely , such as it was a password, and we already know that the user forgot his password (In cases where the user is trying to access the account).

Similarly, because these are not arbitrary answers like passwords, sometimes they are displayed back to the user as you saw them. This is because when he is no longer right then his answer can change. The password is an arbitrary response, but the security questions are not answered unchecked. People's choices and even what or what they think is that they can change over time. A user who is asked from his favorite movie, he can choose one last night, and after a year forgets that he has ever given it such a high status.

For that matter, the answer to the security questions is the hedging limited utility (primarily for security jacks which they know to answer randomly). His very nature is that he is public Hashing the user's latest car model does not just keep hackers from reading his Facebook feed.

Security questions are not safe to use to use them. Technically, they should be treated like passwords, because they are passwords for all practical purposes but if we have taken the answers to the security questions, then the necessary users should choose strong answers And they are not allowed to easily guess the answer, then there will be no meaning for them.

Remember, the purpose of security questions and answers is not bypass password the more they are behaving like a password, the more useless they become for that purpose.


Comments

Post a Comment

Popular posts from this blog

java - org.apache.http.ProtocolException: Target host is not specified -

-
I have written a simple httprequest / response code and I am getting this error below: I used to type in my classpath httpclient, httpcore, common -Codecs and general logging. I am very new to Java and I do not know what's going on here. Please help me. code: import org.apache.http.client.HttpClient; Import org.apache.http.client.methods.HttpGet; Import org.apache.http.HttpResponse; Import org.apache.http.impl.client.HttpClientBuilder; Import org.apache.http.Header; Import org.apache.http.HttpHeaders; Public class UnshorteningUrl {public static zero main (string [] args throws exception {HttpGet request = zero; HTTP Client Client = HTTP ClientBuilder.credit (). Build (); Try {Request = New HTTP Gate ("trib.me/1lBFzSi"); HttpResponse httpResponse = client.execute (request); Header [] header = httpResponse.getHeaders (HttpHeaders.LOCATION); // Preconditions.checkState (headers.length == 1); String new url = header [0] .getValue (); System.out.println ("new url...
Read more

java - Gradle dependencies: compile project by relative path -

-
Is it possible to specify a dependency on another gradeal project in the granular (in android studios) outside the current project limits? For example, with a relative path like this: dependence {collection project ('../../ stdlib / dagger'}} MyApp (path / user / foo / workspace / mypad) The app (Path / User / Foo / Workspace / MyPass / App) And I have an Android Library Project with 3 subdomules: stdlib (path is / user / foo / Utilities (Path / User / Foo / Workspace / Stadlib / Utilis) http (Path / User / Foo / Workspace / Stadlib / HT) / Li> What I have to do is compile the Dagger, Util, http module in the MyApp project. The Stidelib Library module under heavy development And MyApp will grow in the form of Growth, so I do not want to push them into a Mewen repository. I am a little change. is likely to add another Gredle projects in some way? I will push the study library into the Maven repository after the source is in search of a temp...
Read more

ruby on rails - Object doesn't support #inspect when used with .include -

-
So I have participated in a glitch error that I do not even know how to debug. I am very new to the railing, so it has kicked my ass well when I use the .includes (school) seen by the student, it gives a blue box error, But when I look at any other model and .includes (school) , the school works just fine. class student & lt; ActiveRecord :: Base has has_many: relationships, foreign_key: "liker_id", dependent :: has_many: matches, foreign_key: "student_1_id", dependent :: deleted belong_to: school belong_to: conference belong_to: would_you_rather belong_to: home city belong_to: year is_to: Major and class school & lt; on the console activatecord :: Affiliate for the base: conference includes: respondent, class: "school", foreign_key: "rival_id" (e.g. For: School) Select SQL generated Select "School". * "School" from "school" "ID" IN (1) error message back NoMethodError: u...
Read more