Error! The easily guessed security questions that we make you answer in order to reset your password aren’t enough of a security vulnerability.

"Honeybunchesofgoats" (honeybunche0fgoats)
01/24/2019 at 10:05 • Filed to: None

[image]

That’s an actual parameter for a bank account password.


DISCUSSION (8)


I like cars: Jim Spanfeller is one ugly motherfucker > Honeybunchesofgoats
01/24/2019 at 10:20

Mine is the same way! I hate that my password is easier to guess for my bank than for my burner email.


Honeybunchesofgoats > I like cars: Jim Spanfeller is one ugly motherfucker
01/24/2019 at 10:23

I used to think that security questions were just because banks were behind the times, but now I’m convinced that they actively want people to have access to your account.


CalzoneGolem > Honeybunchesofgoats
01/24/2019 at 10:25

I work at a huge multinational company. One of our major logins won’t accept capital letters.


jimz > Honeybunchesofgoats
01/24/2019 at 10:35

[image]


t0ast > Honeybunchesofgoats
01/24/2019 at 10:41

A lazy effort for sure, but better than nothing.

[image]

Hopefully they at least allow a decent length to make up for that lack of complexity.


Honeybunchesofgoats > jimz
01/24/2019 at 10:41

“I guess I’ll just remove one letter from the end of my password then. Yay security!”


facw > Honeybunchesofgoats
01/24/2019 at 14:10

The really offensive thing is that that password should be immediately getting shoved into a hash function for comparison against the stored hash, which means the characters really shouldn’t matter at all. Even if you are passing those into your DB, then 1) you don’t even exclude ‘;’? and 2) any DB access method you should be using should be escaping those for you; if you are just modifying a query string to throw in the password, you are doing something very wrong. And of course you don’t have to worry that it will mess with the HTML you are displaying, because you should never be displaying (or even storing) the raw password.
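The back end facw describes, as an added example that is not part of the thread and not any bank's code: the password is run through a salted key-derivation function before anything is stored or compared, and the database is accessed with bound parameters, so a password full of quotes, semicolons and angle brackets is handled exactly like any other. It assumes Python 3's standard library only (hashlib, hmac, sqlite3); the table layout, the iteration count and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256. This value is the example's choice;
# a real deployment tunes it to its hardware and reviews it periodically.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest). Only the digest and salt are ever stored.

    The password goes straight into the KDF as bytes, so its characters are
    irrelevant to the database, the HTML layer, or anything downstream.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def open_user_store():
    """In-memory sqlite3 store with one constructed table (example schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn, username, password):
    """Store a new user. The '?' placeholders are bound by the driver, so no
    value is ever spliced into the SQL text; the raw password is not stored."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    conn.commit()


def login(conn, username, password):
    """Return True only if the recomputed digest matches the stored one."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same KDF time for an unknown user so the response time
        # does not reveal which usernames exist.
        hash_password(password)
        return False
    salt, digest = row
    return verify_password(password, salt, digest)


def stored_digest_for(conn, username):
    """Helper for inspection: the bytes actually sitting in the table."""
    row = conn.execute(
        "SELECT digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = open_user_store()
    # Constructed password using every class of character the screenshot bans.
    secret = "pa';ss<w>o\"rd 1=1 --"
    register(db, "alice", secret)
    print("correct password accepted:", login(db, "alice", secret))
    print("one letter dropped accepted:", login(db, "alice", secret[:-1]))
    print("raw password present in stored row:",
          secret.encode() in stored_digest_for(db, "alice"))
```

Two things to take from running it: the character restrictions in the screenshot buy nothing once the password is only ever a byte string fed to a KDF, and the `?` placeholders are what make the query safe, not any filtering of the password itself.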


ranwhenparked > Honeybunchesofgoats
01/24/2019 at 18:53

Eh, a multi-word phrase consisting of all lower case letters is going to be harder to break than a jumble of capital and lower case letters, numbers, and characters anyway.