Chester Wisniewski (chetwisniewski@securitycafe.ca)'s status on Friday, 01-Dec-2023 05:43:06 JST
Great! TransUnion, whom I have the pleasure of receiving free credit monitoring from due to the MGM Casino breach in Sept, has a policy of only allowing 15 characters or fewer. Not like anything important is on the line or anything. Oh, they get bonus points for letting me skip the password with a trivial security question! #InfoSec #NotAFeature @boblord @thorsheim
Aral Balkan (aral@mastodon.ar.al)'s status on Friday, 01-Dec-2023 05:43:04 JST
@captainslim @thorsheim @chetwisniewski @boblord Wow, much entropy, such security!
Chris Johnson (captainslim@infosec.exchange)'s status on Friday, 01-Dec-2023 05:43:05 JST
@thorsheim @chetwisniewski @boblord
United Airlines makes you choose from a list of allowed answers for their security questions.
Per Thorsheim (thorsheim@mastodon.social)'s status on Friday, 01-Dec-2023 05:43:06 JST
@chetwisniewski @boblord
1) Do not use security questions. :)
2) If you use a pwd manager, use that to generate & remember random pwds as answers to security questions.
3) If a service provider uses security questions, tell them to stop using them.
4) Recommending them a little bit of MFA, in particular WebAuthn/passkeys, is a good idea.
5) Tell them using security questions is close to negligence, if not gross negligence, of recommended practices & standards today.
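Item 2 above in working code, added here as an editor's example and not something anyone in the thread posted: it generates cryptographically random answers for security questions (to be stored in a password manager), reports how many bits of entropy each answer carries, and flags the case where a site's length cap, like the 15-character limit in the original post, keeps an answer below a chosen entropy target. The alphanumeric alphabet, the 80-bit target and the sample questions are assumptions for illustration.

```python
import math
import secrets
import string

# Assumption: most "security answer" fields accept letters and digits; some reject
# spaces and punctuation, so the default alphabet stays alphanumeric.
ALNUM = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def min_length_for(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a random string over `alphabet_size` symbols reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_answer(length: int, alphabet: str = ALNUM) -> str:
    """Cryptographically random answer using the `secrets` module (never `random`)."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answers_for(questions, target_bits: float = 80.0, max_len=None, alphabet: str = ALNUM):
    """
    Map each security question to a random answer plus its entropy.

    If the site caps the answer length (max_len) below what target_bits needs,
    the answer is shortened to fit and `meets_target` is False, so the caller
    can see that the site, not the generator, is the weak link.
    """
    needed = min_length_for(target_bits, len(alphabet))
    out = {}
    for q in questions:
        n = needed if max_len is None else min(needed, max_len)
        bits = entropy_bits(n, len(alphabet))
        out[q] = {
            "answer": random_answer(n, alphabet),
            "bits": round(bits, 1),
            "meets_target": bits >= target_bits,
        }
    return out


if __name__ == "__main__":
    # Constructed sample questions, not taken from any real site.
    qs = ["Mother's maiden name?", "First pet's name?", "City of birth?"]
    for q, info in answers_for(qs).items():
        print(f"{q:28} {info['answer']}  ({info['bits']} bits)")
    # A 15-character cap over 95 printable ASCII symbols tops out under 99 bits:
    print("15-char cap, full printable ASCII:", round(entropy_bits(15, 95), 1), "bits")
    # And a site that caps answers at 10 alphanumerics cannot reach 80 bits at all:
    capped = answers_for(qs, target_bits=80, max_len=10)
    print("10-char alnum cap meets 80 bits?", all(v["meets_target"] for v in capped.values()))
```

Store the generated strings in the password manager entry for the site alongside the password; the "answer" is then just a second random secret, not a fact an attacker can look up.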