Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/thorsheim/statuses/111496351037034176">Per Thorsheim (thorsheim@mastodon.social)'s status on Friday, 01-Dec-2023 05:43:06 JST</a><a href="https://mastodon.social/@thorsheim" title="thorsheim@mastodon.social"><img src="https://gnusocial.jp/avatar/182605-48-20231008110623.webp" width="48" height="48" alt="Per Thorsheim" style="position: absolute; left: 0; top: 0;">Per Thorsheim</a><div><a href="https://securitycafe.ca/@chetwisniewski/111491638515318543" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/164905" title="boblord@infosec.exchange">Bob Lord 🔐 :donor:</a></li></ul></div></section><article><p><a href="https://securitycafe.ca/@chetwisniewski">@chetwisniewski</a> <a href="https://infosec.exchange/@boblord">@boblord</a> <br>1) do not use security questions. :)<br>2) if you use a pwd.manager, use that to generate &amp; remember random pwds as answers to security questions<br>3) if a service provider uses security questions, tell them to stop using them.<br>4) Recommending them a little bit of MFA, in particular WebAuthn/passkeys, is a good idea.<br>5) Tell them using security questions is close to negligence, if not gross negligence, of recommended practices &amp; standards today.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2397970#notice-4738888">In conversation</a><time datetime="2023-12-01T05:43:06+09:00" title="Friday, 01-Dec-2023 05:43:06 JST">about a year ago</time> <span>from <span><a href="https://mastodon.social/@thorsheim/111496351037034176" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@thorsheim/111496351037034176">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Per Thorsheim (thorsheim@mastodon.social)'s status on Friday, 01-Dec-2023 05:43:06 JSTPer Thorsheim
in reply to
- Chester Wisniewski
- Bob Lord 🔐 :donor:
@chetwisniewski @boblord
1) do not use security questions. :)
2) if you use a pwd.manager, use that to generate & remember random pwds as answers to security questions
3) if a service provider uses security questions, tell them to stop using them.
4) Recommending them a little bit of MFA, in particular WebAuthn/passkeys, is a good idea.
5) Tell them using security questions is close to negligence, if not gross negligence, of recommended practices & standards today.
In conversationabout a year ago from mastodon.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice