Ask HN: Online Account Security Questions

3 points by bbissoon ↗ HN
I'm constantly bothered by the techniques used to secure our online accounts.

First - the multiple security questions. Second - the mandatory length and confusion in our passwords

This techniques are ridiculous and only hinders usability and adoption.

How about letting users enter a pin instead of requiring them to answer and set 5 random questions.

Password security, if I want it to be password - so be it. Give me a warning and let me keep moving. That ALONE has been the reasons I opt for not using certain services online.

Why must online security be stricter than real world application such as ATM pin with the added benefit of using all alphanumeric chars?

While taking brute force precaution in the code - why make it harder for users to use/register for your service?

4 comments

[ 0.25 ms ] story [ 18.6 ms ] thread
You know, I was wondering the same thing. I am guessing it is to protect websites against bots or something.
But when you're accounting for brute force attack, you can lock out an account for a certain number of incorrect tries. A bot wouldn't have a chance to correctly identify the pin unless it ran the correct combination in the first 3 tries.

With the use of all alphanumeric chars - it would be even greater security. The only risk I see is if people consciously decided to use 111, aaa, bbb etc and those of the like.

But you can also block these pins from the jump so people can't use them.

The database containing everybody's PINs will be stolen. Even if you use 8 digit PINs and they are properly hashed, they will get brute-forced rather quickly. Any longer and people will not be able to remember their PINs or will use the same PIN with multiple websites --- exactly the same problems we have with passwords.

(Am I saying that security questions are secure? No.)

If you have to use ALL alphanumeric chars - how can this possibly be brute forced quickly? If you're table of pins is stolen and the information readily connects a user to a pin - that system is horrible from the jump.

Human beings attempt to brute force their own pins, most of which have a greater insight into possible combinations and STILL get their account locked. Remember - 3 tries gets you locked.

Why would it get broken quicker? If there's something I'm missing, I want to know it for the sake of being a better developer.