
It's time to nuke password security questions

I'll come right out and say it - password security questions are not only insecure, they're a blatant security hole. They're worse than not being there at all, and for any of a number of reasons.

First, they're all the same. How many times have you been asked your mother's maiden name, the make or model of your first car, what city you were born in, or the name of your first pet? These answers, if given truthfully, are easy to find out. You've likely blogged the answer at some time in the past.

If I know your uncle's last name, odds are I also know your mother's maiden name (50/50 shot there, and if I know he's your maternal uncle, I've got it).

At this point, these security questions are no better than a second, easy-to-guess password. And in cases where they're used to recover a password, they become more of a risk than anything else.

The only thing to do here if these questions are mandated is to make up a unique and incorrect answer. Yet another password. Yet another password to remember, and many password managers don't realize that these question fields are password fields to store and protect.

The immediate solution is two-factor authentication. When you log in to a site, the site sends you a one-time code to your phone and you must enter that number. The password is simply to keep people from causing the code to be spammed to your phone and interrupting you while you're in the bathroom. Since everyone has a smart phone these days (a generalization I'm prepared to make), this requires someone who wishes to hack you to have access to your phone. Sure, if they get your phone they get everything, but they still need to know your password to cause the two-factor to fire. It's not perfect, but it's close.

The real solution is an un-replayable biometric solution. A fingerprint reader on every keyboard, implemented in such a way as to make storing and replaying of biometric data impossible. That's a tough nut and might also have to include physical two-party, but I suspect it would work.

If you want into a site, you don't need to give it a name or password. You simply place your finger on the scanner and then wait for your phone to give you the access code which you then type in. The code expires the moment it's used (or in 60 seconds if it is unused). Thus, storing the biometric data isn't really all that useful. And if the biometric data is somehow hashed with an expiring timestamp, storing it won't do much good after a few minutes anyway.
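To make the one-time-code properties described above concrete (a code is burned the moment it is used, and expires after 60 seconds if unused), here is an added illustration in Python; it is not code from the original post. The class name, the six-digit code format, the per-user pending-code table and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # unused codes expire after this window, as the post describes


class OneTimeCodeStore:
    """Server-side record of issued codes (hypothetical; one pending code per user)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._pending = {}         # user_id -> (code, issued_at)

    def issue(self, user_id):
        """Generate a fresh six-digit code from the CSPRNG and remember when it was issued."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = (code, self._now())
        return code  # in a real deployment this is sent to the phone, never echoed back

    def verify(self, user_id, submitted):
        """Accept a code at most once, and only within CODE_TTL_SECONDS of issue.

        The pending entry is removed on *any* attempt, so a successful code can never
        be replayed and a wrong guess burns the code instead of letting a caller
        walk the six-digit space one attempt at a time.
        """
        entry = self._pending.pop(user_id, None)
        if entry is None:
            return False
        code, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            return False
        # constant-time comparison so timing does not leak how many digits matched
        return hmac.compare_digest(code.encode(), submitted.encode())


if __name__ == "__main__":
    store = OneTimeCodeStore()
    alice_code = store.issue("alice")
    print("first use accepted:", store.verify("alice", alice_code))
    print("replay accepted:", store.verify("alice", alice_code))
```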

Either way, passwords are dead and password security questions are worse than dead.

(Image: my first pet, "Nonyabizness" - not his real name)

Time to step it up, Apple

I'm an Apple guy, and while I'm not religious about it, I like that all my devices work together now and are generally portable. The UX works for me and I like having a development platform that is, under the hood, UNIX-based.

That said, Cortana kicks Siri's ass. It's not even a fair fight. What Lisa's Windows phone can do, in terms of an intelligent AI assistant, is incredibly compelling.

Apple, your user experience is second to none. Now it's time to kick up the actual heft behind it. Microsoft is eating your lunch in this one, specific area. Step it up.


Optimizing Images for Web Sites

My latest article is now up at the GoDaddy Garage. It's an overview of image optimization for web sites aimed at small business owners who are comfortable doing their own web work. Not advanced by any means.

Stick It!

Okay, yes, I work at GoDaddy, so I'm supposed to like the commercials. But honestly, I find this one funny. Maybe it's my strange sense of humor. Then again, I also like gefilte fish. Go figure.


Blake Irving on Net Neutrality

Blake Irving, CEO of GoDaddy, sent an open letter to The Honorable Thomas E. Wheeler, Chairman of the Federal Communications Commission.

In short, GoDaddy supports net neutrality. Full stop. It really is that simple. And (full disclosure), as a GoDaddy employee, I'm very pleased to see this. As I've said many times, this isn't the same company people remember from many years ago. Management gets it. In this case, it's the right position and the company is taking it. I continue to confirm that I made the right decision coming to work here.

Now... Mr. Chairman? It's Go Time.
