personZ|11 years ago
This sort of comment appears a lot and it makes for an easy trip to victim blaming.
Apple created these questions for you to enter real answers. They fully intend for you to put in real answers. That is what the system's purpose is.
That we look at it and say "well that is grossly insecure, so I'm going to put in the SHA512 hash of the question with a fixed secret salt" might assuage our risk, but it does nothing to relieve Apple of the failure of this security system.
AlexandrB|11 years ago
Not only is it insecure, but in some cases intensely user unfriendly. I used to put real answers in these until I realized even if I remembered the answer I could never recall the exact string I used.
A common example: "Name of first car?"
So was that "Neon"? or "Dodge Neon"? or "Blue Neon"? or maybe "neon"? or "1991 Dodge Neon"?
Security questions are basically a secondary password masquerading as something else. But because they are not called a password, the expectations on their character-wise correctness are not clear to a layman. I find the continued proliferation of security questions baffling, especially when some sites call password + security question "two factor authentication".
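Taking the point above that a security question is a secondary password, here is an added example (not code from the thread, from Apple, or from any commenter) showing both sides in Python. The user side derives a deterministic answer with HMAC-SHA512 keyed by a personal secret, which is the keyed-MAC form of the "SHA512 hash of the question with a fixed secret salt" idea mentioned above; the site side normalizes free-text answers so that "neon" and " Neon! " compare equal, then stores them salted and stretched as it would a password. The site names, the secret, and the sample answers are constructed for the demo.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed sample secret for the demo; in practice this would live in a
# password manager and never be typed into the site itself.
USER_SECRET = b"correct horse battery staple, but longer and random"


def derived_answer(site: str, question: str, secret: bytes = USER_SECRET,
                   length: int = 24) -> str:
    """User side: a deterministic, unguessable answer for one question.

    HMAC-SHA512 keyed with the user's secret over site + question, hex-encoded
    and truncated to fit typical answer-field length limits. The same inputs
    always reproduce the same string, so there is no "Neon" vs "Dodge Neon"
    ambiguity to remember, and the answer cannot be looked up on social media.
    """
    message = f"{site}\n{question}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha512).hexdigest()[:length]


def normalize(answer: str) -> str:
    """Site side: canonical form of a free-text answer before comparison.

    NFKC, case-fold, and keep only letters and digits, so "Neon", " neon " and
    "NEON!" compare equal. It cannot rescue "Neon" vs "Dodge Neon": those are
    different answers, which is the usability problem raised in the thread.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Site side: store answers like passwords (per-record salt, slow hash),
    never in the clear. Returns (salt, digest) over the normalized answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, 200_000)
    return salt, digest


def verify_answer(stored: Tuple[bytes, bytes], supplied: str) -> bool:
    """Site side: constant-time comparison of a supplied answer to the record."""
    salt, digest = stored
    _, candidate = hash_answer(supplied, salt)
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    question = "Name of first car?"
    print("derived answer:", derived_answer("apple.com", question))
    record = hash_answer("Dodge Neon")
    for attempt in ["dodge neon", "DODGE NEON!", "Neon", "1991 Dodge Neon"]:
        print(f"{attempt!r:20} -> {verify_answer(record, attempt)}")
```

Normalization only absorbs case, punctuation and whitespace; the variants AlexandrB lists are genuinely different strings, which is why a derived or randomly generated answer recorded in a password manager is the practical fix from the user's side.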
cryptoz|11 years ago
[1]: No, not that exact string ;)
samspot|11 years ago
electromagnetic|11 years ago