T-Mobile insists that I set up three insecurity questions. They say:
  • Choose a question that only you would know the answer to, so it would be difficult for someone else to find out or guess.

  • Choose an answer that is real and means something to you.

  • Choose an answer that doesn’t change over time, so it will be easier for you to remember.

Ignoring the difficulty of answers that don’t change and yet are private (the less things change, the more they become public), their security question choices are limited and mostly based on information that can be found in public record. Also, the answers to several are potentially ambiguous.

Calling those “security questions” is frankly stupid.

Michael K Johnson August 26, 2015 21:18

Oh, wow, and each set of questions is the same; most of the insecurity-enforcing SSO vendors at least have three disjoint sets of questions. I guess T-Mobile went with a cut-rate SSO vendor.

James Stansell August 26, 2015 21:30

Pathetic, isn’t it?

Edward Morbius August 26, 2015 22:41

As I’ve said before:

“Who are you?” is proving to be the most expensive operation in all of computing. Because no matter how you get it wrong, you’re fucked.
Imported from Google+ — content and formatting may not be reliable