I sometimes see memes about "don't do these 'get to know me' memes because you'll expose your passwords or security question answers".

Honestly, we already do a lot of that in the course of filling out social media platforms and using those platforms? If you're on LinkedIn or Facebook for example, your mother's maiden name is probably in your profile, along with the college you graduated from.

The real lesson is "stop doing security questions truthfully" and "stop having passwords based on things about you and your friends". SQs are a far more common backdoor to take control of someone else's account. Treat "security" answers as additional passwords.

#UserSecurity #SecurityQuestions #PasswordSecurity

@jxself

People asking questions to get the answers to my security questions...

#Security #SecurityQuestions

In the context of GDPR and data minimisation requirements... is it even legal to have knowledge based authentication / security questions in use? Any service, except maybe a genealogy service, asking users for their mother's maiden name should not exist.

#privacy #gdpr #knowledgebasedauthentication #securityquestions

Oddly enough, my first pet's name was "security question." #security #securityquestion #first #pet #securityquestions

To reset your password, please answer your security questions:

1. What are your intruder countermeasures?

2. How often do you check your six?


#infosex #SecurityQuestions #PasswordReset

👇🇺🇸 Only in America
"'First man on the Moon': Internet explodes at George Santos' assignment to committee overseeing NASA"
#GeorgeSantos #CommitteeAppointment #NASA
#NationalScienceFoundation #SecurityQuestions
https://www.rawstory.com/first-man-on-the-moon-internet-explodes-at-george-santos-assignment-to-committee-overseeing-nasa/

Freshman New York Republican Congressman George Santos has been handed two committee assignments, including one on the House Science, Space, and Technology Committee, which oversees NASA.MSNBC's Ryan Nobles reports Santos, who is seen by many as a serial liar and is under investigation on multiple f...


#SquareEnix, your password and e-mail restrictions, use of security questions and other sign-up form requirements suck...

  • Password field can't be pasted into
  • Password field can't be filled by the browser's password generator (option doesn't show up)
  • Password phrases aren't possible as spaces seem to be disallowed
  • Additional restrictions such as limiting the amount of repeated characters only provide additional rules for brute force systems, thus reducing the total amount of possible choices. In addition they make it hard for password generators to create a valid password.
  • Putting limitations on the kinds of special characters allowed makes me doubt your user input sanitation...

In addition to this, they are asking for a 'security question', which are notoriously easy to find, guess or social engineer.
The first couple of answers I gave were also refused.

Plus-signs are also not allowed in the e-mail address field, thus making it impossible to use #PlusFiltering, while also going against the #EMailRFC, which states that plus signs are allowed in the local-part of the address.

#Password #Passwords #PasswordFail #Security #SecurityFail #Squeenix #SquareEnix #FFXIV #emailFail #PasswordRestrictions #SecurityQuestions
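The bullet above about limits on repeated characters makes a claim that can be checked by counting: every composition rule throws away part of the search space, so a generator that respects the rule produces slightly less entropy, and anyone guessing gets to skip the rejected strings. The following is an added example (not code from the post, from Square Enix, or from any real sign-up form) that counts how many strings of a given length survive a "no character more than r times" rule and converts the loss into bits. The alphabet sizes and lengths are assumptions chosen for illustration.

```python
from itertools import product
from math import comb, log2


def count_with_max_repeats(alphabet_size, length, max_repeats):
    """Number of strings of `length` symbols over an alphabet of `alphabet_size`
    in which no symbol occurs more than `max_repeats` times.

    Dynamic programme over symbols: dp[used] is the number of ways to fill
    `used` of the positions with the symbols seen so far.  Adding the next
    symbol i times means choosing which i of the (used + i) filled positions
    it occupies, hence the binomial factor.
    """
    dp = [0] * (length + 1)
    dp[0] = 1
    for _ in range(alphabet_size):
        new = [0] * (length + 1)
        for used, ways in enumerate(dp):
            if ways == 0:
                continue
            for i in range(0, min(max_repeats, length - used) + 1):
                new[used + i] += ways * comb(used + i, i)
        dp = new
    return dp[length]


def entropy_loss_bits(alphabet_size, length, max_repeats):
    """Bits removed from the search space by the repeat-limit rule:
    log2(all strings) - log2(strings the rule accepts)."""
    total = alphabet_size ** length
    allowed = count_with_max_repeats(alphabet_size, length, max_repeats)
    return log2(total) - log2(allowed)


def brute_force_count(alphabet_size, length, max_repeats):
    """Reference count by enumeration; only usable for tiny parameters,
    included to cross-check the dynamic programme."""
    accepted = 0
    for s in product(range(alphabet_size), repeat=length):
        if max(s.count(c) for c in set(s)) <= max_repeats:
            accepted += 1
    return accepted


if __name__ == "__main__":
    # Assumed policy: 12 characters drawn from the 95 printable ASCII symbols,
    # no character allowed more than twice.
    loss = entropy_loss_bits(95, 12, 2)
    print(f"repeat limit removes {loss:.3f} bits from a 95^12 search space")
    # Same rule on a short, small-alphabet password costs far more.
    print(f"for a 4-symbol, 6-character code it removes {entropy_loss_bits(4, 6, 2):.3f} bits")
```

For long passwords over a full printable alphabet the loss is a small fraction of a bit, which is why the real cost of such a rule is less the entropy than the fact that standard generators produce strings the form rejects; for short or small-alphabet secrets the same rule cuts the space noticeably.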

Scenario: You're asked to provide security monitoring on logs from a bespoke system or one that uses technology that there isn't much in the way of security tooling or rules for already, say an API interface.

What's your approach? I guess it's going to be a 'it depends' depending on how it's deployed right? (e.g. facing internet), or do you reject it and only take on logs you know have a known security value? Or keep them but just for incident response?

#detectionengineering #detection #siem #securityquestions #blueteam #mssp

@gerowen @fribbledom but make sure you record them in a #PasswordManager ! Your future self might not remember what cleverness you dreamed up. You can even use your password manager's generator to answer #SecurityQuestions
Nihilistic Password Security Questions - Schneier on Security

Schneier on Security
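The advice in the first post (treat security answers as additional passwords) and in the reply above (let the password manager's generator answer them) comes down to two checks: the answer must not be something already discoverable about you, and it should carry as much entropy as a password. This added example, which is not code from any of the posts or from any password manager, generates random answers with the CSPRNG, reports their entropy, and flags answers that match facts visible on a constructed public profile. The question list, the profile facts, and the 20-character length are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed sample of typical knowledge-based questions (not taken from a real service).
QUESTIONS = [
    "What is your mother's maiden name?",
    "What was the name of your first pet?",
    "Which college did you graduate from?",
]

# Constructed facts of the kind a LinkedIn or Facebook profile makes public.
PUBLIC_PROFILE_FACTS = ["Smith", "State University", "Rex"]

ALPHABET = string.ascii_lowercase + string.digits


def _normalise(text):
    """Lower-case and drop whitespace so 'State University' == 'stateuniversity'."""
    return "".join(text.lower().split())


def random_answer(length=20, alphabet=ALPHABET):
    """Draw a uniformly random answer with the CSPRNG, as a generator would."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols over `alphabet_size`."""
    return length * math.log2(alphabet_size)


def is_public_fact(answer, profile_facts):
    """True when the answer is one of the facts already visible on the profile."""
    return _normalise(answer) in {_normalise(f) for f in profile_facts}


def generate_vault_entries(questions, length=20):
    """Password-manager style records: each question mapped to a random answer
    that is guaranteed not to collide with a public profile fact."""
    entries = {}
    for q in questions:
        answer = random_answer(length)
        while is_public_fact(answer, PUBLIC_PROFILE_FACTS):
            answer = random_answer(length)
        entries[q] = answer
    return entries


if __name__ == "__main__":
    # A truthful answer is already public; a generated one is not.
    print("truthful 'Smith' is public:", is_public_fact("Smith", PUBLIC_PROFILE_FACTS))
    for question, answer in generate_vault_entries(QUESTIONS).items():
        print(f"{question} -> {answer}  ({entropy_bits(len(answer), len(ALPHABET)):.1f} bits)")
```

Store the generated answers in the manager's notes field for the site entry; if a form refuses an answer (as the Square Enix post describes), shorten the length or alphabet in the generator rather than falling back to a real fact.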