Open Source Daily recommends one high-quality GitHub open source project and one selected English technology or programming article (in the original) every day. Keep reading Open Source Daily to maintain the good habit of learning something daily.
Today's recommended open source project: "TypeScript, an application-scale JavaScript language"
Today's recommended English article: "Security Questions Are a Terrible, Horrible, Bad Idea"
Today's recommended open source project: "TypeScript, an application-scale JavaScript language" Link: GitHub link
Why we recommend it: TypeScript is an application-scale JavaScript language. TypeScript adds optional types to JavaScript and supports tooling for large-scale JavaScript applications targeting any browser, any host, and any operating system. TypeScript compiles to readable, standards-based JavaScript.
Today's recommended English article: "Security Questions Are a Terrible, Horrible, Bad Idea" Author: Meriam Kharbat
Original link: https://medium.com/better-programming/security-questions-are-a-terrible-horrible-bad-idea-da108e303240
Why we recommend it: Do you remember your middle school teacher? The last time you were asked that was probably when you filled in the security questions for some account. But this kind of security question is in fact very unreliable, and very bad.
Security Questions Are a Terrible, Horrible, Bad Idea
Stop asking me for my mother’s maiden name
(Photo by vardan harutyunyan on Unsplash)
As I was setting up my account at Deutsche Bahn, I was surprised to see the following UI:
(Deutsche Bahn account UI)
After the 2013 Yahoo security breach that compromised 3 billion user accounts, it should be common knowledge by now that security questions are a terrible idea. Why are they still a thing?
They Can Be Very Easily Guessed
The main idea behind security questions is that they’re safe and memorable. But with today’s social media, anyone can scroll through my posts and figure out the name of my high school mascot, and if I can remember it, then probably a lot of people can too.
This 2015 Google study confirmed that with only a single guess, an attacker would have a 19.7% chance of guessing an English-speaking user’s answer to the question “What is your favorite food?”.
With 10 guesses, an attacker would have a 24% chance of figuring out an Arabic-speaking user’s answer to the question “What was your first teacher’s name?” and a 39% chance of guessing a Korean-speaking user’s city of birth (and a 43% chance of guessing their favorite food).
Many different users also had identical answers to secret questions you’d typically expect to be unique, such as “What’s your phone number?” or “What’s your frequent flyer number?”.
Moreover, 37% of people deliberately provide false answers to their questions, thinking this makes them harder to guess, when in fact it makes them even easier to figure out.
They Can Be Brute-Forced
We demand that a user enter a password that contains lowercase and uppercase letters, numbers, and special characters.
But we hide the account recovery mechanism behind a silly question that can be brute-forced? This doesn’t make any sense to me!
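If a recovery question has to exist at all, the server side can at least stop treating it as a free-for-all. The following is an added example (not code from the article) of a recovery-answer check that addresses the two weaknesses this section describes: the answer is normalised and stored as a salted PBKDF2 hash rather than in plain text, it is compared in constant time, and every wrong attempt counts against a small budget after which the recovery path locks. The class name RecoveryGuard, the MAX_ATTEMPTS policy and the PBKDF2 work factor are this example's own choices, not a real library API.

```python
# Added example (not from the article): hashed, rate-limited recovery-answer check.
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 5         # assumed policy: lock recovery after five wrong answers
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to the deployment's hardware


def normalise(answer: str) -> str:
    """Canonicalise the answer so trivial variants ('Fluffy ' vs 'fluffy') match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the normalised answer (never store it in clear)."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)


class RecoveryGuard:
    """Per-account state for one security-question answer."""

    def __init__(self, answer: str):
        self.salt = os.urandom(16)
        self.digest = hash_answer(answer, self.salt)
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS

    def verify(self, attempt: str) -> bool:
        """Return True only for the right answer on an unlocked account.

        The hash is computed even when locked so response time does not reveal
        the lock state, and compare_digest keeps the comparison constant-time.
        """
        candidate = hash_answer(attempt, self.salt)
        ok = hmac.compare_digest(candidate, self.digest)
        if self.locked:
            return False
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        return False


def demo() -> dict:
    """Constructed scenario: a favourite-food answer with a tiny guess space."""
    guard = RecoveryGuard("Pizza")
    results = {}
    # Six attempts, the correct one last: the budget is exhausted before it is
    # reached, so the lock makes the small answer space irrelevant.
    attempts = ["pasta", "sushi", "tacos", "curry", "burger", "pizza"]
    results["attempt_outcomes"] = [guard.verify(a) for a in attempts]
    results["locked"] = guard.locked
    # Normalisation: spacing and case differences still match on a fresh account.
    results["case_insensitive"] = RecoveryGuard("  PIZZA ").verify("pizza")
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout counter would live in the account record in a real deployment, and the lock should be cleared only through a stronger channel (an e-mail or authenticator confirmation), never by waiting it out on the same endpoint.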
They Make Wrong Assumptions About Your Users
Maybe in the Western world, people can find security questions relatable. But I didn’t have a pet, I’m not good at remembering people’s names, and I was never married, so I never went on a honeymoon.
Growing up in North Africa, I didn’t even know what a maiden name meant, because where I come from, women don't take their husband's names.
So that left me with “What’s your favorite dish?”, and anyone who knows me can guess what that is.
That’s a terrible user experience that excludes anyone who isn't from the same cultural background as the person who developed the application. By doing so, we compromise their privacy because we narrow the questions that they might find relatable.
Conclusion
Today, many available services make authentication integration seamless.
Please implement a proper two-factor authentication flow instead of compromising your users’ privacy.
And next time someone asks me what my favorite dish is, it’ll be something like cOüs;Coū!68$!
Download the Open Source Daily app: https://2025.openingsource.org/2579/
Join us: https://2025.openingsource.org/about/join/
Follow us: https://2025.openingsource.org/about/love/