Security Questions are Insecure

I’m sure it is an example of the Baader-Meinhof Phenomenon, but I’ve seen quite a few comments lately about people having their eBay, Facebook, or other online account “hacked” by their parents. One such example came from this month’s issue of Psychology Today:

One morning I woke to discover my bank account overdrawn by thousands of dollars. In a late-night shopaholic moment she’d hacked both my PayPal and eBay accounts–easily answering my security questions like “in which hospital were you born?” and “what’s your mother’s maiden name?”—and bought more antique French dishes than we could ever eat off of.

As the author states, her accounts were compromised because common security questions are, inherently, things that other people know. We like to believe that the people who know this information about us won’t use it and that the “evil hacker” somewhere on the internet won’t have access to it. Neither of these things is true. You can only tell so many different websites your mother’s maiden name before one of them is hacked and that answer is forever associated with your email address.

How to Protect Yourself

  • Lie. As long as you can remember the answer, make one up.
  • Some websites allow you to set your own question. This is a simple solution, as you can pick a question and answer that is both unique to that site and limits the number of other people who know the answer. Just avoid picking question and answer combos that are from your favorite movie or TV show. Scripts are readily available online and easily Google-able.
  • Treat the answers to security questions like one more password. Select another strong password and use it instead of the real answer.

Use A Password Manager to Handle Security Questions
I’m a big advocate of using a password manager, like KeePass, to generate strong passwords and keep track of them. You can also use these programs to “answer” security questions and record your made up answers.

KeePass makes this easy with the “Advanced” tab attached to each entry. You click “Add” and then you’re able to enter any other values to keep track of. There’s even an option for “Enable in-memory protection” which treats the answer as sensitive and masks it out in the preview screen.

My high school mascot was really a walrus...

When I use this option to track my answers to security questions, I also use KeePass to generate the answer. This is as simple as clicking on “Tools” and then “Generate Password List” where a list of several secure answers will appear on the “Preview” tab. Some websites limit what you can type in the security answer, so you may need to generate a password without any special characters to use it as an answer.
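The two practical points above (an answer is one more password, and some sites only accept letters and digits) can be shown in a short script. This is an added example, not code from the post or from KeePass: it generates answers from a CSPRNG with an alphabet restricted to what a site allows, checks an answer against a hypothetical site policy, and audits a small constructed vault of (site, question, answer) entries for the reuse problem described earlier, where the same true answer given to several sites is exposed when any one of them is breached. The site names, the policy limits and the sample vault are all constructed for the example.

```python
"""Added example (not from the post): generate security-question answers the
way a password manager would, check them against a site's field rules, and
audit a vault for answers reused across sites."""
import math
import secrets
import string
from collections import defaultdict

# Alphabets a site's answer field might permit. Some sites reject punctuation,
# so the default generator alphabet is letters and digits only.
ALPHANUMERIC = string.ascii_letters + string.digits
WITH_SPECIAL = ALPHANUMERIC + "!@#$%^&*-_=+"


def generate_answer(length: int = 20, allow_special: bool = False) -> str:
    """Random answer drawn with the secrets module (a CSPRNG), the same way a
    manager generates a password. Pass allow_special=True only when the site
    accepts punctuation in the answer field."""
    if length < 1:
        raise ValueError("length must be positive")
    alphabet = WITH_SPECIAL if allow_special else ALPHANUMERIC
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def fits_site_policy(answer: str, allowed: str = ALPHANUMERIC,
                     max_length: int = 32) -> bool:
    """Check an answer against a (hypothetical) site's field restrictions:
    non-empty, at most max_length characters, only characters in `allowed`."""
    return 0 < len(answer) <= max_length and all(c in allowed for c in answer)


def find_reused_answers(vault):
    """Return {answer: sorted sites} for every answer used on more than one
    site. `vault` is a list of (site, question, answer) tuples, the kind of
    data a manager keeps in an entry's extra fields. Answers are compared
    case-insensitively, since most sites normalise them that way."""
    sites_by_answer = defaultdict(set)
    for site, _question, answer in vault:
        sites_by_answer[answer.strip().lower()].add(site)
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}


# Constructed sample vault: two sites answered truthfully with the same
# maiden name, one answered with a generated value.
SAMPLE_VAULT = [
    ("auction-site.example", "Mother's maiden name?", "Smith"),
    ("payments.example", "Mother's maiden name?", "smith"),
    ("bank.example", "Mother's maiden name?", "k7Qm2pX9vL0sTbN4eW3a"),
]

if __name__ == "__main__":
    answer = generate_answer(20)
    print("generated:", answer, "policy ok:", fits_site_policy(answer))
    print("bits, 20 alphanumeric chars:",
          round(entropy_bits(len(ALPHANUMERIC), 20), 1))
    print("bits, 20 chars with specials:",
          round(entropy_bits(len(WITH_SPECIAL), 20), 1))
    print("reused across sites:", find_reused_answers(SAMPLE_VAULT))
```

Running the script prints a fresh answer, the entropy of the two alphabets (about 119 bits for 20 alphanumeric characters, which is far beyond anything a family member or a breached database can supply), and flags "smith" as reused on two sites. The audit function is the piece worth keeping: run it over the entries you already store and replace any answer that shows up more than once.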

Conclusion
Even if you are vigilant about choosing strong passwords, answering common security questions honestly can often weaken the safety of your online accounts. To protect yourself, treat security questions like one more password field. As always, this is made easier by using a password manager to generate and track your passwords.

New Gig, New Tools

I’m going to be temporarily putting my work with Seven Languages in Seven Weeks on hold so that I can explore some new PHP tools. I’ve accepted an offer at a new company, starting later this month, and want to devote some time to learning the tools they’ve picked out. For starters, we’ll be using Zend Framework 2 for the application that I’ll be focusing on.

I have experience with the original Zend Framework but, when ZF2 and Symfony 2 were released, went the Symfony 2 route instead. Looking through the Getting Started with Zend Framework 2 tutorial, I see things that are similar to both frameworks that I’m familiar with. That’s one of the awesome things about the PHP-FIG: cross pollination.

I definitely intend to return to the exploration of new languages, but I want to be able to hit the ground running on this new project. Stay tuned.

Io, Io, it’s off to work we go

The second language covered in Seven Languages in Seven Weeks is Io. If you’re like me and enjoy Googling for help learning a new language, this one is tough. The only real sources of information about Io seem to be the official website and answers to the questions raised in this very book. As of this writing, there are only 39 questions tagged with “iolanguage” on StackOverflow (compare to Ruby’s 71,477).

That being said, Tate picked Io because he “struck JavaScript because it was too popular and replaced it with the next most popular prototype language…” He also indicated that he had a much stronger understanding of how JavaScript worked after learning Io.

One thing I struggled a bit with is that most commands in Io read backwards compared to the languages I’m used to, though not always.

# PHP
print "Hello, World!";
echo "Hello, World!";

# Io
"Hello, World!" print
write("Hello, World!")

In the first example, Io is sending the message print to the sequence “Hello, World!” while, in the second example, the sequence is being passed to the write method as an argument. Loop constructs can also work from either side.

# 0..9
for(i, 0, 9, i println)
10 repeat(i, i println)

Tate does spend a section talking about how Io is powerful when building a domain-specific language. Like Ruby, Io lets you replace any built-in functionality with new versions. For example, in one of the daily lessons, the book has you replace the built-in division operator (“/”) with one that returns zero if the divisor is zero.

Overall, I felt that the real meat of this section was in the first lesson, while the other days were merely code exercises. I found this section severely lacking compared to the one on Ruby, which is Tate’s “native” language. I won’t know if that is a criticism of the book or just this section until I finish the next.

The Positive Programmer on Ruby

[text: “ruby on rails is different, but I’m open to new ideas”, photograph of a bullet train, named for its ability to kill people that get in its way]

Ruby == Mary Poppins

Prior to reading Seven Languages in Seven Weeks, my exposure to Ruby was very limited. In a “hands on” sense, my only experience was installing Graylog2, a log management package. It is written in Ruby and I needed to work with Rake to get it installed. This wasn’t hard as PHP’s Composer draws heavy inspiration from Rake.

Other than that, my knowledge of Ruby was what I gleaned from the occasional blog post that hit the front page of HN comparing PHP and Ruby. Most of them focus on syntax and how much less code you have to write in Ruby to accomplish the same thing.

Bruce A. Tate explains this as syntactic sugar, “those little features that break the basic rules of the language to give programmers a little friendlier experience and make the code a little easier to understand.” And, throughout this chapter, I was able to really see that mentality shine. From tools to easily list the methods available on an object, to the names of boolean methods ending with a question mark, it really felt like a language in which clean, readable code is easy to create.

I found all of the examples and self-study challenges easy to complete, probably in part because Ruby is a loosely-typed, object-oriented language just like PHP. Thanks to its well-written API documentation and StackOverflow, anything I needed to look up was easily found.

In the last few pages of the chapter, Tate touched on the weaknesses of the language. I knew that performance was a concern as, years ago, the Penny Arcade folks were bemoaning their Rails site. On top of that, I worry that Ruby might lend itself to easily creating “clever” code that’s hard to debug and change. Tate really emphasizes Ruby as a tool to get your product to market, which lets you worry about scaling issues later; this was the case for Twitter, which started out in Ruby and then rewrote core parts of its application in Scala.

Seven Languages in Seven Weeks

I have always recommended Teach Yourself Programming in Ten Years to junior developers as a path to expand their skills. With some gentle prodding from a friend, I’ve decided that it’s time to take some of my own advice and focus on one of the recommendations from that article:

Learn at least a half dozen programming languages. Include one language that supports class abstractions (like Java or C++), one that supports functional abstraction (like Lisp or ML), one that supports syntactic abstraction (like Lisp), one that supports declarative specifications (like Prolog or C++ templates), one that supports coroutines (like Icon or Scheme), and one that supports parallelism (like Sisal).

My professional work has been almost exclusively with PHP and JavaScript. I did a number of VB projects during school and there are always a few tools you need to use or modify in other languages, but my experience with Ruby, Python and Perl doesn’t extend much beyond configuration, compiling and installation.

Recently I read through a good bit of Learn You a Haskell for Great Good! but I feel like I need a resource that’s more dedicated to teaching me what makes a language different and what it excels at, rather than an API reference guide. Enter Seven Languages in Seven Weeks by Bruce A. Tate.

I Will Take you Beyond Syntax
To really get into the head of a language designer, you’re going to have to be willing to go beyond the basic syntax. That means you’ll have to code something more than the typical “Hello, World” or even a Fibonacci series.

The book covers Ruby, Io, Prolog, Scala, Erlang, Clojure and Haskell which gives an amazing smattering of different typing and programming models. I’m really looking forward to working through the programming examples and challenges in the book.