Grand River Transit
What street did I live on when I was 10 years old? What is the first name of my mother's oldest brother? What colour was my first car? What was the first name of my first boss? What city did I fly to on my first flight? What city was my mother-in-law born in? All of these are definitive, permanent and hard for someone else to discover.

If we need to have security questions, at least we should spend 10 minutes coming up with some decent ones (no software development cost difference between good questions and bad questions!).
Reply


(06-18-2017, 07:28 AM)Canard Wrote: Or have eyes, to see colours.

Well, your first car did have a colour, whether you could see it or not. (Obligatory Google ad.)



The US NIST no longer recommends security questions, and specifically forbids questions of that type:
Quote: The CSP SHALL NOT use KBV questions for which the answers do not change regularly over a period of time (e.g., What was your first car?).
Reply
I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.
Reply
(06-18-2017, 01:02 PM)kps Wrote:
(06-18-2017, 07:28 AM)Canard Wrote: Or have eyes, to see colours.

Well, your first car did have a colour, whether you could see it or not. (Obligatory Google ad.)

However, one may not necessarily have a first car, especially for transit users.

Quote: The US NIST no longer recommends security questions, and specifically forbids questions of that type:
Quote: The CSP SHALL NOT use KBV questions for which the answers do not change regularly over a period of time (e.g., What was your first car?).

This is interesting: the suggestion is that questions should change over a period of time. This basically entirely defeats the purpose of the questions, in that one may recall the answers at a later time.
Reply
(06-18-2017, 03:04 PM)highlander Wrote: I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.

So, think of the average user, the average user doesn't even know what a password manager is, let alone how to use one.  But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.

Not that it's a great system anyway, these questions are both guessable and also hard to remember.  Security questions should be a relic of the past.
Reply
(06-18-2017, 10:30 PM)danbrotherston Wrote:
(06-18-2017, 03:04 PM)highlander Wrote: I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.

So, think of the average user, the average user doesn't even know what a password manager is, let alone how to use one.  But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.

Not that it's a great system anyway, these questions are both guessable and also hard to remember.  Security questions should be a relic of the past.

Leading many to use a single password for all purposes.  Terrible practice, but what can they do?
Reply
(06-18-2017, 10:42 PM)panamaniac Wrote:
(06-18-2017, 10:30 PM)danbrotherston Wrote: So, think of the average user, the average user doesn't even know what a password manager is, let alone how to use one.  But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.

Not that it's a great system anyway, these questions are both guessable and also hard to remember.  Security questions should be a relic of the past.

Leading many to use a single password for all purposes.  Terrible practice, but what can they do?

Well, accept that people will do this and implement better two factor auth systems for starters.

We have this discussion with roads: you cannot fix people, so our systems should accept that and accommodate our failings instead.

This type of thing would be excusable 10 years ago, but now we have much better options.
Reply


(06-18-2017, 10:42 PM)panamaniac Wrote:
(06-18-2017, 10:30 PM)danbrotherston Wrote: So, think of the average user, the average user doesn't even know what a password manager is, let alone how to use one.  But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.

Not that it's a great system anyway, these questions are both guessable and also hard to remember.  Security questions should be a relic of the past.

Leading many to use a single password for all purposes.  Terrible practice, but what can they do?

There is a huge and fundamental difference between a single password which is revealed to numerous entities, and storing multiple secure passwords in a single password store that are all unlocked by the same secure password. Note too that the password store password is never sent over the network at all.

My bugaboo is the inability to set a randomly determined password consisting of, say, 8 lowercase letters. Note the “randomly determined”. 8 random lowercase letters give way more password choices than the usual “my dog’s name with a capital letter, digit, and punctuation appended” sort of password choice mechanism, and are way easier to type.

Also some sites don’t even allow Safari’s randomly-chosen password, which consist of several blocks of upper- and lower-case letters and digits, combined with dashes.

So the correct way for a password system to work is to allow Safari’s (or your favourite browser) password store to auto-generate its passwords. If a higher level of security is truly needed, issue two-factor tokens. If it’s too expensive to do so, then the higher level of security is not obtainable, full stop. OK, not full stop, I continue to say that it probably isn’t actually needed. Any situation where the higher level is needed probably has enough resources floating around that two-factor is feasible.

A site can also allow Facebook/Google/… logins. That is especially appropriate for relatively low-security situations like a transit agency fare account login. This avoids all the issues associated with storing and updating passwords — essentially you outsource an entire section of the application, and avoid cluttering people’s lives with yet more rarely-used passwords.
Reply
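A worked comparison of the two password schemes kps describes above, added here as an example that is not part of the original thread: it counts the search space of 8 randomly chosen lowercase letters against the "dog's name plus capital, digit and punctuation" pattern, and generates such a password with a CSPRNG. The 10,000-name pool for the pattern is an assumed figure for illustration.

```python
import math
import secrets
import string

# Assumption (constructed figure): a "my dog's name" style password draws
# its base word from a pool of roughly this many common names.
NAME_POOL = 10_000
DIGITS = 10
PUNCTUATION = len(string.punctuation)  # 32 ASCII punctuation characters


def random_lowercase_password(length=8):
    """Return `length` lowercase letters chosen with a CSPRNG (secrets)."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def keyspace_random_lowercase(length=8):
    """Number of distinct passwords of `length` random lowercase letters."""
    return 26 ** length


def keyspace_name_pattern(name_pool=NAME_POOL):
    """Number of distinct 'Name' + one digit + one punctuation passwords.
    Capitalising the first letter adds no choice: it is applied to every name."""
    return name_pool * DIGITS * PUNCTUATION


def bits(keyspace):
    """Entropy in bits of a uniform choice from `keyspace` candidates."""
    return math.log2(keyspace)


def advantage_ratio(length=8, name_pool=NAME_POOL):
    """How many times larger the random-letter space is than the pattern space."""
    return keyspace_random_lowercase(length) / keyspace_name_pattern(name_pool)


if __name__ == "__main__":
    print("sample password:", random_lowercase_password())
    rnd, pat = keyspace_random_lowercase(), keyspace_name_pattern()
    print(f"8 random lowercase letters: {rnd:,} choices, {bits(rnd):.1f} bits")
    print(f"name + digit + punctuation: {pat:,} choices, {bits(pat):.1f} bits")
    print(f"random letters give about {advantage_ratio():,.0f} times more choices")
```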
Good news! A Google-derived anti-bot system has been added to their security!

[Image: bhwkrHZ.gif]
Reply
(06-19-2017, 07:13 PM)isUsername Wrote: Good news! A Google-derived anti-bot system has been added to their security!

[Image: bhwkrHZ.gif]

Please tell me this post was meant for April 1.
Reply
LLOLOLOLOLOLOL
Reply
Anyone else find it ironic that the iXpress 200 takes about 50% longer to go from Conestoga Mall to DTK than the #7 milk-run. Now, yes, the 7 is a much more direct route, but it's also the same time as the #6 which also goes far out of the way.
Reply
(06-21-2017, 02:34 PM)danbrotherston Wrote: Anyone else find it ironic that the iXpress 200 takes about 50% longer to go from Conestoga Mall to DTK than the #7 milk-run.  Now, yes, the 7 is a much more direct route, but it's also the same time as the #6 which also goes far out of the way.

Yeah, the construction detours really killed the 200's schedule. It's always been faster to take the 7C from downtown than the 200, but it's gotten much worse.

Route 6 has always been a bit of a secret. It's not excessively out of the way, and it runs on much faster roads, and makes fewer stops due to fewer passengers. If you're going between downtown and Conestoga Mall, it's actually a very sane choice! If it's bad weather, it's almost certainly going to be more reliable than the 7.
Reply


(06-21-2017, 02:52 PM)Markster Wrote:
(06-21-2017, 02:34 PM)danbrotherston Wrote: Anyone else find it ironic that the iXpress 200 takes about 50% longer to go from Conestoga Mall to DTK than the #7 milk-run.  Now, yes, the 7 is a much more direct route, but it's also the same time as the #6 which also goes far out of the way.

Yeah, the construction detours really killed the 200's schedule. It's always been faster to take the 7C from downtown than the 200, but it's gotten much worse.

Route 6 has always been a bit of a secret.  It's not excessively out of the way, and it runs on much faster roads, and makes fewer stops due to fewer passengers.  If you're going between downtown and Conestoga Mall, it's actually a very sane choice!  If it's bad weather, it's almost certainly going to be more reliable than the 7.

Yes, although ironically, a friend of mine says he doesn't like the 6 because it's like a milk run.
Reply
So there's been a change to the design of paper schedules (again!) - last year they changed from having a flush-to-the-corners design to one with a bit more free space, presumably to improve readability, but they still maintained an 'abstracted' map design - a thematic map with just the roads relevant to the route, rectified and straightened, as they've had for the last 5-7 years or so.

But now they've started to introduce accurate maps - actual geographically correct route maps, no abstraction allowed.

And the absurd part is, all of these designs are currently in use to some degree or another, depending on the specific route - I pulled these fresh off the rack at Charles Street. Yikes.

[Image: 5Tb1GXP.png]
Reply