Grand River Transit - Printable Version
+- Waterloo Region Connected (https://www.waterlooregionconnected.com)
+-- Forum: Waterloo Region Works (https://www.waterlooregionconnected.com/forumdisplay.php?fid=14)
+--- Forum: Transportation and Infrastructure (https://www.waterlooregionconnected.com/forumdisplay.php?fid=25)
+--- Thread: Grand River Transit (/showthread.php?tid=13)
RE: Grand River Transit - Markster - 06-18-2017

(06-17-2017, 11:11 PM)jeffster Wrote: How did you get to that page? You need a card to register! You have connections or something?

Go to the site, and then click the links on the left side. Or maybe this ridiculous URL will work: https://grteasygofarecard.ca/grt-web/pages/public/register_card.jsf?s=F4AE9D0B7870D5948BEC0408F8D05864711370C9

RE: Grand River Transit - Canard - 06-18-2017

It also assumes that I drink! Or have eyes, to see colours. HOW OFFENSIVE

RE: Grand River Transit - tomh009 - 06-18-2017

Water?

That said, I hate these "secret questions" that ask for favourite this or that. What if I don't have a favourite colour or a movie, for example? Please have concrete questions where I can make sure I use a factual answer!

RE: Grand River Transit - Canard - 06-18-2017

It has to be a question that is something personal to you. It can't be "How high is the CN Tower?" because anyone can know that. It has to be something about you, like a preference, or how many toes you have.

RE: Grand River Transit - jeffster - 06-18-2017

(06-18-2017, 12:11 AM)Markster Wrote:
(06-17-2017, 11:11 PM)jeffster Wrote: How did you get to that page? You need a card to register! You have connections or something?

Invalid login, it wants me to register a card first, which I don't have. Doesn't matter.....I'll wait.
RE: Grand River Transit - danbrotherston - 06-18-2017

@Canard I think we understand the concept of a security question. But it doesn't have to be a preference; preferences are bad because they change over time. It should be something hard to discover and relatively permanent.

Generally though, security questions are just a bad way of handling password reset. This set of questions is nearly pessimal, but even good ones aren't great. Ten years ago this was as good as it gets, today, we really have better options.

Again, what frustrates me as a software developer is how much money is spent on this type of software which really isn't very good.

RE: Grand River Transit - panamaniac - 06-18-2017

(06-18-2017, 07:55 AM)tomh009 Wrote: Water?

There are only one or two "secret questions" I can use knowing that I won't have forgotten my response the next time it comes up. Even "address growing up" - did I just use the street name, or did I add "Street"? Pain in the a**, all of it!

RE: Grand River Transit - KevinL - 06-18-2017

I'm holding out just a bit of hope that this is an early, unpolished version of the site and it will be improved before the cards fully launch. But that may be asking too much.

Certainly, a wider variety of options on the questions should be provided, on more obscure but concrete things - what is the first name of your oldest nephew, etc.

RE: Grand River Transit - tomh009 - 06-18-2017

What street did I live on when I was 10 years old?
What is the first name of my mother's oldest brother?
What colour was my first car?
What was the first name of my first boss?
What city did I fly to on my first flight?
What city was my mother-in-law born in?

All of these definitive, permanent and hard for someone else to discover. If we need to have security questions, at least we should spend 10 minutes coming up with some decent ones (no software development cost difference between good questions and bad questions!).
RE: Grand River Transit - kps - 06-18-2017

(06-18-2017, 07:28 AM)Canard Wrote: Or have eyes, to see colours.

Well, your first car did have a colour, whether you could see it or not. (Obligatory Google ad.)

⋮

The US NIST no longer recommends security questions, and specifically forbids questions of that type:

Quote: The CSP SHALL NOT use KBV questions for which the answers do not change regularly over a period of time (e.g., What was your first car?).

RE: Grand River Transit - highlander - 06-18-2017

I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.

RE: Grand River Transit - danbrotherston - 06-18-2017

(06-18-2017, 01:02 PM)kps Wrote:
(06-18-2017, 07:28 AM)Canard Wrote: Or have eyes, to see colours.

However, one may not necessarily have a first car, especially for transit users.

Quote: The US NIST no longer recommends security questions, and specifically forbids questions of that type:

This is interesting, the suggestion is that questions should change over a period of time. This basically entirely defeats the purpose of the questions, in that one may recall the answers at a later time.

RE: Grand River Transit - danbrotherston - 06-18-2017

(06-18-2017, 03:04 PM)highlander Wrote: I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.

So, think of the average user, the average user doesn't even know what a password manager is, let alone how to use one. But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.
Not that it's a great system anyway, these questions are both guessable and also hard to remember. Security questions should be a relic of the past.

RE: Grand River Transit - panamaniac - 06-18-2017

(06-18-2017, 10:30 PM)danbrotherston Wrote:
(06-18-2017, 03:04 PM)highlander Wrote: I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.

Leading many to use a single password for all purposes. Terrible practice, but what can they do?

RE: Grand River Transit - danbrotherston - 06-18-2017

(06-18-2017, 10:42 PM)panamaniac Wrote:
(06-18-2017, 10:30 PM)danbrotherston Wrote: So, think of the average user, the average user doesn't even know what a password manager is, let alone how to use one. But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.

Well, accept that people will do this and implement better two factor auth systems for starters. We have this discussion with roads, you cannot fix people, our systems should accept that and accommodate our failings instead. This type of thing would be excusable 10 years ago, but now we have much better options.