Posts: 2,163
Threads: 17
Joined: Sep 2014
Reputation:
77
(06-17-2017, 11:11 PM)jeffster Wrote: How did you get to that page? You need a card to register! You have connections or something?

Go to the site, and then click the links on the left side.
Or maybe this ridiculous URL will work:
https://grteasygofarecard.ca/grt-web/pag...64711370C9
Posts: 6,905
Threads: 32
Joined: Oct 2014
Reputation:
224
It also assumes that I drink! Or have eyes, to see colours. HOW OFFENSIVE
Posts: 10,834
Threads: 67
Joined: Sep 2014
Reputation:
392
Water?
That said, I hate these "secret questions" that ask for favourite this or that. What if I don't have a favourite colour or a movie, for example? Please have concrete questions where I can make sure I use a factual answer!
Posts: 6,905
Threads: 32
Joined: Oct 2014
Reputation:
224
It has to be a question that is something personal to you. It can't be "How high is the CN Tower?" because anyone can know that. It has to be something about you, like a preference, or how many toes you have.
Posts: 2,893
Threads: 3
Joined: Mar 2015
Reputation:
99
(06-18-2017, 12:11 AM)Markster Wrote: (06-17-2017, 11:11 PM)jeffster Wrote: How did you get to that page? You need a card to register! You have connections or something?

Go to the site, and then click the links on the left side.
Or maybe this ridiculous URL will work:
https://grteasygofarecard.ca/grt-web/pag...64711370C9
Invalid login, it wants me to register a card first, which I don't have.
Doesn't matter.....I'll wait.
Posts: 8,012
Threads: 39
Joined: Jun 2016
Reputation:
215
@Canard
I think we understand the concept of a security question. But it doesn't have to be a preference; preferences are bad because they change over time. It should be something hard to discover and relatively permanent.
Generally though, security questions are just a bad way of handling password reset. This set of questions is nearly pessimal, but even good ones aren't great. Ten years ago this was as good as it gets; today, we really have better options.
Again, what frustrates me as a software developer is how much money is spent on this type of software which really isn't very good.
Posts: 6,692
Threads: 38
Joined: Aug 2014
Reputation:
118
06-18-2017, 09:24 AM
(This post was last modified: 06-18-2017, 10:22 AM by panamaniac.)
(06-18-2017, 07:55 AM)tomh009 Wrote: Water?
That said, I hate these "secret questions" that ask for favourite this or that. What if I don't have a favourite colour or a movie, for example? Please have concrete questions where I can make sure I use a factual answer!
There are only one or two "secret questions" I can use knowing that I won't have forgotten my response the next time it comes up. Even "address growing up" - did I just use the street name, or did I add "Street"? Pain in the a**, all of it!
Posts: 4,599
Threads: 16
Joined: Aug 2014
Reputation:
150
I'm holding out just a bit of hope that this is an early, unpolished version of the site and it will be improved before the cards fully launch. But that may be asking too much.
Certainly, a wider variety of options on the questions should be provided, on more obscure but concrete things - what is the first name of your oldest nephew, etc.
Posts: 10,834
Threads: 67
Joined: Sep 2014
Reputation:
392
What street did I live on when I was 10 years old? What is the first name of my mother's oldest brother? What colour was my first car? What was the first name of my first boss? What city did I fly to on my first flight? What city was my mother-in-law born in? All of these definitive, permanent and hard for someone else to discover.
If we need to have security questions, at least we should spend 10 minutes coming up with some decent ones (no software development cost difference between good questions and bad questions!).
Posts: 437
Threads: 2
Joined: Jun 2015
Reputation:
59
06-18-2017, 01:02 PM
(This post was last modified: 06-18-2017, 01:09 PM by kps.)
(06-18-2017, 07:28 AM)Canard Wrote: Or have eyes, to see colours.
Well, your first car did have a colour, whether you could see it or not. (Obligatory Google ad.)
⋮
The US NIST no longer recommends security questions, and specifically forbids questions of that type:
Quote:The CSP SHALL NOT use KBV questions for which the answers do not change regularly over a period of time (e.g., What was your first car?).
Posts: 140
Threads: 2
Joined: Jan 2015
Reputation:
8
I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.
Posts: 8,012
Threads: 39
Joined: Jun 2016
Reputation:
215
(06-18-2017, 01:02 PM)kps Wrote: (06-18-2017, 07:28 AM)Canard Wrote: Or have eyes, to see colours.
Well, your first car did have a colour, whether you could see it or not. (Obligatory Google ad.)
However, one may not necessarily have a first car, especially for transit users.
Quote:The US NIST no longer recommends security questions, and specifically forbids questions of that type:
Quote:The CSP SHALL NOT use KBV questions for which the answers do not change regularly over a period of time (e.g., What was your first car?).
This is interesting, the suggestion is that questions should change over a period of time. This basically entirely defeats the purpose of the questions, in that one may recall the answers at a later time.
Posts: 8,012
Threads: 39
Joined: Jun 2016
Reputation:
215
(06-18-2017, 03:04 PM)highlander Wrote: I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.
So, think of the average user: the average user doesn't even know what a password manager is, let alone how to use one. But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.
Not that it's a great system anyway, these questions are both guessable and also hard to remember. Security questions should be a relic of the past.
Posts: 6,692
Threads: 38
Joined: Aug 2014
Reputation:
118
06-18-2017, 10:42 PM
(This post was last modified: 06-18-2017, 10:43 PM by panamaniac.)
(06-18-2017, 10:30 PM)danbrotherston Wrote: (06-18-2017, 03:04 PM)highlander Wrote: I didn't know people actually answered these honestly. I just generate a random password as an answer and store it in an encrypted note in my password manager. The actual questions don't matter.
So, think of the average user: the average user doesn't even know what a password manager is, let alone how to use one. But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.
Not that it's a great system anyway, these questions are both guessable and also hard to remember. Security questions should be a relic of the past.
Leading many to use a single password for all purposes. Terrible practice, but what can they do?
Posts: 8,012
Threads: 39
Joined: Jun 2016
Reputation:
215
06-18-2017, 11:06 PM
(This post was last modified: 06-18-2017, 11:06 PM by danbrotherston.)
(06-18-2017, 10:42 PM)panamaniac Wrote: (06-18-2017, 10:30 PM)danbrotherston Wrote: So, think of the average user: the average user doesn't even know what a password manager is, let alone how to use one. But also, this entirely defeats the purpose of the security questions, the purpose being that in the event you lose your password (for example, if your password manager database is lost), you are able to securely identify yourself another way by knowing this information about yourself independently from your password.
Not that it's a great system anyway, these questions are both guessable and also hard to remember. Security questions should be a relic of the past.
Leading many to use a single password for all purposes. Terrible practice, but what can they do?
Well, accept that people will do this and implement better two-factor auth systems for starters.
We have this discussion with roads, you cannot fix people, our systems should accept that and accommodate our failings instead.
This type of thing would be excusable 10 years ago, but now we have much better options.