Are the security questions hard enough?

Technical problems, questions, comments, and suggestions for the forum and wiki.

brimstoneSalad
neither stone nor salad
Posts: 10273
Joined: Wed May 28, 2014 9:20 am
Diet: Vegan

Are the security questions hard enough?

Post by brimstoneSalad »

We just had a spammer from China figure out the security questions, and spam a bunch of links to buy World of Warcraft gold or something.

I was surprised that they figured out the security questions. Kind of impressive, actually.
Tofu is to soybeans as Seitan is to _____
A form of animal cruelty where trained animals are used for entertainment
Islam is to the Qur'an as Christianity is to _______
Vegans don't, or try not to, consume any _____
Charles Darwin discovered and wrote about...
Name a famous Atheist 'horseman'
Which of these questions are too easy? Being easy to Google search may make them easier for people to crack.

Can you think of some better questions, that are harder to search the answers to?
Don't give the answers, just the questions.
TheVeganAtheist
Site Admin
Posts: 824
Joined: Sun May 04, 2014 9:39 am
Diet: Vegan
Location: Canada

Re: Are the security questions hard enough?

Post by TheVeganAtheist »

How about

1) Genesis is to the OT as ______ is to the NT
2) Muhammad supposedly flew on a ______ to heaven
3) The Bible is to Christianity as the ______ is to Judaism
4) Vegans don't, or try not to, wear ________ (multiple answers permitted)
Do you find the forum to be quiet and inactive?
- Do your part by engaging in new and old topics
- Don't wait for others to start NEW topics, post one yourself
- Invite family, friends or critics
miniboes
Master of the Forum
Posts: 1578
Joined: Mon Sep 15, 2014 1:52 pm
Diet: Vegan
Location: Netherlands

Re: Are the security questions hard enough?

Post by miniboes »

Perhaps they approach it like a password, trying out all sorts of words and characters? "The Bible", for example, would be a very insecure password. Perhaps it would be better to make it something you have to interact with?
"I advocate infinite effort on behalf of very finite goals, for example correcting this guy's grammar."
- David Frum
brimstoneSalad
neither stone nor salad
Posts: 10273
Joined: Wed May 28, 2014 9:20 am
Diet: Vegan

Re: Are the security questions hard enough?

Post by brimstoneSalad »

They only get five tries before being locked out for the session; it's pretty hard to brute force it. But maybe. I could reduce this to three, I guess?

All of them have multiple answers. I just added three of the four suggestions. #2 has about 47 possible answers listed. I want to catch anything remotely correct somebody might respond with. They only get a few chances to get these right.
PrincessPeach
Senior Member
Posts: 352
Joined: Sat Jun 28, 2014 1:36 pm
Diet: Vegan

Re: Are the security questions hard enough?

Post by PrincessPeach »

::sigh::
First of all the security questions should have nothing to do with anything
VEGAN or ATHEIST or anything closely related to those two things,
got it ?

also you should get some sort of SSL ... !!!

https://ssl.comodo.com/
Don't be a waste of molecules
brimstoneSalad
neither stone nor salad
Posts: 10273
Joined: Wed May 28, 2014 9:20 am
Diet: Vegan

Re: Are the security questions hard enough?

Post by brimstoneSalad »

PrincessPeach wrote: ::sigh::
First of all the security questions should have nothing to do with anything
VEGAN or ATHEIST or anything closely related to those two things,
got it ?
Why?
PrincessPeach
Senior Member
Posts: 352
Joined: Sat Jun 28, 2014 1:36 pm
Diet: Vegan

Re: Are the security questions hard enough?

Post by PrincessPeach »

brimstoneSalad wrote:
Why?
Shouldn't what just happened be your answer to as why?
The security questions need to be completely random and unrelated to anything that has anything to do with this forum!
I'm honestly surprised I had to tell you this, but I guess people just don't know... That's why it was so easy to hack...
&&Now it is my time to tell you guys
I TOLD YOU SO
&&
Should have listened to me when I told you to get SSL!!

If you get some basic encryption on this site it should better protect TVA from hackers, and maybe, just maybe, if you could also get an encryption level high enough to protect us users too; but TVA is more important, and it's cheaper to protect yourself on this site than everyone else.
Don't be a waste of molecules
brimstoneSalad
neither stone nor salad
Posts: 10273
Joined: Wed May 28, 2014 9:20 am
Diet: Vegan

Re: Are the security questions hard enough?

Post by brimstoneSalad »

PrincessPeach wrote: Shouldn't what just happened be your answer to as why?
Not really... it was one spammer. As far as I can tell, a human being (a gold farmer), not a bot, who solved it, and then made (or turned it over to a bot to make) a couple posts that were promptly deleted. I don't think it has been cracked by bots, or we'd have a flood of them.

Unless something is very transparent and easy to bot, most of this question solving is done by humans, not by brute force.
http://www.nytimes.com/2010/04/26/techn ... .html?_r=0

The answers aren't "vegan" or "atheist" (not so on the nose as that).
As the forum is getting bigger, we will have more human beings with eyes on these questions to let bots in the door to post, no matter how hard they are to brute force.

It's the difficulty to humans that I'm worried about.
PrincessPeach wrote: The security questions need to be completely random and unrelated to anything that has anything to do with this forum!
This issue isn't that simple. It's a matter of difficulty to spammers vs. difficulty for potential users.

By making the questions vegan and religion related, they become easier for potential users, without making them too easy to Google.
They become easier to brute-force, yes, but it's hard to brute force these anyway due to the attempt limits.

I think what has to be kept an eye out for is Google search replies being valid (which would make botting viable).

They could be questions about mathematics, but that would make them even easier for spammers from China who have no problem doing basic math... and unfortunately probably quite hard for dumb Americans. ;) Seriously, I've seen threads with people complaining about how hard it is to add 7 + 3 to register an account.
It is possible to write questions that are only easy for fluent English speakers, like linguistic riddles... but then that makes it difficult for our non-fluent vegan atheist friends from abroad (South America, Asia, the Middle East, and others) to join.

A question should be:
1. Hard to answer with a Google search
2. Not easy to guess, or based on basic math which any spammer could solve with a half a second of human attention
3. Easy for prospective members to answer.

And this is challenging.
I think the bottom line is that the questions may be too easy for one reason or another.
PrincessPeach wrote: That's why it was so easy to hack..
I don't think it was hacked. I think a human being with basic English skills saw it and answered it. Unless one of the questions turns up a result as a Google search. That's something I need to check.
PrincessPeach wrote: If you get some basic encryption on this site it should better protect TVA from hackers & maybe just maybe if you could also get an encryption level high enough to protect us users too but; TVA is more important & it's cheaper to protect yourself on this site than everyone else.
At this point, as the forum grows, it might be a good idea. We will start to become subject to hackers as the link real estate here becomes more valuable. And also just malicious hacking, from theists or carnists who hate us.
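The two mechanics brimstoneSalad describes in this thread, a small lockout budget per session (five tries, possibly reduced to three) and a list of many accepted spellings per question, are easy to get wrong in a hand-rolled registration check. The following is an added Python example written for this page, not code from the forum or from phpBB; the question bank, the answers and the session ids in it are constructed for illustration and are not the forum's real questions.

```python
"""Constructed example: a question-and-answer registration challenge with
several accepted answers per question and a per-session attempt limit.
Not the forum's code; the questions and answers below are made up."""
import hashlib
import hmac
import re
import secrets
import unicodedata

_ARTICLES = re.compile(r"^(the|a|an) ")


def normalize(text: str) -> str:
    """Canonicalise a submitted answer so spelling variants compare equal:
    Unicode NFKC, case folding, punctuation and hyphens turned into spaces,
    whitespace collapsed, and a leading English article dropped."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    text = re.sub(r"\s+", " ", text).strip()
    return _ARTICLES.sub("", text)


def _digest(answer: str) -> bytes:
    return hashlib.sha256(normalize(answer).encode("utf-8")).digest()


class QuestionBank:
    """Questions plus digests of their normalised accepted answers, so a dumped
    config or log does not list the answers in clear. Hashing does nothing
    against guessing over a tiny answer space; the attempt limit in
    ChallengeGate is what limits guessing."""

    def __init__(self, questions):
        self._questions = {
            qid: (text, [_digest(a) for a in answers])
            for qid, (text, answers) in questions.items()
        }

    def ids(self):
        return list(self._questions)

    def text(self, qid):
        return self._questions[qid][0]

    def accepts(self, qid, answer):
        given = _digest(answer)
        matched = False
        for stored in self._questions[qid][1]:  # check every digest, no early exit
            matched |= hmac.compare_digest(given, stored)
        return matched


class ChallengeGate:
    """Poses a random question per session and counts failures per session,
    as in the post above. A real deployment would also key the counter on
    the client address, since a spammer can simply open a new session."""

    def __init__(self, bank, max_attempts=5):
        self.bank = bank
        self.max_attempts = max_attempts
        self._issued = {}    # session id -> question id currently posed
        self._attempts = {}  # session id -> failed attempts so far

    def new_challenge(self, session_id):
        qid = secrets.choice(self.bank.ids())  # attacker cannot pick the easiest one
        self._issued[session_id] = qid
        return qid, self.bank.text(qid)

    def check(self, session_id, question_id, answer):
        """Returns 'ok', 'wrong' or 'locked'. After a failure the posed question
        is discarded, so the caller must call new_challenge() again."""
        if self._attempts.get(session_id, 0) >= self.max_attempts:
            return "locked"
        # Answering a question that was not posed to this session is a failure.
        posed = self._issued.pop(session_id, None) == question_id
        if posed and self.bank.accepts(question_id, answer):
            self._attempts.pop(session_id, None)
            return "ok"
        failed = self._attempts.get(session_id, 0) + 1
        self._attempts[session_id] = failed
        return "locked" if failed >= self.max_attempts else "wrong"


# Constructed question bank (hypothetical, not the forum's questions).
SAMPLE_QUESTIONS = {
    "q_sky": ("What colour is a clear daytime sky?", ["blue", "sky blue", "light blue"]),
    "q_hot": ("What is the opposite of hot?", ["cold", "cool", "chilly"]),
}

if __name__ == "__main__":
    gate = ChallengeGate(QuestionBank(SAMPLE_QUESTIONS), max_attempts=5)
    qid, text = gate.new_challenge("demo-session")
    print(text, "->", gate.check("demo-session", qid, "The Sky-Blue!"))
```

The normalisation step is what replaces a 47-entry answer list with a handful of canonical forms: casing, hyphens, trailing punctuation and a leading "the" are folded away before comparison, so only genuinely different answers need listing. The lockout counter is keyed on the session id exactly as the post describes, which is why the comment in the code points out that it should also be keyed on the client address in practice.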
PrincessPeach
Senior Member
Posts: 352
Joined: Sat Jun 28, 2014 1:36 pm
Diet: Vegan

Re: Are the security questions hard enough?

Post by PrincessPeach »

brimstoneSalad wrote:
Not really... it was one spammer. As far as I can tell, a human being (a gold farmer), not a bot, who solved it, and then made (or turned it over to a bot to make) a couple posts that were promptly deleted. I don't think it has been cracked by bots, or we'd have a flood of them.

Unless something is very transparent and easy to bot, most of this question solving is done by humans, not by brute force.
http://www.nytimes.com/2010/04/26/techn ... .html?_r=0

The answers aren't "vegan" or "atheist" (not so on the nose as that).
As the forum is getting bigger, we will have more human beings with eyes on these questions to let bots in the door to post, no matter how hard they are to brute force.

It's the difficulty to humans that I'm worried about.
::SMH::
You do realize that the answer to the security question doesn't have to match the question right?
You could have what is 1 + 1 and you could make the answer to that question uh IDK, DOG!?
Of course it wasn't a bot silly I never said that!

Really if you want to talk about good internet security that is my father's deal he knows all about that..

If you want I will e-mail you the link to OUR web hosting site and you can switch over and get the real security and good web hosting that you need!
Ever heard of tucows?
Since this website is PHP based, a Linux server would do wonders and lessen the likelihood of a threat :-)
We do offer windows too.
Don't be a waste of molecules
brimstoneSalad
neither stone nor salad
Posts: 10273
Joined: Wed May 28, 2014 9:20 am
Diet: Vegan

Re: Are the security questions hard enough?

Post by brimstoneSalad »

PrincessPeach wrote: ::SMH::
You do realize that the answer to the security question doesn't have to match the question right?
You could have what is 1 + 1 and you could make the answer to that question uh IDK, DOG!?
I do, but those kinds of tricky questions make it more difficult for legitimate users to register. Many users complain about having to search for the right answer to a non-obvious security question.

Yes, it could be written in the site banner, or something (since I don't think the spammers usually load the whole site), but if they did load the page, that would make it very easy for them all the same AND still harder for users, because they don't always notice that, or the users could have accessibility issues (blind) and be unable to read the answer there.

It's a balancing act of difficulty for the bot, vs. difficulty for prospective users. I'd rather have to clean up spam now and then than make it hard for a real person to join. I think TVA would probably agree on that point.

Now, making them trickier for spammers but still easy for prospective users: that's the golden ticket.
We could ask questions that require the users to be particularly smart. It would stop stupid people from joining though. Maybe that's a good thing? I'm not sure.

What I definitely still want to do is make posting links impossible for new users, but we've had trouble adding phpBB extensions.


I doubt TVA wants to migrate anywhere, but I'll ask him to look into some site security. It may be needed soon if we keep growing.