09 May 2010

Blacklists

From Sacramento Credit Union's FAQ:

Why are the Security Questions used?
The first time you log in and enroll in Protection Plus, you will be asked to enter five Security Questions and corresponding answers. The Security Questions are used if you do not want to register the computer you are currently using. With the Security Questions, we can make sure it is you logging in when you use different computers, such as an internet bar computer. The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words "insert," "delete," "drop," "update," "null," or "select."
Why can't I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

I suppose that superficially this explanation is reassuring, but what it suggests about the underlying implementation is both saddening and terrifying.

(Blacklisting is often the wrong approach.)
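To make the contrast concrete, here is an added example (not the credit union's code, nor anything from the original post) that puts a blacklist filter of the kind the FAQ implies beside a parameterized query. The table layout, the hashing of answers and the function names are assumptions; the blocked-word list is the one quoted above.

```python
import hashlib
import hmac
import sqlite3

# The restricted words quoted from the FAQ above.
BLOCKED_WORDS = ("select", "delete", "update", "insert", "drop", "null")


def blacklist_rejects(answer: str) -> bool:
    """Hypothetical filter of the kind the FAQ implies: reject apostrophes
    and any answer containing a blocked word, even inside a longer word."""
    lowered = answer.lower()
    return "'" in answer or any(word in lowered for word in BLOCKED_WORDS)


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE security_answers "
                 "(user TEXT, question_id INTEGER, answer_hash BLOB)")
    return conn


def _digest(answer: str) -> bytes:
    # Answers are case-sensitive per the FAQ; store a hash, not the text.
    return hashlib.sha256(answer.encode("utf-8")).digest()


def store_answer(conn, user: str, question_id: int, answer: str) -> None:
    # Parameterized: the driver binds the values, so quotes or SQL keywords
    # in the answer are plain data and never reach the SQL parser.
    conn.execute("INSERT INTO security_answers VALUES (?, ?, ?)",
                 (user, question_id, _digest(answer)))


def check_answer(conn, user: str, question_id: int, answer: str) -> bool:
    row = conn.execute(
        "SELECT answer_hash FROM security_answers "
        "WHERE user = ? AND question_id = ?", (user, question_id)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _digest(answer))


def count_answers_concatenated(conn, user: str):
    # The pattern a keyword blacklist tries to paper over: the value is
    # spliced into the statement text, so even a legitimate apostrophe
    # breaks the query. Returns None when the statement fails to parse.
    sql = "SELECT count(*) FROM security_answers WHERE user = '" + user + "'"
    try:
        return conn.execute(sql).fetchone()[0]
    except sqlite3.Error:
        return None
```

The blacklist turns away ordinary answers such as "O'Brien", "raindrop" or "Nullarbor", while the parameterized functions store and verify them without any word list at all.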
