According to GoodSecurityQuestions.com (yes, there really is a site by that name), the best IT security questions meet five criteria:
- Safe: cannot be guessed or researched
- Stable: does not change over time
- Memorable: can be remembered
- Simple: is precise, simple, consistent
- Many: has many possible answers
Crafting the right 'secret questions' used for resetting forgotten passwords is no simple task, and for some platforms it is critical to preserving mission-critical data. Often, the questions used aren't so secret after all. According to an older study entitled "It's no secret: Measuring the security and reliability of authentication via 'secret' questions," not only were 17 percent of participants able to answer the 'secret questions' of strangers, but the most popular questions were in fact the easiest ones to answer.
But here's the thing: there's "secret," and then there's plain silly. And last Friday afternoon, I encountered silliness.
Ever since Microsoft bought Skype, things have been weird. It's not just my friends and me griping about it, either. Run a quick Twitter search on the subject to unveil some gems.
Skype has become one of the worst apps/services available now. Thanks, Microsoft. You've ruined yet another good thing.
— Jesse Ⓦ Petersen (@jpetersen) March 6, 2014
For me, the "good thing" is using Skype daily to work with clients. A "bad thing" is when I've rebooted my system, forgotten my password, and run through a series of Microsoft authentication tasks to try to retrieve it. That's what happened last week.
As a preface to this, let me just confess: I do need a better password management solution. Sure, I'll concede that. But the rest of this escapade is bizarre nonetheless.
After three failed attempts, I was logged out of Skype. Makes sense. But the team at Skype can't go through a series of identity-confirming questions over the phone or on chat to unlock an account, and issue a temporary password. Users are required to complete a "verification form."
I'm no expert on cyber security like my friends over at Narus (who developed the finest B2B content marketing I've ever seen for such a dry subject). However, I do know common sense. And this, my friends, is a ridiculous question to make mandatory in your process:
A quick glance back at Garry Scoville's GoodSecurityQuestions.com criteria, and this kind of "secret" question fails on a very practical measure.
Like any well-networked techie, what's the first thing you do? Call up some friend who works at Microsoft and blame it solely on them! In this case, it was a tweet, and my former Intel colleague was coming to my rescue.
But it was all in vain. Alas, I didn't possess the necessary identifying credentials.
@mattwoodget @Yammer 31 hours, I'm either voting in the GOP South or trying to get on @Skype but I'm "unidentifiable" pic.twitter.com/zHth0ZLqJT
— Andre F Bourque ♕ (@SocialMktgFella) November 16, 2014
The weekend passed and I felt a sense of relief not to hear Skype's version of "You've got mail" on my dashboard. Then on Monday morning the blessings of the IT gods were bestowed upon me, and one savvy customer support guy did what a half dozen others could not: he made a spelling correction to my account email address.
Today I Skype again, and I've promised my former colleague I'll find a better password management solution. But for the rest of you out there who rely on Skype for your everyday business, know your facts.
.@skype wants users to verify the mo.+ yr their Skype account was setup, for acct verification #SkypeDay #security pic.twitter.com/mQPH6p2NaL
— Andre F Bourque ♕ (@SocialMktgFella) November 17, 2014
Know your #SkypeDay. What's yours?