I got forced to set up similar things when I lost my iPad password. My problem was they only had a very limited set of questions and for many of them I had no answer, or didn't know the answer... I've only ever owned one car, I didn't have a favourite or hated teacher, etc.
iTunes fanbois outraged by Apple's sex-life quiz probe
Apple iTunes users are peeved at being made to answer a three-part questionnaire about their cars and where they had their first kiss as part of a compulsory security regime. The new measures sparked outcry on the support forums with punters deriding the interrogation as easy to guess and inappropriate. Fanbois are required to …
-
-
-
Tuesday 1st May 2012 11:01 GMT Robert Carnegie
They don't say that.
In fact, some services have a contractual condition that you must provide true information.
Another service I've used wants to know the name of my favourite actor AND wants me to log in regularly and change the answer. What, so now I'm obliged to appreciate culture whimsically? Presumably they want me to be their loyal customer, but I can't be loyal to Ashton Kutcher? (...For example.) Also, presumably I have to keep the answers secret... the love that dare not speak its name... What if I secretly become a stalker (of whichever favourite actor we're talking about), and then, through no fault of my own, I get caught? Maybe I should just put down Glenn Beck; no one will guess that.
-
-
-
-
Wednesday 2nd May 2012 06:50 GMT Steven Roper
@ Graham Marsden
Not really a good question, since it's a yes-no answer, giving crooks a 50% chance of getting it. Oh wait, scratch that: you're pretty guaranteed to get it right by simply answering "no", since given Apple's track record of deliberately bricking jailbroken devices, no fanboi would actually admit to having jailbroken one to Apple, even if they have.
-
-
Tuesday 1st May 2012 08:45 GMT alain williams
Least favourite job
For plenty of people that question is a complete non-starter, it implies that they have had at least 2 jobs ... what about the lazy arses who have never bothered to work? Ditto cars - unless you count the ones that they have nicked, or even know who their father is.
I suppose that they do need to provide a list of questions, most people would not be able to come up with things themselves - although it would be nice for those who are more able.
-
Tuesday 1st May 2012 08:53 GMT Anonymous Coward
Verify or die
The company I work for made us answer similar questions to verify our identities over the phone. They wanted the answers to six questions but we had to choose from their examples, a list they had to increase when people found it hard to pick good ones.
Alas there was no validation on the input form they used to collect the answers, so you could have the same question multiple times (a facility I used when I could only think of answers to five questions). You could also have a different answer to the same question so it will be interesting to see if anyone attempted that - I was sorely tempted.
That said I think a previous commentard said it best when they said you don't have to give "correct" answers. My first car was actually the space shuttle and my favourite music is the sound of a thousand tortured souls.
No I don't work for Microsoft.
-
-
Wednesday 2nd May 2012 06:50 GMT Steven Roper
@ItsNotMe
I always put my DOB as 20 July 1969 (the day of the Moon landing). It's only a few years+months after my actual birth date, so it doesn't arouse suspicion with regard to my physical age, and Dad getting me out of bed to watch Armstrong give his famous speech on the telly, is my earliest childhood memory - hence the day I was "born" to my own awareness.
Only my bank and certain government agencies have my real DOB (which given said agencies' propensity for USB sticks, laptops and trains probably means world+dog have it by now anyway!)
-
-
Tuesday 1st May 2012 08:55 GMT davefb
re making stuff up
Well, that's a genius idea isn't it.. because obviously in 6 months when asked for the answers again, I'm obviously going to know the same made up answers.
Got the same questions last week, only the first set was usable, the second set, I think I could answer, though it depends on the mood which childhood friend I'd pick (I moved and that's the only question I think has a memorable answer) and the 3rd, that was hopeless.
grrreat..
-
Tuesday 1st May 2012 09:40 GMT jai
Re: re making stuff up
Making stuff up is the only safe way to do it - if you give a real answer, then someone is going to be able to guess it or work it out.
I've been doing it for years. By now, I have a set of answers for most of these types of questions, the answers are completely unrelated to my life, but I know them well. It's no harder than having to remember a dozen different passwords or differing complexity here at work. And at least these types of questions don't have to be changed every 30 days.
-
Wednesday 2nd May 2012 10:54 GMT FatGerman
Re: re making stuff up
"It's no harder than having to remember a dozen different passwords or differing complexity here at work."
I've got a pretty good memory for facts, but I struggle to remember two passwords because they have to be made-up stuff with "at least one digit and one capital letter". If I start making up answers to security questions as well I'll start doubting my own identity pretty soon.
-
-
-
-
Tuesday 1st May 2012 09:14 GMT Anonymous Coward
Re: I faced these questions last week
And don't forget Apple's new password which requires upper and lower case letters as well as numbers. I'm not sure how many times I've changed that in the last few weeks after wholly forgetting the last one.
Surely any true Apple fan will answer 'Who was your best childhood friend' with 'Steve Jobs'?
-
Tuesday 1st May 2012 09:19 GMT Anonymous Coward
Had one of these sets of security questions a few years ago on some site ... asked me where I went on my first holiday - however "Ireland" was rejected as not being a valid answer!
Meanwhile Olympic ticketing site had "name of best friend" as backup question to get password reset. When I forgot what combination of capitalization/numeric/symbols I'd had to use in my password I had to go through the "forgot your password" routine and got asked the "name of best friend" ... my wife was not impressed that it took me a couple of wrong answers before I realized that I should be putting her name in!
-
Tuesday 1st May 2012 09:19 GMT adamgarretty
The older I get the less sympathy I have for people who continue to use products that aren't suited to them. Don't like iTunes or Facebook? Well, stop using them because it's the only way companies learn.
Usability is rarely tested, we adapt to how the device works instead. I'm a sucker for it too but it's amazing how easy it is to stop using something if you shorten your fuse and decide to just stop using them - I just adapt like I did before.
-
Tuesday 1st May 2012 09:23 GMT Jedit
"I literally cannot choose from the 2nd set of questions, none of them apply"
Fascinating. For none of the second set of questions to apply, you would have to have had no friends as a child and never have had a job or gone to school. While I can see someone buying into Apple because they have no mates and are desperately seeking approval, surely it's unlikely that the others don't apply?
-
Tuesday 1st May 2012 15:16 GMT Anonymous Coward
Also, you'd have to be 12 years old ...
... for the one about "where were you on 1st Jan 2000" not to apply.
So why is this kid trying to rent a movie anyway? And whose credit-card was he planning to use, because he clearly can't have one of his own? Sounds to me like these questions have just prevented a kid from ordering stuff from iTunes on his parent's credit-card, which is exactly what they were supposed to do in the first place.
So, everything is working exactly as intended and the questions are entirely fit for purpose.
-
Tuesday 1st May 2012 09:27 GMT Anonymous Coward
Oh look! Another excuse to bash apple!
Never let it be said that El Reg lets an opportunity to take a snide swipe at Apple and use 'Fanbois' repeatedly in an article! This is no exception. A non issue if ever I heard one.
There are billions of examples of crap password systems in the world, it's just
A) The Reg hate Apple
B) The Reg are Pro Android
C) The Reg lacks integrity.
Keep up the click bait fellas, you need to pay the bills somehow!
-
Tuesday 1st May 2012 16:57 GMT Tom Maddox
Re: Oh look! Another excuse to bash apple!
I believe the tone of the review may have had something to do with it. You'll have noted that El Reg often uses rhetorical devices like sarcasm and irony, the intent of which is frequently lost on Jobsian cultists, resulting in Aggravated Butthurt in the First Degree, from which Apple has clearly not recovered.
-
Wednesday 2nd May 2012 04:31 GMT Arctic fox
@Tom Maddox RE: "I believe the tone of the review............"
It is interesting. Most of the majors realise that one of the ways that El Reg attracts readers from amongst professional (and enthusiastic amateur) techies is precisely its style of insouciant satire and cynicism. It is an observable fact that all of them end up on the receiving end of the "treatment" on a regular basis. Plus the fact that those of the readership who do have a strong affinity for this or that company (note how politely I expressed that, -:P) do adore seeing the one they in fact love to hate being subjected to an "El Regging". In sum, the style attracts one of the key potential customer groups that these companies wish to attract the attention of. However, the former CEO of A Famous Mobile Device Company was of the type to take these matters very personally, something which perhaps explains why they (still) have a tendency to react to El Reg's mischief in the way they do.
-
Tuesday 1st May 2012 09:31 GMT ukgnome
Typical El Reg
They do love to bait the apple users don't they.
Even I am getting bored of their "fanboi, fruity, jobsian, jesus mobe" load of old balls.
They do something to help protect misuse of iTunes, and the credit card details of its users and they are branded pathetic or out of touch. A bit like El Reg of late!
-
Tuesday 1st May 2012 09:49 GMT Anonymous Coward
Re: Typical El Reg
"They do something to help protect misuse of iTunes, and the credit card details of its users and they are branded pathetic or out of touch."
I think you're missing the point; they aren't being slagged off for "doing something to help prevent misuse of iTunes"; they're being slagged off for doing it in a crap way.
You could probably Google for a set of questions that produce reliable, personal, and secure answers; but instead they've done the "quirky" thing and produced a set of questions that give unreliable results or are easily cracked.
-
-
Tuesday 1st May 2012 09:57 GMT Richard Jones 1
Dealing With The Silly Aspects of The World
OK in this case Apple can easily be criticised for the silly irrelevant fixed questions, and sorry if that or the next bit upsets you 'ukgnome', but Apple stupidity has upset me often enough in the past so it is no worse than one all. Yes the questions are stupid, my iPod using disabled daughter will never have a car, first second or third. Nor will many of this type of irrelevant questions apply to her.
However, several comments have already pointed out that stupid questions desire stupid answers and are only really a set of extra passwords. They may need to be recorded - and that probably breaks some rule or another, but hey so what?
I have often resorted to the tag '<name of company>Cr*p'. Oddly enough I have no trouble remembering that one! Obscene or other suggestive responses are quite useful as long as you tie them into the negative aspects, (or positive if you are that way inclined) of the company in question.
-
Tuesday 1st May 2012 10:05 GMT Steve King
Security
I know that prevention is better than cure, but it'd really help their security if they changed things so that once your account has been hacked and your computers de-authorised in favour of the hackers, you could either:
1. De-authorise their computers without waiting 12 months (yes, you do really have to wait that long)
2. Find some 'suspend this account' button to put a temporary halt on things while you got it sorted out
3. Find an email address or phone number to report the problem (if Amazon can, why can't Apple?).
4. Have a way to delete the account entirely as a last resort
Yes, it did happen to me, and my password was not as easy to guess as Joe Average's might be.
I changed the credit card and changed the account password to some random garbage and deleted iTunes from all my computers. I don't really miss it, but if they fix points 1-4 I might risk it again.
-
Tuesday 1st May 2012 10:43 GMT hmmm
Security questions are hard
I know it's easy to laugh at Apple, but setting these sort of questions is difficult. I've worked in security, and I've had to set similar questions - particularly now in the era of Facebook and LinkedIn, it's harder and harder to find questions that are
i) Memorable
ii) Not available online or known to your friends
iii) Unique
iv) Won't change in the near future
Give the security guys a break - they don't want to be asking you where your first kiss was, but if people insist on putting the details of their life online what else can they do ;)
-
Tuesday 1st May 2012 10:47 GMT Anonymous Coward
Apple are funny
My daughter set the answers to our shared account (no credit card information on this account by the way so no fear of being made bankrupt by the little dear) and typically couldn't remember what she put (PS. Apple, my daughter doesn't have a favorite job, first car, first house, etc as she is 12!)..anyway I logged on and tried to reset the answers (no joy). I went on the support sites..."simple" they said, log on to your account and reset them at appleID...."ah, but you need to answer them first in order to change them...and ps you can't make your own question up, like it suggests....". "Oh", they said "in that case we need you to send us some proof of who you are"......"Like, what" says me ......"Credit card, last purchase and answer one of the security questions" says they...."You don't know my credit card, I've never bought anything from iTunes and I DON'T KNOW THE ANSWERS to the questions"...
My final e-mail basically said "thanks for nothing" - to which they replied that they were happy that they managed to solve my problem and that I was thanking them, and this would be added to their 'job well done' stats... LOL
What pisses me off the most was that the new questions were brought in without warning, and according to Apple, they would send an e-mail to confirm that you wanted to set/change the questions (i.e. that the e-mail owner would get a message saying somebody was trying to change the answers, is this OK?) but no....they send a NOTIFICATION that the questions HAVE been changed....there's f**k all you can do about it after that.
Ho hum - luckily it's easy just to create a few more accounts - but they still aren't getting my credit card number.
PS. I recommend going for the theme suggestion somebody made earlier.
-
-
Tuesday 1st May 2012 12:45 GMT Anonymous Coward
Re: qwertyuiop
At work we have a system that forces password changes periodically, and for "added security" you can't repeat a character in the same position as previous passwords (not just the previous password.) In addition to this meaning I have to write all the passwords down so I can successfully get a new password, I have had to come up with an easily guessable 'theme' (qwertyui1, wertyuq2 etc) so I can change my pw without having to work out acceptable character combinations with pen and paper like it's a bloody crossword puzzle.
AC obviously as slagging work a bit.
-
Tuesday 1st May 2012 14:03 GMT Anonymous Coward
Re: qwertyuiop
AC for the same reason.
We have an automated password reset system. You get to choose three security questions from a list and provide the answers. When attempting to set it up, it forces that no common words be found in the answers and in the questions (a bug, I assume).
It's impossible to choose three questions from the canned list of which at least two do not contain some of the same words.........<slow handclap>
-
Tuesday 1st May 2012 17:33 GMT Anonymous Coward
Re: qwertyuiop
> for "added security" you can't repeat a character in the same
> position as previous passwords
Fantastic. That's password sadism.
My favourite is being asked "what are the 3rd, 9th and 17th characters" of $whatever. I really can't imagine how you could do that without writing it down.
Actually qwertyuiop works nicely in that case - the Nth character is right below the N key...
-
-
Tuesday 1st May 2012 13:27 GMT Handler
Quite amazing that people will scream and shout, call out the authorities and file lawsuits when their data is exposed due to weak security, but will balk whenever an attempt is made to improve that security, inane questions notwithstanding. It doesn't matter what the questions are, just the answers.
-
Tuesday 1st May 2012 13:43 GMT auburnman
Of course it matters what the questions are: they help you remember the answers. If you didn't have a memory fault you wouldn't be trying to recover your password would you?
I hate the ambiguity in the default questions same as others here; did I put down the answer to "my first job" as the shelf-stacking I did as a teenager, or my first salaried role when I moved to a city? Much better if you can set your own questions in a fill in the blanks style, i.e. "My first boss was Barry ______."
-
-
Tuesday 1st May 2012 16:05 GMT toadwarrior
I don't see what the issue is (aside from the Reg gagging for any way to mention Apple) because all they did is create a positive & negative version of pretty much every standard reminder question.
The reason being is that is what most people would pick anyway. It would be nice to have it being free text but that won't necessarily fix the problem unless you pick something really obscure.
That's why I like the pre select question, you put something completely unrelated in and it will be much harder for them to get rather than your honest answer to "what colour are my mittens?" Or whatever you pick.
-
Tuesday 1st May 2012 19:19 GMT Marty McFly
I like the ones where I get to make up the question. I actually had my bank's call center ask me:
"How much wood would a woodchuck chuck if a woodchuck would chuck wood?"
The poor girl barely got through it without busting out laughing. And no, I won't tell you the correct answer as it is memorable only to me.
-
Tuesday 1st May 2012 21:18 GMT PJI
Customer respect.
The thing stinks of some young yank who has been no further than his nearest McD coming up with a clever wheeze.
Somebody should remind them that a lot of customers are over 16 and live a long way from USA. I abhor seeing American spelling and cultural assumptions used in my small country of nearly 70 millions. I should have thought any yank firm should be able to translate to English just as well as they can to German or different dialects of Spanish, out of respect for customers often paying higher than USA prices.
-
Tuesday 1st May 2012 23:04 GMT GoGlen
I laugh at these simple "security" scenarios :(
OK, not; I envy them. I work in the civilian healthcare industry for the US Military. Our security must comply with Department Of Defense requirements.
15 character password, minimum 1 upper, 1 lower, 1 number, 1 special.
Must change every 60 days
Must change more than 4 characters/time
No dictionary words embedded in the password
Cannot re-use any of the last 24 passwords.
Account is locked after 3 failed attempts within 1 hour - meaning a max of 71 attempts/day if you were timing it for a guess every 20.05 minutes.
(so how can one "crack" a 15-char ugly password with 71 guesses/day?)
Security questions? Must supply 6 questions, unique answers, min 4 chars each. Answer like 4 of them to initiate a reset.
>means your first car better not be a BMW.
>my favorite movie shifts, as does my favorite music, food, etc.
>> Solution? Complex formula, I had to write a code for, so I can generate my pw. I'm a geek... how are doctors or nurses supposed to handle this? THEY WRITE IT ON A POST-IT NOTE.
-
Wednesday 2nd May 2012 03:03 GMT Richard 126
Re: I laugh at these simple "security" scenarios :(
I have a friend who works in a place with this sort of security. Every 2 months she changes her password 24 times in one day to clear the usage limits then reuses the password she started with and carries on. Not good but better than writing it down on a post it note.
-
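Added example, not part of either comment above: a sketch of the "last 24 passwords" rule GoGlen lists, showing why the same-day cycling Richard 126 describes gets past it unless a minimum password age is also enforced. The class and function names, the one-day minimum age and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import deque
from datetime import datetime, timedelta


class PasswordHistory:
    """Salted hashes of the current and most recent passwords of one account."""

    def __init__(self, first_password, now, depth=24,
                 min_age=timedelta(0), iterations=600_000):
        self.salt = os.urandom(16)
        self.iterations = iterations      # lower it only for quick demos
        self.min_age = min_age            # assumed control, not in GoGlen's list
        # The deque forgets the oldest entry once `depth` are stored.
        self.hashes = deque([self._hash(first_password)], maxlen=depth)
        self.last_change = now

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.iterations)

    def change(self, new_password, now):
        """Return (accepted, reason); record the password if accepted."""
        if now - self.last_change < self.min_age:
            return False, "too soon since last change"
        candidate = self._hash(new_password)
        if any(hmac.compare_digest(candidate, old) for old in self.hashes):
            return False, "matches a remembered password"
        self.hashes.append(candidate)
        self.last_change = now
        return True, "ok"


def cycle_back(history, original, start, step):
    """Replay the cycling from the comment: `depth` throwaway changes spaced
    `step` apart, then an attempt to set the original password again."""
    now = start
    for i in range(history.hashes.maxlen):
        now += step
        accepted, _ = history.change(f"Throwaway-{i:02d}-Passw0rd!", now)
        if not accepted:
            return False
    return history.change(original, now + step)[0]


if __name__ == "__main__":
    t0 = datetime(2012, 5, 2, 9, 0)          # constructed timestamps
    pw = "Constructed-Sample-Passw0rd!"      # constructed sample password
    history_only = PasswordHistory(pw, t0, iterations=1_000)
    with_min_age = PasswordHistory(pw, t0, min_age=timedelta(days=1),
                                   iterations=1_000)
    minute = timedelta(minutes=1)
    print("history only, cycled in one day:", cycle_back(history_only, pw, t0, minute))
    print("with one-day minimum age:       ", cycle_back(with_min_age, pw, t0, minute))
```

With a one-day minimum age the same cycle still works if the changes are spread over 24 days, so the setting raises the cost of cycling rather than removing it.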
-
Wednesday 2nd May 2012 00:48 GMT Smithson
I fell afoul of this change myself a couple of weeks back, and despite the disbelief of several commentards above, I also had a selection of questions for which I had no answer. Don't drive, didn't hate a teacher (more than any other), wouldn't describe any particular friend as being "better" than the others, don't remember where I was on 1st Jan 2000, etc. But then if you remember it, you weren't really there, or so I hear.
So if I ever come to forget my iTunes password, or whatever circumstance where you're expected to answer these questions, I'll have to guess at what my fictional answer/s were, undoubtedly get them wrong, and get banned for being no better than a News of the World account "hacker". There are several better ways to prevent children from running up big bills on iTunes. "Don't give them your sodding credit card number, you lunatic" being quite high on the list.
-
Wednesday 2nd May 2012 02:07 GMT Bilby
As security gets tougher to crack, the legitimate user gets more and more likely to destroy it himself, by writing the password/passphrase/answers to security questions/etc. on a post-it stuck on his monitor.
Increasing complexity is a diminishing returns game; the most secure system is therefore somewhere at the simple end of the spectrum. This is doubly true for 'unmonitored' security - the boss might come down on you for writing down your passwords at work, but no-one will know or care if you do the same with your iTunes passwords at home.
The old system was likely more secure than the new one. If you were the only person who knew your password, all was good - until you were required by poor memory and mandatory 'improved' security to have the information needed for your children/spouse/flatmate/etc. to change that password written down next to your computer.
-
Wednesday 2nd May 2012 06:34 GMT The MaJiK Man
Typical over blown non-issue by El-Reg
Slow news day for Apple bashing so let's try this one (El Reg motto).
If Apple had made it more difficult it would have been bashed for that.
Simple if you don't like Apple, use the many alternatives available. No one is forced to use Apple.
The questions are just a simple method to help you set up 3 new passwords. You can put any answer. If you can't remember 3 words then write them down somewhere and password protect that with any question you care to ask.
Get a Mac, Get a life.
Martin
-
Wednesday 2nd May 2012 07:35 GMT stanimir
security questions
1. copy/paste the text of security question.
2. add salt - the number (or combination of the digits) of the "first" bank card (keep it private and safe, it has expired long time ago)
2.5. use the salt in symmetric key algo like rc4
3. put the result into some non-popular hash function like twister.
....??
profit
-
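Added example, not part of stanimir's comment: one way to treat each security answer as a secret derived from the question text, as the comment proposes. It swaps the RC4 and "twister" steps for HMAC-SHA256 from the Python standard library, and it assumes a random master secret kept in a password manager; the site name, questions and the `version` counter are constructed for illustration.

```python
import base64
import hashlib
import hmac
import unicodedata


def normalise(question: str) -> str:
    """Canonical form of the question text, so that changes in case, spacing
    or trailing punctuation on the site do not change the derived answer."""
    text = unicodedata.normalize("NFKC", question).casefold()
    return " ".join(text.split()).rstrip("?.! ")


def derive_answer(master: bytes, site: str, question: str, version: int = 1) -> str:
    """Derive a per-site, per-question answer from one master secret.

    HMAC-SHA256 is a keyed one-way function: an answer that leaks from one
    site reveals neither the master secret nor the answer to any other
    question. Raising `version` gives a fresh answer when a site insists
    that the answer be changed.
    """
    if len(master) < 16:
        raise ValueError("master secret should be at least 16 random bytes")
    message = "\x00".join([site.casefold(), normalise(question), str(version)])
    digest = hmac.new(master, message.encode("utf-8"), hashlib.sha256).digest()
    # 10 bytes = 80 bits; base32 turns them into 16 characters, no padding.
    token = base64.b32encode(digest[:10]).decode("ascii").lower()
    # Groups of four are easier to type or read out to a call centre.
    return " ".join(token[i:i + 4] for i in range(0, len(token), 4))


if __name__ == "__main__":
    # Constructed master secret for the demo only; a real one would come
    # from os.urandom(32) and live in a password manager.
    master = bytes(range(32))
    for q in ("What was your first car?",
              "Who was your best childhood friend?"):
        print(q, "->", derive_answer(master, "example-store", q))
```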
Wednesday 2nd May 2012 08:41 GMT janimal
I used to be a developer at a chemical engineering firm.
They used to enforce a set of rules for password construction and you had to change it every 60 days. This ended up being far too much work for the limited IT staff.
They changed the system to remove the construction rules & enforced 60 day change and instead constantly ran brute force & dictionary attacks on everyone's passwords. If your password got cracked you had to change it.
I was able to retain mine for the remaining 5 years I stayed at the company.
-
Wednesday 2nd May 2012 09:41 GMT Anonymous Coward
Demonstrates three things which would otherwise be difficult to believe...
1. That anyone would get worked up in the first place over such innocuous security questions.
2. That an IT news site would consider it worth reporting what those worked-up asses were saying to each other.
3. That the readers of said news site would consider it worth writing (currently) 117 comments about the story.
Seem to be too many people in the IT business with not enough to do.