I wrote the following post over a year ago for identity.net – but since that blog no longer exists, I want to re-post it here.
One of the most common ways to “hack” into somebody’s account actually doesn’t involve hacking at all. The easiest method is simply to learn some information about them and then use the “forgot username” and “forgot password” features that many sites now offer.
Implemented wrongly, these features can actually be a very big security liability. The right way to do it is to ask the question, then send an email with password reset instructions (but not the actual password). The wrong way is to validate the user and then simply tell them their password.
Why? Because most security questions are very common and easy to figure out – so if I know a little bit about you, I can easily answer them.
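As an added illustration (not code from the original post), here are the two recovery flows side by side in Python: the weak one hands back the password once the security answer matches, while the safe one only mints a single-use, expiring reset token whose hash is stored server-side and whose link is what gets emailed. The user store, answer, and reset URL are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store (assumption for the example, not a real backend).
USERS = {
    "alice": {
        "password": "correct horse battery staple",  # kept in clear only to show the weak flow
        "answer_hash": hashlib.sha256(b"seventeen").hexdigest(),  # a slow KDF is preferable in production
    }
}
RESET_TOKENS = {}     # sha256(token) -> (username, expiry timestamp)
TOKEN_TTL = 15 * 60   # reset links are only valid for 15 minutes

def normalize(answer: str) -> str:
    """Collapse case and whitespace so 'Seventeen ' still matches 'seventeen'."""
    return " ".join(answer.strip().lower().split())

def answer_matches(username: str, answer: str) -> bool:
    """Compare the hashed answer in constant time; unknown users simply fail."""
    user = USERS.get(username)
    if user is None:
        return False
    given = hashlib.sha256(normalize(answer).encode()).hexdigest()
    return hmac.compare_digest(given, user["answer_hash"])

def weak_recovery(username: str, answer: str):
    """The wrong way: a guessable answer is all it takes to learn the password."""
    if answer_matches(username, answer):
        return USERS[username]["password"]
    return None

def safe_recovery(username: str, answer: str, now=None):
    """The right way: a correct answer yields an emailed reset link, never the password.
    Returns the link to email, or None."""
    now = time.time() if now is None else now
    if not answer_matches(username, answer):
        return None
    token = secrets.token_urlsafe(32)
    # Store only the token's hash so a leaked table cannot be replayed against accounts.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    return f"https://example.invalid/reset?token={token}"  # constructed URL

def redeem_token(token: str, now=None):
    """Consume a reset token exactly once; returns the username it unlocks, or None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```

Even the safe flow still hinges on the answer being hard to guess, which is the point the rest of the post makes.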
What makes a good security question? It’s not just about scarce information, it’s about non-public information.
Some of the most common questions are “What is your high school mascot?”, “What city were you born in?”, “What’s your favorite pet’s name?”, “What was your first street name?”, “What was your first phone number?” and “What is your company’s street name?”
The problem with these questions is that they’re all easily answered on my Facebook page. Birth information is public record – it can easily be looked up. So can my previous addresses, phone number, and where I work. It’s all out there somewhere on the internet.
Better questions are things like “What is your frequent flyer number?” or “What are the last 4 digits of your credit card number?” But even these fail. Many people other than me know my FF number, including my secretary, airline attendants, and TSA employees. The last 4 of your credit card won’t work either, since many sites list it as a way to identify transactions.
So what do you do? Simple: Let the user choose their own question.
A good question should be something that can’t be guessed or looked up, doesn’t change over time, and is easily memorable.
As a user, you should choose something that nobody can easily figure out. My favorite question is “What is your favorite prime number?” Another great one I use is something like “Last 3 words on page 15.” It’s useless to you unless you know what book I’m talking about. You could even use a Bible here, since there are so many versions in print that it’s almost impossible somebody else will have the same one as you. Another one I once used was “What’s my cell phone serial number?” It’s clearly printed on the back of my phone, and always in my pocket if I should need it. (Just remember to update your question if you get a new cell phone!)
Whether you’re implementing this feature on a website, or simply choosing your own security question – don’t pick something that others can easily guess or look up about you.
February 10th, 2010
In a fit of boredom the other day I went back and started reading questions posed to Matt Cutts in the latest Google Moderator grab bag. If you’re not familiar with this, it’s basically a forum where Matt takes questions from the community and answers them in videos on YouTube.
As I was reading through the questions, one theme kept popping up: Not only do many of you ask questions that you should already know the answer to, but a lot of you believe some crazy shit.
Now, there’s nothing wrong with trying to learn about SEO – I highly encourage everybody in any marketing-related field to do so – but most of you asking the questions had profiles where you refer to yourselves as ‘SEO experts.’ These aren’t questions experts should ask.
The one question that ran rampant (and thankfully Matt finally answered it) is the one about “how does Google treat links from Twitter and Facebook?”
I was shocked at how many people not only asked this question, but didn’t seem to know the answer already. The answer (as anybody who actually tested this can tell you) is that Google doesn’t hand code a flag or a weight for any specific sites. It just doesn’t scale well at all, and it would be a nightmare to manage on Google’s side. There’s no way they can do that manually.
But that isn’t the craziest of them all. There are tons of accusations out there about Google Chrome having an impact on the rankings. The best part here (as one of the commenters there points out) is that Chrome is open source. If anybody bothered to look at the code, they’d see that Chrome doesn’t phone home to Google about anything.
My other favorite SEO obsession is page speed. Google mentions something about how they like fast pages, and suddenly everybody goes off the deep end talking about how you need to ensure your pages load faster or you’re going to lose rankings. Seriously, think about that for a second. Would it make any sense at all for Google to show the faster page over the page that’s more relevant to the user’s query? Something tells me that users would be more interested in pages that relate to what they searched, not pages that load fast. Sure, if all else is equal then page speed can matter – but I’d rather spend my time working on making a useful page than a fast page.
Nofollow is another fun one. I’ve never understood why so many people obsess about something that, when it comes down to it, is completely out of their control. As an SEO, you have very little control over who links to you and whether or not they use a nofollow – so why even worry about it?
Do you really believe that registering a domain name for 10 years makes it somehow more relevant or useful to the user?
How many of you still talk about keyword density or the “google sandbox?”
Guess what, Adwords has nothing to do with your rankings. Neither does your choice of .com, .net, or .org. You don’t need to submit your site to the search engines, META keywords are useless, and there’s nothing (short of hacking) that your competitor can do to harm your rankings.
How do I know all of that? I’ve not only tested it, but I’ve applied common sense into my reasoning and asked myself some very relevant questions:
1. Does this make sense from Google’s perspective?
2. Would this result in more useful results for searchers?
You’d be amazed at what those questions can tell you.
If you’ve ever wondered why SEO has a “snake oil” reputation, maybe it’s because of all these crackpot theories that some of you believe.
It’s amazing how often people over-react to anything Matt Cutts says or how easily anything that Rand Fishkin or Danny Sullivan says is taken as truth. These guys don’t know everything, and they occasionally make mistakes.
Please, for the love of god, let’s start doing our own reasoning and testing before we subscribe to any more wacky theories.
February 10th, 2010