Question

I was thinking about this for a while. Say we have an app for which there is an admin console, and we need to provide access to the admin console over the browser (yes, HTTPS).

For authentication, instead of asking for a password, would the following be more secure?

1. Prepare a set of very uncommon questions of very, very wide scope, the answers to which hardly any friends or family would know. At least it is safe to assume that no one person would know the answers to all those questions together. These questions can be about minor things that happen in your life and don't matter enough that you would tell anyone.
2. Store answers to these questions in a normalized form (trim whitespace, remove punctuation, etc.), and salt and hash them just like you do with passwords.
3. On login, ask these questions in random order (and ask only a subset of the questions, so that the set is different the next time the hacker attempts to log in). At the end, verify all the answers together, and if they are valid, log the user in.

I am wondering if this will be any more secure than the present methods around. If not, is there something I am missing?

Explanation / Answer

Some issues with this:

1. Signup would take a long time. That would be a major deterrent for many websites.
2. Privacy: you get a lot of information about someone, and if it's not something that everyone knows then obviously it's personal. It's one thing if your password table ends up on the streets; it's another when I can find out all kinds of tidbits about someone's personal life. Which brings me to the next point.
3. Re-use: for passwords at least you have the option to use a different one, but the answers to the questions won't change for the next site. If more websites did this and just one got hacked, what would prevent anyone from logging in left and right? Or even malicious administrators looking at the answers, either before hashing or after some form of brute-force attack.
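The three-step scheme from the question (normalize, salt-and-hash, challenge with a random subset and verify all answers together), followed by the brute-force point from the answer, as an added example that is not part of the original question or answer. The question bank, the enrolled answers and the colour wordlist are constructed for illustration; the IDs `q1`..`q4` and the function names are assumptions of this example.

```python
"""Question-based login as described in the post, plus the dictionary
attack the answer warns about. Added example; all data below is constructed."""
import hashlib
import hmac
import os
import secrets
import string
import unicodedata
from typing import Dict, List, Optional

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor for stored answers

# Constructed sample question bank (hypothetical IDs and wording).
QUESTIONS = {
    "q1": "What colour was your first bicycle?",
    "q2": "Which street did you live on in 2009?",
    "q3": "What was the name of your first pet?",
    "q4": "What did you eat for breakfast on your last birthday?",
}


def normalize(answer: str) -> str:
    """Step 2: Unicode-normalise, casefold, drop punctuation and collapse
    whitespace, so that 'Red!' and '  red ' compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = "".join(ch for ch in text if ch not in string.punctuation)
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash of the normalised answer, as one would do for a password."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, iterations)


def enroll(answers: Dict[str, str], iterations: int = ITERATIONS) -> Dict[str, dict]:
    """Store an independent random salt and digest per question."""
    stored = {}
    for qid, answer in answers.items():
        salt = os.urandom(16)
        stored[qid] = {"salt": salt, "iterations": iterations,
                       "digest": hash_answer(answer, salt, iterations)}
    return stored


def choose_challenge(stored: Dict[str, dict], k: int) -> List[str]:
    """Step 3: pick k distinct questions in random order for this login attempt."""
    ids = list(stored)
    return [ids.pop(secrets.randbelow(len(ids))) for _ in range(k)]


def verify(stored: Dict[str, dict], challenge: List[str], responses: Dict[str, str]) -> bool:
    """Step 3 continued: every challenged question is checked before returning,
    so response time does not reveal which individual answer was wrong.
    An empty challenge never authenticates."""
    ok = bool(challenge)
    for qid in challenge:
        record = stored[qid]
        digest = hash_answer(responses.get(qid, ""), record["salt"], record["iterations"])
        ok &= hmac.compare_digest(digest, record["digest"])
    return ok


def dictionary_attack(record: dict, candidates: List[str]) -> Optional[str]:
    """The answer's brute-force point in practice: a leaked record for a
    low-entropy question falls to a short wordlist, salt and iterations
    notwithstanding, and the recovered answer is reusable on every other site."""
    for guess in candidates:
        digest = hash_answer(guess, record["salt"], record["iterations"])
        if hmac.compare_digest(digest, record["digest"]):
            return guess
    return None


if __name__ == "__main__":
    answers = {"q1": "Red", "q2": "Elm Street", "q3": "Biscuit", "q4": "porridge"}
    stored = enroll(answers)
    challenge = choose_challenge(stored, 3)
    print("asked:", [QUESTIONS[q] for q in challenge])
    print("login ok:", verify(stored, challenge, {q: answers[q] for q in challenge}))
    colours = ["black", "white", "red", "blue", "green", "yellow",
               "pink", "purple", "orange", "silver"]  # constructed wordlist
    print("recovered q1 from leaked hash:", dictionary_attack(stored["q1"], colours))
```

Note that the salt and the iteration count only multiply the attacker's cost by the number of guesses; when the whole answer space is a few dozen colours or street names, that cost stays trivial, which is why hashing does not rescue low-entropy answers the way it helps a strong password.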
