University admissions in the UK are handled by the University and College Admissions Service (UCAS). I’ve recently had the displeasure of the opportunity of using their website. First of all, the first screen presents you with 10 million different titles:
Titles include HRH (Her Royal Highness), Lady, Lord, Duke, Rear Admiral, Father, Colonel, Prof (would you really be applying to a university undergrad course?).
You’re asked to provide a secret questions. Now I never saw the point of secret questions: “What is your favourite food?” is one of those questions which good acquaintances should know the answer to. My password is fairly secure and I’m not going to forget it, so secret questions simply increase the attack surface of my account.
UCAS doesn’t ask for just one secret question, but four. Out of the provided questions, there were probably one or two questions which nobody else would have known the answer to. Four of them? No way. The worse thing is, a random secret question comes up when you try to recover a password. So all four secret questions need to be secure. That’s not gonna happen.
The UCAS website allows you to import your registration details from your UCAS card. This is kinda like a student card which offers you discounts in shops and things (in exchange for loads of junk mail). During the registration process, you can enter any UCAS card number and it’ll fill in the address of the owner of that card.
The thing is, your UCAS card number is displayed on your card. So anyone can type in your UCAS card number on the registration form and find out your address. That’s a security issue.
I don’t normally rant about these kind of things but seeing as everybody who is applying to university in the UK needs to use this website, things should really be changed.