Hacker News new | past | comments | ask | show | jobs | submit login

I strongly second this concern. I generate random strings as answers to my recovery questions. When I recently got asked one of the questions the support rep let out a sigh when asking (presumably because he saw the "crazy" answer) and then said "yeah yeah, alright" when I was about half way through the answer. That any company even suggests these insane security questions that anyone can trivially research is completely beyond me.



An idea I just had which is buried in a deep thread lower down...

Not that I trust the "security questions", but if Amazon lets you use freeform questions as well as answers, it might help to make your first security question "Have you noticed this account has two factor authentication turned on?" with an answer like "Yes, so Amazon Customer Service will take additional care when being asked to reveal account information, right?"

Even if you can't do freeform questions, perhaps the answer to "What's your mother's maiden name?" could be something like "Have you noticed this account has two factor authentication turned on? Please take extra care before disclosing account details to anyone, Thanks."


I would recommend strongly against that. You'd be far better off picking something plausible, so if someone does impersonate you it's obvious.

Remember it's a human verifying this. The attacker just needs to answer: "oh, yeah i just spammed the keyboard with some jibberish" and he's in.

The other thing I noticed by the attacker going after me, sometimes he'd call/contact the service multiple times in a row. All he needs to do is find out from 1 support rep that the reset password is randomly generated. Then tell another support rep that its "some jibberish" and he's in.


For those sort of "mother's maiden name" type questions, I generally use a fake but plausible name. Probably not as secure as a random string (especially as the name is reused across a few services), but makes it near impossible to research, and avoids a random string not being accepted/treated as an error/truncated like your example etc.


> I generate random strings as answers to my recovery questions.

What's your favourite football team? -> Genghis Khan 2nd XI What was your first school called? -> Little Horrors School for Hackers

etc. Easier to say, you won't lose the customer service rep's attention either :)




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: