
For anything that involves human interaction for the verification, this doesn't really work.

I generate random strings for these and store them in my password manager. On several occasions I've called companies for whatever reason and they've asked these questions to verify my identity. When I say "oh it's a random string let me open my password manager to confirm it" they often reply with "oh it's ok, you're right it's gibberish" and consider me verified.




You can generate a pronounceable password based on dictionary words for such cases and get something that you can say over the phone like `leaf-auto-drunk-horse-zebra`. This is supported by any modern password manager.


I've taken to making them say "this is not random (insert password here)". Still haven't seen if that actually works in practice.


You’re probably still better off with reasonable but fake answers. First pet was named October, your parents met in Tennessee City, etc.


Had the same experience with Blizzard support a while ago. Now I follow the above poster's advice and use it as a secondary password, but make it pronounceable at least.


Yeah, I shouldn't have said 'gibberish' but rather random words / lies.

Just don't answer the questions basically.


Would an attacker know that you're the kind of person to type in gibberish?

Also, you don't need to type gibberish. If your mother's maiden name is Jones, you can enter her maiden name as Steenberger and store that in your password manager.


An attacker wouldn't have to know you are the kind of person who puts gibberish... "oh, shoot... sometimes I make up a fake name but sometimes I put gibberish... I can't remember which I used here"


You can always use a fake name/city/etc and store that in your pm.



