Years ago for my university student account, you were allowed to provide the question.
I figured I would never need to use it, so I set the question to "Dicks?". I was very immature and thought that was funny.
A few years later after the semester break I forgot my password. I had to email IT to reset it, and they replied "Please provide the answer to your security question: Dicks?". And I had to reply "Yes no problem, the answer is Dicks". It was an awkward email exchange, but in my defence I had immediately remembered the answer so it served its purpose.
As someone who forges security questions, and at the risk of playing No True Scotsman, we keep these answers in the database with our passwords.
And yeah, if we lose the database I guess we're screwed, but tbh, after ample backups, the risk of the database being leaked is way higher than the risk of losing it despite replication.
> I ran into one once that had a 6-character minimum length for the answer
This is a problem too, but at least it works if you manage to talk to a living person - even if you don't remember exactly how you wrote something, you can prove you know the answer to the security question. With 'cp359-qreor-534wej' as an answer you have no chance.
Same. I use random passwords for any required security questions. It is funny when you call customer support and they ask you to verify a security question though.
I have had this problem, and failed the security check when I told them I had to look it up. Which was a little silly because I just hung up and called back and did it again with the list in front of me.
I've done something like this with my bank, I tell them it's a bunch of nonsense because the security question recovery is just a variation of a weak password so we'll need to validate me some other way. They always can.
I was on a first date and forgot my wallet so the first place we went was the bank. I had to repeat all my info 3x. I leveled with them and pointed to my date and said I need $100. They gave me the $100.
I've certainly heard people speculate that would be the case. I always just put together 2-3 words unrelated to the question, e.g. my first grade schoolteacher is "Antique Campfire".
Anecdotally I've heard of this type of social engineering working. It's probably better to use some randomly generated real words. Another poster suggested diceware.
I haven't tried, but I am not on the phone with support much as I go to great lengths to avoid calling haha. The one time I had to verify my security question, I told the representative that it's a long, random character string and they waited for me to open up my password manager to read it out to them.
I think the best way to do this is to use a passphrase so that it's clear that it's not just gibberish but you have the benefit that it's random text. Obviously at the end of the day, it all comes down to the person on the other end of the phone but I suspect they'd be more suspicious of someone saying "it's a bunch of gibberish" when they can see "grumpily siberian pampers panorama unroll aloof masculine mandatory" versus "YpZVpyQHsmPATt1P" (also the former is much easier to read over the phone).
I didn't even have to try. I was prepared to read off the random string, and the operator went with some other piece of information from my profile instead.
How do you keep track of phony answers to security questions if they are different for each site? If it is the same phony answer for every site, it is not any safer than using real answers to the security questions.
Yup. You pretty much have to do this. I love signing into my bank's bill payment system. "You appear to know your password and possess your second factor. But what's your favorite book? <all lowercase favorite book> WRONG YOUR FAVORITE BOOK IS ACTUALLY <starts with an uppercase book> NOW YOUR ACCOUNT IS LOCKED."
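The lockout described above comes from the site comparing the answer byte-for-byte, while the "we keep these answers in the database with our passwords" comment earlier in the thread raises the storage side. The following is an added example (not code from any poster or from a real site) showing how a service could do both: normalise the answer (Unicode normalisation, case-folding, whitespace collapsing) before hashing it with a memory-hard KDF, so "the hobbit" and "The Hobbit" match, while the stored value is still a salted scrypt digest rather than plaintext. The scrypt parameters are assumed reasonable defaults, not anything the thread specifies.

```python
"""Store and check security-question answers like passwords, but
normalise them first so trivial case/spacing differences do not lock
the user out. Added example, not code from the thread."""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer before hashing.

    NFKC folds compatibility forms, casefold() handles case more
    robustly than lower(), and split/join collapses internal runs of
    whitespace and trims the ends. Punctuation is deliberately kept:
    stripping it would change the answer space in ways users cannot see.
    """
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a normalised answer using scrypt.

    Parameters (n=2**14, r=8, p=1, 32-byte output) are an assumed
    interactive-login cost, about 16 MiB of memory per hash.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=2**14, r=8, p=1, dklen=32,
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    salt, digest = hash_answer("The Hobbit")
    # Both of these should be accepted; only the wording differs.
    print(verify_answer("the hobbit", salt, digest))
    print(verify_answer("  THE   Hobbit ", salt, digest))
    # A genuinely different answer is rejected.
    print(verify_answer("The Hobbits", salt, digest))
```

The normalisation is applied identically at enrolment and at verification, so the stored digest never depends on how the user happened to capitalise the answer the first time. Because the answer is hashed, a leaked table reveals no more than a leaked password table would; the remaining weakness, that real answers are low-entropy and often public, is the one the rest of the thread is about.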
Even if you're using real answers, you will be locked out of your account if you don't treat them like passwords. Eventually.
Worse yet, real answers are just weaker passwords. Mother's maiden name? Childhood friend? Elementary / high school? For a targeted attack, against most people, this is very insecure in the all-information-online age. Nobody needs to know your 20 character password if they have your social media page.
I generate the passwords and store them in my password manager under the notes. 1Password added functionality seemingly recently to add security questions and generate a random word string that I use these days.
Note that you should not generate a random password like D27fX$0f7RyD for your security questions. These are designed to give to a human operator on the other end of a phone. If an attacker calls up the account recovery line, gets asked for a security question, and just says "heh, I think it was a string of random characters", there's a decent chance the human operator will let them into the account. As you say, use an actual word string (passphrase) generator, which is a bit less susceptible to this attack.
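Several comments above recommend a random string of real words over a random character string, because it is readable over the phone and does not sound like "gibberish" to a support agent. The block below is an added example (not anything posted in the thread, and not 1Password's or any other manager's generator) of a diceware-style answer generator alongside a plain character-string generator, with the entropy of each computed so the trade-off is visible. The word list is a constructed 12-word stand-in; a real diceware list such as EFF's has 7776 words, and the entropy function takes the list size as a parameter for exactly that reason.

```python
"""Diceware-style security-question answers vs. random character
strings. Added example with a constructed word list; not code from
the thread or from any password manager."""
import math
import secrets
import string
from typing import Sequence

# Constructed stand-in word list. A real diceware list has 7776 entries;
# a list this small is for demonstration only and gives ~3.6 bits/word.
WORDLIST = [
    "grumpily", "siberian", "pampers", "panorama", "unroll", "aloof",
    "masculine", "mandatory", "campfire", "antique", "velvet", "lantern",
]

ALNUM = string.ascii_letters + string.digits


def passphrase(words: int = 6, wordlist: Sequence[str] = WORDLIST) -> str:
    """Pick `words` entries uniformly and independently (with replacement)
    using the CSPRNG behind `secrets`, joined with spaces so a human can
    read it aloud word by word."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def random_string(length: int = 16, alphabet: str = ALNUM) -> str:
    """The kind of answer the thread warns against: strong, but it sounds
    like 'a bunch of random characters' on the phone."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` independent uniform draws from `alphabet_size`
    options: symbols * log2(alphabet_size)."""
    return symbols * math.log2(alphabet_size)


def words_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniform draws that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("passphrase :", passphrase(6))
    print("random str :", random_string(16))
    # With a real 7776-word list, 6 words is ~77.5 bits; 16 alphanumerics is ~95.3.
    print("6 diceware words:", round(entropy_bits(6, 7776), 1), "bits")
    print("16 alphanumerics:", round(entropy_bits(16, 62), 1), "bits")
    print("words for 80 bits:", words_needed(80, 7776))
```

Six words from a 7776-entry list give roughly 77.5 bits, a bit under a 16-character alphanumeric string's 95 bits; seven words closes that gap. For an account-recovery answer that is going to be read to a person, that is an easy price for something the agent can hear, repeat back, and believe is really yours.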
Yep, if you can choose the question, choose something like "What was your first pet's name?" and then make up something silly like "Mister Poopy Eyes" (a conceivable child-given pet name).
My work provides me with a 1Password subscription (for both work and personal use) that I take advantage of that is pretty good. I think they only require you to reauthenticate with your master password once every two weeks or something. I use a PIN, biometrics, or my Apple Watch to unlock it when it times out in between that two week period, and I've had no problems syncing between several of my devices.
Pick your three favorite movie characters for which there is a lot of information about them (name, town where they grew up, age, dog with a name, etc.). Rotate through these three. Append the name of the service. Dog's name? buddylastpass
There will be no reuse, because for Facebook it would be buddyfacebook or dugfacebook, or something else… but you will always be able to guess it in three tries. A computer system doing some kind of pentest isn't going to parse out the "facebook" or "lastpass". A human might, but that's why you rotate through three names. At the point where you have a human targeting your account and actually thinking about your inputs you are probably !@#$ed anyway.
I have a small orange password book… oddly. If that gets stolen I think I’d be in big trouble. However it doesn’t have my email address in it. Answers to those inquisitions of a password reset nature are within.
I used to do something like this. I avoid it now, and use a pass phrase of a few words as answers to these questions, stored as a password.
It was clear to me after I had to read such a security question answer over the phone to unlock an account the CSR was perfectly happy with "gibberish over the phone == gibberish in front of me", meaning my attempt to secure things made it less secure in the end.