
Don't give away historic details about yourself - zeveb
https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/
======
ConceptJunkie
The whole "secret question" thing seemed to me to be a completely stupid idea
from the start. "Hey, give us a password. If you forget your password, give us a
much, much less secure way to access your account."

I've always given false info to those, when I bother to fill them out at all.
If necessary, I just store this false info along with the password in the
encrypted file I keep my passwords in. The security questions they use are
often easily guessable (although it seems now they are using somewhat better
questions). Nevertheless, my attitude is that I'll just make sure to retain
the password.

I get the possible security risk of answering quizzes on places like Facebook,
but I've done it a few times because it's fun. It all boils down to passwords
being a hassle. Almost anything you do to make dealing with passwords easier
makes them less secure, but there's nothing better. The only improvements over
passwords come from additional authentication factors, like having to grab a
code messaged to your cell-phone, or using one of those little security token
devices (or the software equivalent). I don't think anything is going to be
replacing passwords any time soon.

~~~
simonw
I agree, secret questions are dumb... but what are the alternatives?

The majority of human beings now manage important parts of their lives online,
which means they have to remember passwords.

Humans are TERRIBLE at remembering passwords - those of us who use a password
manager represent a fraction of a percent of those who need one.

Secret questions may be revoltingly insecure, but they do at least let people
get back into their accounts. We need to do better, but I don't know what
"better" looks like.

~~~
gnulinux
> Humans are TERRIBLE at remembering passwords

_This_ is the main problem and _we_ created this problem. Over the last 30
years we worked so hard to make passwords weird and not even that hard for
computers to try to find. If your password is a sentence that you know by heart,
say your favorite quote, the motto of your country, of your school, or some
cool fact etc... your password would be (1) safer and (2) easier for you to
remember. That's what I do and I never have a hard time remembering my 4 to 6
word password. I just use a bunch of books/movies and remember my favorite
quotes. For example "one ring to rule them all" is a good password, or "may
the force be with you" or "call me ishmael".

~~~
Simon_says
Are you kidding? Those are terrible passwords, and there’s already some script
kiddie out there with a password list containing the top 10 billion book,
music, tv show, and movie quotes.

A good password has entropy, which is not a property of the alphanumeric
string but of the process used to create it. Could your password generation
method plausibly have produced 2^60 alternative passwords with equal
probability? Probably not.

Also, never reuse passwords.
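
Worked example, added here and not code posted in the thread: it puts numbers on Simon_says's point that entropy belongs to the generation process, not to the string. The list sizes (7776 words for a Diceware list, the "top 10 billion quotes" figure from the comment) and the eight-word sample list are constructed assumptions so the block runs offline.

```python
import math
import secrets

# Constructed figures for illustration (assumptions, not from the thread):
DICEWARE_LIST_SIZE = 7776         # words in the standard Diceware list (6^5)
QUOTE_LIST_SIZE = 10_000_000_000  # the "top 10 billion quotes" list imagined above

# Small constructed word list so the generator runs offline; a real list has thousands of words.
SAMPLE_WORDS = ["harbor", "quartz", "willow", "falcon", "cobalt", "meadow", "orchid", "tundra"]


def process_entropy_bits(alternatives: int) -> float:
    """Entropy (bits) of a process that picks uniformly among `alternatives` outcomes.
    This depends only on how the secret was chosen, not on how long it looks."""
    return math.log2(alternatives)


def passphrase_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n_words words, each drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)


def words_for_target(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest uniformly chosen words needed to reach target_bits (e.g. the 2^60 bar above)."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_list, n_words: int) -> str:
    """Uniform selection with the OS CSPRNG; entropy is n_words * log2(len(word_list))."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))


if __name__ == "__main__":
    # A famous quote looks long, but if it came from a list of 10 billion candidates
    # the process only had ~33 bits of choice, far below 2^60.
    print(f"quote from a list of {QUOTE_LIST_SIZE:,}: {process_entropy_bits(QUOTE_LIST_SIZE):.1f} bits")
    for n in (4, 5, 6):
        print(f"{n} Diceware words: {passphrase_entropy_bits(n):.1f} bits")
    print("words needed for 60 bits:", words_for_target(60))
    toy_bits = passphrase_entropy_bits(3, len(SAMPLE_WORDS))
    print(f"sample from the 8-word toy list (only {toy_bits:.0f} bits):", generate_passphrase(SAMPLE_WORDS, 3))
```

The comparison to take away: a memorised quote scores about 33 bits even if it is forty characters long, while five words drawn at random from a 7776-word list clear 60 bits, and the difference is entirely in how the choice was made.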

~~~
bitwize
"One ring to rule them all" is a terrible password, but "the dark lord's
unique jewelry" might be a good one.

~~~
stordoff
For passwords I need to remember (rather than just putting in my password
manager), I've taken to using lines from foreign content, especially if it's
something I've translated myself or I've introduced some deliberate
misreadings in. I imagine very few dictionaries would have
"personawakokoronoka!" in them (not a password I've used, but illustrates the
idea). Derived from:

ペルソナは心の力 - read as "perusona wa kokoro no chikara"

Then I've replaced it with the English spelling of Persona -> "persona wa
kokoro no chikara"

Then I replace chikara with a misreading - when I first learnt the characters,
I mixed up 力 (chikara) with the katakana カ (ka) and often read both as ka ->
"persona wa koroko no ka"

Then remove the (unneeded) spaces and add a "!" for good measure ->
"personawakokoronoka!"

Dead easy for me to remember, but (I believe) difficult to derive/guess or
dictionary attack (especially if I start with a longer sentence).

------
gregmac
Underlying this, don't ever answer these stupid 'account security' questions
truthfully. Better to make something up and store it in your password manager
along with other account info.

I'd normally be tempted to put in the same types of random passwords I
normally use, eg:

> What was the name of the street you grew up on?
> L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj

Unfortunately, I've heard you can talk to customer support and say things like
"I think I just typed in random garbage for that" and they'll accept it.
Whether an attacker would know or try this I'm not sure, but I could also see
a customer rep hinting towards this when they see it.

It's probably better to actually make up something plausible-sounding but
incorrect, like "Summit Avenue". (Related: there's a website for this [1])

[1] [https://www.randomlists.com/random-street-names](https://www.randomlists.com/random-street-names)

~~~
fenwick67
A heuristic where you transform a truthful answer might be better.

i.e. your first car was a Bronco, security answer =
hash('bronco'+secret).slice(6)
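
A concrete form of the transform fenwick67 sketches, added here as an example rather than code from the thread: the truthful fact is run through an HMAC keyed with a per-person secret (the `secret` a user would keep in a password manager is an assumption), bound to the site and question, and the digest bytes index a word list so the result can be read out over the phone. The 16-word list is constructed for the example; it is far too small for real use, and the comment in the code says why.

```python
import hashlib
import hmac

# Constructed 16-word list so the example runs offline. A real deployment would use a much
# larger list (for example a Diceware list): an attacker who does not know the secret can still
# try every possible answer, and there are only len(WORDS) ** n_words of them
# (16 ** 3 = 4096 here, i.e. 12 bits, which is not enough).
WORDS = ["summit", "maple", "harbor", "quartz", "willow", "falcon", "cobalt", "meadow",
         "orchid", "granite", "tundra", "velvet", "saffron", "ember", "lantern", "pebble"]


def derived_answer(secret: bytes, site: str, question: str, truthful: str, n_words: int = 3) -> str:
    """Turn a truthful fact into a stable, speakable, non-guessable security answer.

    secret:   a per-person key kept in the password manager (assumed, not on the page)
    site:     binds the answer to one account, so one leaked answer reveals nothing about others
    question: the question text, so two questions on the same site give different answers
    truthful: the real answer (e.g. "Bronco"); normalised so recall is forgiving
    """
    if not 1 <= n_words <= hashlib.sha256().digest_size:
        raise ValueError("n_words must fit in one digest")
    message = "\n".join(
        [site.strip().lower(), question.strip().lower(), truthful.strip().lower()]
    ).encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # 256 is a multiple of len(WORDS), so `byte % len(WORDS)` is unbiased;
    # each output word consumes one digest byte.
    assert 256 % len(WORDS) == 0
    return " ".join(WORDS[b % len(WORDS)] for b in digest[:n_words])


if __name__ == "__main__":
    key = b"example-secret-from-password-manager"  # constructed for the demo
    print(derived_answer(key, "example.com", "Make of first car?", "Bronco"))
    # Same fact, different account: a different answer.
    print(derived_answer(key, "bank.example", "Make of first car?", "Bronco"))
```

Because the output is a few dictionary words, it sidesteps the "I just typed random garbage" problem gregmac raises below, while remaining reproducible from the fact plus the secret rather than from the fact alone.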

~~~
jjeaff
My issue is that most of the time, the available questions are just
frustratingly dumb. I don't have a favorite song, favorite movie, or favorite
food. I like lots of things and those things change over time. And seriously,
favorite teacher? That's very common. How many people really have a favorite
teacher?

------
mindslight
What is with perpetuating this idea that people have some duty to be
responsible for companies' broken security practices? You're unable to prevent
their fuckups - so you can only take steps to make sure you don't end up on
the hook or otherwise severely impacted due to their negligence.

It's not my job to avoid repeating _public_ information like mother's maiden
name, historical addresses, etc.

Nor is it my job to worry about whether a bank will bypass confirming "secret
question" strings for anyone stating they're just random letters.

As a _non-responsible_ third party to any possible identity-based fraud, the
only thing I see the need/ability to do to protect myself is watch
transactions on my accounts (automation helps here, eg OFX), and be prepared
to send demand letters/sue the surveillance companies for libel if they start
spouting off that "I" opened accounts that I did not.

Feeling any more responsible than this is just helping to continue their
negligent/lazy/broken-ass business processes.

~~~
philwelch
I don't really see "responsibility" as a useful lens. If you give away
information that can be used to reset your passwords, you make it more likely
that someone can reset your passwords.

Assigning blame is something people do to make themselves feel better _after_
bad things happen. Making it less likely for bad things to happen in the first
place may or may not be worth the time and effort, but whether or not you're
morally responsible is a pretty meaningless question.

~~~
mindslight
> _Assigning blame is something people do to make themselves feel better after
> bad things happen_

Eh, not really. Assigning responsibility is how we align incentives to prevent
things from happening in the first place. You are responsible for not
disclosing your bank password. You are not responsible for repeating public
information that a bank foolishly decided to consider an authentication token.

Personally fretting about whatever broken actions a bank decides to take uses
up a disproportionate amount of your time, as you're unable to actually change
them. And any success just encourages the bank to continue, as they suffer
less from their own idiocy.

~~~
philwelch
It may or may not be worth the time and effort never to tell anyone your
mother’s maiden name, but assigning blame is kind of beside the point. It’s
not my responsibility not to get my bike stolen, but if I don’t want my bike
stolen, I still lock it up, right?

------
cheschire
I've been really concerned about how freely people seem to give their DNA away
to testing services like 23andMe or Ancestry DNA.

I just get this feeling that in the next few decades genetic code may become
the pinnacle of biometrics as a part of multi-factor authentication. i.e.
something I know, something I have, and something I am.

And DNA databases that are potentially loosely secured, or at least secured as
well as credit bureaus' data, seem like a great way to unwittingly expose
one's future self.

I bring this up because multi-factor authentication still seems to be a
struggle to implement well for the masses, and while people here complain
about these personal questions being insecure, I can't really think of a
reason why genetic code won't become the ubiquitous standard for the vast
majority of the population to prove their identity.

Yet here people are giving it away, and even paying for the privilege.

~~~
nanomonkey
DNA can be harvested from dead hair, skin or spit even, so anyone with access
to your physical environment could obtain your DNA.

~~~
logfromblammo
It should really be considered public information. You leave your DNA
everywhere you go.

Like all biometrics, the most it should be used for is identification, never
authentication.

You're still going to need a secret, and maybe also a token.

------
United857
United Airlines is probably one of the worst I've seen:
[http://www.slate.com/articles/technology/future_tense/2016/03/united_airlines_uses_multiple_choice_security_questions.html](http://www.slate.com/articles/technology/future_tense/2016/03/united_airlines_uses_multiple_choice_security_questions.html)

Not even free text but only allowing a limited set of answers via dropdown
menus (most of the provided answers don't apply to me either, so it's both
insecure for them and hard for me to remember as well)

~~~
et-al
I tweeted at them about this when those dropdown answers came out and they
actually responded to me, but never took action to change things.

The official United response on FlyerTalk (linked from the Slate article) is
naïve to say the least:

> _We purposely chose to use preregistered answers as our first form of
> enhanced authentication to protect against this keystroke logging. We need
> to ensure that all of our customers have a high degree of security and our
> research also indicated that some customers had self-entered security
> answers that would be very easy to guess._

Wow.

Source:
[https://www.flyertalk.com/forum/26212495-post233.html](https://www.flyertalk.com/forum/26212495-post233.html)

------
pwinnski
Using random characters for answers to "secret questions" only works when you
can be 100% sure you will never have to give the answers over the phone. If
you ever have to do that, random characters are worse than reality, because
phone reps will just say, yeah, you're right, it's gobbledygook.

I give arbitrary answers that would make sense to something like an AI. Like,
"Q: Who was your father's first employer? A: Avocado flesh" or "Q: What is
your mother's maiden name? A: Rutherford B. Hayes"

Of course, all such answers are stored in my password manager.

------
znpy
This is a bit paranoiac in my opinion, but I see the point. I mean, I cannot
in all honesty say he is wrong.

My approach to this problem is, given the fact that I use a password
manager[1], the following: I chose a random question from the proposed set,
and then generate a random password and use it as a "secret answer". Given the
fact that 99% of the time the security question will be checked by a computer,
the security question effectively becomes a secondary password.

But as I write I am just realizing that the security question is probably not
stored in a secure manner (salt + hash) anyway, so in the event of a data leak
well that account is f***ed up anyway.

Also, this has always seemed problematic to me: my secret question is supposed
to be something I "just know" but... Let's assume the question is "what was
your favorite teacher at elementary school" and my answer is "Mrs Chtulu"...
What if I come back in a year and instinctively type "Miss Chtulu"? Do I have
to remember the spelling I used? The capitalization? What if when I was 13 I
did not bother capitalizing names and surnames properly but now I do?

--

[1] - if I happen to lose the password file, I'm probably in the middle of way
bigger problems.
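
Both of znpy's worries are things the site operator controls, so here is how the storage side looks when done properly. This is an added example, not code from the thread or from any site discussed in it: answers are normalised (case, spacing, stray punctuation) before being hashed with a salted, slow KDF, so "Mrs. Chtulu" and "mrs chtulu" verify while a leaked database yields no plaintext answers. The iteration count and the `Mrs Chtulu` sample are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware


def normalize_answer(answer: str) -> str:
    """Canonical form so harmless variation in how a person types the answer still matches.
    Unicode NFKC, casefold (stronger than lower()), punctuation dropped, whitespace collapsed."""
    s = unicodedata.normalize("NFKC", answer)
    s = s.casefold()
    s = re.sub(r"[^\w\s]", "", s)  # drops the "." in "Mrs." and a trailing "!"
    return " ".join(s.split())


def store_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Record to persist instead of the answer itself: per-answer salt plus a slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    record = store_answer("Mrs. Chtulu")  # constructed sample answer
    print("stored fields:", sorted(record))  # no plaintext in here
    for attempt in ("mrs chtulu", "MRS  CHTULU ", "Miss Chtulu"):
        print(f"{attempt!r:16} -> {verify_answer(record, attempt)}")
```

Normalisation can absorb capitalisation and spacing but not a different word, so "Miss Chtulu" still fails, which is the residual recall problem znpy describes and the reason a randomly generated answer kept in a password manager is the more robust choice for the user.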

------
abhiminator
A good idea to counteract privacy risks of this sort is to occasionally search
yourself by your full name or by username (one that can be traced back to you,
that is) across all major search engines and see if any of your data is out in
the open in any public forum.

Same goes for searching your phone numbers, physical addresses and your email
address (preferably in double-quotes for an exact match) -- I discovered mine
stashed in a blog full of random email addresses, mine among them --
reported it to Google and it was gone in a couple of days.

I perform this 'exercise in privacy' once every three months -- which for me
is the average time in which I sign-up for a new service or product using my
primary email address; YMMV.

A related article for those who're interested (shameless plug) --
[https://abhishekbalaji.wordpress.com/2016/09/24/why-you-should-occasionally-google-yourself/](https://abhishekbalaji.wordpress.com/2016/09/24/why-you-should-occasionally-google-yourself/)

~~~
yuriyb
Google provides a way to "subscribe" to email notifications of new search
results for a given term (don't have the link handy right now). I've been
subscribed to results for my full name for many years, and occasionally get an
email of a new mention here and there.

~~~
abhiminator
I think you're referring to Google search alerts[0]. I agree, that's a pretty
neat tool to be subscribed to, should be useful in drastically cutting down
the response time when responding to instances of one's personally
identifiable data leaking on the web.

[0]
[https://support.google.com/websearch/answer/4815696](https://support.google.com/websearch/answer/4815696)

------
lucb1e
So let's get rid of security questions and we can just carry on? There should
be no harm in disclosing information which is already known by dozens of
people, like your mother's maiden name or your first pet. Going around and
telling everyone " _keep your history concealed!_ " is just silly and will get
you the tinfoil hat label, making any future security advice useless.

I typically agree with him but this just seems like attacking the wrong
problem.

~~~
asfgionio
I am not entirely sure I agree. Maybe it's slightly paranoid, but I find it
shocking how much information people share on the Internet.

I still abide by the old idea that you _never_ share personal information on
the Internet.

------
Moodles
I'm filling out a visa application form right now. I kid you not, I'm supposed
to keep the username secret too.

And then if you do a password recovery, they email you a new password (which
is like 6 characters) WHICH YOU THEN CAN'T CHANGE (except if they email you
another new one).

It's a joke. I had to come up with a security question so I just make them
sarcastic: "In what world is this secure?"

------
Reedx
I don't know which annoys me more, the easy to guess security questions or
those with mutable answers.

Things like: What's your favorite vacation spot? What's your favorite food?

Often you're stuck having to choose between something other people know or can
figure out (where you were born) and something that may well change over time.

~~~
saalweachter
I like the idea of trolling people with security questions that you never
actually use in a password-recovery workflow.

What is your third favorite vacation spot? Would you rather fight a horse-
sized duck or 100 duck-sized horses? For how much money would you go to jail
for 1 year?

~~~
jgroszko
I was always a fan of these nihilist security questions:

[https://www.mcsweeneys.net/articles/nihilistic-password-security-questions](https://www.mcsweeneys.net/articles/nihilistic-password-security-questions)

~~~
et-al
The New Yorker published a cartoon along that vein last year with "Insecurity
Questions":

[https://www.newyorker.com/humor/daily-shouts/insecurity-questions](https://www.newyorker.com/humor/daily-shouts/insecurity-questions)

------
zzm
As others in this thread have stated, security questions are less secure than
using a password, and thus a poor backup to passwords.

One interesting alternative that's been presented recently is Mooney Images
[1]. The example images in the linked slides are fun to test out on yourself
and others. They rely on a user's implicit memory of visual imagery and while
they are also susceptible to similar sorts of side-channel inquiries, they
would be much more obvious.

[1]
[https://www.mobsec.rub.de/media/mobsec/veroeffentlichungen/2017/03/08/MooneyAuth-NDSS-2017.pdf](https://www.mobsec.rub.de/media/mobsec/veroeffentlichungen/2017/03/08/MooneyAuth-NDSS-2017.pdf)

------
EGreg
I think you have it backwards, here.

Instead of urging people to NOT reveal details about their life such as their
first pet’s name, you should urge them to answer all password reset questions
with at the very least irrelevant answers, or a password reset password.

------
dfxm12
Good security: Don't give away historic details about yourself.

Better security: Do give away many different fake historic details about
yourself.

------
trolliloquy
I don't know if it is right to post this here, but how many of you relate this
post to "Now You See Me" ?

URL:
[https://www.youtube.com/watch?v=95jHwnAhHgU](https://www.youtube.com/watch?v=95jHwnAhHgU)

This contains both scenes - how they steal the information and how they abused
it.

------
8bitsrule
The first thing to think, when a website (or stranger on the street) asks you
an out-of-the-blue personal question is: why is s/he asking? Cuz it's probably
not because they give a crap.

------
rabboRubble
I use 1Password as a password vault. Some years ago, I decided to start lying
for secret question answer challenges. I use 1Password to generate a string of
garbage (without numbers or symbols, 25 characters long) and keep that answer
in a custom field in the 1Password vault. I've tagged those entries with a
security tag to find all accounts with secret Q&A information.

I am paranoid about back ups because if god forbid I lost that vault, there
are accounts that would be permanently lost to me.

~~~
itakedrugs
One problem with this is social engineering... someone could call the company
to recover their password and say that they entered garbage for the security
question...

I started to enter passphrases instead

~~~
rabboRubble
Good point. I'll have to think it over a bit. Since I have all the info it should
be very easy to fix up the data. Just time consuming.

------
PeterStuer
The 'secret questions' approach is also used by my bank to 'secure the line'
when you call them to unblock your pin-attempts (the card blocks after 3 wrong
guesses/mistypes) on your ATM card. These aren't questions that you had to
fill before, but rather questions from their CRM like the address on which you
first purchased fire-insurance with them etc.

While the risk isn't great (it just gives you 3 more attempts), it still feels
weird.

------
yuriyb
I've never provided literal, logical answers to security questions, as even
without sharing the answers elsewhere, the logical ones would be entirely too
easy to guess.

"Make of first car?" There are only so many vehicle brands reasonably
accessible in a geographical area - not hard to brute force.

"City of birth?" Common knowledge among all my friends.

It's too easy.

An appropriate answer to "Make of first car?" would be something like "red &5
Blueberry."

~~~
saalweachter
So it's a common trope in science fiction that super-intelligences will
resurrect historical people using DNA and mumble-mumble to get their memories.

We finally have a plausible answer to how computers a thousand years from now
will be able to reconstruct the details of your life: security questions.

------
makecheck
The thing they never get right is that the answer to a question is only useful
_if you can write the entire question_. You should never be forced to select a
question from a list.

Also, I can’t believe how stupid some of these sites’ questions are. While I
always make up the answers, frequently they require at least 3 questions and
only 1 or 2 even _apply_ to me (assuming I answered truthfully)! And one
airline wanted FIVE of them!!!

------
quantumfoam
I usually just do a random hash. Also, really, really hate the sites that do
not allow you to free-form text the question itself and rather populate a bunch
of commonly known ones. FFS, if you're a web developer working on security
questions, let the user make up the question. Agreed though, we should just do
away with this as an authentication factor.

~~~
PebblesRox
Let the user make up a question and remind them that they might need to answer
it over the phone so they don’t choose something embarrassingly personal.

------
rdiddly
That's why the answers to the security questions are always random strings,
and the answers to the quiz questions are always "your mother."

e.g. I learned to drive stick-shift on your mother. My first pet was your
mother. My special furry friend is your mother. And so forth.

------
HugoDaniel
I was born in 1900/1/1

~~~
pbhjpbhj
You must like scrolling, I was born in 19__/1/1 where the missing digits put
less wear on my mouse wheel.

------
arikrak
How often do websites just trust a security question for verification? I
thought they usually ask it along with something else like along with a
password reset email.

------
ourmandave
Stealing one account at a time is small time hoodlum level sh*t.

The pros just download the entire user table in one go. They don't care what
your first pet's name was.

~~~
Simon_says
Unless you’re famous or wealthy. Has happened numerous times.

------
jkingsbery
This article makes me appreciate that "what was the first programming language
you learned?" isn't a common security question.

------
andrewflnr
I can confirm that "first concert you went to" is a security question on at
least one site.

------
DataWorker
And don’t apply for any federal work. And don’t use credit cards. And...

------
hateful
I was born in the US, raised on TV and now I reside on the Internets.

------
benpiper
Don't give out your birthday either.

