

Why do websites require "secret questions"? - rangibaby

I wish Google (for example) would give me an option to provide no secret question.

They seem terribly insecure and an easy attack vector e.g. "What was your first phone number?" would be incredibly easy to coax out of a person simply by calling them and pretending to be from x phone company.

In the days of two-step verification, is making a security question compulsory obsolete?
======
epc
There’s no reason to answer such questions with the “right” answer. My
mother’s real maiden name is public information, so when asked for that I give
a different memorable name.

About the only time I tell the truth on such forms is when it’s legally
required (like a credit check form).

As far as two-step verification: of a sample set of my relatively savvy but
not necessarily hardcore tech friends, only two are using two-step
verification out of about 30 people. The others know about it but don’t get
why they need it.

------
antidoh
You can simulate the option of no secret question, by giving an extremely
wrong answer.

First phone number: Dwight Eisenhower.

------
ott2
The sensible treatment of a "secret question" is as a second password. Since
it acts in parallel with the password, like a second door to your house, it
should be at least as hard to guess as the "main" password.

I would go further than saying that this is obsolete: it is simply bad
security design.

