
Ask HN: Why do companies still not let you choose your security questions? - CM30
Like for example, Apple with their Apple ID setup? These old cliched questions don't help anything, and are stupidly easy to defeat for anyone wanting to socially engineer your account details.

So why don't these companies just give you a few text boxes and let you set them yourself? That way, they'd at least be somewhat secure for those who know what they're doing, and those who use them for impromptu passwords could just use them as that.

P.S. Why do we still have these silly things in general?
======
pwg
> P.S. Why do we still have these silly things in general?

One possibility is a belief that having a security question allows for users
to reset a forgotten password without having to involve a help-desk person on
a phone call to do a password reset.

> These old cliched questions don't help anything

If your answers are the output from this (the word list lives at
/usr/share/dict/words on current systems):

      $ sort --random-source=/dev/urandom --random-sort /usr/share/dict/words | head -5
      spindled
      antiquities
      tumblers
      teasing
      halter


Which makes (for this example) the answer "spindled antiquities tumblers
teasing halter". So you have words for the times you are talking to the human
on the phone when they want you to give the answer, but you have random words
that joe-hacker is not likely to guess while trying to do social-engineering
on the same help desk human.

With a password manager, storing these "random" answers to security questions
along with a randomly generated password, is trivial. And if these are your
answers, you don't really care what the question happens to be, because the
answer you give will have nothing to do with the actual question anyway.
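The same idea in script form, as an added example rather than anything pwg posted: draw the answer words with a CSPRNG (`secrets`, not `random`), show how much guessing work the answer represents compared with a real "mother's maiden name", and generate one unrelated random answer per question so the question text stops mattering. The word list, the question strings and the function names are assumptions made for the example; the embedded list is a small constructed stand-in so the script runs offline, and `load_wordlist` falls back to it when the system dictionary is missing.

```python
"""Random-word answers for security questions (added example, not pwg's script)."""
import math
import secrets

# Constructed stand-in word list (32 words = 5 bits per word). A real run
# should use a large dictionary such as /usr/share/dict/words.
SAMPLE_WORDS = [
    "spindled", "antiquities", "tumblers", "teasing", "halter", "lantern",
    "orchard", "gravel", "ribbon", "saddle", "thimble", "walnut", "anchor",
    "basket", "candle", "dagger", "ember", "falcon", "goblet", "harbor",
    "island", "jigsaw", "kettle", "ladder", "marble", "needle", "oyster",
    "pebble", "quiver", "rudder", "sable", "timber",
]


def load_wordlist(path="/usr/share/dict/words"):
    """Load a dictionary, keeping plain lowercase words; fall back to SAMPLE_WORDS."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            words = sorted({w.strip().lower() for w in fh if w.strip().isalpha()})
    except OSError:
        return list(SAMPLE_WORDS)
    return words or list(SAMPLE_WORDS)


def random_answer(words, n=5):
    """Pick n words uniformly at random with the OS CSPRNG and join them.

    Sampling with replacement keeps the entropy calculation exact
    (n * log2(len(words))) and is what `sort --random-sort | head` gives you
    in spirit: words you can read aloud to a help-desk human but nobody can guess.
    """
    if n < 1 or not words:
        raise ValueError("need a non-empty word list and at least one word")
    return " ".join(secrets.choice(words) for _ in range(n))


def answer_entropy_bits(wordlist_size, n):
    """Guessing entropy of n uniformly chosen words from a list of that size."""
    return n * math.log2(wordlist_size)


def required_words(target_bits, wordlist_size):
    """Smallest n such that n random words from the list reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def fill_questions(questions, words, n=5):
    """Map each (ignored) question text to an independent random answer.

    The answer carries no information about the question, so it does not
    matter whether the site asks for a maiden name or a first pet.
    """
    return {q: random_answer(words, n) for q in questions}


if __name__ == "__main__":
    words = load_wordlist()
    # A maiden name drawn from roughly the 1000 most common surnames is
    # ~10 bits of guessing work; five random words from a 100k-word list is ~83.
    print("maiden name from top-1000 surnames: %.1f bits" % answer_entropy_bits(1000, 1))
    print("5 words from %d-word list: %.1f bits" % (len(words), answer_entropy_bits(len(words), 5)))
    print("words needed for 80 bits with 7776-word diceware list:", required_words(80, 7776))
    for q, a in fill_questions(["Mother's maiden name?", "First pet?"], words).items():
        print("%-24s -> %s" % (q, a))  # store these in the password manager
```

The entropy figures are the point: the question only ever constrains a human-chosen answer, and the social-engineering attack works because that constraint is tiny. Once the answer is independent of the question, the help-desk script is reduced to "read me the words", which is exactly what a password manager entry is for.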

------
Kazooie_Bird
Storing custom questions requires a larger persistence footprint.

