
For government purposes, Name and DoB have sometimes been considered "unique enough". There was an article[1] about two women in NYC who ran into this issue; it caused one of them (the one with good credit) lots of heartache.

It's stupid, but "mother's maiden name", "name of your first pet", "street that you lived on when you were young", etc. are now de facto sensitive data by virtue of the fact that they can frequently be used to bypass your website passwords. In 2008, Sarah Palin's Yahoo mail account was breached because the answers to all of her security questions were effectively on her Wikipedia page.

[1] https://www.theguardian.com/us-news/2017/apr/03/identity-the...



My response to "your first car?" is a plausible-for-someone-a-generation-older-than-I-am make and a completely made-up model. The same with all my other security questions; the data fits what is being asked for but is almost completely fictional. That's "good enough" for me.


I've long since moved my family to password vaults to store nonsense strings for these password recovery questions and answers, for shielding against precisely this attack vector. Now if I could only get them to adopt 2FA for the master password of the vault.


Careful. If the security answers are verified by a human, they may accept "oh, I think I just put in a bunch of random characters" as an answer.


TIL, thanks for pointing out that social engineering could probably penetrate lax security operational standards at some companies. All someone has to do is state it's random on every account they already put through with known information but can't answer the password recovery questions upon, put on a flustered & angry act, and I bet some percentage of call center reps will buy it. I'll modify my practice accordingly.


Yep. I'd recommend the xkcd[0] approach with Diceware[1].

[0]: https://xkcd.com/936/

[1]: http://world.std.com/~reinhold/diceware.html


Thanks so much for pointing me to that. If I had an always-air-gapped ORWL, I'd probably put a generator on it to be able to quickly generate them; I generate an absurd number of accounts each week, since I don't tie into SSO offers over public sites.

Only concern I need to solve for is sifting these lists for confusing words like homophones that are difficult to say clearly over an audio-only connection. This drives down the convenience and increases the time to call out the passphrase, since I then revert to the phonetic alphabet. Unfortunately, I've only found various lists [1], but not something that grabs the list, looks up the ExtIPA pronunciation [2] for each word, then applies rules to rank the clarity of each word when spoken over the phone.

That last part is where I am stumbling. I can't find the rules that govern what we know about clarity over telephone links, though AT&T must have studied this at some point. I can come close, with this article [3] about factors that explain why the sounds “f”, “th”, and “s” are difficult for the hearing-impaired to hear. Ideally, a ranking of not just individual words in a selected Diceware list, but also ranking of the clarity of a selected passphrase as well, would come out of such a systematic categorization.

[1] http://www.stlcc.edu/Student_Resources/Academic_Resources/Wr...

[2] https://en.wikipedia.org/wiki/Extensions_to_the_Internationa...

[3] https://www.hearingaidknow.com/words-difficult-to-understand...
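A Python sketch of the pipeline the comment above asks for, added here as an example and not code from the thread or from the Diceware project: drop homophones from the word list before drawing words (so the draw stays uniform), recompute the entropy from the reduced list size, and spell the result in the NATO alphabet for reading over the phone. The word list and homophone groups are constructed stand-ins, and the filter is a plain block list rather than the pronunciation-based clarity ranking the commenter is looking for.

```python
import math
import secrets

# Constructed stand-in for a Diceware word list (the real list has 7776 words,
# indexed by five dice rolls). A handful of entries is enough to show the filter.
WORDS = ["correct", "horse", "battery", "staple", "their", "there", "two",
         "too", "flour", "flower", "cliff", "brace", "zinc", "ample", "ledger"]

# Constructed homophone groups: every word in a group is dropped, because the
# person on the other end of the call cannot tell "their" from "there".
HOMOPHONES = [{"their", "there"}, {"two", "too"}, {"flour", "flower"}]

# NATO/ICAO spelling alphabet, used to read the passphrase letter by letter.
NATO = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", (
    "Alfa Bravo Charlie Delta Echo Foxtrot Golf Hotel India Juliett Kilo Lima "
    "Mike November Oscar Papa Quebec Romeo Sierra Tango Uniform Victor Whiskey "
    "X-ray Yankee Zulu").split()))


def drop_ambiguous(words, homophones):
    """Return the list with every member of a homophone group removed."""
    banned = set().union(*homophones)
    return [w for w in words if w not in banned]


def entropy_bits(list_size, n_words):
    """Bits of entropy of an n-word passphrase drawn uniformly from the list."""
    return n_words * math.log2(list_size)


def passphrase(words, n_words, choose=secrets.choice):
    """Pick n words uniformly at random; `choose` is injectable for testing."""
    return " ".join(choose(words) for _ in range(n_words))


def spell_out(phrase):
    """Render the phrase in the spelling alphabet, one word per '/' group."""
    return " / ".join(" ".join(NATO[c] for c in w.upper()) for w in phrase.split())


if __name__ == "__main__":
    clean = drop_ambiguous(WORDS, HOMOPHONES)   # filter BEFORE drawing words
    p = passphrase(clean, 6)
    print(p)
    print(spell_out(p))
    # Filtering shrinks the list, so the entropy must be recomputed from the new size.
    print(f"{entropy_bits(len(clean), 6):.1f} bits (full Diceware list: "
          f"{entropy_bits(7776, 6):.1f} bits)")
```

Filtering after the draw and re-rolling only the rejected words would be equivalent, but filtering the list first keeps the entropy accounting honest: the bits come from the size of the list actually drawn from.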



