I've always given false info to those, when I bother to fill them out at all. If necessary, I just store this false info along with the password in the encrypted file I keep my passwords in. The security questions they use are often easily guessable (although it seems now they are using somewhat better questions). Nevertheless, my attitude is that I'll just make sure to retain the password.
I get the possible security risk of answering quizzes on places like Facebook, but I've done it a few times because it's fun. It all boils down to passwords being a hassle. Almost anything you do to make dealing with passwords easier makes them less secure, but there's nothing better. The only improvements over passwords come from additional authentication factors, like having to grab a code messaged to your cell-phone, or using one of those little security token devices (or the software equivalent). I don't think anything is going to be replacing passwords any time soon.
This was the wrong solution.
Then they started reading back random choices, which made it pretty easy to guess what I picked.
According to them, it's impossible for your mother's maiden name to have less than six characters :/
I decided to log in and change it to a randomly generated secure password. However, they had upgraded their off-the-shelf software some time over the last 4-5 years to a newer version.
The problem was, on their password change page the "new password" field had a minimum length of 8 characters; however, the "OLD password" field also had that exact same requirement.
So I put in:
* Old: 12345
* New: 717&t!1XFCWJWk!q@ut3B
* Confirm: 717&t!1XFCWJWk!q@ut3B
And got an error "your password must be 8 characters or greater".
I ended up beating it by logging out, clicking "I've forgot my password" and resetting it via email.
You probably broke law there O_O
Some of it is legacy - integrating systems built throughout the last three decades.
Some of it is management - they fired multiple teams partway through, with 100% turnover. They also massively underfunded said teams, devoting the majority of funding to PR. Also some... interesting technical policies, like banning version control and advocating regular backups instead. (Something to do with code "theft protection".)
Some of it was technical issues - different integration teams were given different browser compatibility goals. Some teams were told they must use PHP and Apache, others they must use NodeJS and nginx. Often for related parts of the UI.
If you want to know how to screw up a multi-million dollar project, look no further.
(Source: Worked with a team leader during one of the "fire everyone" times.)
wtaf. Embarrassed to be Aussie.
Some people think they're too smart for putting a random string as their mother's maiden name. I'd rather just put something that looks like a name there.
That said, I have a peeve with one of the standard questions they ask, which is the "favorite" question. Favorite movie, favorite band, favorite song, etc. Besides the fact that I don't have One Favorite anything, does anyone actually have life-long singular favorite things? How the hell should I know what my favorite movie was 3 years ago when I rushed through some account creation process on some random website?
You have to be a bit careful with that, since some banks like to use those answers as "second factors"* when you call them. So I've gotten in the habit of using diceware-style passphrases for those, as those work over the phone better than pure white noise passwords.
*extreme air quotes
This has actually worked for me more than once, so...yeah.
I find nonsense/ridiculous answers to be safer than random letters.
Make and model of first car? 2047 MAIBATSU MONSTROSITY
Where did you meet the love of your life? A METH-FUELED SWINGER PARTY IN A CHEAP MOTEL
Definitely more security, but _maybe_ slightly too far in the other direction.
It's like if a password field said 'no punctuation, maximum 8 characters' and your password was much longer with lots of characters; particularly if it looks random it could appear to be a corruption.
I imagine the range of given names gives most password entropy, so "family pet" might be the best question to choose, especially if you never had a family pet.
I also just avoid setting them wherever possible -- it's basically only for banks (some random website isn't going to get real answers to security questions).
The obvious corollary, though, is that there really are organizations with systems that use publicly available information about you, mixed with misinformation, to see if you can discern an "accurate-ish" answer (which is sometimes not correct at all, even if you know what they think the correct answer is), and they don't even give you options about what public information they're going to select to verify your identity.
It's usually a brief questionnaire about previous addresses, associated last names, states you paid your taxes in, and it deepens the impression that there are simply gaping, flawed security gaps at the core of everyone's financial factoids, because it's also sourced from poorly conceived paper-based bureaucratic files that never had any hope of being accurate from the outset.
The person on the other end of the phone had nothing to do with it.
In general, hopefully this uncooperative behavior adds to the general misery distributed throughout the world, and all just because security goons need to feel like they're smarter than the people subject to their policies.
Consider this, oh reader, should you have the opportunity to alter password policies for a project you're working on.
They call you up and pretend to be from your bank, then ask you to open your BankID app and verify your identity so that they can share some very important information with you.
You open your app, and ID yourself, thereby logging them into your bank account on their end.
It's disgusting how twisted these criminal activities have become.
Every alternative way in is a larger attack area.
Also, keep in mind that an adversary can grab your text messages even without any social engineering skills; they just need to rent a cell tower somewhere in the world and advertise your number as roaming there.
As you implied, it is probably safer to use a different number than your main one for SMS-based 2FA (the much-maligned security through obscurity), but before you go out and buy a second phone plan, consider issues such as whether you will be able to receive SMS messages while traveling internationally.
But the side effect of this is that you can't hijack a phone number unless you hijack the cell tower between it and the network.
The majority of human beings now manage important parts of their lives online, which means they have to remember passwords.
Humans are TERRIBLE at remembering passwords - those of us who use a password manager represent a fraction of a percent of those who need one.
Secret questions may be revoltingly insecure, but they do at least let people get back into their accounts. We need to do better, but I don't know what "better" looks like.
For other passwords people should just write them down and store them in a safe place (like in their desk at home).
Unless you are running a system intended as the user's primary email provider, 2FA + email covers basically all the things that "security question" auxiliary passwords are used for, with both better usability and better security. For high security cases, 2FA + in person recovery may be more appropriate.
I'd at least like the option to use Touch ID/Face ID only.
I have yet to see a site allow me to “correct horse battery staple” my password for instance (xkcd), which I’ve found very memorable.
This is the main problem and we created this problem. Over the last 30 years we worked so hard to make passwords weird and not even that hard for computers to find. If your password is a sentence that you know by heart, say your favorite quote, the motto of your country, of your school, or some cool fact etc... your password would be (1) safer and (2) easier for you to remember. That's what I do and I never have a hard time remembering my 4 to 6 word password. I just use a bunch of books/movies and remember my favorite quotes. For example "one ring to rule them all" is a good password, or "may the force be with you" or "call me ishmael".
A good password has entropy, which is not a property of the alphanumeric string but of the process used to create it. Could your password generation method plausibly have produced 2^60 alternative passwords with equal probability? Probably not.
Also, never reuse passwords.
ペルソナは心の力 - read as "perusona wa kokoro no chikara"
Then I've replaced it with the English spelling of Persona -> "persona wa kokoro no chikara"
Then I replace chikara with a misreading - when I first learnt the characters, I mixed up 力 (chikara) with the katakana カ (ka) and often read both as ka -> "persona wa kokoro no ka"
Then remove the (unneeded) spaces and add a "!" for good measure -> "personawakokoronoka!"
Dead easy for me to remember, but (I believe) difficult to derive/guess or dictionary attack (especially if I start with a longer sentence).
Or maybe "One And ring in to the rule darkness them bind all, them." in that it applies a personal transformation rule.
Or do both.
It's not as secure as other methods of password generation, but makes yours more resistant to (unabridged) dictionary attacks. If an attacker learns your personal salt, they could create a special dictionary attack just for your passwords, but this is another case of not outrunning the tiger when you can outrun your friend. Far easier to run the vanilla dictionary attack against everyone else who doesn't salt/transform.
Which is longer, the alphabet or the dictionary?
There's a hell of a lot more words in any language than there are characters that make them up.
N case-insensitive words are far better than an N-character password from the normal set of characters (alphanumeric + special characters).
Even if you restrict the combinations of words to grammatically correct sentences there are still more combinations than there are for the same number of characters.
That still holds even if you make assumptions about sentence structure, common word combinations, etc, etc. There's a lot of words out there.
You're using an analysis for random words, which is completely different.
Also in general a random word is worth around as much as two random characters. There's no clear-cut winner, use whatever you like more.
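The words-versus-characters argument above, and the earlier point that entropy is a property of the generation process rather than of the string, both reduce to the same arithmetic: picks × log2(pool size). The following script is an added illustration, not code from any commenter; the pool sizes are assumptions (7776 is the size of the standard Diceware list, 95 the number of printable ASCII characters, and the 10,000-quote pool is a constructed stand-in for "a famous quote an attacker's dictionary already contains").

```python
import math

# Assumed pool sizes for the comparison (constructed for this example).
DICEWARE_WORDS = 7776      # size of the standard Diceware word list
PRINTABLE_ASCII = 95       # printable ASCII characters
LOWERCASE_ONLY = 26        # a-z
FAMOUS_QUOTES = 10_000     # constructed: a cracking dictionary of well-known quotes


def process_entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy in a password built from `picks` independent, uniform
    choices out of `pool_size` possibilities. This measures the generating
    process; the length of the resulting string is irrelevant."""
    if pool_size < 1 or picks < 0:
        raise ValueError("pool_size must be >= 1 and picks >= 0")
    return picks * math.log2(pool_size)


def chars_equivalent_to_one_word(word_pool: int, char_pool: int) -> float:
    """How many uniform random characters carry as much entropy as one
    uniform random word drawn from `word_pool`."""
    return math.log2(word_pool) / math.log2(char_pool)


def picks_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of uniform picks from `pool_size` reaching target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def compare(target_bits: float = 60.0) -> dict:
    """Summarise what each generation process needs to reach target_bits."""
    return {
        "diceware_words": picks_needed(DICEWARE_WORDS, target_bits),
        "printable_chars": picks_needed(PRINTABLE_ASCII, target_bits),
        "lowercase_chars": picks_needed(LOWERCASE_ONLY, target_bits),
        # A quote is one pick from the quote pool, however long the text is.
        "famous_quote_bits": round(process_entropy_bits(FAMOUS_QUOTES, 1), 2),
        "chars_per_diceware_word": round(
            chars_equivalent_to_one_word(DICEWARE_WORDS, PRINTABLE_ASCII), 2
        ),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows that five Diceware words clear 60 bits while a well-known quote, however long, is worth about 13 bits under a dictionary model, and that one Diceware word is worth just under two printable ASCII characters, which is the "a random word is worth around two random characters" rule of thumb.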
> may the force be with you
> call me ishmael
These are all in my password cracking dictionary.
Was in a different country, got locked out, had to give my security question answer.... oh dear. After about 3 months of occasionally sitting down and just trying out random things I might have entered, I managed to get it back.
That's not great.
Apple still does this kind of crap. Actual questions:
In what city did your parents meet?
What is the first name of your best friend in high school?
Recently an airport public WiFi in a major city in Europe wanted my birthdate and the agreement language said that I acknowledge everything I'm stating is true and correct. It's so blatantly asinine. I didn't even bother to look if it cited some EU law that lying is a crime, I just said fuck it, and went without Internet for a few hours.
Not for users who've opted into two-factor authentication: https://support.apple.com/en-us/HT204915
From the page:
Do I still need to remember any security questions?
No. With two-factor authentication, you don't need to choose or remember any security questions. Your identity is verified exclusively using your password and verification codes sent to your devices and trusted phone numbers. When you enroll in two-factor authentication, we will keep your old security questions on file for two weeks in case you need to return your account to its previous security settings. After that, they will be deleted.
There are a lot of questions that can have provable right/wrong answers - assuming someone powerful is out to get you. Imagine that being used against someone!
This is not, by the way, a strictly government related concern. If you lie on a credit card application (and are caught), you're going to have a bad time. But the signed bit of the application is usually completely different from where you're asked to set up "security questions".
> I've always given false info to those, when I bother to fill them out at all
The average person, not trained in using password managers, won't do it. In fact, most password managers don't support those, so you need secondary secure storage. The chances of a layperson setting one up properly and consistently using it are close to zero.
> Nevertheless, my attitude is that I'll just make sure to retain the password.
The problem is, on some sites, if you know these questions you can just reset the password. Which is insane, but unfortunately happens.
Typically access to the account would come in a 2nd-factor form like clicking on a reset password link from an email account that is yours and previously configured for such service. Only then would you be allowed to provide a new password to recover the account. Brute force protections like allowing only a finite number of failed attempts are necessary.
Question: What was the name of your first cat?
Q: What city were you born in?
Q: What is your mom's maiden name?
and the like.
I'd normally be tempted to put in the same types of random passwords I normally use, eg:
> What was the name of the street you grew up on? L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj
Unfortunately, I've heard you can talk to customer support and say things like "I think I just typed in random garbage for that" and they'll accept it. Whether an attacker would know or try this I'm not sure, but I could also see a customer rep hinting towards this when they see it.
It's probably better to actually make up something plausible-sounding but incorrect, like "Summit Avenue". (Related: there's a website for this.)
So the customer support rep gave it to me! Judging by the code he told me, my wife had to have changed it at least 10 years ago (it was the name of her dead horse) and she had no recollection of doing so.
IOW, Dish had at least two different security codes under my account and they had no problem simply giving one out to someone on the phone who claims to be me. At least it actually was, in this case.
or even better
- "Dear support agent, DON'T reset my password on any security question!"
I also write "passport required" on top of all my bank saving books with a ballpoint pen.
i.e. your first car was a Bronco, security answer = hash('bronco'+secret).slice(6)
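The comment above sketches deriving each security answer from the true answer plus a personal secret. The script below is an added example, not the commenter's code, and it swaps in HMAC-SHA256 (the standard keyed construction) for the plain `hash('bronco'+secret)` concatenation; the demo secret, the 12-character default length and the base32 encoding (so the answer can be read out over a phone) are all assumptions. The secret would live in the password manager alongside the real answers.

```python
import base64
import hashlib
import hmac

# Constructed secret for the demo only; a real one is generated once and kept
# in the password manager.
DEMO_SECRET = b"demo-secret-not-for-real-use"


def normalize(text: str) -> str:
    """Collapse whitespace and case so 'Bronco' and '  bronco ' derive the
    same answer when the question is answered again years later."""
    return " ".join(text.split()).lower()


def derive_security_answer(question: str, true_answer: str,
                           secret: bytes, length: int = 12) -> str:
    """Deterministically derive a pseudo-answer for a security question.

    The derived string depends on the question text, the true answer and the
    secret; without the secret an attacker who knows the true answer
    ('Bronco') still cannot reproduce it."""
    # 32-byte digest -> 52 base32 characters once padding is stripped.
    if not 1 <= length <= 52:
        raise ValueError("length must be between 1 and 52")
    message = f"{normalize(question)}|{normalize(true_answer)}".encode("utf-8")
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # Lower-case base32 (a-z, 2-7) has no ambiguous characters and reads
    # aloud cleanly over the phone.
    encoded = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    return encoded[:length]


if __name__ == "__main__":
    answer = derive_security_answer("Make of your first car?", "Bronco", DEMO_SECRET)
    print(f"Make of your first car? -> {answer}")
```

Because the derivation is deterministic, nothing beyond the secret needs to be stored to regenerate an answer, and a different question or a different site's wording of the same question yields an unrelated answer.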
> What was the name of the street you grew up on? L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj
that's what I do too:
Mother's maiden name: jklqedwsfjkl;ewdfq;jklqwe
First car: iohwrqefhiokqwefiohp0u-0ui
and so on
Taxi (now Uber and Lyft) drivers in your city must have had lots of fun ;).
I have no idea if the random number generation is sufficient: https://github.com/BenWheatley/HighEntropyPassword
Documentation for the random module¹ prominently warns:
The pseudo-random generators of this module should not be used for security purposes. Use os.urandom() or SystemRandom if you require a cryptographically secure pseudo-random number generator.
There are two potential sources of problems, the seed and the PRNG. The seed should be OK, because Python will use urandom as long as it's available in the system. As for the PRNG, a non-secure one shouldn't be used in encryption because it has statistically predictable behavior, but as far as I know that requires access to the ciphertext, which isn't the case here.
Still, replacing random with SystemRandom is easy and would fix the problem.
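As an added example (not code from the linked repository or from any commenter), here is a passphrase generator that draws every choice from Python's `secrets` module, which is backed by the same OS source as `os.urandom()` and `SystemRandom`; the word list is a constructed 16-word stand-in for a real Diceware/EFF list, and the inserted 1-3 digit number at a random position mirrors the layout described further down the thread.

```python
import secrets

# Constructed miniature word list for the demo; a real generator would load a
# large list (e.g. the EFF or Diceware lists) from disk.
DEMO_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "marble", "saddle",
    "lantern", "pebble", "violet", "copper", "meadow", "falcon", "ember",
    "harbor", "quartz",
]


def generate_passphrase(wordlist, n_words: int = 5, separator: str = "-",
                        add_number: bool = True) -> str:
    """Build a passphrase from n_words uniform picks using secrets.choice.

    secrets.choice / secrets.randbelow are drop-in replacements for the
    random module's choice / randrange, so converting an existing script
    is usually a matter of changing the import."""
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates; picks would be non-uniform")
    if any(separator in w or w.isdigit() for w in wordlist):
        raise ValueError("words must not contain the separator or be purely numeric")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if add_number:
        # 0-999 as text is 1, 2 or 3 digits; slot position is chosen uniformly
        # among the n_words + 1 gaps, so neither length nor position is fixed.
        number = str(secrets.randbelow(1000))
        position = secrets.randbelow(n_words + 1)
        words.insert(position, number)
    return separator.join(words)


def parse_passphrase(passphrase: str, wordlist, separator: str = "-") -> dict:
    """Split a generated passphrase back into words and numbers, for checking."""
    parts = passphrase.split(separator)
    words = [p for p in parts if p in wordlist]
    numbers = [p for p in parts if p.isdigit()]
    return {"parts": len(parts), "words": len(words), "numbers": len(numbers),
            "all_recognised": len(words) + len(numbers) == len(parts)}


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDLIST))
    print(generate_passphrase(DEMO_WORDLIST, n_words=6, separator=" ", add_number=False))
```

With the 16-word demo list each word is only 4 bits, so this is for showing the mechanics; with a 7776-word list the same code gives about 12.9 bits per word plus the few bits contributed by the number and its position.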
People have lost a lot of bitcoins this way.
It might be okay for a security question, but better safe than sorry. Just use a secure generator for everything.
It all gets stored in the password manager anyway...
Sure it is, to remain in the same XKCD realm, this works fine:
More seriously, since you have your "random" numbers in non-fixed positions (due to the different lengths of the "random" strings/words, and also the numbers themselves can be 1, 2 or 3 characters long), even if the built-in algorithm is not "random" enough mathematically, I don't think that it will actually affect password discoverability.
It's not my job to avoid repeating public information like mother's maiden name, historical addresses, etc.
Nor is it my job to worry about whether a bank will bypass confirming "secret question" strings for anyone stating they're just random letters.
As a non-responsible third party to any possible identity-based fraud, the only thing I see the need/ability to do to protect myself is watch transactions on my accounts (automation helps here, eg OFX), and be prepared to send demand letters/sue the surveillance companies for libel if they start spouting off that "I" opened accounts that I did not.
Feeling any more responsible than this is just helping to continue their negligent/lazy/broken-ass business processes.
Assigning blame is something people do to make themselves feel better after bad things happen. Making it less likely for bad things to happen in the first place may or may not be worth the time and effort, but whether or not you're morally responsible is a pretty meaningless question.
Eh, not really. Assigning responsibility is how we align incentives to prevent things from happening in the first place. You are responsible for not disclosing your bank password. You are not responsible for repeating public information that a bank foolishly decided to consider an authentication token.
Personally fretting about whatever broken actions a bank decides to take uses up a disproportionate amount of your time, as you're unable to actually change them. And any success just encourages the bank to continue, as they suffer less from their own idiocy.
I just get this feeling that in the next few decades genetic code may become the pinnacle of biometrics as a part of multi-factor authentication. i.e. something I know, something I have, and something I am.
And DNA databases that are potentially loosely secured, or at least secured as well as credit bureaus' data, seem like a great way to unwittingly expose one's future self.
I bring this up because multi-factor authentication still seems to be a struggle to implement well for the masses, and while people here complain about these personal questions being insecure, I can't really think of a reason why genetic code won't become the ubiquitous standard for the vast majority of the population to prove their identity.
Yet here people are giving it away, and even paying for the privilege.
Like all biometrics, the most it should be used for is identification, never authentication.
You're still going to need a secret, and maybe also a token.
Not even free text, but only allowing a limited set of answers via dropdown menus (most of the provided answers don't apply to me either, so it's both insecure for them and hard for me to remember as well).
The official United response on FlyerTalk (linked from the Slate article) is naïve to say the least:
> We purposely chose to use preregistered answers as our first form of enhanced authentication to protect against this keystroke logging. We need to ensure that all of our customers have a high degree of security and our research also indicated that some customers had self-entered security answers that would be very easy to guess.
I give arbitrary answers that would make sense to something like an AI. Like, "Q: Who was your father's first employer? A: Avocado flesh" or "Q: What is your mother's maiden name? A: Rutherford B. Hayes"
Of course, all such answers are stored in my password manager.
My approach to this problem is, given the fact that I use a password manager, the following: I choose a random question from the proposed set, and then generate a random password and use it as a "secret answer". Given the fact that 99% of the time the security question will be checked by a computer, the security question effectively becomes a secondary password.
But as I write I am just realizing that the security question is probably not stored in a secure manner (salt + hash) anyway, so in the event of a data leak well that account is f*ed up anyway.
Also, this has always seemed problematic to me: my secret question is supposed to be something I "just know" but... Let's assume the question is "who was your favorite teacher at elementary school" and my answer is "Mrs Chtulu"... What if I come back in a year and instinctively type "Miss Chtulu"? Do I have to remember the spelling I used? The capitalization? What if when I was 13 I did not bother capitalizing names and surnames properly but now I do?
 - if I happen to lose the password file, I'm probably in the middle of way bigger problems.
Same goes for searching your phone numbers, physical addresses and your email address (preferably in double-quotes for an exact match) -- I discovered mine stashed in a blog full of random email address in which my ID was a part of -- reported it to Google and it was gone in a couple of days.
I perform this 'exercise in privacy' once every three months -- which for me is the average time in which I sign-up for a new service or product using my primary email address; YMMV.
A related article for those who're interested (shameless plug) -- https://abhishekbalaji.wordpress.com/2016/09/24/why-you-shou...
My apologies, should have made that clear in my earlier response.
I typically agree with him but this just seems like attacking the wrong problem.
I still abide by the old idea that you never share personal information on the Internet.
And then if you do a password recovery, they email you a new password (which is like 6 characters) WHICH YOU THEN CAN'T CHANGE (except if they email you another new one).
It's a joke. I had to come up with a security question so I just make them sarcastic: "In what world is this secure?"
Things like: What's your favorite vacation spot? What's your favorite food?
Often you're stuck having to choose between something other people know or can figure out (where you were born) and something that may well change over time.
What is your third favorite vacation spot? Would you rather fight a horse-sized duck or 100 duck-sized horses? For how much money would you go to jail for 1 year?
One interesting alternative that's been presented recently is Mooney Images. The example images in the linked slides are fun to test out on yourself and others. They rely on a user's implicit memory of visual imagery and while they are also susceptible to similar sorts of side-channel inquiries, they would be much more obvious.
Instead of urging people to NOT reveal details about their life such as their first pet’s name, you should urge them to answer all password reset questions with at the very least irrelevant answers, or a password reset password.
Better security: Do give away many different fake historic details about yourself.
This contains both scenes - how they steal the information and how they abused it.
I am paranoid about back ups because if god forbid I lost that vault, there are accounts that would be permanently lost to me.
I started to enter passphrases instead
While the risk isn't great (it just gives you 3 more attempts), it still feels weird.
"Make of first car?" There are only so many vehicle brands reasonably accessible in a geographical area - not hard to brute force.
"City of birth?" Common knowledge among all my friends.
It's too easy.
An appropriate answer to "Make of first car?" would be something like "red &5 Blueberry."
We finally have a plausible answer to how computers a thousand years from now will be able to reconstruct the details of your life: security questions.
Also, I can’t believe how stupid some of these sites’ questions are. While I always make up the answers, frequently they require at least 3 questions and only 1 or 2 even apply to me (assuming I answered truthfully)! And one airline wanted FIVE of them!!!
e.g. I learned to drive stick-shift on your mother.
My first pet was your mother.
My special furry friend is your mother.
And so forth.
The pros just download the entire user table in one go. They don't care what your first pet's name was.