Don't give away historic details about yourself (krebsonsecurity.com)
532 points by zeveb 10 months ago | 200 comments

The whole "secret question" thing seemed to me to be a completely stupid idea from the start. "Hey, give us a password. If you forget your password, give us a much, much less secure way to access your account."

I've always given false info to those, when I bother to fill them out at all. If necessary, I just store this false info along with the password in the encrypted file I keep my passwords in. The security questions they use are often easily guessable (although it seems now they are using somewhat better questions). Nevertheless, my attitude is that I'll just make sure to retain the password.

I get the possible security risk of answering quizzes on places like Facebook, but I've done it a few times because it's fun. It all boils down to passwords being a hassle. Almost anything you do to make dealing with passwords easier makes them less secure, but there's nothing better. The only improvements over passwords come from additional authentication factors, like having to grab a code messaged to your cell-phone, or using one of those little security token devices (or the software equivalent). I don't think anything is going to be replacing passwords any time soon.

I used to answer secret questions with bogus answers that I deemed unguessable. Then I discovered that when my bank asks me the questions back it does multiple choice, displaying the answer I gave along with 4 other possible options! Sometimes my answer would not be shown and the correct answer is "none of the above", but otherwise my answer sticks out like a sore thumb.

Who in the world thought this was a good idea!? I can hardly think of a less secure way to ask security questions. You should name and shame; there’s a minimum bar everyone should uphold and this is far below it.

The problem they were trying to solve is someone typing in “Woodbridge Lane” as the answer and then later typing “Wood Bridge” or “Woodbridge Ln” or “Woodbridge Ln.” when prompted.

This was the wrong solution.

The real problem is that "security questions" are bad security.

Because calculating a Levenshtein distance is too complicated...

Still rather unsafe, right? "Cambridge" would be closer to "Woodbridge" than "Woodbridge Lane".

But randomly guessing Cambridge is not that likely. A bit of a pointless exercise though since security questions are dumb.

Someone who had no skin in the game.

If my bank had such weak security I wouldn't want to tell the internet where I bank.

This, too, was my problem. I don't want to give out real answers to my security question for two (slightly contradictory) reasons. The first is: what if this site is hacked? Now my security question answers are floating around for use on other sites that ask similar questions. The second is: some of these questions are pretty easy to find the answer to, or guess. So I used a generated string for those questions, too. Generally worked, but sometimes made for some interesting phone calls. "My mother's maiden name is <random string>. You can guess why she took my father's."

Then they started reading back random choices, which made it pretty easy to guess what I picked.

I have a third problem -- oftentimes, the list of questions they ask are nonsense to me. "What is your favorite food?" I don't have a favorite, and can't think of anything that I'd remember later. "What was the name of your first pet?" I never had a pet. "What was the name of your high school sweetheart?" Gee, thanks a lot for stirring up bad memories.

Here's a fourth that was actually responsible for me starting to just use generated passwords for those as well. They told me my answer wasn't valid.

According to them, it's impossible for your mother's maiden name to have less than six characters :/

Funny story - I had an old short-length insecure password on a website that I hadn't used for years.

I decided to log in and change it to a randomly generated secure password. However, they had upgraded their off the shelf software some time over the last 4-5 years to a newer version.

The problem was, on their password change page the "new password" field had a minimum length of 8 characters, however the "OLD password" field also had that exact same requirement.

So I put in:

* Old: 12345

* New: 717&t!1XFCWJWk!q@ut3B

* Confirm: 717&t!1XFCWJWk!q@ut3B

And got an error "your password must be 8 characters or greater".

After swearing a few times, I breakpointed and edited the javascript validation to remove the length requirement and submitted the change again - this time got a server-side error saying the same thing.

I ended up beating it by logging out, clicking "I've forgot my password" and resetting it via email.

> edited the javascript validation

You probably broke law there O_O

How can there be a law that prevents running arbitrary code on my own box?

I had a similar experience with a city bill pay website, except in this situation it was a new account and they simply didn't prevent me from setting the password to something long in the first place, so once my account was created I wasn't allowed in. And because you need to log in once to verify your email, I couldn't reset the damn thing either.

Oh no! My mother's maiden name is _invalid_!

Just go with the snark and put in a joke answer that you will find funny. Some of my security questions are hilariously inapplicable, so the first silly, snarky thing I think up is likely to be memorable. It is also a little hard to guess unless you know me really well to an unlikely degree, and it won't stick out as much as a sore thumb in multi-choice situations.

Except too often the strings have to exactly match. That has turned out to be a problem for me with longer answers.

Yesterday, I was logging onto the Australian MyGov site, and forgot the password. It sent an SMS code for reset to my mobile phone, but then would not let me proceed without answering the secret questions. I usually put the last word of the question sentence as the answer itself because I can't be bothered, but it was not the case this time. Not a great experience when they threaten lockout of the account, and you have to go link all services again on a new account. Also, the site has no option to change the mobile number for the SMS code, and you will have to create a new account if you change your number.

MyGov is a dumpster fire of bad choices.

Some of it is legacy - integrating systems built throughout the last three decades.

Some of it is management - they fired multiple teams partway through, with 100% turnover. They also massively underfunded said teams, devoting the majority of funding to PR. Also some... Interesting technical policies, like banning version control and advocating regular backups instead. (Something to do with code "theft protection").

Some of it was technical issues - different integration teams were given different browser compatibility goals. Some teams were told they must use PHP and Apache, others they must use NodeJS and nginx. Often for related parts of the UI.

If you want to know how to screw up a multi-million dollar project, look no farther.

(Source: Worked with a team leader during one of the "fire everyone" times.)

> banning version control

wtaf. embarrassed to be aussie

holy crap, NOW it makes sense.

yup, folks should give plausible but wrong answers to those questions and then put them in your password manager because you'll definitely forget.

Right. That's the obvious solution.

Then don't make it stick out.

Some people think they're too smart for putting a random string as their mother's maiden name. I'd rather just put something that looks like a name there.

What bank is it?

I agree with you and for accounts that matter (bank, etc), I'll generally generate additional passwords with my PW manager for each question and store them there.

That said, I have a peeve with one of the standard questions they ask, which is the "favorite" question. Favorite movie, favorite band, favorite song, etc. Besides the fact that I don't have One Favorite anything, does anyone actually have life-long singular favorite things? How the hell should I know what my favorite movie was 3 years ago when I rushed through some account creation process on some random website?

> I'll generally generate additional passwords with my PW manager for each question and store them there.

You have to be a bit careful with that, since some banks like to use those answers as "second factors"* when you call them. So I've gotten in the habit of using diceware-style passphrases for those, as those work over the phone better than pure white noise passwords.

*extreme air quotes

I also generate additional passwords, but after reading my additional password over the phone to an agent that pretty clearly would have accepted (it's gibberish), I've since started storing what I deem to be a reasonable answer to the question. A random movie for the 'favorite movie' question, random name for best friend, etc.

That's probably the best solution. It would be nice to have a dictionary of answers to these sorts of things (a dictionary of names, a dictionary of cities, etc) to quickly generate these in a truly random way to try and eke a little bit more entropy out of it.

That's a good point, and a great reason to try the "make pronounceable" option on my password generator.

KeePassXC comes with a Password Generator button in the toolbar and has a Passphrase option. Just max out the word count and choose your new favourite for each account.

They stop making new movies when you answer that question, thus ensuring your answer will remain valid.

That still doesn't stop you stumbling across an older film that you've never watched before, and then finding that you like it more than your "favourite".

Wait, you answer the question before having seen every single movie? How irresponsible.

I tried my best but the session timed out before I had even finished one movie.

Simple - we'll destroy every film in existence after you've asked that question. You get to be "the movie guy". That guy over there is "the book guy". The one in the corner who everybody hates? He's the one who had to use his first girlfriend's name...

The ones I love are those with questions like "What was the first city you visited" and they give you a multiple choice of like ten cities, none of which you may ever actually have visited.

Bruce Springsteen - Born in the USA lifelong favorite song. (although I must say that the Eye of the Tiger comes very very close)

Now we know your age, too!

And a pretty strong hint to "his" gender...

When I signed up for a new bank account the bank rep had me set up online banking on their computer. When she asked me for my security questions and answers she was baffled when I told her the question selected didn't matter, and the answer was a seemingly random alphanumeric string. I told her that I don't know her, or her machine. For now, I'll be setting it as a quick, easy-for-me-to-remember string and I'll change it to a different one when I get home.

I do this too, I was told to add something like "PLEASE MATCH THIS TEXT, THIS IS NOT A RANDOM STRING" at the beginning. Apparently when some very incompetent bank workers ask your security questions, if the fraudster says "oh it was just a random string, I do not remember" they give access to your account.

> Apparently when some very incompetent bank workers ask your security questions, if the fraudster says "oh it was just a random string, I do not remember" they give access to your account.

This has actually worked for me more than once, so...yeah.

I find nonsense/ridiculous answers to be safer than random letters.

Make and model of first car? 2047 MAIBATSU MONSTROSITY

Where did you meet the love of your life? A METH-FUELED SWINGER PARTY IN A CHEAP MOTEL
My problem with that is remembering and generating it. First problem is easy to solve with password managers but you still have to generate an ideally long car name with no bias. If you put some bias, then it might be backtracked. You can have a dictionary of possible car names but then you're open to attack if that dictionary is found or predictable enough that someone else can compile that list. It just doesn't feel secure enough to me.

A security question doesn't need to have a huge amount of entropy. It's probably not hashed in the first place, so computerized brute forcing isn't a worry. It just needs to stand up against a limited number of fake logins or password reset attempts.

What about those programs that generate a Markov model out of a corpus of text? You could use that to generate the answers (provided the randomness source is secure).

To be fair, to actually exploit this the scammers would have to know you put in a random string. A human customer service process is not really subject to dictionary attacks.

Except customer service is often trying to help you remember, and you can guess a few times.... a scammer will say something like, "Oh man, I can't remember what I picked... sometimes I choose a random car model, but sometimes I just put random characters", and if either is true, the customer service rep might confirm it.

Incidentally, I've also had customer service go the other way. I was doing a security check, and one of the questions was how long have you lived at your current address. We moved when I was about 10, so I said "I think it's XX years, let me double check: Mum, how long have we lived here, is it XX or XX+1 years?", only to get "It has to be YOUR answers". Despite knowing all the other relevant answers (random characters of password, memorable name and date, amount of last Direct Debit, down to the pence, first line of address and post code) first time and without prompting, it ended up with my account being locked.

Definitely more security, but _maybe_ slightly too far in the other direction.

Mistakes happen, people mis-key, database entries get put in the wrong field, ... I imagine that if the entry didn't match the format for the field then you're open to the bank clerk being socially engineered more easily.

It's like if a password field said 'no punctuation, maximum 8 characters' and your password was much longer with lots of characters; particularly if it looks random it could appear to be a corruption.

I imagine the range of given names gives most password entropy, so "family pet" might be the best question to choose, especially if you never had a family pet.

For that reason I basically use a fake identity for security questions - all perfectly plausible answers, but actually have nothing to do with me. It's not as secure, because they are shared, but it at least removes the ability to research the answers.

I also just avoid setting them where ever possible -- it's basically only for banks (some random website isn't going to get real answers to security questions).

You could have predefined mappings of characters to strings so that they appear non-random, e.g. SBNLWPXMZ -> Seattle Boston Newcastle Lagos Washington Paramaribo Xanadu Montreal Zagreb.
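Several comments above circle the same idea: pick answers that look like real answers, draw them from a list at random rather than from your own biases (the "dictionary of names, dictionary of cities" suggestion), keep them in the password manager, and, per the remark that a human reset process only needs to survive a handful of guesses, size the entropy accordingly. The comment just above adds a trick for making a random letter string read like a list of cities. The block below is an added example, not any commenter's code; the word lists are constructed stand-ins for the much larger lists you would actually use.

```python
import math
import secrets

# Constructed sample lists. Real lists would hold thousands of entries; the
# entropy arithmetic below takes the list size as a parameter for that reason.
FIRST_NAMES = ["Alice", "Bruno", "Carmen", "Dmitri", "Esme", "Farid", "Greta", "Hiro",
               "Ines", "Jonas", "Kofi", "Leila", "Mateo", "Nadia", "Olu", "Priya"]
CITIES = ["Adelaide", "Bergen", "Cusco", "Dakar", "Esbjerg", "Faro", "Girona", "Hobart",
          "Izmir", "Jaipur", "Kigali", "Lagos", "Malmo", "Nantes", "Oulu", "Porto"]


def random_answer(wordlist, words=1):
    """Draw `words` entries uniformly with the CSPRNG, so the choice carries no
    personal bias an attacker who knows you could exploit."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def answer_bits(list_size, words):
    """Entropy of `words` uniform picks from a list of `list_size` entries."""
    return words * math.log2(list_size)


def answers_needed(target_bits, list_size):
    """How many list entries to string together to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


# The letter-to-word mapping from the comment above: each letter of a random
# string is replaced by a fixed word starting with that letter, so the answer
# reads like a list of cities but is exactly as strong as the letter string.
CITY_BY_INITIAL = {city[0]: city for city in CITIES}   # 'A'..'P', 16 symbols


def encode_letters(letters):
    return " ".join(CITY_BY_INITIAL[ch] for ch in letters)


def decode_initials(answer):
    """Recover the letter string: the words' initials, which makes the
    encoding reversible without storing the mapping next to the answer."""
    return "".join(word[0] for word in answer.split())


def random_encoded_answer(length):
    letters = "".join(secrets.choice(list(CITY_BY_INITIAL)) for _ in range(length))
    return encode_letters(letters)


if __name__ == "__main__":
    print("best friend:", random_answer(FIRST_NAMES, 2), "bits:", answer_bits(len(FIRST_NAMES), 2))
    print("first city:", random_encoded_answer(3), "bits:", answer_bits(len(CITY_BY_INITIAL), 3))
    print("names needed for 30 bits from a 1000-name list:", answers_needed(30, 1000))
```

Two names from a 1000-entry list give about 20 bits, which is far more than a rate-limited phone or web reset flow lets anyone burn through, while still being something you can read to an agent without explaining that it is "not a random string".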

So use passphrases that adhere to your security requirements (upper/lower/symbol etc)

Hashing a salted string of "an answer" usually works. Phone operators try to ask you the question, though, and you sit there for five minutes reading off hundreds of characters, and everyone is suddenly having a bad day, which I find hilarious. The people that expect you to maintain retardedly formatted passwords with stupid character mixtures, and expiration/re-use rules are obstacles, and I like making them as miserable as they make me.

The obvious corollary though, is that there really are organizations with systems that use publicly available information about you, mixed with misinformation, to see if you can discern an "accurate-ish" answer (which is sometimes not correct at all, even if you know what they think the correct answer is), and they don't even give you options about what public information they're going to select, to verify your identity.

It's usually a brief questionnaire about previous addresses, associated last names, states you paid your taxes in, and it deepens the impression that there are simply gaping, flawed security gaps at the core of everyone's financial factoids, because it's also sourced from poorly conceived paper-based bureaucratic files that never had any hope of being accurate from the outset.

>The people that expect you to maintain retardedly formatted passwords with stupid character mixtures, and expiration/re-use rules are obstacles, and I like making them as miserable as they make me.

The person on the other end of the phone had nothing to do with it.

For me, as an early stage startup, my devs are actually doing some customer service. I find it has helped our UI/UX immensely because they have to deal with all the problems directly. I actually think it is a great idea to let your developers spend at least a little bit of time each week (or day) doing customer service. It's amazing how much faster little bugs get fixed and processes get streamlined.

My hope is that the ambient animosity seeps through, via high turn-over, leading to increased personnel costs for the organization.

In general, hopefully this uncooperative behavior adds to the general misery distributed throughout the world, and all just because security goons need to feel like they're smarter than the people subject to their policies.

Consider this, oh reader, should you have the opportunity to alter password policies for a project you're working on.

Clearly you haven't done customer support, if you think having to listen to a long string of characters is what's going to break them :)

SMS-based 2FA should be avoided as much as possible, since there are many ways to take over a phone number and get a hold of the code. Passwords, while being a huge hassle, are probably going to be the de facto authentication mechanism for sites and services (unfortunately). Maybe some sort of distributed PKI authentication + 2FA combo would be an interesting solution, but the problem would be adoption.

In Norway we have "BankID" which is a 2FA solution for authentication and digital signature. It started as a normal 2FA solution with a hardware token combined with username (social security number) and password. A few years ago they introduced a mobile solution where you don't get a SMS or get prompted by an app, but rather it's some kind of functionality on the SIM card. Very convenient and works on all banks, most finance institutions and everywhere else you need to sign things.

Lately there have been attacks on BankID in Sweden.

They call you up and pretend to be from your bank, then ask you to open your BankID app and verify your identity so that they can share some very important information with you.

You open your app, and ID yourself, thereby logging them into your bank account on their end.

In fact this is a method of stealing people's investment accounts -- a victim with an investment account is identified. That person's phone number is then "captured". The investment account asks for 2FA and the thief now has that phone #, and "authenticates." The next step is to transfer all the money in the account to a third party and disappear.

It's disgusting how twisted these criminal activities have become.

I remember reading about an activist that had all of their online accounts wiped by this very mechanism. They had 2FA protecting everything, but someone called their cellular carrier and switched their account over to a new SIM. They then did password resets on all the accounts and wiped them.

Every alternative way in is a larger attack area.

You mean how incompetent the banks have become? Everyone has a phone that can run a proper 2FA app like Authenticator. Using SMS is inexcusable.

I got a Yubikey a few weeks ago and thought I'd switch to an online bank that offered Yubikey login... I spent hours looking and couldn't find any. Not even one. Couldn't even find any offering Google Authenticator. I saw that a few of the biggest banks will ship you an RSA token/similar device if you ask, but not quite what I had in mind.

How does the phone number get identified? You would think that'd be confidential.

I'm assuming "SMS" means true, original SMS. Most people with iPhones, for instance, are using encrypted iMessage, but the code sent to you from a service provider (Microsoft, etc) will be done over straight SMS, not iMessage. Those basic SMS messages can be intercepted by a duplicated SIM card or setting a phone up with different firmware to basically listen to everything around it, including receiving SMS messages. This is probably not casual identity theft tactics though, right? I wonder if mainstream providers shouldn't start using things like Signal and WhatsApp for the 2FA code rather than SMS.

SMS can also be captured by calling the customer service for your cell company and saying "I'm out of the country and lost my phone, can you forward texts to INSERT NUMBER HERE for me?"

use a burner sim like: https://www.twilio.com/wireless/pricing. presumably Twilio is harder to social engineer than [big telecom]

The Twilio SIM card is not as useful as you might expect. Unfortunately, Twilio cannot receive SMS messages from short codes [1], which are often used by the kinds of places (banks etc) that rely on SMS for 2FA.

Also, keep in mind that an adversary can grab your text messages even without any social engineering skills; they just need to rent a cell tower somewhere in the world and advertise your number as roaming there [2]

As you implied, it is probably safer to use a different number than your main one for SMS-based 2FA (the much-maligned security through obscurity), but before you go out and buy a second phone plan, consider issues such as whether you will be able to receive SMS messages while traveling internationally.

[1] https://support.twilio.com/hc/en-us/articles/223181668-Can-T...

[2] https://news.ycombinator.com/item?id=16773171

You could use https://jmp.chat/ instead - JMP does support short codes, and you can use it anywhere you have Internet access, regardless of whether you have a SIM or not.

Depends on your country doesn’t it? Where I live you need to identify yourself with your national 2factor ID if you want to do anything phone related. Both for security reasons, but also because of big brother tracking us.

But the side effect of this is that you can’t hijack a phone number unless you hijack the cell tower between it and the network.

Doesn’t 2fa mean password + phone? How is getting the phone sufficient?

You can often reset the password if you can intercept the chosen token generator, like SMS.

I agree, secret questions are dumb... but what are the alternatives?

The majority of human beings now manage important parts of their lives online, which means they have to remember passwords.

Humans are TERRIBLE at remembering passwords - those of us who use a password manager represent a fraction of a percent of those who need one.

Secret questions may be revoltingly insecure, but they do at least let people get back into their accounts. We need to do better, but I don't know what "better" looks like.

Even if humans were excellent at remembering passwords - I look into my pwd manager and I have over 500 passwords. OK, I am not a common case - I have passwords from various systems, logins, keys, etc. there. But even a common person can have accounts on a hundred sites. And now add rotation requirements. Nobody outside of trained mnemotechnic performers can remember those - and keep them up to date for years. It's just not humanly possible in the current environment. Either you use one password virtually everywhere, or you don't remember any of them.

If it is a password to a bank account or a brokerage account I would love to be able to set the system up to only be able to reset my password in person at a branch or office. Charge me for the reset if you think it's too expensive to have that service for free.

For other passwords people should just write them down and store them in a safe place (like in their desk at home).

> I agree, secret questions are dumb... but what are the alternatives?

Unless you are running a system intended as the user's primary email provider, 2FA + email covers basically all the things that “security question” auxiliary passwords are used for, with both better usability and better security. For high security cases, 2FA + in person recovery may be more appropriate.

I'd love the option to at least use Touch ID. Facebook is a huge example. I have a long complicated password, and when I switch Messenger accounts, it likes to ask for it. Why can't I just use my thumbprint and Touch ID? Same with Barclays. The app wants my password 2/3 of the time, even though I have it set to use Touch ID.

I'd at least like the option to use Touch ID/Face ID only.

Trusted third parties with time lock and N of M confirmations for unlock. Nominate contacts that can jointly unlock your account after a set delay.
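The comment above proposes social recovery: nominated contacts who can jointly unlock the account, but only N of M of them together and only after a delay the owner can use to cancel a fraudulent request. The block below is an added example (not the commenter's design or any product's implementation) of the two mechanisms that idea needs: Shamir secret sharing over a prime field, so that any `threshold` of the issued shares reconstruct the recovery secret and fewer reveal nothing, and a time-locked request object that refuses to finalize until both the quorum and the delay are satisfied. The field prime and the share format are assumptions of this example.

```python
import secrets

# Assumed field: the Mersenne prime 2^127 - 1. Any recovery secret must be an
# integer below it (e.g. a 16-byte key interpreted as an int).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, shares):
    """Issue `shares` points on a random degree-(threshold-1) polynomial whose
    constant term is the secret. Any `threshold` points recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares this
    still returns a value, just a uniformly wrong one, so quorum must be
    enforced by the caller (see DelayedRecovery)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


class DelayedRecovery:
    """Time-locked N-of-M recovery: a request opens a window during which the
    real owner can cancel; contacts confirm by submitting their share; the
    secret is released only after quorum AND delay are both met."""

    def __init__(self, threshold, delay_seconds):
        self.threshold = threshold
        self.delay = delay_seconds
        self.requested_at = None
        self.collected = {}

    def request(self, now):
        self.requested_at = now
        self.collected = {}

    def cancel(self):
        # The legitimate owner, alerted to a request they did not make.
        self.requested_at = None
        self.collected = {}

    def confirm(self, share):
        if self.requested_at is None:
            raise PermissionError("no open recovery request")
        x, y = share
        self.collected[x] = y          # de-duplicates a contact confirming twice

    def ready(self, now):
        return (self.requested_at is not None
                and len(self.collected) >= self.threshold
                and now >= self.requested_at + self.delay)

    def finalize(self, now):
        if not self.ready(now):
            raise PermissionError("quorum not reached or delay not elapsed")
        return recover_secret(list(self.collected.items()))


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(16), "big")
    issued = split_secret(key, threshold=3, shares=5)   # one share per contact
    rec = DelayedRecovery(threshold=3, delay_seconds=72 * 3600)
    rec.request(now=0)
    for share in (issued[0], issued[2], issued[4]):
        rec.confirm(share)
    print("ready at t=0:", rec.ready(0), "ready after 3 days:", rec.ready(72 * 3600))
    print("recovered:", rec.finalize(72 * 3600) == key)
```

The delay is what turns "three friends were socially engineered" into "three friends were socially engineered and the owner ignored the alert for three days", which is the property the comment is after.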

No...humans are terrible at remembering passwords given inane “security” requirements that vary from site to site.

I have yet to see a site allow me to “correct horse battery staple” my password for instance (xkcd), which I’ve found very memorable.

There's an easy trick for that: you use a random password of that style, then you add some weird characters at the end to comply, like "A!5#" - but you use the same weird characters for every site, so you only need to memorize a single sequence.

Except for the sites which prohibit special characters, or limit to a max of 16 characters (I ran into this last week, was genuinely surprised it was still a thing).

> Humans are TERRIBLE at remembering passwords

This is the main problem and we created this problem. Over the last 30 years we worked so hard to make passwords weird and not even that hard for computers to try to find. If your password is a sentence that you know by heart, say your favorite quote, the motto of your country, of your school, or some cool fact etc... your password would be (1) safer and (2) easier for you to remember. That's what I do and I never have a hard time remembering my 4 to 6 word password. I just use a bunch of books/movies and remember my favorite quotes. For example "one ring to rule them all" is a good password, or "may the force be with you" or "call me ishmael".

Are you kidding? Those are terrible passwords, and there’s already some script kiddie out there with a password list containing the top 10 billion book, music, tv show, and movie quotes.

A good password has entropy, which is not a property of the alphanumeric string but of the process used to create it. Could your password generation method plausibly have produced 2^60 alternative passwords with equal probability? Probably not.

Also, never reuse passwords.

"One ring to rule them all" is a terrible password, but "the dark lord's unique jewelry" might be a good one.

For passwords I need to remember (rather than just putting in my password manager), I've taken to using lines from foreign content, especially if it's something I've translated myself or I've introduced some deliberate misreadings in. I imagine very few dictionaries would have "personawakokoronoka!" in them (not a password I've used, but illustrates the idea). Derived from:

ペルソナは心の力 - read as "perusona wa kokoro no chikara"

Then I've replaced it with the English spelling of Persona -> "persona wa kokoro no chikara"

Then I replace chikara with a misreading - when I first learnt the characters, I mixed up 力 (chikara) with the katakana カ (ka) and often read both as ka -> "persona wa kokoro no ka"

Then remove the (unneeded) spaces and add a "!" for good measure -> "personawakokoronoka!"

Dead easy for me to remember, but (I believe) difficult to derive/guess or dictionary attack (especially if I start with a longer sentence).

"Blamm0!One ring to rule them all" would be better, in that it adds a personal salt. If your personal salt satisfies length and character class requirements by itself, so much the better.

Or maybe "One And ring in to the rule darkness them bind all, them." in that it applies a personal transformation rule.

Or do both.

It's not as secure as other methods of password generation, but makes yours more resistant to (unabridged) dictionary attacks. If an attacker learns your personal salt, they could create a special dictionary attack just for your passwords, but this is another case of not outrunning the tiger when you can outrun your friend. Far easier to run the vanilla dictionary attack against everyone else who doesn't salt/transform.

Are you kidding?

Which is longer, the alphabet or the dictionary?

There's a hell of a lot more words in any language than there are characters that make them up.

N case insensitive words is far better than N character password from the normal set of characters (alphanumeric + special characters).

Even if you restrict the combinations of words to grammatically correct sentences there's still more combinations than there are for the same number of characters

That still holds even if you make assumptions about sentence structure, common word combinations, etc, etc. There's a lot of words out there.

If you're using a famous quote, after a few words you're adding next to zero entropy per word.

You're using an analysis for random words, which is completely different.

Also in general a random word is worth around as much as two random characters. There's no clear-cut winner, use whatever you like more.

> one ring to rule them all

> may the force be with you

> call me ishmael

These are all in my password cracking dictionary.
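The exchange above makes three quantitative claims worth checking: that a famous quote is a dictionary entry rather than a secret, that entropy is a property of the generation process (could it have produced 2^60 alternatives?), and that one random word is worth roughly two random characters. The block below is an added example, not any commenter's code; the quote list is a constructed four-entry stand-in for the billions-of-entries cracking dictionaries mentioned, and the alphabet and word-list sizes (94 printable ASCII characters, the 7776-word Diceware list) are assumptions stated in the code.

```python
import math
import re

# Constructed miniature "cracking dictionary". A real one holds billions of
# book, film, song and scripture lines; the point is that membership, not
# length, decides whether a quote is guessable.
QUOTE_DICTIONARY = {
    "one ring to rule them all",
    "may the force be with you",
    "call me ishmael",
    "to be or not to be",
}


def canonical(phrase):
    """Lower-case, strip punctuation and collapse whitespace, the same
    normalization a cracker applies before the lookup."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", phrase.lower()).split())


def in_quote_dictionary(password):
    return canonical(password) in QUOTE_DICTIONARY


def bits_for_one_of(candidates):
    """Entropy of picking one item uniformly from `candidates` alternatives:
    a quote from a 10-billion-line list is about 33 bits, however long it is."""
    return math.log2(candidates)


def random_chars_bits(length, alphabet_size=94):
    """Entropy of `length` characters chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def random_words_bits(count, wordlist_size=7776):
    """Entropy of `count` words chosen uniformly from a Diceware-sized list."""
    return count * math.log2(wordlist_size)


def chars_per_word(alphabet_size=94, wordlist_size=7776):
    """How many random characters one random word is worth."""
    return math.log2(wordlist_size) / math.log2(alphabet_size)


def meets_target(bits, target=60):
    """The 2^60-alternatives test from the thread, as a yes/no check."""
    return bits >= target


if __name__ == "__main__":
    for pw in ["One ring to rule them all!", "the dark lord's unique jewelry"]:
        print(f"{pw!r}: in dictionary = {in_quote_dictionary(pw)}")
    print("one of 10^10 quotes:", round(bits_for_one_of(10**10), 1), "bits")
    print("8 random chars:", round(random_chars_bits(8), 1), "bits")
    print("5 random words:", round(random_words_bits(5), 1), "bits")
    print("one random word ~", round(chars_per_word(), 2), "random chars")
```

Five Diceware words clear the 60-bit bar; eight random printable characters do not; and a quote, however long, is worth only the log of the size of the list it was taken from.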

I nearly lost my google account that way. I gave a nonsense answer totally unrelated to the question as I knew I would never forget my password.

Was in a different country, got locked out, had to give my security question answer.... oh dear. After about 3 months occasionally sitting down and just trying out random things I might have entered I managed to get it back.

I've lost an account on another service this way. They did a forced password reset. To set a new password, you had to go through the forgot password flow, receive the email, and then answer the security questions. You would think that if the passwords were compromised, the (probably plain text) security questions were certainly compromised.

I do the same. Once, a bank asked me over the phone what my high school mascot was (or whatever) to verify that I was really me. I hadn't expected them to use the question in this way, so I wasn't prepared to look up my answer. Knowing whatever randomly generated string I'd used was likely unpronounceable I answered, "I could teach you to pronounce it, but first you'd need to cut out your tongue." which they accepted.

> which they accepted

That's not great.

Yeah, this is why I use "lies" rather than "randomly generated string".

I confirm here. Another bank accepted for me.

This happened to me but I’d chosen the “write your own question” option, so the lady asked me “what is [childhood imaginary friend]’s middle name?” I told her the answer and she said “that was cute.” I never expected an actual person to ask me the question!

Exactly. But having to come up with fake answers to stupid questions and track them, is just proof of how bad some people are at their job.

Apple still does this kind of crap. Actual questions:

In what city did your parents meet? What is the first name of your best friend in high school?

Recently an airport public WiFi in a major city in Europe wanted my birthdate and the agreement language said that I acknowledge everything I'm stating is true and correct. It's so blatantly asinine. I didn't even bother to look if it cited some EU law that lying is a crime, I just said fuck it, and went without Internet for a few hours.

One thing that really drives me crazy is that Apple asks me my security questions even if I enter my correct password because I haven't logged in for a while. I didn't save the answers (and this is my fault) but anyway I would have done it in the KeePass database that also contains the password, so no additional security.

They do that to remind you of the security answers. Still a broken model over all.

They could prompt you with the security questions as some other services do for master passwords for example, but usually there's the possibility to skip it. Now I'm locked out even though I know both username and password: this is a BIG logic flaw in my opinion.

Apple still does this kind of crap.

Not for users who've opted into two-factor authentication: https://support.apple.com/en-us/HT204915

From the page:

Do I still need to remember any security questions?

No. With two-factor authentication, you don't need to choose or remember any security questions. Your identity is verified exclusively using your password and verification codes sent to your devices and trusted phone numbers. When you enroll in two-factor authentication, we will keep your old security questions on file for two weeks in case you need to return your account to its previous security settings. After that, they will be deleted.

I have always wondered what happens if the receiving site is someone like IRS or any such government entity. If one of the questions was "where was your father/mother born?" and you gave a fake answer.. are you now "lying to the government"?

There are lot of questions that can have provable right/wrong answers - assuming someone powerful is out to get you. Imagine that being used against someone!

I'm not even 100% sure where my mother was born. Her family moved around a lot back then (military) and she and each of her siblings were born in a different city. She passed away almost two decades ago, so it's not like it would ever come up now. I guess I could try to find her birth certificate somewhere in my dad's papers assuming he still/ever had a copy.

I don't think lying to the government is automatically illegal (ymmv, ianal, probably varies with jurisdiction). They are generally pretty explicit about the contexts in which lying is illegal (certain signed forms, being under oath etc) which would imply that lying is at least not illegal in other cases.

This is not, by the way, a strictly government related concern. If you lie on a credit card application (and are caught), you're going to have a bad time. But the signed bit of the application is usually completely different from where you're asked to set up "security questions".

Indeed, they're only slightly less stupid than considering SSNs to be secret and then using those. As others also suggest, I always make up the answers, different per counterparty - there's no way I fully trust places like my work to keep these details securely, so it's worth compartmentalizing the risk

The funny thing is the search space for most of these questions is so narrow. I mean, they ask for colors (how many are there? how many can the average person name?), city names, personal names, baseball teams, school mascots, etc. How easy is it to compile a dictionary for all of those? Probably won't take more than a day.

> I've always given false info to those, when I bother to fill them out at all

Average person, not trained in using password managers, won't do it. In fact, most password managers don't support those, so you need secondary secure storage. Chances of a layperson setting up one properly and consistently using it are close to zero.

> Nevertheless, my attitude is that I'll just make sure to retain the password.

The problem is, on some sites, if you know these questions you can just reset the password. Which is insane, but unfortunately happens.

Honestly you need a better password manager if it doesn’t allow you to store arbitrary notes or secret question/answer pairs.

What's worse these days is, ever since the Equifax breach, certain institutions have taken to asking me for the last 6 digits of my social (or even worse... all of them...)

SSN isn't even a 'secret' number. Military folk have it on their ID tags and you're supposed to give it up if you're a POW. If you're supposed to give it to your enemies, then how is it private info?

The last 4 or 6 are the ones with the most information. The preceding 3-5 digits are handed out in blocks to the states. So if you roughly know when and where someone is born, you can guess their prefix.


Typically using a secret question also requires you to have access to the email account you signed up with, so it's almost 2FA at that point.

Square Cash is passwordless. They move money around.

The purpose of the “security question” is simple.. if a user needs to recover their password then the next best way to verify authenticity of the password reset request is to verify they know the answer to a few pieces of information they have previously shared with the service. In the age of mobile devices and 2FA, this becomes a lot less relevant but is still a very viable alternative because it’s accessible and difficult to crack if done right.

Also, if answers to those questions alone have given you access to your account, it is most certainly implemented poorly.

Typically access to the account would come in a 2nd factor form like clicking on a reset password link from an email account that is yours and previously configured for such service. Only then would you be allowed to provide a new password to recover the account. Brute force protections like ensuring only a finite amount of failed attempts are necessary.

Does Apple still do this? I always wondered how they're glorified for Privacy and Security while pulling this off...

I know it may be to my detriment some day, but I just use the same answer for all secret questions everywhere. It has nothing to do with anything I've ever encountered, anywhere I've ever been, or anyone I've ever known. I do use a password manager, but my bank will ask secret questions to register new devices, so I've resorted to this tactic to reduce the hassle.

Let's hope you won't have to regret sharing this information too publicly...

I store my automatically generated secret answers in my password manager.

I love the following technique:

Question: What was the name of your first cat?

A: cat

Q: what city were you born in

A: city

Q: what is your moms maiden name?

A: name

and the like.

Now that you shared it here though, someone might try this on you.

Underlying this, don't ever answer these stupid 'account security' questions truthfully. Better to make something up and store it in your password manager along with other account info.

I'd normally be tempted to put in the same types of random passwords I normally use, eg:

> What was the name of the street you grew up on? L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj

Unfortunately, I've heard you can talk to customer support and say things like "I think I just typed in random garbage for that" and they'll accept it. Whether an attacker would know or try this I'm not sure, but I could also see a customer rep hinting towards this when they see it.

It's probably better to actually make up something plausible-sounding but incorrect, like "Summit Avenue". (Related: there's a website for this [1])

[1] https://www.randomlists.com/random-street-names

Ha. I had the pleasure(?) of calling Dish Network customer support a week ago. They asked for a security code. I gave them the number I had recently used successfully. Nope, that's wrong. I admitted I had no idea, since that was the code I used when I had to call them last summer.

So the customer support rep gave it to me! Judging by the code he told me, my wife had to have changed it at least 10 years ago (it was the name of her dead horse) and she had no recollection of doing so.

IOW, Dish had at least two different security codes under my account and they had no problem simply giving one out to someone on the phone who claims to be me. At least it actually was, in this case.

> Unfortunately, I've heard you can talk to customer support and say things like "I think I just typed in random garbage for that" and they'll accept it.

I suggest:

- "L9Pro840Of9KNI...This.entropy.is.intentionally...GfKD4tf8tOwTG9Dcqj"

or even better

- "Dear support agent, DON'T reset my password on any security question!"

I also write "passport required" on top of all my bank saving books with a ballpoint pen.

A heuristic where you transform a truthful answer might be better.

i.e. your first car was a Bronco, security answer = hash('bronco'+secret).slice(6)

My issue is that most of the time, the available questions are just frustratingly dumb. I don't have a favorite song, favorite movie, or favorite food. I like lots of things and those things change over time. And seriously, favorite teacher? That's very common. How many people really have a favorite teacher?

The problem with that is that it goes back to being gobbledygook for which the operator will accept "I just smashed the keyboard for it".
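One way to keep the keyed-transform idea from the comment above while avoiding the "I just smashed the keyboard" problem raised in the reply: derive the answer with an HMAC over the truthful answer, then render the digest as words rather than hex so it can be read over the phone. This is an added example, not code from the thread; the word list is a constructed stand-in and the secret is assumed to live in your password manager.

```python
import hashlib
import hmac
import unicodedata

# Constructed stand-in word list. A real use would draw from a large
# published list (thousands of words) so three words carry real entropy.
WORDS = [
    "apple", "bronze", "candle", "dragon", "ember", "falcon", "garnet",
    "harbor", "island", "jasper", "kettle", "lantern", "marble", "nectar",
    "orchid", "pepper",
]


def normalize(text: str) -> str:
    """Canonicalise input so 'Bronco', ' bronco ' and 'BRONCO' derive the
    same answer; this sidesteps the spelling/capitalisation drift that
    plagues answers typed from memory a year later."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def derive_answer(question: str, truthful: str, secret: bytes, n_words: int = 3) -> str:
    """Keyed derivation: HMAC-SHA256(secret, question || truthful answer).

    Binding the question into the message means the same truthful answer
    reused for a different question (or a different site's wording) still
    yields a different output. The secret is the only thing that must be
    stored; the truthful answer is something you already know.
    """
    msg = (normalize(question) + "\x00" + normalize(truthful)).encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Treat the digest as one big integer and peel off word indices with
    # divmod. For a 256-bit value the modulo bias against any realistic
    # list size is negligible.
    n = int.from_bytes(digest, "big")
    words = []
    for _ in range(n_words):
        n, idx = divmod(n, len(WORDS))
        words.append(WORDS[idx])
    return " ".join(w.capitalize() for w in words)


if __name__ == "__main__":
    # Constructed demo secret; in practice generate a random one per person.
    demo_secret = b"store-this-in-your-password-manager"
    print(derive_answer("Make of first car?", "Bronco", demo_secret))
```

Each output is a short phrase a support agent can type back, while the mapping from the real answer to the phrase depends on a secret an attacker who knows your history does not have.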

"Underlying this, don't ever answer these stupid 'account security' questions truthfully. Better to make something up and store it in your password manager along with other account info.

I'd normally be tempted to put in the same types of random passwords I normally use, eg:

> What was the name of the street you grew up on? L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj"

that's what I do too:

Mother's maiden name: jklqedwsfjkl;ewdfq;jklqwe First car: iohwrqefhiokqwefiohp0u-0ui

and so on

The best solution is to not show the secret answer to the representative. Let them type in guesses until they get it right. It’s so nonsensical that we put such a critical duty on tired, rushed, poorly trained, and poorly paid workers. I’m guessing that would cost the company more money, though, by adding friction and making the call take 3.5 seconds longer.

> What was the name of the street you grew up on? L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj

Taxi (now Uber and Lyft) drivers in your city must have had lots of fun ;).

Yep! I use the secret questions as secondary passwords that are also saved to the safe.

Another option is an XKCD-inspired[1] 'correct horse battery staple' passphrase. I understand that using such passphrases in other contexts like encryption is controversial due to their relatively low entropy, but I think customer support is an ideal application for them.

1. https://xkcd.com/936/

I believe the entropy problem is only that people don’t choose words randomly. I wrote a script to do it for me, with numbers separating words because some websites demand numbers, and assuming the random number generation is suitable, it’s 73 bits of entropy.

I have no idea if the random number generation is sufficient: https://github.com/BenWheatley/HighEntropyPassword

I only looked at the Python part, and no, it's not good.

Documentation for the random module¹ prominently warns:

The pseudo-random generators of this module should not be used for security purposes. Use os.urandom() or SystemRandom if you require a cryptographically secure pseudo-random number generator.

¹ https://docs.python.org/2/library/random.html

I'm no cryptographer, but while the warning is valid, I don't think it's crucial here.

There are two potential sources of problems, the seed and the PRNG. The seed should be OK, because Python will use urandom as long as it's available in the system. As for the PRNG, a non-secure one shouldn't be used in encryption because it has statistically predictable behavior, but as far as I know that requires access to the ciphertext, which isn't the case here.

Still, replacing random with SystemRandom is easy and would fix the problem.

Okay, I don't study this, but I don't think that's what "cryptographically secure pseudo-random number generator" means. Not all things vaguely related to cryptography require a CSPRNG, and these answers are not being used cryptographically at all in many cases (like you just reading it over the phone to the representative). Please correct me if I'm wrong.

A bog-standard RNG might generate passwords depending on what second you ran it, so an attacker can easily make a list of all the passwords generated in a specific month or year.

People have lost a lot of bitcoins this way.

It might be okay for a security question, but better safe than sorry. Just use a secure generator for everything.
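The words-separated-by-numbers scheme discussed above, as an added example (not the linked HighEntropyPassword script): it draws words and separator numbers from an os.urandom-backed generator, computes the entropy the scheme actually provides, and shows the failure mode from the comment above by reproducing the same passphrase from a clock-seeded generator. The word list is a constructed stand-in.

```python
import math
import random
import secrets

# Constructed stand-in word list. Entropy per word is log2(list size), so a
# real generator needs a list of thousands of words, not eight.
WORDS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel"]

MAX_NUMBER = 999  # separator numbers are 0..999, i.e. one to three digits


def passphrase_parts(n_words, rng=None):
    """Return [word, number, word, number, ..., word] as strings.

    rng defaults to secrets.SystemRandom (backed by os.urandom). Passing a
    random.Random(seed) reproduces the weak, seed-dependent behaviour.
    """
    rng = rng if rng is not None else secrets.SystemRandom()
    parts = []
    for i in range(n_words):
        parts.append(rng.choice(WORDS))
        if i < n_words - 1:
            parts.append(str(rng.randint(0, MAX_NUMBER)))
    return parts


def passphrase(n_words, rng=None):
    """Join the parts with no extra separator, so number positions vary."""
    return "".join(passphrase_parts(n_words, rng))


def entropy_bits(list_size, n_words, max_number=MAX_NUMBER):
    """Entropy assuming each word and each separator number is drawn
    uniformly and independently. Variable positions of the numbers add
    nothing: an attacker enumerates the same (word, number, ...) tuples."""
    return n_words * math.log2(list_size) + (n_words - 1) * math.log2(max_number + 1)


def time_seeded_passphrase(n_words, seconds):
    """Weak generator: Mersenne Twister seeded with a clock value. Whoever can
    bound when the passphrase was made can regenerate every candidate."""
    return passphrase(n_words, random.Random(seconds))


def candidates_in_window(n_words, start_seconds, end_seconds):
    """Every passphrase a time-seeded generator could have produced in the
    window: one candidate per second, regardless of word count."""
    return {time_seeded_passphrase(n_words, s) for s in range(start_seconds, end_seconds)}


if __name__ == "__main__":
    print(passphrase(5))
    # With a 7776-word list and five words the scheme gives ~104 bits.
    print(round(entropy_bits(7776, 5), 1))
    # A one-hour window of a time-seeded generator is only 3600 candidates.
    print(len(candidates_in_window(5, 1_700_000_000, 1_700_003_600)))
```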

Thanks! I’ll update it shortly.

I just use one of many password managers to generate the passphrase, then enrich with symbol(s) and uppercasing.

It all gets stored in the password manager anyway...

>I have no idea if the random number generation is sufficient

Sure it is, to remain in the same XKCD realm, this works fine:


More seriously, since you have your "random" numbers in non-fixed position (due to different length of the "random" strings/words and also the number themselves can be 1, 2 or three characters long), even if the built-in algorithm is not "random" enough mathematically, I don't think that it will actually affect password discoverability.

What is with perpetuating this idea that people have some duty to be responsible for companies' broken security practices? You're unable to prevent their fuckups - so you can only take steps to make sure you don't end up on the hook or otherwise severely impacted due to their negligence.

It's not my job to avoid repeating public information like mother's maiden name, historical addresses, etc.

Nor is it my job to worry about whether a bank will bypass confirming "secret question" strings for anyone stating they're just random letters.

As a non-responsible third party to any possible identity-based fraud, the only thing I see the need/ability to do to protect myself is watch transactions on my accounts (automation helps here, eg OFX), and be prepared to send demand letters/sue the surveillance companies for libel if they start spouting off that "I" opened accounts that I did not.

Feeling any more responsible than this is just helping to continue their negligent/lazy/broken-ass business processes.

I don't really see "responsibility" as a useful lens. If you give away information that can be used to reset your passwords, you make it more likely that someone can reset your passwords.

Assigning blame is something people do to make themselves feel better after bad things happen. Making it less likely for bad things to happen in the first place may or may not be worth the time and effort, but whether or not you're morally responsible is a pretty meaningless question.

> Assigning blame is something people do to make themselves feel better after bad things happen

Eh, not really. Assigning responsibility is how we align incentives to prevent things from happening in the first place. You are responsible for not disclosing your bank password. You are not responsible for repeating public information that a bank foolishly decided to consider an authentication token.

Personally fretting about whatever broken actions a bank decides to take uses up a disproportionate amount of your time, as you're unable to actually change them. And any success just encourages the bank to continue, as they suffer less from their own idiocy.

It may or may not be worth the time and effort never to tell anyone your mother’s maiden name, but assigning blame is kind of beside the point. It’s not my responsibility not to get my bike stolen, but if I don’t want my bike stolen, I still lock it up, right?

In a perfect world, sure. But unfortunately so many companies don't do security right, so if we want to be safe we have to take the initiative. I mean, it doesn't have to be an either/or thing, we can pressure companies to change while adhering to best practices like not publicly posting your first car and name of your first pet.

Yes, that initiative is checking your own transactions in a timely manner, so you don't end up losing money. Due to banks' insistence on clinging to an outdated security paradigm (permissive w/ rollback), you can't actually prevent fraudulent transactions from showing up on your account.

I've been really concerned about how freely people seem to give their DNA away to testing services like 23andMe or Ancestry DNA.

I just get this feeling that in the next few decades genetic code may become the pinnacle of biometrics as a part of multi-factor authentication. i.e. something I know, something I have, and something I am.

And DNA databases that are potentially loosely secured, or at least secured as well as credit bureaus' data, seem like a great way to unwittingly expose one's future self.

I bring this up because multi-factor authentication still seems to be a struggle to implement well for the masses, and while people here complain about these personal questions being insecure, I can't really think of a reason why genetic code won't become the ubiquitous standard for the vast majority of the population to prove their identity.

Yet here people are giving it away, and even paying for the privilege.

DNA can be harvested from dead hair, skin or spit even, so anyone with access to your physical environment could obtain your DNA.

It should really be considered public information. You leave your DNA everywhere you go.

Like all biometrics, the most it should be used for is identification, never authentication.

You're still going to need a secret, and maybe also a token.

Yeah, I was considering more along the lines of massive compromising of remote authentication mechanisms, not spycraft targeting.


United Airlines is probably one of the worst I've seen: http://www.slate.com/articles/technology/future_tense/2016/0...

Not even free text but only allowing a limited set of answers via dropdown menus (most of the provided answers don't apply to me either, so it's both insecure for them and hard for me to remember as well)

I tweeted at them about this when those dropdown answers came out and they actually responded to me, but never took action to change things.

The official United response on FlyerTalk (linked from the Slate article) is naïve to say the least:

> We purposely chose to use preregistered answers as our first form of enhanced authentication to protect against this keystroke logging. We need to ensure that all of our customers have a high degree of security and our research also indicated that some customers had self-entered security answers that would be very easy to guess.


Source: https://www.flyertalk.com/forum/26212495-post233.html

Using random characters for answers to "secret questions" only works when you can be 100% sure you will never have to give the answers over the phone. If you ever have to do that, random characters are worse than reality, because phone reps will just say, yeah, you're right, it's gobbledygook.

I give arbitrary answers that would make sense to something like an AI. Like, "Q: Who was your father's first employer? A: Avocado flesh" or "Q: What is your mother's maiden name? A: Rutherford B. Hayes"

Of course, all such answers are stored in my password manager.

This is a bit paranoiac in my opinion, but I see the point. I mean, I cannot in all honesty say he is wrong.

My approach to this problem is, given the fact that I use a password manager[1], the following: I choose a random question from the proposed set, and then generate a random password and use it as a "secret answer". Given the fact that 99% of the time the security question will be checked by a computer, the security question effectively becomes a secondary password.

But as I write I am just realizing that the security question is probably not stored in a secure manner (salt + hash) anyway, so in the event of a data leak well that account is f*ed up anyway.

Also, this has always seemed problematic to me: my secret question is supposed to be something I "just know" but... Let's assume the question is "what was your favorite teacher at elementary school" and my answer is "Mrs Chtulu"... What if I come back in a year and instinctively type "Miss Chtulu"? Do I have to remember the spelling I used? The capitalization? What if when I was 13 I did not bother capitalizing names and surnames properly but now I do?


[1] - if I happen to lose the password file, I'm probably in the middle of way bigger problems.

A good idea to counteract privacy risks of this sort is to occasionally search yourself by your full name or by username (one that can be traced back to you, that is) across all major search engines and see if any of your data is out in the open in any public forum.

Same goes for searching your phone numbers, physical addresses and your email address (preferably in double-quotes for an exact match) -- I discovered mine stashed in a blog full of random email addresses, of which my ID was a part -- reported it to Google and it was gone in a couple of days.

I perform this 'exercise in privacy' once every three months -- which for me is the average time in which I sign up for a new service or product using my primary email address; YMMV.

A related article for those who're interested (shameless plug) -- https://abhishekbalaji.wordpress.com/2016/09/24/why-you-shou...

Google provides a way to "subscribe" to email notifications of new search results for a given term (don't have the link handy right now). I've been subscribed to results for my full name for many years, and occasionally get an email of a new mention here and there.

I think you're referring to Google search alerts[0]. I agree, that's a pretty neat tool to be subscribed to, should be useful in drastically cutting down the response time when responding to instances of one's personally identifiable data leaking on the web.

[0] https://support.google.com/websearch/answer/4815696

What was the mechanism by which you reported it?

I reported the blog that was hosting the violating content, not the particular search result in question.

My apologies, should have made that clear in my earlier response.

So let's get rid of security questions and we can just carry on? There should be no harm in disclosing information which is already known by dozens of people, like your mother's maiden name or your first pet. Going around and telling everyone "keep your history concealed!" is just silly and will get you the tinfoil hat label, making any future security advice useless.

I typically agree with him but this just seems like attacking the wrong problem.

I am not entirely sure I agree. Maybe it's slightly paranoid, but I find it shocking how much information people share on the Internet.

I still abide by the old idea that you never share personal information on the Internet.

I'm filling out a visa application form right now. I kid you not, I'm supposed to keep the username secret too.

And then if you do a password recovery, they email you a new password (which is like 6 characters) WHICH YOU THEN CAN'T CHANGE (except if they email you another new one).

It's a joke. I had to come up with a security question so I just make them sarcastic: "In what world is this secure?"

I don't know which annoys me more, the easy to guess security questions or those with mutable answers.

Things like: What's your favorite vacation spot? What's your favorite food?

Often you're stuck having to choose between something other people know or can figure out (where you were born) and something that may well change over time.

I like the idea of trolling people with security questions that you never actually use in a password-recovery workflow.

What is your third favorite vacation spot? Would you rather fight a horse-sized duck or 100 duck-sized horses? For how much money would you go to jail for 1 year?

I was always a fan of these nihilist security questions:


The New Yorker published a cartoon along that vein last year with "Insecurity Questions":


I've just chuckled for far too long visualizing your horses and your ducks. Now everyone here at this cafe thinks I'm some kind of animal murderer.

As others in this thread have stated, security questions are less secure than using a password, and thus, a poor backup to passwords.

One interesting alternative that's been presented recently is Mooney Images [1]. The example images in the linked slides are fun to test out on yourself and others. They rely on a user's implicit memory of visual imagery and while they are also susceptible to similar sorts of side-channel inquiries, they would be much more obvious.

[1] https://www.mobsec.rub.de/media/mobsec/veroeffentlichungen/2...

I think you have it backwards, here.

Instead of urging people to NOT reveal details about their life such as their first pet’s name, you should urge them to answer all password reset questions with at the very least irrelevant answers, or a password reset password.

Good security: Don't give away historic details about yourself.

Better security: Do give away many different fake historic details about yourself.

I don't know if it is right to post this here, but how many of you relate this post to "Now You See Me" ?

URL: https://www.youtube.com/watch?v=95jHwnAhHgU

This contains both scenes - how they steal the information and how they abused it.

The first thing to think, when a website (or stranger on the street) asks you an out-of-the-blue personal question is: why is s/he asking? Cuz it's probably not because they give a crap.

I use 1Password as a password vault. Some years ago, I decided to start lying for secret question answer challenges. I use 1Password to generate a string of garbage (without numbers or symbols, 25 characters long) and keep that answer in a custom field in the 1Password vault. I've tagged those entries with a security tag to find all accounts with secret Q&A information.

I am paranoid about back ups because if god forbid I lost that vault, there are accounts that would be permanently lost to me.

One problem with this is social engineering... someone could call the company to recover their password and say that they entered garbage for the security question...

I started to enter passphrases instead

Good point. I’ll have to think it over a bit. Since I have all the info, it should be very easy to fix up the data. Just time consuming.

I used to do that but sometimes you have to read them over the phone. Now I use the “Words” recipe to generate a 2-3 word answer for each field. For example, if I had to fill out my answers right now, my high school would be “Popcorn Gizzard”, my childhood friend would be “Procure Drowse”, and my first car would be “Sextant Overflow”.

The 'secret questions' approach is also used by my bank to 'secure the line' when you call them to unblock your pin-attempts (the card blocks after 3 wrong guesses/mistypes) on your ATM card. These aren't questions that you had to fill in before, but rather questions from their CRM like the address on which you first purchased fire-insurance with them etc.

While the risk isn't great (it just gives you 3 more attempts), it still feels weird.

I've never provided literal, logical answers to security questions, as even without sharing the answers elsewhere, the logical ones would be entirely too easy to guess.

"Make of first car?" There are only so many vehicle brands reasonably accessible in a geographical area - not hard to brute force.

"City of birth?" Common knowledge among all my friends.

It's too easy.

An appropriate answer to "Make of first car?" would be something like "red &5 Blueberry."

So it's a common trope in science fiction that super-intelligences will resurrect historical people using DNA and mumble-mumble to get their memories.

We finally have a plausible answer to how computers a thousand years from now will be able to reconstruct the details of your life: security questions.

The thing they never get right is that the answer to a question is only useful if you can write the entire question. You should never be forced to select a question from a list.

Also, I can’t believe how stupid some of these sites’ questions are. While I always make up the answers, frequently they require at least 3 questions and only 1 or 2 even apply to me (assuming I answered truthfully)! And one airline wanted FIVE of them!!!

I usually just do a random hash. Also, really, really hate the sites that do not allow you to enter free-form text for the question itself and rather populate a bunch of commonly known ones. FFS, if you're a web developer working on security questions, let the user make up the question. Agreed though, we should just do away with this as an authentication factor.

Let the user make up a question and remind them that they might need to answer it over the phone so they don’t choose something embarrassingly personal.

That's why the answers to the security questions are always random strings, and the answers to the quiz questions are always "your mother."

e.g. I learned to drive stick-shift on your mother. My first pet was your mother. My special furry friend is your mother. And so forth.

I was born in 1900/1/1

You must like scrolling, I was born in 19__/1/1 where the missing digits put less wear on my mouse wheel.

How often do websites just trust a security question for verification? I thought they usually ask it along with something else, like a password reset email.

Stealing one account at a time is small time hoodlum level sh*t.

The pros just download the entire user table in one go. They don't care what your first pet's name was.

Unless you’re famous or wealthy. Has happened numerous times.

It doesn't matter if the person after your account is a skid, or is a government-backed entity, you lose all your data and online accounts either way.

This article makes me appreciate that "what was the first programming language you learned?" isn't a common security question.

I can confirm that "first concert you went to" is a security question on at least one site.

And don’t apply for any federal work. And don’t use credit cards. And...

I was born in the US, raised on TV and now I reside on the Internets.

Don't give out your birthday either.
