
> A hacker could try to reset my password for an online account by answering security questions like “What is your mother’s maiden name?” or “Which of the previous addresses did you live at?”

That's why you don't answer those questions honestly. My mother's maiden name is always a random 32 character string living in my KeePass database...

I'm not sure that's any safer. It should protect you from the automated prompt-response systems, where an absolute match is required. But call-center workers see those answers in plaintext. Eventually an attacker will probably reach one where answering, "It's a lot of random letters and numbers. I forgot what they were but the real name is Smith!" will be enough to pass.

So what's your solution? You have to put in something, and putting in the real maiden name seems like the worse option to me. Social engineering is going to be the weakest point no matter what you do, so I don't see how anything you do could defend against it and why you should account for it if there isn't anything you can do.

I use nonsense terms which are easily readable. Mother's maiden name: Lady of Amberly, first maid of countess Blue, inheritor of the golden bull.

Putting an actual name in there is probably a lot safer than anything that might be described by a human as "just some gibberish". Pick an uncommon name, maybe from another country, maybe spell it in a different way, as long as it's still recognizable as a plausible name. Most operators wouldn't fall for it if the attacker says "just some random characters". The important part is to not reuse the name between registrations.

Combine this with similar unique answers to other questions and the chances of someone guessing them all become really small.

One thing I never tried is to just put something like Anyone_trying_to_reset_this_password_is_a_hacker_DQWIqw12E^1&UTFD@&$. Might be an inconvenience if you actually need to reset yourself.

How about "Make_sure_the_person_says_this_exactly_AB2hyiL3BTlJptJQh5KnINqSfxfY2J3Mj"

If you use any kind of name you run the risk of it being guessed. Use a passphrase generator to get something completely random and easy to say over the phone.

There are thousands if not millions of possible names you could use. As long as you don't use something very common, you should be okay.

I like the historical characters reference.

Personally I include many literary/media characters. Even my name on this site.

go on...

Antonius Block is the knight who plays chess with death in the Seventh Seal.

Seems like a randomly selected fake name and fake address would work.

I always use valid but fictitious names. For example my mother's maiden name could be Roberts or my first car could be Chevy. Of course I use different and more obscure answers on different websites and save them all in a password manager.

> So what's your solution? You have to put in something, and putting in the real maiden name seems like the worse option to me.

Instead of a gibberish generator (à la password managers' default generated passwords), use a _word generator_. Something like "correct horse battery staple" except, you know, not the popular words.

Then, of course, make sure to include those secrets in your password manager.

> I forgot what they were but the real name is Smith!" will be enough to pass.

How would the call center know if your mother's maiden name is actually Smith if you never answered the question honestly?

I could see the "It's a lot of random letters and numbers" response working by itself though.

A few years back I cashed in the residue of a UK ISA (remaining balance just £1.50 but local tax laws forced it to be closed). No longer being in Blighty it transpired this would be a serious posterial pain involving sending of certified passport copies to validate signatures, etc, but their helpful man on the phone explained I could skip all that simply by registering for their internet banking access, then login and transfer the investment funds to wherever I liked. So off I toddled and being in a hurry and not overly concerned about the risk that some miscreant might steal my half-a-cup-of-coffee's worth I pasted "sasquatch" into all the security question prompts. Clickety-click, done, now to close the account... "Please phone our banking service team for this request"

"Hello Mr Thombat, I can see your account number but first I just have to ask you some security questions...what was your grandfather's occupation?"


"That's fine ... now what was the name of your first school?"

"(nervous giggle) Sasquatch"

"Ahhh...and what was your first pet's name?"

"Sasquatch, too. I mean too as in also, not two as in the number...I really didn't expect I'd be telling these to a person, it was just a nice word to say..."

He kindly overlooked my embarrassed tittering, didn't go all jobsworth about this horrific breach of security best practice, nor yet accuse me of lying to one of Her Majesty's civil servants for pecuniary advantage. And (in my defense) no amount of dumpster diving or Facebook scraping would have revealed my family's secret shame that grandpa used to roam the American woods in a monkey suit.

They wouldn’t, of course, but it’s painting the caller in a human light that call center employees may empathize with.

This statement confuses me, what are you proposing the call center employee empathize with me over? The reason I'm even calling, or the authentication and account verification answers and random bits of string that I enter into my account when signing up?

"You" in this case are a hacker / social engineer trying to break into someone's account. If your target puts gibberish as the answer to that question, here's how the conversation will go:

Operator: What is your mother's maiden name?

Hacker: Smith (let's say this is the real name, gleaned from public records)

Operator: That's not what I have here

Hacker: Oh, you know what, I think I just put gibberish when I signed up. I thought that would add some extra security, but I forgot what I wrote, ha ha, joke's on me. The real name is Smith though.

Operator: Story checks out, I'm giving you access to the account now.


Operator: Story checks out, I'm going to reset it to "Smith" for you.

Right now that really isn't a risk as very few people do this, so it would be a waste of time for a hacker to try this over testing relative's names.

Except OP just admitted to using this scheme on a public forum, so they are now essentially compromised.

It's security through obscurity, with a bonus that the people who use this technique can't seem to keep quiet about it so it's not even obscurity.

Security questions aren't really that secure anyway. A "real" hacker could just pretend to be helping out a friend after a debilitating accident and ask for everything to be reset.

Exactly, or the "crying baby/stressed out parent" example that made the rounds a few years ago. Hackers don't need to monitor every public comment you make, just trick 1 minimum wage call center worker for 5 minutes.

The answer could be: "Don't allow answering anything but this exact sequence of words: " then followed by a string of words.

Perhaps we need a reset contact whom they can call to confirm with a real human.

Like with nearly any topic on HN, an xkcd comic [0] comes to mind.

[0] https://xkcd.com/2176/

Until someone calls you out and says you're an imposter because your mother's maiden name is really XXXXXX. Then the imposter files a report against you. The research is done. They know enough about you to take your place and have you thrown out of your own home.

Random dictionary words would solve that issue.

"Oh, yeah... I found that question ridiculous, so I entered some garbage. Anyways, her real name is Smith, if that helps."

Social Engineering.

There is not really a good answer to social engineering, as far as I can tell. For example -- I do my banking with a big, reputable bank most everyone has heard of (and not one of the banks people like to hate) and I've got passwords, two factor authentication, etc. That's all great. And yet, about a year ago my wife's debit card got cloned at a compromised ATM and armed with that information (bank, and name) someone called up the customer service at my bank and asked them to reset the password to our account. According to a security investigation by the bank, it took them six attempts before they found someone who believed their sob story about being stuck in a hospital somewhere with no access to money, etc. Gave them our account login and reset our password for them. The person logged into the web site, transferred a bunch of money from savings into the compromised debit account and started pulling it out as fast as they could. I got instant notifications as they did it but was driving and didn't see them for about 20 minutes, by then the bank had deduced that something was wrong and shut it down, $5K later. Luckily the bank didn't really argue the point, they knew they were totally at fault for letting it happen, but still -- all the security in the world that I tried to use for that account and all it took was one bank employee to negate 100% of it.

Of course, the alternative is that you are actually in a hospital with no access to money, etc. and the bank will unwaveringly stick to a policy that you must show up at a bank office with valid ID or you'll have to wait for a letter to your physical address of record, etc.

Perhaps that's just the way it should go down in a case like this. But there are costs to making the decision to close off the potential for social engineering as thoroughly as possible.

Agree there should be a way, perhaps, to recover from a bad situation.

As a follow-up to my experience, I guess I should expand on the consequences for us. The bank admitted fault, but to protect themselves from a bad employee doing it again in the future, now when we call we have a special voice-only password and PIN, and we have to answer a battery of questions that are clearly pulled from a credit bureau (you know, the types of questions like "You had a mortgage in 2005, what was the street the property was on" and such things). Takes 10 minutes to get to "Thank you sir, how can I help you today" if we ever have to call customer service.

Based on that experience, I think perhaps the bank should make that the answer to recover a deeply lost account. They gave a stranger the credentials to our account -- not just the password, but they had to tell them the login, and disable two-factor authentication (because the login is built from a PIN and RSA code) based on a plea for help. I can see forgetting your password, but who forgets everything? That should be a huge red flag.

I could rant for a long time. I had a pointed discussion with a manager at the bank about how getting five repeated, fruitless requests to change credentials on an account didn't somehow trigger any protective response. How hard would it be to implement a counter that says "okay, after the second attempt to gain access by voice to an account that is denied for lack of authentication, all future calls for this account go directly to the security department for personal attention"? I got no good answer other than a lot of "yes sir, this was completely wrong, sir, I'm sorry, sir" etc.

I don't really disagree with any of that. I was just making the point that there are tradeoffs and the nature of those tradeoffs are going to depend on the situation.

Obviously, access to a banking account should have a pretty high bar even if that means some people may well end up in difficult situations where they've lost access to their money and the bank can't/won't do anything about it based on a phone conversation.

Presumably the answer to that is to use a long but plausible random string that sounds like a posh English name like "Saint-John Winsor-Rothschild"

Now I want someone to make a password generator that's just fancy hyphenated names. I can't imagine it would be too hard to make.

Just beware the Falsehoods Programmers Believe about Names: https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-...

This isn't particularly relevant to generating a limited subset of valid names.

Yeah, I misremembered the moral of this list. Ah well, my karmic price has been paid.

That's kinda the opposite side of this issue. No need to worry about it because the generator knows all the names, that listicle is about user-generated input.

That sounds like the right solution to me - it's the "correct horse battery staple" of this problem. I'm going to start using this. 4 names all put together - pronounceable over the phone, visibly viable, and uniquely generated for each instance.

Perhaps something like this?

Q: "What is your mother's maiden name?"

A: "Do not provide access under any circumstances unless this exact key is provided: WEWQEWQ321312"

muffled voice with strong accent, from call center, over long distance VOIP line which should be perfect clarity but mysteriously isn't, loud background noises, crackles

"Sorry I did not hear, but there seems to be a problem with our computer system I am getting an error message instead of a name, please can you call back later".

Screen shows them: "Do not provide access und" 25 character silent truncation.

But that doesn't give me an opportunity to say "Mrs. Sebastian Winifred Campershamp".

There are some quirky name generators elsewhere on the internet. Perhaps you could mash some of the firstname lastname combinations together?

That's my thought. Now we need to get a KeePass extension that does that. It'd be even better if it generated where you went to high school and your first pet's name as well. Though that too could be Mrs. Sebastian Winifred Campershamp.

> Mrs. Sebastian Winifred Campershamp

Definitely more plausible as a pet's name than a maiden name.


This is a very Corgi name.

"jglksadh3498ygha# and don't accept 'random string of numbers and letters,' that is not me"

I have actually had that experience. Really thought I was clever till the system asking me my secret wasn't a machine at all.

"Do not unlock my account unless I say exactly this" literally.

The bank person was really weirded out when I said it back.

I feel like you can either

a. Have your name tied to your Hackernews profile

b. Have your bank account security question tied to your Hackernews profile

You appear to have done both, which does not seem like an excellent idea.

First, for this vector, they would have to know before hand that it's random numbers. I don't tell anyone I do this.

I also use a random combination of words instead of just characters; Yellow Mountain Bad Hernia 13

Call center employees will generally think it's my own connotations (if it's school they will think there is a yellow mountain nearby and maybe I had a hernia... words tend to have associations)

I do this, and I actually had to use it for the first time yesterday when calling a credit card company. The rep said "I'll need your security question answer... is this right? It looks like it's just a bunch of numbers and letters?"

Then I confirmed and started reading it out to her, and she hung up on me. I think I should move to correct-horse-battery-staple style in the future.

> I think I should move to correct-horse-battery-staple style in the future.

The KeePass plugin Readable Passphrase Generator[1] is great for generating Diceware[2] passwords/usernames/security question & answers

Source: Found on KeePass plugins page[3]

[1] https://bitbucket.org/ligos/readablepassphrasegenerator/wiki...

[2] https://en.wikipedia.org/wiki/Diceware

[3] https://keepass.info/plugins.html#ppgen
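Two answer styles come up repeatedly in this thread: a generated "posh hyphenated name" (pronounceable, looks like a real name to a call-centre worker) and a Diceware-style word phrase ("Yellow Mountain Bad Hernia 13"). The script below is an added example, not code from the thread and not the Readable Passphrase Generator plugin referenced above; it generates both styles from `secrets`, reports the size of the answer space so you can compare them honestly, and checks an answer against the field-length and character constraints a phone-based reset imposes. The word and name lists are small constructed samples (so the arithmetic is easy to follow), and the 25-character limit is the figure one commenter reports seeing truncated, used here as an assumption rather than a known limit of any site.

```python
"""Generate plausible-sounding answers for "security questions".

Added example for this thread; not the KeePass plugin's code.  The lists are
constructed samples sized to powers of two: 16 names = 4 bits and 32 words =
5 bits per pick.  A real deployment would use a full Diceware list and a
much larger name list, and store every answer in the password manager.
"""
import math
import secrets

# Constructed sample data (uncommon but recognisable as names).
FIRST_NAMES = [
    "Agatha", "Beatrix", "Clement", "Dorothea", "Edmund", "Felicity",
    "Godfrey", "Harriet", "Isidore", "Juliana", "Lionel", "Millicent",
    "Octavia", "Percival", "Rosalind", "Theodora",
]
SURNAMES = [
    "Ashcombe", "Belfry", "Carraway", "Dunmore", "Eversley", "Fairlie",
    "Gostwick", "Harrowgate", "Inchbald", "Kettering", "Lanyon", "Marchbanks",
    "Norbury", "Oakshott", "Pemberton", "Quarles",
]
WORDS = [
    "amber", "basket", "cedar", "dune", "ember", "falcon", "granite", "harbor",
    "island", "jasper", "kettle", "lantern", "meadow", "nectar", "orchard",
    "pebble", "quiver", "river", "saddle", "thistle", "umbrella", "velvet",
    "walnut", "yonder", "zephyr", "anvil", "breeze", "copper", "delta", "ferry",
    "glacier", "hollow",
]

# secrets.SystemRandom gives sample() without replacement from the OS CSPRNG.
_rng = secrets.SystemRandom()

# Characters that can be read out over the phone without ambiguity about
# punctuation; anything else invites the "that's not what I have here" dance.
_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -")


def fake_name(n_surnames: int = 2) -> str:
    """One given name plus n distinct hyphenated surnames, e.g. 'Octavia Lanyon-Quarles'."""
    given = secrets.choice(FIRST_NAMES)
    surnames = _rng.sample(SURNAMES, n_surnames)  # distinct: no 'Smith-Smith'
    return f"{given} {'-'.join(surnames)}"


def word_phrase(n_words: int = 4, with_number: bool = True) -> str:
    """Diceware-style answer in the 'Yellow Mountain Bad Hernia 13' shape."""
    words = [secrets.choice(WORDS).capitalize() for _ in range(n_words)]
    if with_number:
        words.append(str(secrets.randbelow(100)))  # two-digit suffix, 0-99
    return " ".join(words)


def answer_space_name(n_surnames: int = 2) -> int:
    """Number of distinct outputs of fake_name(n_surnames).

    Surnames are drawn without replacement, so the count is a falling
    factorial (permutations), not a plain power.
    """
    return len(FIRST_NAMES) * math.perm(len(SURNAMES), n_surnames)


def answer_space_phrase(n_words: int = 4, with_number: bool = True) -> int:
    """Number of distinct outputs of word_phrase(n_words, with_number)."""
    return len(WORDS) ** n_words * (100 if with_number else 1)


def entropy_bits_name(n_surnames: int = 2) -> float:
    return math.log2(answer_space_name(n_surnames))


def entropy_bits_phrase(n_words: int = 4, with_number: bool = True) -> float:
    return math.log2(answer_space_phrase(n_words, with_number))


def phone_friendly(answer: str, max_len: int = 25) -> bool:
    """True if the answer can be read out character-for-character and fits
    the field.  max_len=25 is an assumption taken from a commenter's
    truncation story; check the real limit on each site before relying on it.
    """
    return 0 < len(answer) <= max_len and all(c in _ALLOWED for c in answer)


if __name__ == "__main__":
    for style, answer in (("name", fake_name()), ("phrase", word_phrase())):
        print(f"{style:6} {answer!r:40} fits 25-char field: {phone_friendly(answer)}")
    print(f"name space 2^{entropy_bits_name():.2f}, "
          f"phrase space 2^{entropy_bits_phrase():.2f}")
```

The entropy figures are the point: with these toy lists a two-surname fake name is about 2^11.9 possibilities and a four-word phrase with a number about 2^26.6, so the phrase style wins on guess resistance even though the name style is easier to pass off as "real" to an operator. Neither number helps if the operator can be talked into a reset without the answer, which is the failure mode most of the thread is actually describing; the generator only closes the guessing and public-records avenues.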

> I confirmed and started reading it out to her, and she hung up on me.

That's... troubling. I would have called back specifically to complain about that person. That's absurd.

A small bank that I use sold itself to a slightly larger bank a few years ago; one of the things that I appreciated about the old bank was that they made this a "short arbitrary secret" field instead of "mother's maiden name". I had given them two randomly-chosen words, stored in my password manager.

Earlier this year, I opened a new account with the (new) bank and discovered that they already had my mother's maiden name, were going to use it for identity verification, and wouldn't allow me to change it to something arbitrary (even another fake name that I sometimes use). Quite frustrating, this security based on insecure information.

Good idea!

I know this is often asked over the phone, so that'll be a little awkward, especially if using non-alphanumeric characters. Interestingly though, I wonder how easy it is to reset your mother's maiden name to a new name if it got out in the wild.

> that'll be a little awkward

For them, maybe, but I would relish reading each individual character to them in a slow deadpan monotone.

I use a somewhat different system. Each common interview question is mapped to what is effectively an inside joke about my life. Usually something related to the interview question, but the actual keyword is tangentially related in a manner that would be incredibly difficult for an attacker to guess.

This effectively allows using the security question as something that can be more reliably recalled by the user, but largely avoids the security issues of an easy to guess secret.

The reason I don’t store answers to security questions in my database is that it makes it a single point of failure. I want to have some recourse in case my password database is lost or broken into.

I did the exact same thing for my Apple account. Later I found that even if I have access to my email and to my password, they still keep asking for these secret questions whose answers I don't remember.

That’s possible if they asked you these questions in the first place, instead of getting the data from somewhere else.

Sometimes these questions come from a database that knows things about your name already - from which you had no input.

It's even more fun when the database for which you had no input is wrong.
