I have learned the hard way that these are just easy-to-guess extra passwords that let attackers bypass my hard-to-guess password. I dump them in my password manager so I don't get locked out, but I know they're a ticking security time bomb. Every site asks the same questions, so if the database gets compromised, it lets someone compromise other accounts. And, they're probably not even one-way-hashed, because customer service people ask for them on the phone and can probably see the answers. I don't even know how it's legal to use these things anymore. They set the field of information security back two decades.
(I have always assumed that they exist to save money on call centers. You get locked out, you have to talk to a real person, and real people want salary and benefits. But with the abysmal success rate that the paper shows, I'm not even sure it's saving people money. It just seems wrong on every level. For that reason, I know they're here to stay for good.)
Question: what is the name of your first car's cousin?
For those cases, generators for random answers that read legit would be better.
I started putting in random word sentences like 'DoYouHaveAPetCalledPeter', stored in pwdstore metadata for the accounts.
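The "random word sentence" approach above, as an added example (not code from anyone in the thread): a generator that builds a phone-readable CamelCase phrase from a wordlist using the OS CSPRNG and reports how much entropy the phrase carries, so the answer can be stored next to the login in a password manager instead of being derived from personal history. The wordlist here is a small constructed sample; the EFF long list size (7776 words) is used only to illustrate the entropy arithmetic.

```python
"""Random, phone-readable answers for 'security questions' (added example)."""
import math
import re
import secrets

# Constructed sample wordlist. A real deployment would load a published
# diceware-style list; the EFF long list has 7776 words (~12.9 bits each).
SAMPLE_WORDS = [
    "apple", "brick", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "violet", "walnut", "yogurt",
    "zephyr", "anchor", "basket", "cobalt", "desert", "engine", "feather", "glacier",
]


def entropy_bits(wordlist_size: int, num_words: int) -> float:
    """Entropy of a phrase of num_words words drawn uniformly with replacement."""
    return num_words * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest word count whose phrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_answer(wordlist, target_bits: float = 40.0, rng=secrets) -> str:
    """Return a CamelCase phrase with at least target_bits of entropy.

    `rng` only needs a .choice() method; secrets.choice reads the OS CSPRNG.
    Words are drawn with replacement, so entropy is exactly n * log2(len(wordlist)),
    independent of how the agent on the phone spells or hears the words.
    """
    n = words_needed(len(wordlist), target_bits)
    return "".join(rng.choice(wordlist).capitalize() for _ in range(n))


def phrase_words(answer: str) -> list[str]:
    """Split a generated CamelCase answer back into its lowercase words."""
    return [w.lower() for w in re.findall(r"[A-Z][a-z]*", answer)]


if __name__ == "__main__":
    answer = generate_answer(SAMPLE_WORDS, target_bits=40.0)
    bits = entropy_bits(len(SAMPLE_WORDS), len(phrase_words(answer)))
    print(f"Mother's maiden name: {answer}  ({bits:.1f} bits; store in password manager)")
```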
Whenever you think you've seen the dumbest bit of anti-secure design, some bank, airline, or government will provide a "hold my beer" topper.
Think of it as "falsehoods programmers believe about personal information security".
Depends on what you're looking for.
Secure password written on a monitor (or on a pad in a locked drawer) is better than using "Passw0rd" (or some other trivial-to-the-point-of-uselessness password that all the scripts will try) for most use cases, assuming you have some semblance of physical security. Your coworker might log in as you and F up something, but some guy in Nigeria or Belarus is much less likely to encrypt the network share than if you had chosen the former. Just like everything else in security, it's all about what your threat model is and what the trade-offs are.
Edit: do any of the people who are offended by my statement care to explain why it is so disagreeable to them?
Passwords that have no hashing or other protections against disclosure, and which use non-private information by design.
They don't say the answer, but it has to be pizza, right?
Synchrony Financial still takes top honors for locking out my account when I use a VPN, and giving a menu of phone numbers from TransUnion to choose where to send SMS auth attempts - you don't even have to ask my phone provider to port my number to your phone, just fill out a raffle ticket at the mall and wait for it to turn up on the report.
I can gripe about Google a lot, but no denying they have done more than anyone to improve the security of the average user - TOTP, YubiKey, per-device passwords for e-mail. Wish the banks would catch up.
That's why I lie whenever I see them, and I keep track of the lies in my password manager's notes, which are regularly printed and stored off-site for disaster recovery purposes.
If a site is going to require precise answers (and I suppose any other method probably creates additional bugs, reduces security...), then I might as well generate random responses and put those in my password manager, too.
Then, the proactive thing you can do is plan for how you will deal with the fallout.
My childhood best friend: Ender Wiggen
City I was born in: Moscow, ID
and then log the specific lie in my password manager. They work if I need to read one off to a service rep over the phone, and they are in no way connected to my personal history...
More recently I’ve started changing my answers to “I don’t know” which blows people’s minds when they type it in and it works.
For example, I would really like to know the "other" reasons for providing false answers to security questions. The top reasons are obvious, and a couple of them are my reasons. For privacy, and better security, I would put, say, B7eoaOHv2se as my father's middle name, and store it in a password manager.
My guess is that "other" breaks out into:
- I have one or more of the above reasons but I don't want to reveal it/them.
- I don't have one of the above reasons but I don't want to reveal my reasons.
- I am lazy.
- I like to troll security questions even though I am just trolling a script program on the internet.
- I am trolling your survey.
- I use it as a chance to express my creativity.
- I have never encountered such a question.
- I forget how I answered and why.
These may overlap.
But it would be interesting to see if there are other sensible reasons.
This cost-benefit analysis is strictly from the point of view of the provider. If their costs for a customer security breach are low, they will be willing to trade lots of insecurity for a little bit of reduced customer support.