
Treating security questions like passwords and saving them in your password manager is correct, but make sure that your fake answers aren't autogenerated nonsense like ":s^Twd.J;3hzg=Q~". Many password reset flows involve communicating a security question over the phone, and it's easy enough for an attacker to guess "oh, it's just a bunch of random characters lol" and for the phone rep to just laugh and shrug their shoulders and let the person in. Make sure it's a sentence that makes sense (I would even avoid non-sequitur passphrases such as those generated by diceware), while also making sure that it has no relationship whatsoever to the question.



Maybe “:s^Twd.J;3hzg=Q~ if I don’t spell it, it’s not me”?


Will probably work about as well as that time when I was young and decided to spend about a week signing all receipts with a signature that looks nothing like my usual one, just to see if it would ever be challenged.

Many people are, contrary to all pretense, mostly paid to not give any actual fucks.


I once signed STOLEN on a pad at the grocery checkout. They let it ride and ran the charge.

But I was relieved to find my CC provider calling me to verify I was just up to shenanigans.

I was also curious how many thieves they had run across that signed for purchases as stolen in large cap letters.


What do you think the signature is for? If a store can provide a signed receipt, the bank eats a chargeback. If they can't, the business pays. No one verifies that it is your signature. It is just an anachronism of how contracts work.


My password generator can make pronounceable nonsense words. It has worked ok so far. Some of them are embarrassing though.


My password generator (or just do it manually) can generate word passwords like correct-horse-battery-staple using real words, which is probably a bit easier to read over the phone.


  grep --perl-regexp '^[a-z]{4,7}$' /usr/share/dict/words | \
    shuf -n 5 | tr '\n' ' '
Although maybe just 2 or 3 words would be best for avoiding a support agent skipping the question.

  bless clench moraine


Nice one there, much simpler than my nearly POSIX one (I think I rely on a GNU sed extension, but it has been years since I wrote this):

  shuf /nix/store/ny99jkpl3r9zgkkdv5apprzl18i8rb4m-scowl-2019.10.06/share/dict/wbritish.txt \
    | grep '^[A-Za-z]\+$' \
    | head -n 3 \
    | sed -e 's|\(.\)\(.*\)|\u\1\2|g' \
    | tr -d '\n' \
    | sed -e 's|$|\n|g'
Which gives you for example:

  OmegasInsentientPantheons
I only use this for “secret” questions though, not passwords.
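A fuller version of the two generators above (the grep/shuf word picker and the title-cased join), written as an added example for this thread rather than code any commenter posted. It assumes only POSIX sh plus od, awk, grep and /dev/urandom. The embedded word list is constructed for the demo and is far too small for real use; the WORDLIST variable name and the helper names are my own choices, not a convention of any tool.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates phone-readable
# "security question" answers from real dictionary words, draws randomness
# from /dev/urandom instead of $RANDOM, and reports an entropy estimate so
# you can see what dropping to 2 or 3 words costs.

# Emit one candidate word per line: lowercase, 4-7 letters, no apostrophes.
# Set WORDLIST=/usr/share/dict/words (or a scowl file) for real use; with it
# unset, the CONSTRUCTED 16-word fallback list below is used so the demo runs offline.
word_list() {
  if [ -n "${WORDLIST:-}" ] && [ -r "$WORDLIST" ]; then
    grep -E '^[a-z]{4,7}$' "$WORDLIST"
  else
    printf '%s\n' bless clench moraine omega anvil harbor velvet cinder \
                  maple orbit pebble saddle tundra walnut zephyr lantern
  fi
}

# Uniform random integer in [0, $1) from 4 bytes of /dev/urandom.
# Modulo bias is about n/2^32, negligible for any dictionary-sized n.
rand_index() {
  r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
  echo $(( $r % $1 ))
}

# gen_answer COUNT [camel]: COUNT random words, space-separated ("bless clench
# moraine" style), or joined and title-cased ("OmegasInsentientPantheons" style)
# when a second argument is given.
gen_answer() {
  count=$1
  style=${2:-space}
  words=$(word_list)
  n=$(printf '%s\n' "$words" | wc -l | tr -d ' ')
  out=""
  i=0
  while [ "$i" -lt "$count" ]; do
    idx=$(( $(rand_index "$n") + 1 ))          # sed line numbers are 1-based
    w=$(printf '%s\n' "$words" | sed -n "${idx}p")
    if [ "$style" = camel ]; then
      w=$(printf '%s' "$w" | awk '{ print toupper(substr($0,1,1)) substr($0,2) }')
      out="$out$w"
    else
      out="${out:+$out }$w"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# entropy_bits COUNT DICTSIZE: log2(DICTSIZE^COUNT) for independently chosen
# words, i.e. the guessing work an attacker who knows the word list faces.
entropy_bits() {
  awk -v n="$1" -v d="$2" 'BEGIN { printf "%.1f\n", n * log(d) / log(2) }'
}

# Usage (word choice is random; the entropy figure is deterministic):
#   gen_answer 3
#   gen_answer 3 camel
#   entropy_bits 3 "$(word_list | wc -l | tr -d ' ')"   # 12.0 for the fallback list
```

With a real dictionary the 4-7 letter filter typically leaves several thousand words, so three words land around 35-40 bits, which is plenty for something that is read to a support agent but should still live in your password manager rather than be reused; the camel form is what to use when the site rejects spaces.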


  openssl rand -hex 8 | sed 's/..../&-/g;s/-$//'
Or if you like upper-case letters:

  openssl rand -hex 8 | sed 's/..../&-/g;s/-$//;y/abcdef/ABCDEF/'


This would still parse as "random letters and numbers" to your typical support agent, no?


Maybe, but it's close to what I use. It's a limited character set and more or less looks like a credit-card which people are used to seeing.

It's either that or pick a random dictionary word.





