|
Why would you put answers that can be found in the public domain? Isn't your mom's maiden name supposed to be filled out with answers like, "PassTheBreadKnifePlease"? Oops - for you, that might be close to the public domain!
|
|
|
|
|
Yup, security 101: Never answer a security question with a real answer.
All that is required is an answer you can regurgitate when asked. The system doesn't care what the answer is, only that what you present matches what they have.
WARNING: If you answer the question: What is your first pet's name? with your spouse's name, DO NOT let her know this. Stuff like that comes back to life more often than Dracula.
|
|
|
|
|
+1 for KeePass - I love it
|
|
|
|
|
And backup your keepass file to dropbox/box/google drive so that you can
- access it from anywhere
- have a copy when your computer crashes beyond all repair
|
|
|
|
|
I answer the same for every question. Treat it as a password and it's no big deal.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
Yeah, but the whole point of the questions is to use them when you FORGET your password. So then they're annoying AND useless.
|
|
|
|
|
kdmote wrote: So then they're annoying AND useless. Yes, when they are used as they were first designed, they are annoying.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
RyanDev wrote: Treat it as a password and it's no big deal. ..it's not like it is a security-risc, or that people would call you and ask for such private details. That is, for the questions not already answered by their FB/LinkedIn profiles
These questions would also only be relevant for your email-account - all other applications can safely assume that your email is private and send a simple reset-link.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
|
|
|
|
|
Yes, but several site I deal with are now "smart" enough to detect the same answer to all questions, and complain bitterly until you change them
|
|
|
|
|
In those cases, my answers become "password1", "password2", "password3". No problem.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
So is it OK if I reset all your passwords, this week-end?
I wanna be a eunuchs developer! Pass me a bread knife!
|
|
|
|
|
Go for it.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
I use a mental code to create the answers based upon the site, itself. Nothing to really remember - the site tells me its own answer.
Now my reason for not liking them is that they ask questions about me that are too 'intimate' (alas, in the non-sexual sense) that, aggregated, give out more about me than anyone but me should know.
They're thrown at me by financial institutions, in particular, when it wants to validate the machine I'm on for a few sessions (before it does it again).
Ravings en masse^ |
---|
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein | "If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010 |
|
|
|
|
|
kdmote wrote: Of course there will always be brain-dead users who make up a ridiculous question like "What's 2 + 2?". That's actually quite a good question as it allows obfuscation. The answer to that question is Desmond, as in Desmond Tutu.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
|
If you give a logical answer, it can be logically guessed, and the guesser will then own your account.
But what really makes me laugh is that facebook users typically give away every detail that's ever asked by these questions.
I wanna be a eunuchs developer! Pass me a bread knife!
|
|
|
|
|
But it makes it so much easier to steal your identity if we know what street you grew up on and what your high school mascot was.
|
|
|
|
|
Quote: Simply let the user write his/her OWN question and answer I remember some sites offer this way and it's not a bad idea too.
|
|
|
|
|
As in -
You don't think you're going out dressed like that, do you?
to which the answer is -
You can't tell me what to do, you're not my real dad.
|
|
|
|
|
I don't think they're absurd and don't find them annoying, and several of the sites that I use do allow you to add your own question/answer set.
#SupportHeForShe
Government can give you nothing but what it takes from somebody else. A government big enough to give you everything you want is big enough to take everything you've got, including your freedom.-Ezra Taft Benson
You must accept 1 of 2 basic premises: Either we are alone in the universe or we are not alone. Either way, the implications are staggering!-Wernher von Braun
|
|
|
|
|
You are, of course, entitled to your opinion... and maybe the questions aren't as absurd in the lovely land of Oz, but when I am asked to choose one of several questions, each asking for my "favorite" thing among categories in which I have no preferences (ice cream, sodas, sports teams, etc) I find it extremely frustrating.
Like you, I have run across a few sites that allow users to write their own questions, but these sites are by far the minority. May their tribe prosper!
|
|
|
|
|
Two Points:
1) I agree, and I much prefer Authenticator tools like AWS, Dwolla, and my banks use
(although my bank still asks the annoying questions)
2) Have fun with it. In order to make my answers hard to guess, I have created an imaginary friend with a consistent life, and I use his answers. You should see the looks I get from my wife when I have to verify something like my mothers maiden name. He grew up near a friend of mine, and went to a different grade school and everything.
The worse part is that they are doing 2 things:
1) Storing these as clear text in most cases
2) Sharing your answers with NSA, and potentially with others
PS: You can't let the users choose their own questions and answers... The average user?
- What is the Worst Bank Ever?
- What Bank Really Stinks?
- Is there a such thing as a Stupid Question?
- Question? (with the answer literally being: answer, then Q2,A2, Q3,A3 ... Then a NYT Article,lol)
|
|
|
|
|
I don't know if we can make our voice be heard. Just wanted to share the worst I've come across.
A while back, I was on united.com for some reason; they wanted me to update my account with security questions/answers. Sigh. I guess, ok.
Not only are the questions from an enumerated list of possibles, but the answers were as well.
Grrrr.
|
|
|
|
|
Use your own has its own issues. I was working at a company that runs websites for managing retirement accounts. One day the call center manager comes running into room where developers work, waving a piece of paper and yelling to shut everything down. She had a screenshot that had the nav and masthead of the site, but the content area had just one word, "f***" and a submit button. She and several other people thought the site had been hacked and that we should shut it down immediately to prevent data leakage or damage. So we shut it down.
The printout didn't show the text input that would have been on the original page, or the address bar to show the offending page location. Turns out some moron set "f***" as his security question and forgot about it. Then later he forgot his password and went to HR to figure out how to get into the site. The HR manager attempts to use the password reset feature which of course presents the security question and a box to give the answer. HR managers being highly sensitive types are easily offended by websites being profane, and so she sent an angry email with screenshot (without address bar of course).
Yes if we had put some phrase like "Your previously chosen security question:" it would have been more obvious what was going on. But at least it made the day exciting. Oh and his answer to that wonderful security question was "great".
|
|
|
|
|
Specifically responding to your update:
I wish it was that easy. I work at the customer service level of a financial business that recently implemented "build your own" style security questions. The form is as self-explanatory as can be...
Password Reset Security Question {input element}
Password Reset Answer {input element}
This just confuses the hell out of users. I have to walk an average of one person per day through the process, and thoroughly explain that "here you can type out your own question, which will be shown to you when you request a password reset. Below, you put in the answer to that question." This is a basic concept to those of us who have experience in site development and high-level security concepts... but to the average user, it's mind boggling. In some cases, I even end up recommending that the user leaves those fields blank (in that case, they simply cannot self-initiate a password reset, and must call or come in to one of our offices. It's more work for us, but doesn't add a security risk). There are plenty of people who are far too impatient to even attempt to figure it out, and for them, I'm glad our situation has a workaround for the concept.
This isn't to say that the concept needs reworking. Security questions as they are typically implemented are appallingly insecure, and depend on essentially public data. This is bad, and needs to be addressed by the industry at large. On that, we are completely agreed.
|
|
|
|