
The whole "secret question" thing seemed to me to be a completely stupid idea from the start. "Hey, give us a password. If you forget your password, give us a much, much less secure way to access your account."

I've always given false info to those, when I bother to fill them out at all. If necessary, I just store this false info along with the password in the encrypted file I keep my passwords in. The security questions they use are often easily guessable (although it seems now they are using somewhat better questions). Nevertheless, my attitude is that I'll just make sure to retain the password.

I get the possible security risk of answering quizzes on places like Facebook, but I've done it a few times because it's fun. It all boils down to passwords being a hassle. Almost anything you do to make dealing with passwords easier makes them less secure, but there's nothing better. The only improvements over passwords come from additional authentication factors, like having to grab a code messaged to your cell-phone, or using one of those little security token devices (or the software equivalent). I don't think anything is going to be replacing passwords any time soon.



I used to answer secret questions with bogus answers that I deemed unguessable. Then I discovered that when my bank asks me the questions back it does multiple choice, displaying the answer I gave along with 4 other possible options! Sometimes my answer would not be shown and the correct answer is "none of the above", but otherwise my answer sticks out like a sore thumb.


Who in the world thought this was a good idea!? I can hardly think of a less secure way to ask security questions. You should name and shame; there’s a minimum bar everyone should uphold and this is far below it.


The problem they were trying to solve is someone typing in “Woodbridge Lane” as the answer and then later typing “Wood Bridge” or “Woodbridge Ln” or “Woodbridge Ln.” when prompted.

This was the wrong solution.


The real problem is that "security questions" are bad security.


Because calculating a Levenshtein distance is too complicated...


Still rather unsafe, right? "Cambridge" would be closer to "Woodbridge" than "Woodbridge Lane".


But randomly guessing Cambridge is not that likely. A bit of a pointless exercise though since security questions are dumb.
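As an added example (not code from any commenter or from any bank), here is what the Levenshtein idea looks like with a normalisation step in front of it. It reproduces the caveat raised above: on raw strings, "Cambridge" is closer to "Woodbridge" than "Woodbridge Lane" is, so the fuzzy threshold has to stay at typo level and the "Lane" / "Ln" / "Ln." variants are handled by normalising instead. The street-type table is constructed for this example.

```python
import re

# Constructed table of street-type variants for this example only.
# Canonicalising these handles "Lane" / "Ln" / "Ln." without loosening the
# edit-distance threshold that separates real answers from similar-looking ones.
STREET_TYPES = {"lane": "ln", "ln": "ln", "street": "st", "road": "rd", "avenue": "ave"}


def normalize(answer: str) -> str:
    """Case-fold, drop punctuation, canonicalise street types, remove spaces."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", answer.lower())
    words = [STREET_TYPES.get(w, w) for w in cleaned.split()]
    return "".join(words)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) by the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def answer_matches(stored: str, given: str, max_distance: int = 1) -> bool:
    """Accept a typo-level difference after normalisation, nothing looser.

    A wide threshold lets a different-but-similar answer through (the
    "Cambridge" problem); keep it at 1-2 and rate-limit attempts as well.
    """
    return levenshtein(normalize(stored), normalize(given)) <= max_distance


def raw_distances(stored: str, candidates: list) -> dict:
    """Distances on the un-normalised strings, to show why normalisation matters."""
    return {c: levenshtein(stored, c) for c in candidates}


if __name__ == "__main__":
    print(raw_distances("Woodbridge", ["Cambridge", "Woodbridge Lane"]))
    for given in ["Woodbridge Ln.", "Wood Bridge", "Cambridge"]:
        print(given, "->", answer_matches("Woodbridge Lane", given, 2))
```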


Someone who had no skin in the game.


If my bank had such weak security I wouldn't want to tell the internet where I bank.


This, too, was my problem. I don't want to give out real answers to my security question for two (slightly contradictory) reasons. The first is: what if this site is hacked? Now my security question answers are floating around for use on other sites that ask similar questions. The second is: some of these questions are pretty easy to find the answer to, or guess. So I used a generated string for those questions, too. Generally worked, but sometimes made for some interesting phone calls. "My mother's maiden name is <random string>. You can guess why she took my father's."

Then they started reading back random choices, which made it pretty easy to guess what I picked.


I have a third problem -- oftentimes, the list of questions they ask is nonsense to me. "What is your favorite food?" I don't have a favorite, and can't think of anything that I'd remember later. "What was the name of your first pet?" I never had a pet. "What was the name of your high school sweetheart?" Gee, thanks a lot for stirring up bad memories.


Here's a fourth that was actually responsible for me starting to just use generated passwords for those as well. They told me my answer wasn't valid.

According to them, it's impossible for your mother's maiden name to have less than six characters :/


Funny story - I had an old short-length insecure password on a website that I hadn't used for years.

I decided to log in and change it to a randomly generated secure password. However, they had upgraded their off-the-shelf software some time over the last 4-5 years to a newer version.

The problem was, on their password change page the "new password" field had a minimum length of 8 characters, however the "OLD password" field also had that exact same requirement.

So I put in:

* Old: 12345

* New: 717&t!1XFCWJWk!q@ut3B

* Confirm: 717&t!1XFCWJWk!q@ut3B

And got an error "your password must be 8 characters or greater".

After swearing a few times, I breakpointed and edited the javascript validation to remove the length requirement and submitted the change again - this time got a server-side error saying the same thing.

I ended up beating it by logging out, clicking "I've forgot my password" and resetting it via email.


> edited the javascript validation

You probably broke law there O_O


How can there be a law that prevents running arbitrary code on my own box?


I had a similar experience with a city bill pay website, except in this situation it was a new account and they simply didn't prevent me from setting the password to something long in the first place, so once my account was created I wasn't allowed in. And because you need to log in once to verify your email, I couldn't reset the damn thing either.


Oh no! My mother's maiden name is _invalid_!


Just go with the snark and put in a joke answer that you will find funny. Some of my security questions are hilariously inapplicable, so the first silly, snarky thing I think up is likely to be memorable. It is also a little hard to guess unless you know me really well to an unlikely degree, and it won't stick out as much as a sore thumb in multi-choice situations.


Except too often the strings have to exactly match. That has turned out to be a problem for me with longer answers.


Yesterday, I was logging onto the Australian MyGov site and forgot the password. It sent an SMS code for the reset to my mobile phone, but then would not let me proceed without answering the secret questions. I usually put the last word of the question sentence as the answer itself because I can't be bothered, but that was not the case this time. Not a great experience when they threaten to lock you out of the account, and you have to go link all services again on a new account. Also, the site has no option to change the mobile number for the SMS code, and you will have to create a new account if you change your number.


MyGov is a dumpster fire of bad choices.

Some of it is legacy - integrating systems built throughout the last three decades.

Some of it is management - they fired multiple teams partway through, with 100% turnover. They also massively underfunded said teams, devoting the majority of funding to PR. Also some... Interesting technical policies, like banning version control and advocating regular backups instead. (Something to do with code "theft protection").

Some of it was technical issues - different integration teams were given different browser compatibility goals. Some teams were told they must use PHP and Apache, others they must use NodeJS and nginx. Often for related parts of the UI.

If you want to know how to screw up a multi-million dollar project, look no farther.

(Source: Worked with a team leader during one of the "fire everyone" times.)


> banning version control

wtaf. embarrassed to be aussie


holy crap, NOW it makes sense.


yup, folks should give plausible but wrong answers to those questions and then put them in their password manager because they'll definitely forget.


Right. That's the obvious solution.


Then don't make it stick out.

Some people think they're too smart for putting a random string as their mother's maiden name. I'd rather just put something that looks like a name there.


What bank is it?


I agree with you and for accounts that matter (bank, etc), I'll generally generate additional passwords with my PW manager for each question and store them there.

That said, I have a peeve with one of the standard questions they ask, which is the "favorite" question. Favorite movie, favorite band, favorite song, etc. Besides the fact that I don't have One Favorite anything, does anyone actually have life-long singular favorite things? How the hell should I know what my favorite movie was 3 years ago when I rushed through some account creation process on some random website?


> I'll generally generate additional passwords with my PW manager for each question and store them there.

You have to be a bit careful with that, since some banks like to use those answers as "second factors"* when you call them. So I've gotten in the habit of using diceware-style passphrases for those, as those work over the phone better than pure white noise passwords.

*extreme air quotes


I also generate additional passwords, but after reading my additional password over the phone to an agent that pretty clearly would have accepted it (it's gibberish), I've since started storing what I deem to be a reasonable answer to the question. A random movie for the 'favorite movie' question, a random name for best friend, etc.


That's probably the best solution. It would be nice to have a dictionary of answers to these sorts of things (a dictionary of names, a dictionary of cities, etc) to quickly generate these in a truly random way to try and eke a little bit more entropy out of it.


That's a good point, and a great reason to try the "make pronounceable" option on my password generator.


KeePassXC comes with a Password Generator button in the toolbar and has a Passphrase option. Just max out the word count and choose your new favourite for each account.


They stop making new movies when you answer that question, thus ensuring your answer will remain valid.


That still doesn't stop you stumbling across an older film that you've never watched before, and then finding that you like it more than your "favourite".


Wait, you answer the question before having seen every single movie? How irresponsible.


I tried my best but the session timed out before I had even finished one movie.


Simple - we'll destroy every film in existence after you've asked that question. You get to be "the movie guy". That guy over there is "the book guy". The one in the corner who everybody hates? He's the one who had to use his first girlfriend's name...


The ones I love are those with questions like "What was the first city you visited" and they give you a multiple choice of like ten cities, none of which you may ever actually have visited.


Bruce Springsteen - Born in the USA: lifelong favorite song. (Although I must say that Eye of the Tiger comes very, very close.)


Now we know your age, too!


And a pretty strong hint to "his" gender...


When I signed up for a new bank account the bank rep had me set up online banking on their computer. When she asked me for my security questions and answers she was baffled when I told her the question selected didn't matter, and the answer was a seemingly random alphanumeric string. I told her that I don't know her, or her machine. For now, I'll be setting it as a quick, easy-for-me-to-remember string and I'll change it to a different one when I get home.


I do this too. I was told to add something like "PLEASE MATCH THIS TEXT, THIS IS NOT A RANDOM STRING" at the beginning. Apparently when some very incompetent bank workers ask your security questions, if the fraudster says "oh it was just a random string, I do not remember" they give access to your account.


> Apparently when some very incompetent bank workers ask your security questions, if the fraudster says "oh it was just a random string, I do not remember" they give access to your account.

This has actually worked for me more than once, so...yeah.

I find nonsense/ridiculous answers to be safer than random letters.

Make and model of first car? 2047 MAIBATSU MONSTROSITY

Where did you meet the love of your life? A METH-FUELED SWINGER PARTY IN A CHEAP MOTEL

etc.


My problem with that is remembering and generating it. First problem is easy to solve with password managers but you still have to generate an ideally long car name with no bias. If you put some bias, then it might be backtracked. You can have a dictionary of possible car names but then you're open to attack if that dictionary is found or predictable enough that someone else can compile that list. It just doesn't feel secure enough to me.


A security question doesn't need to have a huge amount of entropy. It's probably not hashed in the first place, so computerized brute forcing isn't a worry. It just needs to stand up against a limited number of fake logins or password reset attempts.


What about those programs that generate a Markov model out of a corpus of text? You could use that to generate the answers (provided the randomness source is secure).


To be fair, to actually exploit this the scammers would have to know you put in a random string. A human customer service process is not really subject to dictionary attacks.


Except customer service is often trying to help you remember, and you can guess a few times.... a scammer will say something like, "Oh man, I can't remember what I picked... sometimes I choose a random car model, but sometimes I just put random characters", and if either is true, the customer service rep might confirm it.


Incidentally, I've also had customer service go the other way. I was doing a security check, and one of the questions was how long have you lived at your current address. We moved when I was about 10, so I said "I think it's XX years, let me double check: Mum, how long have we lived here, is it XX or XX+1 years?", only to get "It has to be YOUR answers". Despite knowing all the other relevant answers (random characters of password, memorable name and date, amount of last Direct Debit, down to the pence, first line of address and post code) first time and without prompting, it ended up with my account being locked.

Definitely more security, but _maybe_ slightly too far in the other direction.


Mistakes happen, people mis-key, database entries get put in the wrong field, ... I imagine that if the entry didn't match the format for the field then you're open to the bank clerk being socially engineered more easily.

It's like if a password field said 'no punctuation, maximum 8 characters' and your password was much longer with lots of characters; particularly if it looks random it could appear to be a corruption.

I imagine the range of given names gives most password entropy, so "family pet" might be the best question to choose, especially if you never had a family pet.


For that reason I basically use a fake identity for security questions - all perfectly plausible answers, but actually have nothing to do with me. It's not as secure, because they are shared, but it at least removes the ability to research the answers.

I also just avoid setting them wherever possible -- it's basically only for banks (some random website isn't going to get real answers to security questions).


You could have predefined mappings of characters to strings so that they appear non-random, e.g. SBNLWPXMZ -> Seattle Boston Newcastle Lagos Washington Paramaribo Xanadu Montreal Zagreb.



So use passphrases that adhere to your security requirements (upper/lower/symbol etc)


Hashing a salted string of "an answer" usually works. Phone operators try to ask you the question, though, and you sit there for five minutes reading off hundreds of characters, and everyone is suddenly having a bad day, which I find hilarious. The people that expect you to maintain retardedly formatted passwords with stupid character mixtures, and expiration/re-use rules are obstacles, and I like making them as miserable as they make me.

The obvious corollary, though, is that there really are organizations with systems that use publicly available information about you, mixed with misinformation, to see if you can discern an "accurate-ish" answer (which is sometimes not correct at all, even if you know what they think the correct answer is), and they don't even give you options about what public information they're going to select to verify your identity.

It's usually a brief questionnaire about previous addresses, associated last names, states you paid your taxes in, and it deepens the impression that there are simply gaping, flawed security gaps at the core of everyone's financial factoids, because it's also sourced from poorly conceived paper-based bureaucratic files that never had any hope of being accurate from the outset.


>The people that expect you to maintain retardedly formatted passwords with stupid character mixtures, and expiration/re-use rules are obstacles, and I like making them as miserable as they make me.

The person on the other end of the phone had nothing to do with it.


For me, as an early stage startup, my devs are actually doing some customer service. I find it has helped our UI/UX immensely because they have to deal with all the problems directly. I actually think it is a great idea to let your developers spend at least a little bit of time each week (or day) doing customer service. It's amazing how much faster little bugs get fixed and processes get streamlined.


My hope is that the ambient animosity seeps through, via high turn-over, leading to increased personnel costs for the organization.

In general, hopefully this uncooperative behavior adds to the general misery distributed throughout the world, and all just because security goons need to feel like they're smarter than the people subject to their policies.

Consider this, oh reader, should you have the opportunity to alter password policies for a project you're working on.


Clearly you haven't done customer support, if you think having to listen to a long string of characters is what's going to break them :)


SMS-based 2FA should be avoided as much as possible, since there are many ways to take over a phone number and get a hold of the code. Passwords, while being a huge hassle, are probably going to be the de facto authentication mechanism for sites and services (unfortunately). Maybe some sort of distributed PKI authentication + 2FA combo would be an interesting solution, but the problem would be adoption.


In Norway we have "BankID" which is a 2FA solution for authentication and digital signature. It started as a normal 2FA solution with a hardware token combined with username (social security number) and password. A few years ago they introduced a mobile solution where you don't get an SMS or get prompted by an app, but rather it's some kind of functionality on the SIM card. Very convenient and works on all banks, most finance institutions and everywhere else you need to sign things.


Lately there have been attacks on BankID in Sweden.

They call you up and pretend to be from your bank, then ask you to open your BankID app and verify your identity so that they can share some very important information with you.

You open your app, and ID yourself, thereby logging them into your bank account on their end.


In fact this is a method of stealing people's investment accounts -- a victim with an investment account is identified. That person's phone number is then "captured". The investment account asks for 2FA and the thief now has that phone #, and "authenticates." The next step is to transfer all the money in the account to a third party and disappear.

It's disgusting how twisted these criminal activities have become.


I remember reading about an activist that had all of their online accounts wiped by this very mechanism. They had 2FA protecting everything, but someone called their cellular carrier and switched their account over to a new SIM. They then did password resets on all the accounts and wiped them.

Every alternative way in is a larger attack area.


You mean how incompetent the banks have become? Everyone has a phone that can run a proper 2FA app like Authenticator. Using SMS is inexcusable.


I got a Yubikey a few weeks ago and thought I'd switch to an online bank that offered Yubikey login... I spent hours looking and couldn't find any. Not even one. Couldn't even find any offering Google Authenticator. I saw that a few of the biggest banks will ship you an RSA token/similar device if you ask, but not quite what I had in mind.


How does the phone number get identified? You would think that'd be confidential.


I'm assuming "SMS" means true, original SMS. Most people with iPhones, for instance, are using encrypted iMessage, but the code sent to you from a service provider (Microsoft, etc) will be done over straight SMS, not iMessage. Those basic SMS messages can be intercepted by a duplicated SIM card or setting a phone up with different firmware to basically listen to everything around it, including receiving SMS messages. This is probably not casual identity theft tactics though, right? I wonder if mainstream providers shouldn't start using things like Signal and WhatsApp for the 2FA code rather than SMS.


SMS can also be captured by calling the customer service for your cell company and saying "I'm out of the country and lost my phone, can you forward texts to INSERT NUMBER HERE for me?"


use a burner sim like: https://www.twilio.com/wireless/pricing. presumably Twilio is harder to social engineer than [big telecom]


The Twilio SIM card is not as useful as you might expect. Unfortunately, Twilio cannot receive SMS messages from short codes [1], which are often used by the kinds of places (banks etc) that rely on SMS for 2FA.

Also, keep in mind that an adversary can grab your text messages even without any social engineering skills; they just need to rent a cell tower somewhere in the world and advertise your number as roaming there [2]

As you implied, it is probably safer to use a different number than your main one for SMS-based 2FA (the much-maligned security through obscurity), but before you go out and buy a second phone plan, consider issues such as whether you will be able to receive SMS messages while traveling internationally.

[1] https://support.twilio.com/hc/en-us/articles/223181668-Can-T...

[2] https://news.ycombinator.com/item?id=16773171


You could use https://jmp.chat/ instead - JMP does support short codes, and you can use it anywhere you have Internet access, regardless of whether you have a SIM or not.


Depends on your country doesn’t it? Where I live you need to identify yourself with your national 2factor ID if you want to do anything phone related. Both for security reasons, but also because of big brother tracking us.

But the side effect of this is that you can’t hijack a phone number unless you hijack the cell tower between it and the network.


Doesn’t 2fa mean password + phone? How is getting the phone sufficient?


You can often reset the password if you can intercept the chosen token generator, like SMS.


I agree, secret questions are dumb... but what are the alternatives?

The majority of human beings now manage important parts of their lives online, which means they have to remember passwords.

Humans are TERRIBLE at remembering passwords - those of us who use a password manager represent a fraction of a percent of those who need one.

Secret questions may be revoltingly insecure, but they do at least let people get back into their accounts. We need to do better, but I don't know what "better" looks like.


Even if humans were excellent at remembering passwords - I look into my pwd manager and I have over 500 passwords. OK, I am not a common case - I have passwords from various systems, logins, keys, etc. there. But even a common person can have accounts on a hundred sites. And now add rotation requirements. Nobody outside of trained mnemotechnic performers can remember those - and keep them up to date for years. It's just not humanly possible in the current environment. Either you use one password virtually everywhere, or you don't remember any of them.


If it is a password to a bank account or a brokerage account I would love to be able to set the system up to only be able to reset my password in person at a branch or office. Charge me for the reset if you think it's too expensive to have that service for free.

For other passwords people should just write them down and store them in a safe place (like in their desk at home).


> I agree, secret questions are dumb... but what are the alternatives?

Unless you are running a system intended as the user's primary email provider, 2FA + email covers basically all the things that “security question” auxiliary passwords are used for, with both better usability and better security. For high security cases, 2FA + in person recovery may be more appropriate.


I'd love the option to at least use Touch ID. Facebook is a huge example. I have a long complicated password, and when I switch Messenger accounts, it likes to ask for it. Why can't I just use my thumbprint and Touch ID? Same with Barclays. The app wants my password 2/3 of the time, even though I have it set to use Touch ID.

I'd at least like the option to use Touch ID/Face ID only.


Trusted third parties with time lock and N of M confirmations for unlock. Nominate contacts that can jointly unlock your account after a set delay.


No...humans are terrible at remembering passwords given inane “security” requirements that vary from site to site.

I have yet to see a site allow me to “correct horse battery staple” my password for instance (xkcd), which I’ve found very memorable.


There's an easy trick for that: you use a random password of that style, then you add some weird characters at the end to comply, like "A!5#" - but you use the same weird characters for every site, so you only need to memorize a single sequence.


Except for the sites which prohibit special characters, or limit to a max of 16 characters (I ran into this last week, was genuinely surprised it was still a thing).


> Humans are TERRIBLE at remembering passwords

This is the main problem and we created this problem. Over the last 30 years we worked so hard to make passwords weird and not even that hard for computers to try to find. If your password is a sentence that you know by heart, say your favorite quote, the motto of your country, of your school, or some cool fact etc... your password would be (1) safer and (2) easier for you to remember. That's what I do and I never have a hard time remembering my 4 to 6 word password. I just use a bunch of books/movies and remember my favorite quotes. For example "one ring to rule them all" is a good password, or "may the force be with you" or "call me ishmael".


Are you kidding? Those are terrible passwords, and there’s already some script kiddie out there with a password list containing the top 10 billion book, music, tv show, and movie quotes.

A good password has entropy, which is not a property of the alphanumeric string but of the process used to create it. Could your password generation method plausibly have produced 2^60 alternative passwords with equal probability? Probably not.

Also, never reuse passwords.


"One ring to rule them all" is a terrible password, but "the dark lord's unique jewelry" might be a good one.


For passwords I need to remember (rather than just putting in my password manager), I've taken to using lines from foreign content, especially if it's something I've translated myself or I've introduced some deliberate misreadings in. I imagine very few dictionaries would have "personawakokoronoka!" in them (not a password I've used, but illustrates the idea). Derived from:

ペルソナは心の力 - read as "perusona wa kokoro no chikara"

Then I've replaced it with the English spelling of Persona -> "persona wa kokoro no chikara"

Then I replace chikara with a misreading - when I first learnt the characters, I mixed up 力 (chikara) with the katakana カ (ka) and often read both as ka -> "persona wa koroko no ka"

Then remove the (unneeded) spaces and add a "!" for good measure -> "personawakokoronoka!"

Dead easy for me to remember, but (I believe) difficult to derive/guess or dictionary attack (especially if I start with a longer sentence).


"Blamm0!One ring to rule them all" would be better, in that it adds a personal salt. If your personal salt satisfies length and character class requirements by itself, so much the better.

Or maybe "One And ring in to the rule darkness them bind all, them." in that it applies a personal transformation rule.

Or do both.

It's not as secure as other methods of password generation, but makes yours more resistant to (unabridged) dictionary attacks. If an attacker learns your personal salt, they could create a special dictionary attack just for your passwords, but this is another case of not outrunning the tiger when you can outrun your friend. Far easier to run the vanilla dictionary attack against everyone else who doesn't salt/transform.


Are you kidding?

Which is longer, the alphabet or the dictionary?

There's a hell of a lot more words in any language than there are characters that make them up.

N case insensitive words is far better than N character password from the normal set of characters (alphanumeric + special characters).

Even if you restrict the combinations of words to grammatically correct sentences there's still more combinations than there are for the same number of characters.

That still holds even if you make assumptions about sentence structure, common word combinations, etc, etc. There's a lot of words out there.


If you're using a famous quote, after a few words you're adding next to zero entropy per word.

You're using an analysis for random words, which is completely different.

Also in general a random word is worth around as much as two random characters. There's no clear-cut winner, use whatever you like more.
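An added example of mine, not code from any commenter: it implements the letter-to-city mapping proposed further up this thread (SBNLWPXMZ -> Seattle Boston Newcastle ...), so that a plausible-looking answer can be regenerated from a short random token kept in a password manager, and it puts numbers on the random-words-versus-random-characters argument in this subthread. The 26-city table and the list sizes (7776 diceware words, 95 printable characters) are constructed assumptions for the example; the city names add no entropy, all of it comes from the CSPRNG draw.

```python
import math
import secrets
import string

# Constructed 26-city table, one city per letter, extending the S-B-N-L-W-P-X-M-Z
# mapping from the comment above.  The city names add no entropy; they only make
# a random letter string look like a plausible answer and read well over the phone.
CITIES = [
    "Amsterdam", "Boston", "Cairo", "Denver", "Edinburgh", "Florence", "Geneva",
    "Helsinki", "Istanbul", "Jakarta", "Kyoto", "Lagos", "Montreal", "Newcastle",
    "Oslo", "Paramaribo", "Quito", "Riga", "Seattle", "Toronto", "Utrecht",
    "Vienna", "Washington", "Xanadu", "Yokohama", "Zagreb",
]
LETTER_TO_CITY = dict(zip(string.ascii_uppercase, CITIES))
CITY_TO_LETTER = {city.lower(): letter for letter, city in LETTER_TO_CITY.items()}

DICEWARE_WORDS = 7776    # size of the standard diceware list (6^5)
PRINTABLE_ASCII = 95     # printable characters on a US keyboard


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def random_token(length: int, alphabet: str = string.ascii_uppercase) -> str:
    """CSPRNG-backed token; this draw is where all the entropy comes from."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def token_to_answer(token: str) -> str:
    """Encode each letter as its city so the stored answer looks like a place list."""
    return " ".join(LETTER_TO_CITY[c] for c in token.upper())


def answer_to_token(answer: str) -> str:
    """Recover the short token from the city list (what you'd keep in the manager)."""
    return "".join(CITY_TO_LETTER[w] for w in answer.lower().split())


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """How many words or characters a scheme needs to reach the target entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def words_vs_chars(n: int) -> dict:
    """n random diceware words versus n random printable characters, in bits."""
    return {"words": entropy_bits(DICEWARE_WORDS, n),
            "chars": entropy_bits(PRINTABLE_ASCII, n)}


if __name__ == "__main__":
    token = random_token(9)
    print(token, "->", token_to_answer(token),
          f"({entropy_bits(26, len(token)):.1f} bits)")
    print("60 bits needs", symbols_needed(60, DICEWARE_WORDS), "diceware words or",
          symbols_needed(60, PRINTABLE_ASCII), "printable characters")
```

One random diceware word is worth about 12.9 bits and one printable character about 6.6, which is the "one word is roughly two characters" figure; a famous quote is a single dictionary entry, not a sequence of random words, so none of this arithmetic applies to it.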


> one ring to rule them all

> may the force be with you

> call me ishmael

These are all in my password cracking dictionary.


I nearly lost my google account that way. I gave a nonsense answer totally unrelated to the question as I knew I would never forget my password.

Was in a different country, got locked out, had to give my security question answer.... oh dear. After about 3 months of occasionally sitting down and just trying out random things I might have entered, I managed to get it back.


I've lost an account on another service this way. They did a forced password reset. To set a new password, you had to go through the forgot password flow, receive the email, and then answer the security questions. You would think that if the passwords were compromised, the (probably plain text) security questions were certainly compromised.


I do the same. Once, a bank asked me over the phone what my high school mascot was (or whatever) to verify that I was really me. I hadn't expected them to use the question in this way, so I wasn't prepared to look up my answer. Knowing whatever randomly generated string I'd used was likely unpronounceable I answered, "I could teach you to pronounce it, but first you'd need to cut out your tongue." which they accepted.


> which they accepted

That's not great.


Yeah, this is why I use "lies" rather than "randomly generated string".


I confirm here. Another bank accepted for me.


This happened to me but I’d chosen the “write your own question” option, so the lady asked me “what is [childhood imaginary friend]’s middle name?” I told her the answer and she said “that was cute.” I never expected an actual person to ask me the question!


Exactly. But having to come up with fake answers to stupid questions and track them, is just proof of how bad some people are at their job.

Apple still does this kind of crap. Actual questions:

In what city did your parents meet? What is the first name of your best friend in high school?

Recently an airport public WiFi in a major city in Europe wanted my birthdate and the agreement language said that I acknowledge everything I'm stating is true and correct. It's so blatantly asinine. I didn't even bother to look if it cited some EU law that lying is a crime, I just said fuck it, and went without Internet for a few hours.


One thing that really drives me crazy is that Apple asks me my security questions even if I enter my correct password because I haven't logged in for a while. I didn't save the answers (and this is my fault) but anyway I would have done it in the KeePass database that also contains the password, so no additional security.


They do that to remind you of the security answers. Still a broken model over all.


They could prompt you with the security questions as some other services do for master passwords, for example, but usually there's the possibility to skip it. Now I'm locked out even though I know both username and password: this is a BIG logic flaw in my opinion.


> Apple still does this kind of crap.

Not for users who've opted into two-factor authentication: https://support.apple.com/en-us/HT204915

From the page:

> Do I still need to remember any security questions?
>
> No. With two-factor authentication, you don't need to choose or remember any security questions. Your identity is verified exclusively using your password and verification codes sent to your devices and trusted phone numbers. When you enroll in two-factor authentication, we will keep your old security questions on file for two weeks in case you need to return your account to its previous security settings. After that, they will be deleted.


I have always wondered what happens if the receiving site is someone like IRS or any such government entity. If one of the questions was "where was your father/mother born?" and you gave a fake answer.. are you now "lying to the government"?

There are a lot of questions that can have provably right/wrong answers - assuming someone powerful is out to get you. Imagine that being used against someone!


I'm not even 100% sure where my mother was born. Her family moved around a lot back then (military) and she and each of her siblings were born in a different city. She passed away almost two decades ago, so it's not like it would ever come up now. I guess I could try to find her birth certificate somewhere in my dad's papers, assuming he still/ever had a copy.


I don't think lying to the government is automatically illegal (ymmv, ianal, probably varies with jurisdiction). They are generally pretty explicit about the contexts in which lying is illegal (certain signed forms, being under oath etc) which would imply that lying is at least not illegal in other cases.

This is not, by the way, a strictly government related concern. If you lie on a credit card application (and are caught), you're going to have a bad time. But the signed bit of the application is usually completely different from where you're asked to set up "security questions".


Indeed, they're only slightly less stupid than considering SSNs to be secret and then using those. As others also suggest, I always make up the answers, different per counterparty - there's no way I fully trust places like my work to keep these details securely, so it's worth compartmentalizing the risk


The funny thing is the search space for most of these questions is so narrow. I mean, they ask for colors (how many are there? how many can the average person name?), city names, personal names, baseball teams, school mascots, etc. How easy is it to compile a dictionary for all of those? Probably won't take more than a day.

> I've always given false info to those, when I bother to fill them out at all

The average person, not trained in using password managers, won't do it. In fact, most password managers don't support those, so you need secondary secure storage. The chances of a layperson setting one up properly and consistently using it are close to zero.

> Nevertheless, my attitude is that I'll just make sure to retain the password.

The problem is, on some sites, if you know these questions you can just reset the password. Which is insane, but unfortunately happens.
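To put numbers on the narrow-search-space point above, here is an added example; it is not code from this thread or from any of the services discussed. It constructs a toy "leaked" table in which answers are stored as unsalted SHA-256 of the lowercased text (an assumed storage scheme, chosen to be only slightly better than the plain text the thread suspects), shows that a dictionary of a dozen colours or cities recovers them in a handful of guesses, and computes how likely an online attacker is to land on the right answer within a site's lockout budget. The questions, answers and dictionaries are all made up for the example.

```python
import hashlib
import math
from typing import Dict, List, Optional, Tuple


def weak_hash(answer: str) -> str:
    """Assumed storage scheme for the toy leak: unsalted SHA-256 of the lowercased answer."""
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


# Constructed "leaked" rows: question -> stored digest. The digests are computed
# here from made-up answers ("Blue", "Boston"); nothing comes from a real breach.
LEAKED: Dict[str, str] = {
    "favorite color": weak_hash("Blue"),
    "city of birth": weak_hash("Boston"),
}

# Deliberately tiny constructed dictionaries. A real one would list every colour
# name, city, team and mascot and still be tiny by password-cracking standards.
DICTIONARIES: Dict[str, List[str]] = {
    "favorite color": ["red", "orange", "yellow", "green", "blue", "purple",
                       "black", "white", "pink", "brown", "grey", "gray"],
    "city of birth": ["new york", "los angeles", "chicago", "houston", "phoenix",
                      "philadelphia", "san antonio", "san diego", "dallas",
                      "boston", "seattle", "denver"],
}


def crack(question: str, digest: str) -> Tuple[Optional[str], int]:
    """Offline attack: hash every dictionary entry for the question and compare.
    Returns (recovered answer or None, number of hashes computed)."""
    attempts = 0
    for candidate in DICTIONARIES[question]:
        attempts += 1
        if weak_hash(candidate) == digest:
            return candidate, attempts
    return None, attempts


def entropy_bits(n_choices: int) -> float:
    """Bits of secret in an answer drawn uniformly from n_choices candidates."""
    return math.log2(n_choices)


def online_guess_probability(n_choices: int, attempts_allowed: int) -> float:
    """Chance an online attacker, limited to attempts_allowed tries before lockout,
    hits a uniformly chosen answer. Real answers are skewed towards a few popular
    values, so this is a lower bound on the attacker's odds."""
    return min(1.0, attempts_allowed / n_choices)


if __name__ == "__main__":
    for question, digest in LEAKED.items():
        answer, tries = crack(question, digest)
        bits = entropy_bits(len(DICTIONARIES[question]))
        print(f"{question}: {answer!r} after {tries} hashes ({bits:.1f} bits of secret)")
    print("5 online tries against 12 colours:",
          online_guess_probability(12, 5))
```

Even a slow, salted hash would not change the picture here: a dozen scrypt invocations per question is nothing, and against the online flow the lockout counter is the only thing standing between the attacker and a better-than-coin-flip chance.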


Honestly you need a better password manager if it doesn’t allow you to store arbitrary notes or secret question/answer pairs.


What's worse these days is, ever since the Equifax breach, certain institutions have taken to asking me for the last 6 digits of my social (or even worse... all of them...)


SSN isn't even a 'secret' number. Military folk have it on their ID tags and you're supposed to give it up if you're a POW. If you're supposed to give it to your enemies, then how is it private info?


The last 4 or 6 are the ones with the most information. The preceding 3-5 digits are handed out in blocks to the states. So if you roughly know when and where someone is born, you can guess their prefix.

http://www.ssofficelocation.com/social-security-number-prefi...


Typically using a secret question also requires you to have access to the email account you signed up with, so it's almost 2FA at that point.


Square Cash is passwordless. They move money around.


The purpose of the "security question" is simple: if a user needs to recover their password, then the next best way to verify the authenticity of the password reset request is to verify they know the answer to a few pieces of information they have previously shared with the service. In the age of mobile devices and 2FA, this becomes a lot less relevant but is still a very viable alternative because it's accessible and difficult to crack if done right.


Also, if answers to those questions alone have given you access to your account, it is most certainly implemented poorly.

Typically access to the account would come in a 2nd factor form like clicking on a reset password link from an email account that is yours and previously configured for such service. Only then would you be allowed to provide a new password to recover the account. Brute force protections like ensuring only a finite amount of failed attempts are necessary.
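As an added illustration of the flow described in the two comments above (example code written for this page, not any bank's or Apple's implementation), the sketch below requires both a single-use token from the enrolled email address and every stored answer before a password can be changed. Answers are kept only as salted scrypt digests of a normalised form, so "Woodbridge Ln." and "woodbridge lane" compare equal without resorting to the multiple-choice prompt mentioned earlier in the thread, and the token is burned after a fixed number of wrong answer sets. `RecoveryService`, `normalize`, the abbreviation list, the failure budget and the scrypt parameters are all assumptions chosen for the example; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 5           # assumption: burn the reset token after this many bad answer sets
TOKEN_TTL_SECONDS = 900    # assumption: the emailed link is valid for 15 minutes
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)   # illustrative cost parameters


def normalize(answer: str) -> str:
    """Canonical form of an answer so spelling variants compare equal without
    keeping plaintext. Assumption: fold case, expand a couple of common street
    abbreviations, then drop everything that is not a letter or digit."""
    s = answer.lower()
    s = re.sub(r"\bln\b", "lane", s)
    s = re.sub(r"\bst\b", "street", s)
    return re.sub(r"[^a-z0-9]", "", s)


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Slow, salted hash (standard-library scrypt) over the normalised answer.
    return hashlib.scrypt(normalize(answer).encode(), salt=salt, **SCRYPT)


@dataclass
class Account:
    email: str
    answer_salt: bytes
    answer_hashes: Dict[str, bytes]          # question -> scrypt digest
    failures: int = 0
    reset_token_hash: Optional[bytes] = None
    reset_token_expiry: float = 0.0
    password_salt: bytes = b""
    password_hash: Optional[bytes] = None


class RecoveryService:
    """Two-step recovery: (1) mail a token, (2) token + all answers unlock a password change."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # (email, token) pairs a mail sender would deliver

    def enroll(self, email: str, answers: Dict[str, str]) -> Account:
        salt = os.urandom(16)
        acct = Account(email, salt, {q: hash_answer(a, salt) for q, a in answers.items()})
        self.accounts[email] = acct
        return acct

    def request_reset(self, email: str) -> None:
        # Only the token's hash is stored, so a database leak does not yield a usable link.
        # Unknown addresses get the same (empty) response to avoid account enumeration.
        # The failure counter is deliberately NOT reset here; after lockout the owner
        # needs an out-of-band path (assumption: a support process), not a new link.
        acct = self.accounts.get(email)
        if acct is None:
            return
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_token_expiry = self.now() + TOKEN_TTL_SECONDS
        self.outbox.append((email, token))

    def complete_reset(self, email: str, token: str,
                       answers: Dict[str, str], new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token_hash is None or acct.failures >= MAX_FAILURES:
            return False
        if self.now() > acct.reset_token_expiry:
            acct.reset_token_hash = None         # expired: start over
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        # Check every answer without short-circuiting, so a wrong first answer
        # costs the same time as a wrong last one.
        ok = True
        for question, digest in acct.answer_hashes.items():
            given = answers.get(question, "")
            ok &= hmac.compare_digest(hash_answer(given, acct.answer_salt), digest)
        if not ok:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.reset_token_hash = None     # burn the token; owner should be alerted
            return False
        acct.reset_token_hash = None             # single use
        acct.failures = 0
        acct.password_salt = os.urandom(16)
        acct.password_hash = hashlib.scrypt(new_password.encode(), salt=acct.password_salt, **SCRYPT)
        return True

    def check_password(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None:
            return False
        digest = hashlib.scrypt(password.encode(), salt=acct.password_salt, **SCRYPT)
        return hmac.compare_digest(digest, acct.password_hash)
```

The ordering matters: the token is checked before any answer is hashed, so someone without access to the mailbox never gets to spend guesses against the answers at all, and the per-account failure counter caps what a mailbox thief can try before the token is destroyed.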


Does Apple still do this? I always wondered how they're glorified for Privacy and Security while pulling this off...


I know it may be to my detriment some day, but I just use the same answer for all secret questions everywhere. It has nothing to do with anything I've ever encountered, anywhere I've ever been, or anyone I've ever known. I do use a password manager, but my bank will ask secret questions to register new devices, so I've resorted to this tactic to reduce the hassle.


Let's hope you won't have to regret sharing this information too publicly...


I store my automatically generated secret answers in my password manager.


I love the following technique:

Question: What was the name of your first cat?

A: cat

Q: what city were you born in

A: city

Q: what is your moms maiden name?

A: name

and the like.


Now that you shared it here though, someone might try this on you.



