Underlying this, don't ever answer these stupid 'account security' questions truthfully. Better to make something up and store it in your password manager along with other account info.
I'd normally be tempted to put in the same types of random passwords I normally use, eg:
> What was the name of the street you grew up on? L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj
Unfortunately, I've heard you can talk to customer support and say things like "I think I just typed in random garbage for that" and they'll accept it. Whether an attacker would know or try this I'm not sure, but I could also see a customer rep hinting towards this when they see it.
It's probably better to actually make up something plausble-sounding but incorrect, like "Summit Avenue". (Related: there's a website for this [1])
Ha. I had the pleasure(?) of calling Dish Network customer support a week ago. They asked for a security code. I gave them the number I had recently used successfully. Nope, that's wrong. I admitted I had no idea, since that was the code I used when I had to call them last summer.
So the customer support rep gave it to me! Judging by the code he told me, my wife had to have changed it at least 10 years ago (it was the name of her dead horse) and she had no recollection of doing so.
IOW, Dish had at least two different security codes under my account and they had no problem simply giving one out to someone on the phone who claims to be me. At least it actually was, in this case.
> Unfortunately, I've heard you can talk to customer support and say things like "I think I just typed in random garbage for that" and they'll accept it.
My issue is that most of the time, the available questions are just frustratingly dumb. I don't have a favorite song, favorite movie, or favorite food. I like lots of things and those things change over time. And seriously, favorite teacher? That's very common. How many people really have a favorite teacher.
"Underlying this, don't ever answer these stupid 'account security' questions truthfully. Better to make something up and store it in your password manager along with other account info.
I'd normally be tempted to put in the same types of random passwords I normally use, eg:
> What was the name of the street you grew up on? L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj"
that's what I do too:
Mother's maiden name: jklqedwsfjkl;ewdfq;jklqwe
First car: iohwrqefhiokqwefiohp0u-0ui
The best solution is to not show the secret answer to the representative. Let them type in guesses until they get it right. It’s so nonsensical that we put such a critical duty on tired, rushed, poorly trained, and poorly paid workers. I’m guessing that would cost the company more money, though, by adding friction and making the call take 3.5 seconds longer.
Another option is an XKCD-inspired[1] 'correct horse battery staple' passphrase. I understand that using such passphrases in other contexts like encryption is controversial due to their relatively low entropy, but I think customer support is an ideal application for them.
I believe the entropy problem is only that people don’t choose words randomly. I wrote a script to do it for me, with numbers separating words because some websites demand numbers, and assuming the random number generation is suitable, it’s 73 bits of entropy.
I only looked at the Python part, and no, it's not good.
Documentation for the random module¹ prominently warns:
The pseudo-random generators of this module should not be used for security purposes. Use os.urandom() or SystemRandom if you require a cryptographically secure pseudo-random number generator.
I'm no cryptographer, but while the warning is valid, I don't think it's crucial here.
There are two potential sources of problem, the seed and the PRNG. The seed should be OK, because Python will use urandom as long as it's available in the system. As for the PRNG, a non-secure one shouldn't be used in encryption because it has statistically predictable behavior, but as far as I know that requires access to the ciphertext, which isn't the case here.
Still, replacing random with SystemRandom is easy and would fix the problem.
Okay, I don't study this, but I don't think that's what "cryptographically secure pseudo-random number generator" means. Not all things vaguely related to cryptography are required a CSPRNG and these answers are not being used cryptographically at all in many cases (like you just reading it over the phone to the representative). Please correct me if I'm wrong.
A bog-standard RNG might generate passwords depending on what second you ran it, so an attacker can easily make a list of all the passwords generated in a specific month or year.
People have lost a lot of bitcoins this way.
It might be okay for a security question, but better safe than sorry. Just use a secure generator for everything.
More seriously, since you have your "random" numbers in non-fixed position (due to different length of the "random" strings/words and also the number themselves can be 1, 2 or three characters long), even if the built-in algorithm is not "random" enough mathematically, I don't think that it will actually affect password discoverability.
I'd normally be tempted to put in the same types of random passwords I normally use, eg:
> What was the name of the street you grew up on? L9Pro840Of9KNIGfKD4tf8tOwTG9Dcqj
Unfortunately, I've heard you can talk to customer support and say things like "I think I just typed in random garbage for that" and they'll accept it. Whether an attacker would know or try this I'm not sure, but I could also see a customer rep hinting towards this when they see it.
It's probably better to actually make up something plausble-sounding but incorrect, like "Summit Avenue". (Related: there's a website for this [1])
[1] https://www.randomlists.com/random-street-names