Slashdot Mirror


Secret Security Questions Are a Joke

Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden's name,' concludes Rosen. Passwords have reached the end of their useful life, adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"

408 comments

  1. Simple solution by Anonymous Coward · · Score: 5, Insightful

    Let people design their own question.

    1. Re:Simple solution by MightyYar · · Score: 2, Insightful

      But the lazy will make questions like "What is 2+2?" or other such nonsense.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Simple solution by NeutronCowboy · · Score: 5, Insightful

      Even simpler solution: design your own answers. Yes, you'll get funny silences over the phone when you tell the rep that you were born "On the moon", that the street you grew up on was "the yellow brick road", and that your mother's maiden name was Humpty Dumpty. The upshot is that no one can guess, the answers are meaningful to only you, there is only one answer (the fake, important name and place), and, because the answers are whatever you think they should be, applicable.

      --
      Those who can, do. Those who can't, sue.
    3. Re:Simple solution by mkraft · · Score: 1

      That's actually already being done by a number of companies. That still doesn't help though if someone enters a question with an easy answer.

      The "best" thing people can do is put in wrong answers to their security questions. Unfortunately if someone does so and forgets the answer, then that person can't get access to his or her account. Unless of course that person has an account with Apple or Amazon in which case the secret answers aren't needed. Hence the problem with the entire password system.

      I'm not sure what the solution to this problem really is. Gaining access to an account without a password should be difficult, but not impossible, since what if a spouse needs access to an account of someone who has died. Maybe password resets should require a court order if the person can't answer the security questions.

    4. Re:Simple solution by Hognoxious · · Score: 4, Insightful

      The problem is that if you don't use them very often (say only for a password reset) it's easy to forget what answers you gave.

      One trick is to give true answers, but for someone else, i.e. you answer as if you were Linus Torvalds or Queen Victoria. But then you still have to remember who ...

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    5. Re:Simple solution by Anonymous Coward · · Score: 2, Insightful

      So now you have to remember nonsensical answers to every important site you use, in addition to a password. You can't use the same answers everywhere, because when one gets hacked, all other account security questions are vulnerable.

      In other words, passwords aren't secure, so let's use even more of them! This is like saying credit card numbers get stolen, so the solution is to add some more to the back of the card.

    6. Re:Simple solution by fredprado · · Score: 5, Insightful

      And they are within their rights to do so and suffer the consequences for it.

    7. Re:Simple solution by Krneki · · Score: 1
      NO

      Security questions are completely pointless. They were implemented because idiots used the same username / email address and passwords across different websites. So once a hacker got all the info from a poorly secured website he was able to access all the user accounts.

      All you need is a username and password; if you want a 2nd security check, use the email you can't replace in 5 min within the account (put in a 2-month delay). If the user is so stupid as to use the same password on the email, let him pay the price; don't force people who use secure logins to suffer the mandatory secure questions as it is not needed.

      --
      Love many, trust a few, do harm to none.
    8. Re:Simple solution by PerfectionLost · · Score: 5, Funny

      I had a friend who built an entire fake persona that she used to answer her security questions. Address, parents, pets, you name it.

      In hindsight she was probably a little schizophrenic.

    9. Re:Simple solution by Qzukk · · Score: 4, Informative

      I once had an account on a site that asked me to select three questions from a list of a couple dozen then answer them.

      When I needed to recover my password, it asked me to select the same three questions from a list of a couple dozen then answer them again.

      I never managed to recover my password.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    10. Re:Simple solution by Anonymous Coward · · Score: 2, Funny

      Yup. I had an embarrassing phone conversation with my state's tax department because a year earlier I set the secret question to "What is the password?" and a year later I had naturally forgotten the answer.

    11. Re:Simple solution by Isaac-1 · · Score: 5, Insightful

      And as long as you always answer 42, or 416 what is the problem with that?

    12. Re:Simple solution by cpu6502 · · Score: 1

      I use my GRANDmother's maiden name. Since she hasn't used it since circa 1925 I figure it will be very difficult to locate.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    13. Re:Simple solution by Anonymous Coward · · Score: 3, Interesting

      Mine is, "What do you hate about c++?" when it is optional. People are good at making up their own questions if they care. And security is only as good as you care about it. It is impossible to force people to use security despite the attempts.

    14. Re:Simple solution by MightyYar · · Score: 4, Insightful

      I don't think that would fly. If a person's bank account gets hacked, the bank usually (always?) picks up the tab. It's in their interests to get people to bank online - it is significantly cheaper than hiring tellers. If I were on the hook for security flaws at the bank, I'd never bank online.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    15. Re:Simple solution by shadowrat · · Score: 1

      Hmm, I never thought I would have to give the answer to my security questions over the phone. I always fill them in with an 8 - 12 char alphanumeric jumble.

    16. Re:Simple solution by taustin · · Score: 1

      Why do people always assume that the answer to the security question has to be correct? Or even remotely connected to the question, for that matter? Do all the internet searches you want, you'll never figure out that my high school was "Never give guns to ducks."

    17. Re:Simple solution by Hythlodaeus · · Score: 4, Insightful

      The purpose of security questions is not security - it's reducing customer service workload due to forgotten passwords.
      In most implementations it's an overall reduction in security, since the security questions constitute a backdoor to the password, rather than an additional factor of authentication.

      --
      For great justice.
    18. Re:Simple solution by MightyYar · · Score: 3, Insightful

      At the same time, expecting people to be security experts is not going to be successful. You might have a good grasp of it, but chances are you have some exposure to it. It might not occur to your proverbial grandma that people can track down her mother's name.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    19. Re:Simple solution by Anonymous Coward · · Score: 1

      User-made questions are awesome until you're a customer service rep who has to ask a woman "what you would never do" knowing the answer will be "take it in the rear". It happened to a colleague at a past job.

    20. Re:Simple solution by zero.kalvin · · Score: 2

      Happened to me a week ago! My contact on the bank told me that it will take at least a month for the bank to pick up the tab but I checked my account last night and they gave me back the money ( about 1400 euros or 1700 USD ). If people wind up thinking that banks are not secure and you don't get reimbursed then who in their right mind will ever use one again ?

    21. Re:Simple solution by Sqr(twg) · · Score: 3, Informative

      Or go to passwordmaker.org, and use the security question (all lower case and no punctuation) as URL and your own secret password. Set the character set to hex digits so that the answer is easy to read out over the phone.

    22. Re:Simple solution by bluefoxlucid · · Score: 1

      I usually put garbage in my security questions. And forget it. "Where were you born?" "In the back seat of a greyhound bus rollin' down highway 41." "What high school did you go to?" "Blowjob High." "What is your mother's maiden name?" "*@^*@G*UHU

      Please answer your security question: where were you born? Uh. Somewhere? Hospital? Chicken? Dokoka ...

    23. Re:Simple solution by drobety · · Score: 1

      I don't mind the stock question, I use a password generator to create the answers, which I store in my local password agent.

    24. Re:Simple solution by bluefoxlucid · · Score: 3, Insightful

      The problem with that is I've got a 50% chance of getting it right. "Templates" or "operator overloading."

    25. Re:Simple solution by Anonymous Coward · · Score: 0

      Come on. Use common sense.

      There's a remote possibility that you might have to engage in this phone call in some semi-public setting. So don't use something obscene.

      For me, "what you would never do" could be "run for president". Because I was born outside the USA (not Kenya).

    26. Re:Simple solution by bluefoxlucid · · Score: 5, Funny

      For phone stuff I set security questions like "Would you like to have dinner some time?" or "Wanna have sex when I get off?" and call to tease the cute customer service girl.

    27. Re:Simple solution by Geoffrey.landis · · Score: 2

      Mine is, "What do you hate about c++?" when it is optional.

      That's no good, there has to be only one answer!

      --
      http://www.geoffreylandis.com
    28. Re:Simple solution by fast+turtle · · Score: 1

      Which is exactly what I do with critical accounts. That was the really nice thing about configuring my online access with my credit union. Standard questions but off-the-wall answers, and I actually have a copy of the form with them on it. Spelling wasn't an issue since that's their problem, but it did work when their online systems puked and forced pw resets on all of us.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    29. Re:Simple solution by bluefoxlucid · · Score: 1

      CSR Chick: "What high school did you go to?" Your answer: "The same one you lost your virginity at!"

    30. Re:Simple solution by jhoegl · · Score: 2

      Banks can require other methods, like security tokens, for online access.
      Hell I did it with Blizzard for what, $30 and I got a plush toy.
      If banks wanted to mitigate the risk, they could justify the cost easily.

    31. Re:Simple solution by Geoffrey.landis · · Score: 1

      Another simple solution, always capitalize the third-from-last letter of the answer.

      --
      http://www.geoffreylandis.com
    32. Re:Simple solution by Anonymous Coward · · Score: 5, Funny

      You mean the cute customer service Indian guy.

    33. Re:Simple solution by defaria · · Score: 2

      One company's security question is "What's your favorite hobby?" and my answer is "Pissing off support people". It really sets the tone!

    34. Re:Simple solution by Anonymous Coward · · Score: 0

      In Québec, Caisse Desjardins already does that. My question is "Which Microsoft product doesn't suck?".

    35. Re:Simple solution by Yvan256 · · Score: 1

      I never managed to recover my password.

      That proves their system works!

    36. Re:Simple solution by Pope · · Score: 1

      I did that when I signed up for my first online banking account way back when. Of course, since I didn't use "real" answers, I had to write them down somewhere. Then I lost that notebook. I signed in recently and of course couldn't remember the fake answers I'd given! So, again, somewhat pointless.

      --
      It doesn't mean much now, it's built for the future.
    37. Re:Simple solution by Hatta · · Score: 4, Insightful

      That doesn't solve the real problem, that banks think that these question and answers provide any sort of security whatsoever. What is the difference between this Q&A scheme and a password? Specifically, these security questions are exactly identical to a password that is stored in the clear (no hash, no salt) and is intended to be communicated to humans, and for which an attacker only has to guess one out of 4 correctly?

      We know that this is bad practice for passwords. Why do we tolerate it for "security questions"?

      --
      Give me Classic Slashdot or give me death!
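Hatta's point that a stored security answer is just a password kept in the clear suggests the obvious defender's fix: treat the answers the way a password should be treated. The block below is an added example illustrating that, not code from any bank or from this thread; the function names, the PBKDF2 work factor and the sample answers are my own assumptions. It normalizes each answer (case and punctuation only), salts and slow-hashes it before storage, verifies with a constant-time comparison, and makes recovery depend on every answer matching rather than one out of four.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import List, Optional

# Added example (not any vendor's code): store security-question answers
# the way passwords should be stored, rather than in the clear.

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so 'Main St.' and 'main st' verify the same
    way, without the original spelling being stored anywhere."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^a-z0-9]", "", text)


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a record that is safe to persist: a per-answer random salt,
    the work factor and a PBKDF2-HMAC-SHA256 digest. No plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_answer(candidate: str, record: dict) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"),
        salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def check_recovery(records: List[dict], candidates: List[str]) -> bool:
    """Recovery succeeds only if EVERY answer matches. All answers are
    checked even after a mismatch, so response time does not reveal
    which question the caller got wrong."""
    if len(records) != len(candidates):
        return False
    all_ok = True
    for record, candidate in zip(records, candidates):
        all_ok &= verify_answer(candidate, record)
    return all_ok


if __name__ == "__main__":
    # Constructed sample enrollment: two questions, answers never stored in clear.
    enrolled = [hash_answer("Main St."), hash_answer("Elementary")]
    print("stored record:", enrolled[0])  # salt, iterations and digest only
    print("correct:", check_recovery(enrolled, ["main st", "elementary"]))  # True
    print("one wrong:", check_recovery(enrolled, ["main st", "middle"]))    # False
```

Because nothing readable is stored, a phone rep can only type the caller's answer into the same verification form; nobody can read the answer back or accept a "close enough" match. The normalization is deliberately limited to case and punctuation; fuzzy matching would widen the space an attacker's guess can land in.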
    38. Re:Simple solution by BobNET · · Score: 1

      I did that for a site that wanted to know my best friend's name when I was growing up. Except a few years later when I needed to answer it, I couldn't remember what I used.

      Turns out, it was Tuttle.

    39. Re:Simple solution by Yvanhoe · · Score: 1

      Congratulations, you were hacked by the Mormons: https://familysearch.org/

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    40. Re:Simple solution by KhabaLox · · Score: 5, Funny

      It might not occur to your proverbial grandma that people can track down her mother's name.

      That's because, as everyone knows, people from Proverbia are idiots.

      --
      Ceci n'est pas un sig.
    41. Re:Simple solution by MightyYar · · Score: 2

      Agreed. But obviously they have done a cost-benefit analysis and decided against this so far.

      I personally like the Google 2-step authentication. Send a temporary code to my phone.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    42. Re:Simple solution by stating_the_obvious · · Score: 1

      Nice approximation of 2 factor authentication: from a selection of questions you need to know (1) which one to answer, and (2) the answer.

    43. Re:Simple solution by Cinder6 · · Score: 4, Interesting

      Hell I did it with Blizzard for what, $30 and I got a plush toy.

      This has always bothered me. My Blizzard and SWTOR accounts have much stronger authentication (from a user perspective; not sure about the underlying technical security measures) schemes than my bank account. My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use. They also have no form of secondary authentication, such as Blizzard's Battle.net Authenticator. Finally, their security questions are a joke, all along the lines of those mentioned in TFS--"What is your mother's maiden name" and the like.

      My solution to bad security questions? Answer unasked questions. What's your mother's maiden name? Pepperoni pizza. What street did you live on? Empire State Building. Then use different answers for different sites, like you should your passwords. Just be sure you can keep track of them--either an encrypted file or a password manager program.

      --
      If you can't convince them, convict them.
    44. Re:Simple solution by stating_the_obvious · · Score: 1

      Slightly off topic, but what do you have against c++? Also, I think I've seen you here before; what's your actual screen name?

    45. Re:Simple solution by Sentrion · · Score: 1

      That's why everybody should just use "banana" as their default answer to all such security questions.

      Of course my advice is not driven by any personal desire to hack into random accounts hoping that "banana" will get me past the security questions.

    46. Re:Simple solution by Cinder6 · · Score: 4, Funny

      A good idea, but I'd hate having to remember--exactly--a 5,000 word essay in case I need to reset my password.

      --
      If you can't convince them, convict them.
    47. Re:Simple solution by KhabaLox · · Score: 1

      As many others have noted, these are simply another password you have to remember. And if you re-use the fake answer across sites, well then what's the point? If you use something like LastPass or KeePass, you can (manually) store the Q&A, but then if you are using those programs then you can have a sufficiently secure password (and not forget it) in the first place and don't need a security question. All the security Q&A is, no matter how you structure it, is another password to remember. If you have trouble with the first password, chances are you will have trouble with the second. Double authentication does not mean using the same method twice.

      One of my banks uses security questions in a somewhat unusual way. When you are prompted with the security question, you are given a choice of 10-15 answers from which to pick. This works OK for questions like "Who is your favorite author," as long as you don't pick someone extremely obscure. However, all of their fake answers to "What was your first school" end in the word "Elementary." I didn't know that when I crafted my answer, so the correct answer sticks out from the list like a sore thumb.

      --
      Ceci n'est pas un sig.
    48. Re:Simple solution by smooth+wombat · · Score: 2

      It's in their interests to get people to bank online - it is significantly cheaper than hiring tellers.

      So like ATMs and how they were supposed to save everyone time and money because you didn't have to visit a bank with a live person but which now you have to pay to get your money out if the ATM isn't from your bank?

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    49. Re:Simple solution by Anonymous Coward · · Score: 0

      That Blizzard Authenticator is practically a necessity since all Blizzard accounts are not case sensitive

    50. Re:Simple solution by Shikaku · · Score: 1

      "Everything"

    51. Re:Simple solution by shugah · · Score: 2

      Sounds good, but when you have a dozen different bank accounts, investment accounts, business and personal email accounts, several social media accounts (facebook, twitter, plus), login accounts on several different computer systems, screen lock codes (or gestures) for your smart phone, accounts for Craigslist, Paypal, eBay and several different online support/user/interest forums, it is simply impossible to remember strong and unique passwords for all of them. Not to mention ATM cards and chip + PIN credit cards. I use a variation of 2 different passwords, substituting numbers for letters or letters for numbers in a manner that makes sense to me.

      --
      If you aren't part of the solution, then there is good money to be made prolonging the problem
    52. Re:Simple solution by Sentrion · · Score: 1

      Since most sites use the same questions, like city of birth or favorite pet, this is a real threat to people who use factual answers. Just a little research on google, facebook, and maybe just a few phone calls to your contacts on linkedin and I could probably hack just about anyone's account. I could even set up a website with a login and require visitors to enter a username, password, and security questions. There are many people who use the same username, password, and security questions for all of their online services, so if I started to harvest these I could hack into a lot of accounts.

      Most people now have to remember multiple passwords for multiple sites, and since "grouchybird" is too 'weak' because it doesn't have a capital letter, number, or special character, now people have to write down all of their passwords and constantly look them up. And since the standard changes from site to site (site A requires a special character, but site B doesn't allow, and site C requires a new password every month and you can't reuse old passwords) there are often just too many to ever memorize them all. This is a real security risk now for most people since all I have to do is sift through their stuff and I then have enough info to hijack all of their important accounts.

    53. Re:Simple solution by Anonymous Coward · · Score: 2, Funny

      I was hacked by the Mormons once; they defragged my hard drive, cleaned off all the malware, and installed an anti-porn webfilter.

    54. Re:Simple solution by glodime · · Score: 5, Funny

      She is you.

    55. Re:Simple solution by dywolf · · Score: 1

      even better when they let you choose the questions to answer...then they ask you one you never chose. *cough* swtor *cough*

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    56. Re:Simple solution by Anonymous Coward · · Score: 1

      There is only one, correct answer to that question. It's one word and rhymes with schmeverything.

    57. Re:Simple solution by Culture20 · · Score: 1

      I did that once. When I called up phone support, they gave me the green light for getting close (with no other authentication). Now I salt and hash the security questions and send back the hash. Hopefully they don't start invoking a time limit.
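Sqr(twg)'s passwordmaker.org suggestion (comment 21) and Culture20's "salt and hash the security questions and send back the hash" describe the same client-side idea: never answer a security question with a fact, answer it with a value derived from one secret you do remember. The block below is an added example of that idea; it is not passwordmaker.org's algorithm and not code from either commenter, and the function names, the HMAC-SHA256 construction, the hex alphabet and the sample secret and site names are assumptions.

```python
import hashlib
import hmac
import re
import unicodedata

# Added example (not passwordmaker.org's algorithm): derive a per-site,
# per-question answer from one master secret, so every site gets a unique,
# unguessable answer that is never written down.


def canonical_question(question: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace, so the same
    answer comes out whether the form says "Mother's maiden name?" or
    "mothers maiden name"."""
    text = unicodedata.normalize("NFKC", question).casefold()
    text = re.sub(r"[^a-z0-9\s]", "", text)
    return " ".join(text.split())


def derive_answer(master_secret: str, site: str, question: str,
                  length: int = 16) -> str:
    """HMAC-SHA256 keyed with the master secret over "site|question",
    truncated to `length` hex digits. Hex keeps the answer easy to read
    out over the phone (no ambiguous letters, no punctuation)."""
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64 hex digits")
    message = f"{site.casefold().strip()}|{canonical_question(question)}"
    digest = hmac.new(master_secret.encode("utf-8"),
                      message.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def phone_friendly(answer: str, group: int = 4) -> str:
    """Split into groups for reading aloud, e.g. 'a1b2-c3d4-...'."""
    return "-".join(answer[i:i + group] for i in range(0, len(answer), group))


if __name__ == "__main__":
    # Constructed sample: one remembered secret, two sites, same stock question.
    SECRET = "correct horse battery staple"  # placeholder master secret
    question = "What is your mother's maiden name?"
    for site in ("bank.example", "forum.example"):
        print(f"{site:15} -> {phone_friendly(derive_answer(SECRET, site, question))}")
```

The trade-offs are the ones the thread has already raised: the master secret becomes the single thing you must not forget, and the answers mean nothing to a support rep, so the scheme only helps where the answer is typed or read out verbatim. On the plus side, a site that keeps answers in the clear and gets breached leaks only a one-way HMAC output, which reveals neither the master secret nor the answer used at any other site.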

    58. Re:Simple solution by Vellmont · · Score: 1

      Let people design their own question.

      It sounds like a good idea until you think it through.

      Security professionals often times make up very bad questions, and don't realize how easy it is to guess, or find the correct answer. How would you expect the general public to do it right?

      The point of the security question should NEVER be to just reset the password, no matter how many questions you ask. It should be simply an additional layer to prevent attacks. You still need to provide another means of authentication, be it email or phone.

      --
      AccountKiller
    59. Re:Simple solution by gewalker · · Score: 1

      Oh no, according to the Mormons, I don't exist. I put in my name and birth year. None of the matches had anything to do with me. Fortunately, I am not depending upon Mormon theology to save my immortal soul.

    60. Re:Simple solution by fwarren · · Score: 1

      I use close answers that I won't forget.

      When asked the name of my first pet, I give the name of my dad's first pet.
      When asked my mother's maiden name, I give my ex mother-in-law's maiden name.

      There is a list of about 15 or 20 standard questions. For each of them I have a standard answer that is a real "fact" from something close but not something someone else will guess. After all, who else will know my best friend's favorite book, or my uncle's favorite band.

      --
      vi + /etc over regedit any day of the week.
    61. Re:Simple solution by Reverand+Dave · · Score: 1

      This. Is. Brilliant.

      --
      I got here through a series of tubes
    62. Re:Simple solution by orgelspieler · · Score: 1

      Exactly. I always choose this option when available, and I always make it something only my wife or myself would be able to answer. Normally inside jokes. Like "Who are Fred and George?", or "What's behind the orange spots?" or "Who has got it going on?" And if any of you think you know the answer to these, you're wrong.

      Another important thing for these questions is that the answer can't change over time. For instance, my favorite restaurant, book, or whatever, will change from when I answer the question to ten years down the road when I need to reset my account.

    63. Re:Simple solution by jandrese · · Score: 1

      So if you need to reset your password you keep calling until you get someone who sounds cute?

      It would seem to be a problem when you call and the person on the other end picks up with "Hello, this is Biff-Joe, I will be helping you today."

      --
      I read the internet for the articles.
    64. Re:Simple solution by jandrese · · Score: 1

      You would be surprised how many people drop email addresses regularly though. Generally they're calling Customer Service because they need their password reset and the "email your password" doesn't work because they don't have that account anymore. Maybe it was their old ISP, maybe they forgot the password, maybe they shut it down because it got too much spam, but people lose email addresses all the time.

      --
      I read the internet for the articles.
    65. Re:Simple solution by wesk · · Score: 1

      How do you know that she's cute? I didn't realize customer service departments were using Skype nowadays.

    66. Re:Simple solution by TejWC · · Score: 1

      For one company I used to work for, they would have us make our own questions. If we needed our password to be reset, we had to call the IT department and answer the questions we made. If the IT rep believed that the questions were "bad", they would force the employee to make a trip to the IT department and show their badge to prove who they are.

    67. Re:Simple solution by hawguy · · Score: 2

      Agreed. But obviously they have done a cost-benefit analysis and decided against this so far.

      I personally like the Google 2-step authentication. Send a temporary code to my phone.

      I too like the Google 2-step authentication, but I'm probably screwed if someone steals my phone since they'll have access to my email and SMS verification. I have a 5 digit PIN on the phone, but I don't know how secure a phone PIN is against a determined hacker. If my phone is lost or stolen, hopefully I can send a remote wipe before they hack it.

      One thing that I do that inadvertently helps protect me against hack attacks is that I always use a unique email address when I sign up at a site, something like "hawguy+thesitename@mydomain.com" where "thesitename" is the domain name of the site I'm signing up for. I originally did this so I could easily block spam from a particular site, but I think it also helps a bit with security.

      So it makes it harder to guess the email address I signed up with (trivial for a human to figure out, but I don't think it's common enough for the automated tools to do it), and if someone steals my "hawguy+thesitename@mydomain.com" email address and password from some site, they can't use that same email address to hack into another site even if I use the same password (and I tend to use the same password for all unimportant sites (like sites that I only use for commenting)).

    68. Re:Simple solution by Killer+Instinct · · Score: 1

      She told me she was an orphan, after I met her family...odd girl, talks to angels too

      --
      #include bier;
    69. Re:Simple solution by ZombieBraintrust · · Score: 1

      Should be done in person with documentation. Not over the phone or online. Resetting your password should be slow and expensive.

    70. Re:Simple solution by Anonymous Coward · · Score: 0

      Yeah, all my security question answers are the same type of 12+ random characters generated by and stored in a password locker.

    71. Re:Simple solution by PRMan · · Score: 1

      HAHAHA... Where are my mod points?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    72. Re:Simple solution by guile*fr · · Score: 1

      Templates?

    73. Re:Simple solution by kenj0418 · · Score: 1

      but which now you have to pay to get your money out if the ATM isn't from your bank?

      As opposed to before, when you'd have to drive to wherever your bank was and withdraw your money there. Not that there is any good reason for it to cost multiple dollars for this privilege other than pure profit. (My bank refunds the fees to me up to some amount each month (that I never come close to), so I don't really care about the fee anyway.)

    74. Re:Simple solution by PRMan · · Score: 1

      Do all the internet searches you want, you'll never figure out that my high school was "Never give guns to ducks."

      Searching slashdot.com... AHA

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    75. Re:Simple solution by Anonymous Coward · · Score: 0

      They would look at that response and say something like DURP... the solution is so simple it will blow your mind.

    76. Re:Simple solution by c++0xFF · · Score: 1

      Yes, yes, and many more yesses after that.

      When analyzing password security measures, your security is only as strong as the weakest link. The way things stand right now, your password isn't that blob of gibberish you type in when you log in, it's actually the set of security questions (which lack any sort of reasonable security right now). What good does it do to enforce 20-character, purely random passwords when people just write them on sticky notes? Or when a hacker can use social engineering to get your support line to reset passwords at will?

      When it comes to password reset mechanisms, I don't think there's a good way to do it. Which is why the whole concept of a password has failed and needs to be replaced. With what? Beats me ... biometrics aren't very good (too many false positives or false negatives, too easy to bypass with photographs or silicon, etc) and use expensive and uncommon hardware; security tokens are cheaper, but the logistics make it impractical for large-scale implementation (imagine having a token for each web site!). Maybe eventually everyone will have a single token they carry around at all times and is accepted by all web sites, but then we start talking about privacy issues (tracking, for example). And even then, we still haven't solved the problem ... what if the token is lost or damaged? Do I call a support line and tell them my mother's maiden name?

    77. Re:Simple solution by Anonymous Coward · · Score: 0

      Let's say you don't have a question and you wanted to use this more like another password. Then for the question I would put "what is 100+2?". I don't have to answer that question I just put in there. I could use the numbers in the question to hint at what password/answer I used. So in this case I would make my answer something on the lines of "there is no two in binary".

    78. Re:Simple solution by Anonymous Coward · · Score: 1

      It wasn't free to withdraw money from a live teller at the wrong bank either, was it? Usually you couldn't do that at all.

    79. Re:Simple solution by houghi · · Score: 1

      Even simpler solution: design your own answers.

      That works if you design for people who know what the reason is that the answer does not matter.
      If you design for people to whom you need to explain what a login is and how it should be used, you cannot ask them to just answer something at random.

      Sure, it will work for you and many people here. It won't work for Grandma. I would not be able to explain that if somebody asked what the name of their birthplace was to answer "On the moon" or even "In a hospital". They would never understand why they would lie.

      --
      Don't fight for your country, if your country does not fight for you.
    80. Re:Simple solution by travisco_nabisco · · Score: 2

      My answer: "++"

    81. Re:Simple solution by cgenman · · Score: 1

      Temporary answer - additional authentication.

      1. Send an additional time-sensitive password via 3rd party means. Texting, e-mail, etc.
      2. Body-scanney stuff with various time-based encryptions.
      3. Use a dongle to encrypt / munge the password before sending it.

      Additional answer - stop storing any passwords in plaintext, or on unsecured systems, or with obvious routes in.

      Questions & passwords aren't really the right authentication for the future. They're just too easy to defeat.

    82. Re:Simple solution by dgatwood · · Score: 1

      Exactly. This. Or over a video chat of your choice. Either one, of course, requires that the company in question have a photograph of you.

      Another acceptable scheme would be a visual recognition game in which they throw... say fifty photographs at you and you have to respond correctly whether you took them. If you answer correctly at least 80-90% of the time and do not ever falsely claim to have taken pictures showing people posing, it is probably safe to say that you are the real deal—unless all your photographs are online and somebody might have memorized all of them, in which case you should have the option of opting out of that scheme for your account, much as you should be able to opt out of answering security questions as an authentication option.

      I have consistently chastised every company that has ever forced me to answer security questions, questioning their competence. They make it easier for customer support, at a tremendous cost in actual security, and as such, I make it a rule to not trust such companies with anything important. Unless they spring them on me years after I've already trusted them with important stuff. Then, I give answers that are utterly implausible and file bug reports demanding that they STOP DOING THAT. Ahem. You know who you are.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    83. Re:Simple solution by Dewin · · Score: 2

      Yup. I had an embarrassing phone conversation with my state's tax department because a year earlier I set the secret question to "What is the password?" and a year later I had naturally forgotten the answer.

      This is a bad idea, since security questions are probably stored unencrypted or at least using a reversible cipher -- the people on the other end of support need to be able to compare your answer, and there needs to be some leeway especially with spoken answers and spelling variations.

      Unless, of course, your answer is an entirely different password...

      --
      Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
    84. Re:Simple solution by ultranova · · Score: 4, Insightful

      For phone stuff I set security questions like "Would you like to have dinner some time?" or "Wanna have sex when I get off?" and call to tease the cute customer service girl.

      Nothing's funnier than harassing a minimum wage worker who has no choice but to take your shit or be fired, eh?

      Let me guess: you're a CEO?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    85. Re:Simple solution by Just+Some+Guy · · Score: 2

      Specifically, these security questions are exactly identical to a password that is stored in the clear (no hash, no salt) and is intended to be communicated to humans, and for which an attacker only has to guess one out of 4 correctly?

      I agree with your general premise that these are just secondary passwords. That's actually how I treat them: I use my password manager to generate and remember random strings of characters as my security question answers. What was my first elementary school's name? "QQw9i?7JJq[m".

      However, these don't have to be stored in cleartext any more than your primary password. Ideally, the authenticating system should hash your reply and compare it to the hashed version from their database just like you would normally. I don't think there's any inherent reason why your security answers need to be human-readable.

      --
      Dewey, what part of this looks like authorities should be involved?
    86. Re:Simple solution by Anonymous Coward · · Score: 0

      Wrong! The answer is "that paragraph in the manual where Bjarne Stroustrup says why he is awesome."

    87. Re:Simple solution by fredprado · · Score: 1

      Simple solution. Let people be accountable for their own mistakes. Problem solved!

    88. Re:Simple solution by hobarrera · · Score: 1

      Agreed. But obviously they have done a cost-benefit analysis and decided against this so far.

      I personally like the Google 2-step authentication. Send a temporary code to my phone.

      Where's the second factor in that? It's a temporary code and a... ??

    89. Re:Simple solution by Bert64 · · Score: 5, Interesting

      I do something similar, but with a wildcard subdomain, so user@something.mydomain.com. The reasons for this are:

      1, spammers will try to brute force common email account names once they get a domain to target
      2, I can override the wildcard by creating specific MX records for a given hostname, and thus lose the spam without my mailserver having to process it at all; usually I redirect it to the MX records of the server that sold me out.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    90. Re:Simple solution by Anonymous Coward · · Score: 0

      The trick is to make the questions standard (i.e. mother's maiden name, first teacher, etc) and then always make the answer, "I'm almost certain I never answered that."

      Someone trying to hack into the account will guess or, better yet, do research to find the real answer and still not get in.

    91. Re:Simple solution by Cro+Magnon · · Score: 1

      The other day, I was looking at the settings on one of my accounts and noticed that the email was one I haven't had in years. If I had tried the "email your password", I would have been SOL.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    92. Re:Simple solution by Bert64 · · Score: 1

      Having walked around a call center, if you keep your eyes closed it's quite easy to imagine that you're in a room full of cute girls...
      But open your eyes, and you realise that many of them are anything but cute, and just somehow have a really nice telephone voice.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    93. Re:Simple solution by hobarrera · · Score: 1

      And what happens if you loose the salt?

    94. Re:Simple solution by batrick · · Score: 1

      Because +@domain.com is not easy to figure out? I'd be very surprised if a spammer that acquires your garbage email address can't obtain your actual email address.

    95. Re:Simple solution by Krneki · · Score: 1

      I'm a sysadmin; not only do I have to keep track of what you just said, but I have 40+ accounts at work with a security policy to change them every month. PITA? Yes. But security comes at a price.

      --
      Love many, trust a few, do harm to none.
    96. Re:Simple solution by TheLink · · Score: 1

      Ideally, the authenticating system should hash your reply and compare it to the hashed version from their database just like you would normally. I don't think there's any inherent reason why your security answers need to be human-readable.

      They do if the call center person has to type your security answers. With your proposal, if they just type one character differently or add/remove one character the hash will be different.

      The difference between security answers and passwords is that the system should be designed to not allow you to do brute forcing on the former.

      --
    97. Re:Simple solution by Anonymous Coward · · Score: 0

      My custom meta security question: What is your security question?
      Answer: What is your security question?

    98. Re:Simple solution by toriver · · Score: 1

      Exactly: But it should be wrong answers you can remember. E.g. a Babylon 5 fan could answer "Psi Corps" for "What was your mother's name?" because of the "corps is mother, corps is father" line from that show. Or a physicist could put "Radioactivity" for "What is your favorite activity?" Etc.

      The real solution is n-factor authentication: Something you are, something you have, something you know, something they know...

    99. Re:Simple solution by toriver · · Score: 1

      Strange, the two times I had to call them up because I had forgotten one of the answers, they picked one other I had answered as a verification test. Luckily I remembered that.

      Do you mean a non-answered question comes up after login?

    100. Re:Simple solution by Anonymous Coward · · Score: 0

      Even simpler, don't use passwords; use security questions only.

      Since the answer to the security question gives you full access to the account, why not use it always. You don't even need to talk to anybody.

      So the login process would go as follows:

      Who are you? John Smith
      What's the name of your pet chimp? the yellow brick road

    101. Re:Simple solution by Anonymous Coward · · Score: 0

      Or even better, let us set up a white list.

      99% of the time I will be on one of four computers; let me set up a white list to allow just those access. (Two being my phone and iPad)

      Even if they guess my information, they will not have access to a computer I gave permission to.

    102. Re:Simple solution by jmerlin · · Score: 3, Insightful

      What scares me the most, I think, is that several of the banks I've used have required ridiculously short passwords and relied heavily on these "security questions" as a second tier of authentication (as if that's more important than 64+ more bits of strength in the password). So you have to pick a password that's between 4 and 8 characters or some nonsense and answer some questions like "mother's maiden name" and "name of first employer" etc.

      What we need is some kind of authenticator or something. If you can't trust me to use a 24+ character password or provide me with a more secure means to log-in, I can't trust you to hold my money. It's that simple. Keyloggers still win against complex passwords. Blizzard solved the problem by using symmetric cryptographic protocols so a device that's highly unlikely to be compromised is the source of part of the key (a keychain or a smartphone app). Why can't banks do the same? What a damn shame.

    103. Re:Simple solution by skids · · Score: 1

      Simpler solution: do not utilize security questions. They serve no real useful purpose. If someone forgets their password and you need to ID them, ID them in a way that does not use the same squishy grey matter that forgot the password in the first place.

    104. Re:Simple solution by Anonymous Coward · · Score: 0

      Really? You think it would be hard to locate? Seriously?

    105. Re:Simple solution by Anonymous Coward · · Score: 0

      Pick a random word for a standard question.

      Q: "What was the make of your first car?" A: "Rudolph"

      As long as you remember your answers, nobody will EVER look up anything on the net and find out your first car was a 'Rudolph'.

    106. Re:Simple solution by kryliss · · Score: 1

      swordfish, the password is always swordfish!!

      --
      --- If the bible proves the existence of God, then Superman comics prove the existence of Superman.
    107. Re:Simple solution by heypete · · Score: 1

      Where's the second factor in that? It's a temporary code and a... ??

      Your ordinary username and password.

      In addition to the code-by-SMS, one can also use any RFC 6238-compatible OTP program (Google makes one for iOS/Android/Blackberry called, unsurprisingly, Google Authenticator) to generate time-based one time passwords. Very handy.

      I actually use the Google Authenticator PAM module (it doesn't call home to Google or anything, it's just a local authentication module) for authenticating to SSH on a few servers I run -- normally I'd use public key auth, but it's not suitable in that particular case. Useful for helping reduce dictionary attacks.

    108. Re:Simple solution by Anonymous Coward · · Score: 0

      This is where security questions are flat out stupid. The only place I want my password reset is if it's an EMAIL ACCOUNT; every other site I will want them to SEND AN EMAIL RESET LINK TO MY EMAIL.

      Do you want to know what goes into my secret answers? Oh, about 50 characters of random crap, for which I curse the site under my breath as I also have to enter their inane questions into my KeePass database.

    109. Re:Simple solution by Anonymous Coward · · Score: 0

      Still just as terrible.

      I'm sure someone else has suggested it, but it bears repeating: Simply use nonsensical answers.

      My favorite color is pizza. My first car was an elephant. I went to the Institute of Glorious Cheese for high school.

      Good luck getting that info off Facebook.

    110. Re:Simple solution by Dionysus · · Score: 1

      "Who is your favorite author,"

      Questions like that (or favorite book) might sound easy, but are actually hard because of the "there should only be one correct answer". There was a site where the security question was that, and I forgot what I had answered because my favorite author and book had changed in the meantime (and I don't remember who I had at the time when I signed up for the site).

      --
      Je ne parle pas francais.
    111. Re:Simple solution by Anonymous Coward · · Score: 0

      Commercial accounts are not covered by banks, if hacked. Only personal ones.

    112. Re:Simple solution by Chris+Mattern · · Score: 1

      The problem is that if you don't use them very often (say only for a password reset) it's easy to forget what answers you gave.

      That's what encrypted password stores are for.

    113. Re:Simple solution by Anonymous Coward · · Score: 0

      Someone else who gives silly answers! They aren't something that someone can google, and, as mentioned, you get funny silences from the security staff when you tell them the answer...good fun, and better security. But, as the article points out, if a company doesn't require a correct answer, it doesn't matter what you answered.

    114. Re:Simple solution by bluefoxlucid · · Score: 1

      Used to be, now white collar trying to live on a blue collar salary. Of course I have a white collar salary so I'm fuckin' rich. All these whiners like "used to be you could save for retirement, but making $60k-$75k/year these days doesn't leave you any room to actually build any savings!" and I'm like "lol I live on $15k-$20k pre-tax salary, I make 3 times as much as I spend and I don't make no damn $75k!"

      Excuse me for a minute, I have to continue WINNING.

    115. Re:Simple solution by bluefoxlucid · · Score: 1

      I worked in a call center that employed precisely 3 girls and they were all very cute. The one that was pregnant was less cute, but still very cute. Pregnancy usually does a number on that one, but she managed it, though she looked like a deformed alien with an unnatural spheroid bulge at the gut that no human could ever develop.

    116. Re:Simple solution by Darinbob · · Score: 1

      The problem here is that you will forget. You don't answer these questions every day. You set up an account, set up the question/answers, and then never think about it again until 5-10 years later when you need some phone support. Multiply that by all the different accounts that may want security questions. Sure you could write down the answers and put them in your wallet or on your computer, but I've found that most of the times when I'm asked these questions are also when I do not have ready access to that information.

    117. Re:Simple solution by Darinbob · · Score: 1

      Yup wallet is stolen, time to cancel credit cards, but wait I can't answer the bank's questions because I put my answers in my wallet...
      And you're not always sure when you're asked these questions sometimes, so saying "hang on, let me boot up my computer so that I can tell you the answer to where I went to high school" makes people very suspicious.

    118. Re:Simple solution by Anonymous Coward · · Score: 0

      Maybe he's just enlivening the tedium? Would depend on the agent's sense of humor of course.

    119. Re:Simple solution by hawguy · · Score: 1

      Because +@domain.com is not easy to figure out? I'd be very surprised if a spammer that acquires your garbage email address can't obtain your actual email address.

      What is my "actual" email address? I have around a dozen addresses that are important because I've given them to family and friends (and literally hundreds that I've used to sign up for various newsletters, blog sites, etc). If you just drop the part after the "+" from "hawguy-somesite@mydomain.com" and send an email to "hawguy@mydomain.com", it'll go straight to my spam folder and I'll never see it. The worst a spammer can do is make it seem like his spam is coming from another merchant, so he might change "hawguy-slashdot@mydomain.com" to "hawguy-bestbuy@mydomain.com", but there's probably not much reason for him to do so.

      Sometimes when looking in my spam email, I've found a number of variations on the username of the email address, usually where the spammer adds a number to the end of the name, like "hawguy-somesite067@mydomain.com". It must be accidental corruption on their side, or maybe they bought a list of a million "valid" email addresses from someone, and got ripped off because the emails were altered to be invalid.

      I like the previous poster's scheme of using a wildcard DNS record to put the unique key in the domain name rather than the username.

    120. Re:Simple solution by Anonymous Coward · · Score: 0

      The one that was pregnant was less cute, but still very cute.

      Cute enough, apparently ;)

    121. Re:Simple solution by Anonymous Coward · · Score: 0

      Or 5

    122. Re:Simple solution by Rob+the+Bold · · Score: 1

      I treat those questions as just another password prompt.

      Right, and you store it securely with the password. So you either won't ever need it or won't have it if you do need it, since it's lost along with the password. I do it too, and I don't think it's a failure on our parts but of the system of password recovery/secret question as it exists.

      --
      I am not a crackpot.
    123. Re:Simple solution by SomePgmr · · Score: 1

      The worst one I had was the question, "What did you want to be when you grow up?"

      I had to answer that over the phone recently, and the representative responded with something like, "Oh that would be really cool."

      I spent the next 20 minutes feeling a bit depressed about my career path. ;)

    124. Re:Simple solution by Rob+the+Bold · · Score: 1

      Simple solution. Let people be accountable for their own mistakes. Problem solved!

      I think that letting any Tom, Dick or Harry design and build his own lock for his safe deposit box would be considered a "mistake" as well. Presumably you wouldn't want to be known as the "bank where everyone's stuff gets stolen".

      Ok, you were right after all, I wasn't thinking generally enough . . .

      --
      I am not a crackpot.
    125. Re:Simple solution by MrNiceguy_KS · · Score: 1

      The first rule of Fight Club...

      --
      Redundancy is good And also good.
    126. Re:Simple solution by Culture20 · · Score: 3, Funny

      And what happens if you loose the salt?

      It dumps out into a big pile on my friend's plate. Hilarious.

    127. Re:Simple solution by uniquename72 · · Score: 4, Informative

      And as long as you always answer 42, or 416 what is the problem with that?

      This is pretty much what I do. I have a password that changes based on the question, but isn't actually the answer to the question.

    128. Re:Simple solution by Anonymous Coward · · Score: 0

      Better:
      Q: What is your password?
      A: shstbG$2lH7&59)2bwtxb

    129. Re:Simple solution by marcosdumay · · Score: 1

      What? The preprocessor (yeah, that's shared with C), copy semantics, type translating... If you want to hate, there is plenty of material.

      On the other hand, it is easy to love those same things. Unlike Java (and Microsoft's copy), you have the freedom to write terrible and great code in C++. People's opinion of the language mostly varies with the category of code they see most.

    130. Re:Simple solution by gnapster · · Score: 1

      I used to do that, but the administrators got wise. Now, each site has several security questions, and they must have unique answers.

    131. Re:Simple solution by gnapster · · Score: 1

      Yes, you could do that, but it won't make you happy.

    132. Re:Simple solution by LDAPMAN · · Score: 1

      The better designed systems use a one-way hash of the answer. The support guy types the answer in and it's hashed and compared. Other systems use a mix of reversible and hashed answers. It can be done securely.

    133. Re:Simple solution by Dewin · · Score: 1

      The better designed systems use a one-way hash of the answer. The support guy types the answer in and it's hashed and compared. Other systems use a mix of reversible and hashed answers. It can be done securely.

      Until your security answer is something that can be spelled and/or punctuated a multitude of different ways and you're answering it verbally (i.e. to authenticate yourself over the phone). "Grey" and "Gray" are going to hash differently, and to say nothing about the multitude of ways of spelling various names. ("Is it O'mally or O'malley or o'Malley or...")

      You can't count on the support type spelling it the exact way you do.

      And you definitely can't count on the back end to be storing it with any sort of security at all, so my original point still stands.

      --
      Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
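The thread from post 85 through posts 96, 132 and 133 argues about whether security answers can be stored hashed when a support agent has to type what a caller says. The added example below (my own code, not from any poster or any product in the thread) shows the compromise the later posts point at: canonicalize the answer (Unicode normalization, case-folding, dropping punctuation and spaces) before salting and hashing it with a slow KDF, compare in constant time, and count failed attempts so the answer cannot be brute-forced the way post 96 warns about. It also shows the limit post 133 raises: "Grey" and "Gray" still hash differently, because no normalization can guess a spelling. The iteration count and the lockout threshold are assumed values.

```python
"""Salted, hashed security answers with normalization and attempt limiting.

Added example. The answers used below are constructed sample values.
"""
import hashlib
import hmac
import os
import unicodedata

KDF_ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; assumed, tune per deployment
MAX_ATTEMPTS = 5          # assumed lockout threshold; after this, fall back to another channel


def normalize(answer: str) -> str:
    """Canonicalize so transcription differences (case, apostrophes, spaces) agree.

    NFKC unifies composed/decomposed characters, casefold() handles case
    aggressively, and only letters and digits survive. This does NOT unify
    genuine spelling variants such as Grey/Gray.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, KDF_ITERATIONS)


def enroll(answer: str) -> dict:
    """Store only a per-answer random salt and the derived hash, never the answer."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(answer, salt), "failed_attempts": 0}


def verify(record: dict, candidate: str) -> bool:
    """Check a typed answer against the stored record.

    Returns False without even hashing once the account is locked, so an
    attacker who guesses wrong MAX_ATTEMPTS times gets nothing further from
    this channel. A successful check resets the counter.
    """
    if record["failed_attempts"] >= MAX_ATTEMPTS:
        return False
    ok = hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"])
    if ok:
        record["failed_attempts"] = 0
    else:
        record["failed_attempts"] += 1
    return ok


def is_locked(record: dict) -> bool:
    return record["failed_attempts"] >= MAX_ATTEMPTS


if __name__ == "__main__":
    rec = enroll("O'Malley")  # constructed sample answer
    print(verify(rec, "o malley"))   # agent typed it without the apostrophe: still matches
    print(verify(rec, "O'Mally"))    # genuine misspelling: does not match
```

The normalization step is what makes the phone use case workable without storing cleartext; the attempt counter is what distinguishes this from an ordinary password check, since callers cannot be expected to answer more than a handful of times.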
    134. Re:Simple solution by roman_mir · · Score: 1

      PerfectionLost, glodime, stop arguing with yourself.

    135. Re:Simple solution by DMUTPeregrine · · Score: 1

      That's what epic poems/songs are for. Much easier to remember.
      And lo, he did hate the preprocessor!

      --
      Not a sentence!
    136. Re:Simple solution by DMUTPeregrine · · Score: 1

      I had this nearly happen recently.
      Luckily the e-mail provider I'd been using was a free online provider that deletes accounts after a month of inactivity, and no one had taken the address in the meantime, so I was able to sign up for the same e-mail address and use the reset function, then change my e-mail.

      --
      Not a sentence!
    137. Re:Simple solution by AmiMoJo · · Score: 1

      Why do you put up with that? Cash machines in the UK are mostly free, even if it isn't your bank. They briefly mumbled about making you pay for withdrawals, just like they did about making you pay for a basic bank account, but the backlash was so big they backed down. British people would never accept it, we would switch to free accounts with building societies before paying banks for the privilege of holding our money and dispensing it to us on request.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    138. Re:Simple solution by Anonymous Coward · · Score: 0

      My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use.

      You're lucky. My banking password is a 5-digit numeric code that I can't even change. It's a complete joke - even the username is harder to guess, since it has nothing to do with the account number or my name. But I don't consider it a secret, since it's shown in plain text on the bookmarked login page...

      Posting AC for obvious reasons.

    139. Re:Simple solution by bluefoxlucid · · Score: 1

      Yeah, you only have the option to write terrible or mediocre code in Java.

    140. Re:Simple solution by bill_mcgonigle · · Score: 1

      lol I live on $15k-$20k pre-tax salary

      Dang, your kids aren't very demanding!

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    141. Re:Simple solution by bill_mcgonigle · · Score: 1

      We know that this is bad practice for passwords. Why do we tolerate it for "security questions"?

      Because the idiots who come up with this stuff have never heard of an attack-chain analysis.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    142. Re:Simple solution by Anonymous Coward · · Score: 0

      Keeping track like that would actually require a modicrum of effort and possibly thought. That is just too much to ask of civilized men.

    143. Re:Simple solution by Anonymous Coward · · Score: 0

      extern "C"

    144. Re:Simple solution by Anonymous Coward · · Score: 0

      Schizophrenia and multiple personality disorder are completely different mental disorders, with completely different symptoms, and they have nothing to do with each other.

    145. Re:Simple solution by UltraZelda64 · · Score: 1

      You could always ask something like "What is 2+2" but make the answer something like, for example, your favorite porno movie. Who says it has to be factual? It's just a word or phrase that's used as a sort of secondary password in a way, with a hint if you forget what it actually was. Giving honest answers to real questions is just asking for trouble (unless the answer is complex). The real string of characters you should be worried about forgetting is your password. Remember that, and you shouldn't *need* a stupid security question.

      I can't stand security questions, and wish they would be eliminated from the Internet. They are a pain in the ass when, for example, your bank occasionally asks you for it despite never getting your password wrong, and they just allow another, potentially easier way for a hacker to make his way into your account.

    146. Re:Simple solution by Anonymous Coward · · Score: 0

      Very witty

    147. Re:Simple solution by John+Hasler · · Score: 1

      And you definitely can't count on the back end to be storing it with any sort of security at all...

      As has been recently demonstrated, you cannot count on the backend storing your password with any security either.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    148. Re:Simple solution by InsectOverlord · · Score: 1

      One of the banks I deal with has adopted the "SMS to phone" approach, with no possibility to opt out, which I find a terrible idea. It must be so much fun when your battery or signal is out or the phone is lost/broken and you have to close those stocks urgently, make that urgent wire transfer, etc. Bonus points if this happens when you're abroad, with no possibility to go to a brick-and-mortar branch. Another bank, which I also work with, uses RSA tokens - I much prefer that; it is real security.

    149. Re:Simple solution by MightyYar · · Score: 1

      Google also gives you some pre-printed codes to carry around in your wallet in case your phone is on the fritz. You can also set up callbacks instead of just relying on the SMS.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    150. Re:Simple solution by Anonymous Coward · · Score: 0

      Hello, and thank you for calling Random Corporation Inc., this is Apu, can you please answer your first security question to verify your identity? The question is, "Do you want to..." *sigh*

    151. Re:Simple solution by MightyYar · · Score: 1

      usually i redirect it to the mx records of the server that sold me out.

      That is awesome.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    152. Re:Simple solution by Anonymous Coward · · Score: 0

      I work for a major US bank, and we had that precise problem... statistically, half of our customers have CDMA phones that are physically capable of working in most parts of *maybe* a dozen countries... and even then, only if the customer is willing to pay *extortionate* international roaming charges that actually manage to make 1995 AMPS roaming charges look cheap. Like, $2.50/minute. Jesus. Fucking. God. And the bastards at Sprint are about to release a crippled "world" phone (Motorola Photon Q) whose goddamn SIM is soldered to the motherboard, so you're stuck roaming at international Sprint charges, even when using a GSM network.

      I'm not 100% sure, but I think that even Americans with GSM phones would have problems with mandatory OTP codes via SMS in another country, because I'm pretty sure that using a foreign prepaid SIM card temporarily changes your phone number & renders you unreachable via SMS sent to your "real" number. I'm curious to know how others (for whom OTP via SMS is pretty much the de-facto norm) deal with this problem when visiting the US. I know you can forward your voice calls, but can you also forward your SMS messages? I've never even successfully sent or received a text message to a non-US phone from Sprint, and ${deity} knows, I've tried... Turkey? Failed. S. Korea? Failed. Greece? Failed. I don't get error messages... it just silently humors me, claims to have delivered the message, and nobody ever sees it again.

    153. Re:Simple solution by Anonymous Coward · · Score: 0

      There is a potential reason for that. Most online banking accounts can't do any more than transfer money between your own accounts. The amount of potential damage there is extremely limited.

    154. Re:Simple solution by grimarr · · Score: 1

      I really like that word you just coined: "modicrum". Sort of a combination of "modicum" and "crumb". I declare it the "Cromulent Word of the Day".

    155. Re:Simple solution by tftp · · Score: 1

      I put in my name and birth year. None of the matches had anything to do with me. Fortunately, I am not depending upon Mormon theology.

      Unfortunately, Mormons depend on you putting your name and your year of birth into their form. Yet another piece of the puzzle fell into place... You work in Indianapolis, right?

    156. Re:Simple solution by Anonymous Coward · · Score: 0

      She's known to everyone as "cunt."

    157. Re:Simple solution by dudpixel · · Score: 1

      I do something similar. Even if I cannot choose the question, the answer has more to do with my response to the question than the answer to the question. I choose something that is like an automatic response - that I know is unlikely to change any time soon. So far so good :)

      --
      This seemed like a reasonable sig at the time.
    158. Re:Simple solution by Anonymous Coward · · Score: 0

      Mine is, "What do you hate about c++?" when it is optional. People are good at making up their own questions if they care.

      This is an example of how people are awful at designing their own security questions. That's a terrible question because what you hate about c++ can change over time. You might as well ask "What is your favorite color?" Here are some questions I would consider 'good.' Some of these may be less 'good' for some people depending on circumstance.

      • What is the first name of your first sex partner?
      • What is the first name of your first kiss?
      • What is the name of the city you were in on 12/31/1999?
      • What was your first phone number as a child?
      • What was the name of your first pet?

      For these questions, the answers don't change. The possible answers are too numerous to easily guess. The answers are generally not public record unless you're a celebrity, or are not easily accessible if they ever were (try finding a 30 year old phone book).

    159. Re:Simple solution by fearofcarpet · · Score: 1

      The two banks that I have accounts with use card readers to generate a one-time log-in key from the chip in my ATM card instead of a password... I think this practice is common in Europe, where ATM cards (have to?) have "smart chips" in them. Granted, if someone steals my ATM card and PIN, they can log into my account and transfer funds at will, but in theory that is less likely than having a password stolen.

      Something like that happened to me years ago when I used my ATM card at the Toronto airport. Apparently thieves had installed a camera in the ATM that recorded my card number and PIN from which they were able to generate a fake card. Two days later, when I had returned home, my bank called asking if I had bought a plane ticket from Alberta to Vancouver that morning. I said no and they promptly issued a new card and refunded the money. They told me that ATM card cloning was so common that they basically have insurance against it.

      --
      Actually, I wrote my thesis on life experience.
    160. Re:Simple solution by Anonymous Coward · · Score: 0

      A better way? It's called asymmetric keyauth. It's been a part of like every Unixish system for the last decade.

    161. Re:Simple solution by bluefoxlucid · · Score: 1

      $750 rent, $100 utilities, and I eat like a king--Oxtail stew, deli meat sandwiches, paninis, sushi, fresh bread all the time, even fish (I love mackerel). I used to ride a bicycle to work, but now I take the light rail; I have a car, but I pay very little in insurance because I don't drive it a lot, about 50-100 miles a month. It will last a long time because it's maintained and lightly driven; I had a coworker who bought a brand new car every 3 years, and people used to get them every 5 years routinely here due to 20k/year driving (folks like to live in PA and commute 40 miles to work in another state).

      When it's temperate I use a fan in the window at night, then shut the windows at dawn, keeps the house 10 degrees below daytime temperatures--not great when it's 100F during the day, decent at 80-90. This drops my electricity usage by slightly more than half--my bill can be $50-$60 until July, then $120-$130 in July and August. Note that July and August are hotter, so the AC consumes more power than it would in May and June (which is where the half figure comes from--looked at average temperatures on different years during times I was using AC versus a fan, and how much power usage for 72-73 degree average).

      We have billboards discouraging pregnancy here because everybody is poor, 14 year olds get knocked up, and we have a welfare state. They claim raising a baby is $780/mo, but the government gives you $3500 for the first one and $5200 total for two per year. Aside from start-up costs (i.e. a crib--cosleeping hell no, not sleeping near that fuckin' thing, but it would save a few bucks--a week's worth of clothes), baby should be cheap. Medical is covered by expensive family insurance plan (seriously $300/mo instead of $80/mo single or like $150/mo employee+spouse). Food mill will turn steamed sweet potatoes, carrots,peas, apples, etc into baby food. If the woman wants to wash traditional diapers I support this, but I'm having no part in it... god babies are disgusting, they shit and vomit everywhere...

      Small children only need simple, long-term toys. A Go set for a 4 year old works, and keeps them occupied for pretty much eternity (having a 6 year old whoop you is terrible though). No firetrucks and plastic things that get played with for half a week, then tossed under the bed while the kid whines about needing a new toy already. Kids should be playing games with other kids. They should have bicycles (transportation, not toy--gets you to your friend's house, or 5 miles away, in a hurry so mommy doesn't have to take you everywhere on the back of the motorcycle) and board games and super soakers, not a thousand plastic helicopters and noise makers that they're going to toss around for ten minutes before becoming viciously bored and demanding you buy them something else.

      People who buy their kids $50 of toys a week (or $100 or $500) are worthless parents and their children will never make it as anything but consumerist whores. I'm not going to have a daughter who marries the first guy who buys her tons and tons of shit (I've seen that happen, girls get quickly impressed by a guy that buys them a $200 pair of shoes, and a $500 X-Box, and a necklace, and clothes, etc etc... not normal pay-for-the-date stuff, just keep giving gifts--omg he buys me so much stuff I'mma marry him!).

    162. Re:Simple solution by jp10558 · · Score: 1

      Yes, the issue I have is I cannot keep my passwords in my head anymore - I have to use a password manager. I use Keepass, but it requires me to either duplicate entries or carry the file around with me. Plus, that file is now very attractive to anyone wanting access to my accounts as a single password to break.

      Finally, in the case where you have to have the password manager remember your non-answers to password reset questions - it's like not having any password recovery method at all. I.e. you lose your keepass file, and you've lost both the password and the recovery answers.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
    163. Re:Simple solution by Anonymous Coward · · Score: 0

      That doesn't work so well for those of us without mobile phones though.

    164. Re:Simple solution by Anonymous Coward · · Score: 0

      I choose different default questions but I never reply to any of them properly, I reply to others.
      (E.g, When my question "name of the first pet?", I answer "Best friend of primary school?" or something like that ^.^)

    165. Re:Simple solution by kmoser · · Score: 1

      "Thank you for calling USA Prime Credit, my name is Peggy."

    166. Re:Simple solution by MightyYar · · Score: 1

      That's true. You'd need to offer those people a secure card or something - like the gadget that PayPal uses.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    167. Re:Simple solution by marcosdumay · · Score: 1

      You don't really have the option to write terrible code in Java, for the same reasons you don't have the option to write great code in it. (What makes the language great for people that don't know how to hire developers.)

      Or, better, you do have the option of writing terrible code in it, but you'll have to fight tooth and nail against every barrier on your way, will need much more time than for mediocre code, and must know very obscure details of the language. I've described this situation as "not having the option", but if you look hard enough, you'll find somebody doing it.

    168. Re:Simple solution by bluefoxlucid · · Score: 1

      I've seen terrible Java code. Java apps that are slow, clunky, buggy, crashy. Errors? Try{} makes errors go away, you wrap it in try{} if there's an error.

      If you make a bunch of assumptions, use nested loops for brute force algorithms, fail to close network connections and files, failure to use mutexes properly, etc, you'll get horrendous code. Deadlocks are possible. Exceptions are possible. Race conditions are possible.

    169. Re:Simple solution by marcosdumay · · Score: 1

      Ok, you can call that horrible. But compare with what those people would write if they were ordered to use C++ instead of Java.

      Those things often happen in C++, but come completely hidden, in the interaction of several layers of WTF.

    170. Re:Simple solution by MightyYar · · Score: 1

      That's brilliant.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    171. Re:Simple solution by Hognoxious · · Score: 1

      "Grey" and "Gray" are going to hash differently

      Then remember which you used & spell it out. Use the military alphabet if necessary. Golf Romeo Echo/Alpha Yankee.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    172. Re:Simple solution by bluefoxlucid · · Score: 1

      My response to that is usually to suggest a better operating system, one that enforces stricter constraints and so crashes programs out much more quickly when they misbehave. Making memory exclusively writable or executable (never both) and randomizing the address space layout tends to have that impact.

      Hardware break points are also fantastic, but programmers are so terrible at using introspective debuggers it's pathetic. The truth is C, C++, etc programs are much easier to write than people think because they're much easier to debug than people realize. The normal way to debug anything is inline debugging--modifying the program and having it print noise to explain itself; most people don't use introspective debuggers.

      It's kind of like people who don't know how to use automake or make files at all, and they complain that they have to tweak and hand-compile things on various OSes, gcc src/*.c -o a.out etc. and it doesn't always work. Automake is hard to work out the first time through; once you've got it, though, life becomes a lot easier. Introspective debugging is like that: how many people do you know that could use gdb to any effect?

    173. Re:Simple solution by marcosdumay · · Score: 1

      how many people do you know that could use gdb to any effect?

      In my experience, most people that know how to write code know how to use gdb. The ones that throw garbage at the compiler until it looks like it's doing the thing they want can't.

      I completely agree that making flawed programs fail faster is a good thing, but Java takes a different approach about that. It compartmentalizes the code, so that you can live with illegible code, or replace flawed code easily (ok, easier than C). While in C bad code has a habit of spreading everywhere. Even when every piece still passes the minimum sanity tests, problems still appear out of interactions. That's because C gives developers enough rope so they can make great knots, or they can hang themselves.

    174. Re:Simple solution by Anonymous Coward · · Score: 0

      My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use. They also have no form of secondary authentication [snip]. Finally, their security questions are a joke [snip]

      Hmmm. Thanks for the info.

      Ahhh.... What was the name of your bank again? [scribbles furiously] - ;D

    175. Re:Simple solution by broggyr · · Score: 1

      First step is to enter username & password. System then sends you a verification code via SMS.

      --
      Irony? Yea, it's like goldy and bronzy, only it's made of iron!
    176. Re:Simple solution by broggyr · · Score: 1

      Don't you get off when having sex?

      --
      Irony? Yea, it's like goldy and bronzy, only it's made of iron!
    177. Re:Simple solution by cusco · · Score: 1

      Sign up with a credit union. No fee to withdraw from any credit union ATM in North America, and withdrawals internationally are $1.50/each cheaper than any of the big US banks. Then there's the warm fuzzy feeling of no longer being forced to associate with some of the nastiest companies on the planet, too.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    178. Re:Simple solution by cusco · · Score: 1

      Why can't banks do the same?

      Because in the corporate executive game of musical chairs none of them are going to be in the position long enough to see any financial gains from fixing their security. By the time there would be any payback they'll be ruining some other company.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  2. BYO by wstrucke · · Score: 4, Insightful

    I find the security questions I like best are the ones I can make up myself. I typically use nonsense phrases that only I know the answer to. Unfortunately most sites would prefer you pick one of several 'standard' questions like the examples OP provided.

    1. Re:BYO by Anonymous Coward · · Score: 0

      .... but you don't have to give "standard" answers. You can use any word or words you want.

    2. Re:BYO by bcoff12 · · Score: 1, Insightful

      Exactly. I make up ridiculous answers and store them in my password manager.

    3. Re:BYO by Bork · · Score: 1

      Does not work - the general populace is unable to generate a secret question that is any better. They feel that it would not be used anyway so use nonsense questions and answers. Questions that I have seen when a user is allowed to create their own "Who did I F**K last", "What color is cheeze", "Why do I need a secret question", ....

      Without knowing who the person is on the other end, I have about a 50% guess rate on the answers to most secret questions used.

    4. Re:BYO by zero.kalvin · · Score: 1

      Exactly! But even with standard ones you can make it secure enough. For example I never had a pet when I was a kid, and for that reason I pick that one out and fill it with a name that mentally means something for me, but something that not even my best friend of 21 years can tell! Really the problem is not with the security measures, it is with the end users. If you pick that question above and you had a pet that half of the world knew you had, well then don't nag on how bad the security is.

    5. Re:BYO by nedlohs · · Score: 3, Insightful

      Making them completely pointless, since you'd only need them if you lost the password which would presumably also be in the password manager.

    6. Re:BYO by zero.kalvin · · Score: 1

      If you give a standard answer then you are an idiot who deserves to be hacked! If half of your town knows your mother's maiden name, what the hell are you doing by picking that as a question and answer!

    7. Re:BYO by Anonymous Coward · · Score: 0

      You don't seem to understand what a password manager is.

    8. Re:BYO by HawkinsD · · Score: 5, Funny

      My favorite make-up-your-own pair, which a CSR at a bank was once forced to read to me over the phone:

      Q: "You're not going out dressed like that are you?"

      A: "You can't tell me what to do! You're not my real father!"

      --
      Never attribute to malice that which can be explained by mere idiocy.
    9. Re:BYO by joeadmin · · Score: 1

      I do the same thing, fairly effective.

    10. Re:BYO by Anonymous Coward · · Score: 0

      And nothing usually prevents you from entering your "preferred" answer, regardless of what the question is. As long as you can remember your answer it works great. At least in my cases it always did.

    11. Re:BYO by X0563511 · · Score: 5, Insightful

      I'd rather just be able to disable the questions entirely, relying on a good password and if that is lost/whatever, account specific information being verified by a human on the phone.

      My problems with these "secret questions" are:
      1. They are obviously stored cleartext
      2. They can be used to "substitute" for your non-cleartext password
      3. Because 1+2=3, if someone breaks in and grabs a dump of the table, they now effectively have your account. These "insecurity questions" are more of a liability if you are not one to just lose passwords. Crutch for the stupid, barrier for the secure.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    12. Re:BYO by Isaac-1 · · Score: 1

      The problem here is often lack of good choices like:

      Paternal Grandfather's name? for someone who is John Smith III

      Or name of city you grew up in, when it is your current city?

      At this point Mother's maiden name looks good when given 3 choices

    13. Re:BYO by kat_skan · · Score: 1

      They were already pointless. A backdoor password into my account that is REQUIRED to be something people can just Google about me? Genius.

    14. Re:BYO by PPH · · Score: 1

      It's an app on the computing device of your choice that stores passwords. In reality, the storage is in your iCloud account. Which is about to be hacked since some Apple CSR is a moron.

      --
      Have gnu, will travel.
    15. Re:BYO by Cro+Magnon · · Score: 1

      I "borrow" someone else's pet for that question. The people who know me might guess whose pet I use, but even they'd have trouble figuring which of the dozens of pets this person had is the answer.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    16. Re:BYO by zero.kalvin · · Score: 1

      How about a wrong answer? Or how about you switch answers? Pet name: John Smith I. Paternal Grandfather: Fluffy. Name of the city you grew up in: Sally. Name of your first kiss: Buttfuck Tennessee. That was easy, wasn't it?

    17. Re:BYO by captaindomon · · Score: 5, Funny

      From Bruce Schneier:

      Q: Do you know why I think you're so sexy?
      A: Probably because you're totally in love with me.

      Q: Need any weed? Grass? Kind bud? Shrooms?
      A: No thanks hippie, I'd just like to do some banking.

      Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.
      A: Go forth, and kill. Zardoz has spoken.

      Q: What the hell is your fucking problem, sir?
      A: This is completely inappropriate and I'd like to speak to your supervisor.

      Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.
      A: It's a good thing they're recording this call, because I'm going to have to report you.

      Q: Are you really who you say you are?
      A: No, I am a Russian identity thief.

      --
      Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
    18. Re:BYO by Hatta · · Score: 1

      Here's the only security question you need:

      "What is your password?"

      --
      Give me Classic Slashdot or give me death!
    19. Re:BYO by Anonymous Coward · · Score: 0

      But my paternal grandfather's name WAS Fluffy! Now what do I do???

    20. Re:BYO by Anonymous Coward · · Score: 0

      Entertaining, but if I'm on the phone with customer service or if I'm trying to recover my password then I just need to get something done and really don't need hassles at that point.

    21. Re:BYO by Bigby · · Score: 1

      If the answers are definitive, then they don't need to be cleartext.

    22. Re:BYO by nedlohs · · Score: 1

      But keep it at all, just generate a 50 character random string and discard it, never to be used again.

    23. Re:BYO by nedlohs · · Score: 1

      I'm pretty sure I do.

    24. Re:BYO by c++0xFF · · Score: 1

      --
      Never attribute to malice that which can be explained by mere idiocy.

      I believe this falls under the "malice" category, wouldn't you agree?

    25. Re:BYO by Derek+Pomery · · Score: 1

      Agreed. Even case sensitivity and whitespace aren't a problem.
      Just hash it in lowercase w/ whitespace stripped.

      I would hope most banks already do this.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    26. Re:BYO by dgatwood · · Score: 1

      But then there are those obnoxious companies that randomly ask you your security question in addition to your password. For those sites, when you do that, you're permanently locked out of your account. That's why there should be a law requiring companies to disclose how they use those security questions at the time that they are asking them.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    27. Re:BYO by dgatwood · · Score: 1

      And people only "lose" passwords because no two sites use the same scheme. You'll have one site that disallows whatever special character you use, while another requires it, one site that won't take it because it doesn't contain a capital letter (because it's a 36-digit number), and so on. If every site would just STOP doing that and instead provide a "password strength meter" that the user is allowed to ignore if desired, we would have no need for the security questions.

      No one will ever randomly guess any of my high-security passwords, and if they crack into your site and steal them, you're required by law to notify me. I have different passwords at different tiers of security so that someone stealing the password to a throwaway account like here on Slashdot can't get into my bank account. And more to the point, if everyone were simply required by law to store all passwords hashed and salted, that wouldn't be a real issue worth worrying about anyway. That's what makes this so absurd is that the entire problem is artificial, all caused by bad programmers who aren't willing to sanity check their database inputs and incompetent security "professionals" who come up with arbitrary rules that all passwords must follow instead of just providing guidance to help users choose a good password.

      The reality of the matter is, if somebody gets cracked these days, it is either because their password is a single dictionary word or it is because of a social engineering attack through the security questions or something similar, because that's the weakest link in security—weaker than all but the weakest passwords by far. If all you do is a simple case-insensitive dictionary search for the user's password, you've prevented almost 100% of brute force attacks. Any rules beyond that just make it more likely that you'll need to implement back doors that weaken security.

      And don't get me started on the most harmful practice: password expiration. I've watched highly technically savvy people use systems that have password expiration rules. Their passwords are invariably junk. They have hard-to-guess passwords for things that don't expire. For passwords that expire, they tend to be a letter followed by 1234567890, where anybody who watches them enter their passwords from thirty feet away can guess them in a couple of minutes. You know who you are.

      Of course, ultimately, the biggest problem is that passwords are fundamentally broken. Any password hard enough to guess is also hard to remember, and vice versa. This is compounded by having to remember different ones, but it is a serious problem even in the absence of that problem. And hacks like password managers don't help, either. When your computer gets 0wn3d, which statistically speaking, it eventually will, that password manager is also 0wn3d, and will dutifully provide those passwords to an interloper.

      No, there is exactly one viable security solution: a smart-card-like device that is incapable of being accessed remotely, uses a simple serial protocol for communication through physical contacts (so the comms code is small and easily audited), requires the user to push a button to authorize each request, uses crypto to verify that the request came from a known server, and uses crypto to sign each request sent to that server. Then, different servers can have different levels of paranoia, from bulletin board servers that require a single token per session that expires in an hour all the way up to banking sites that require you to press the button every time you go to a new page.

      Over time, people would become conditioned to the behavior of a site, so if someone started trying to send requests to the user's bank behind the scenes when he or she hadn't gone to a new page in the browser, the user would hit the "No" button. More to the point, even if users hit their "Yes" buttons, the damage would be limited to whatever the bad guys could do while the users were connected to a given site. A user reading Slashdot who suddenly saw a request for

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
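      The push-a-button-per-request token sketched in the comment above, walked through as an added example; this is not code from the original post or from any real smart card product. HMAC under a per-server key enrolled on the token stands in for the public-key signatures a real device would use (it keeps the demo on the standard library), and the server id, the actions, the 60 second challenge lifetime and the `button` callback that plays the user are all invented for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed parts, so 'ab'|'c' and 'a'|'bc' differ.
    Stands in for the public-key signature a real card would produce."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


@dataclass
class Token:
    """The device: one key per enrolled server, plus a physical button.
    `button` is the user; it returns True only for a press on 'Yes'."""
    button: Callable[[str], bool]
    keys: dict = field(default_factory=dict)

    def enroll(self, server_id: bytes, key: bytes) -> None:
        self.keys[server_id] = key

    def authorize(self, server_id: bytes, nonce: bytes, action: bytes, req_mac: bytes) -> Optional[bytes]:
        key = self.keys.get(server_id)
        if key is None:
            return None                                  # never enrolled: unknown server
        if not hmac.compare_digest(mac(key, b"req", server_id, nonce, action), req_mac):
            return None                                  # request not from the real server
        if not self.button(f"{server_id.decode()} asks: {action.decode()}"):
            return None                                  # user pressed 'No'
        return mac(key, b"resp", server_id, nonce, action)


class Server:
    def __init__(self, server_id: bytes, key: bytes, ttl: float = 60.0):
        self.server_id, self.key, self.ttl = server_id, key, ttl
        self.pending: dict = {}                          # nonce -> (action, issued_at)

    def challenge(self, action: bytes):
        nonce = os.urandom(16)
        self.pending[nonce] = (action, time.monotonic())
        return self.server_id, nonce, action, mac(self.key, b"req", self.server_id, nonce, action)

    def accept(self, nonce: bytes, action: bytes, resp_mac: Optional[bytes]) -> bool:
        entry = self.pending.pop(nonce, None)            # a nonce is consumed on first use
        if entry is None or resp_mac is None:
            return False
        stored_action, issued = entry
        if stored_action != action or time.monotonic() - issued > self.ttl:
            return False
        return hmac.compare_digest(mac(self.key, b"resp", self.server_id, nonce, action), resp_mac)


def run_scenarios() -> dict:
    """Constructed walk-through: one legitimate transfer, a replay, a phishing
    site, and a declined press. Returns what each side concluded."""
    key = os.urandom(32)
    bank = Server(b"bank.example", key)
    token = Token(button=lambda prompt: True)            # user says Yes
    token.enroll(b"bank.example", key)

    sid, nonce, action, m = bank.challenge(b"transfer 100 to acct 42")
    resp = token.authorize(sid, nonce, action, m)
    legit = bank.accept(nonce, action, resp)

    replay = bank.accept(nonce, action, resp)            # same response sent again

    phish = Server(b"bank.example", os.urandom(32))      # claims the bank's id, lacks its key
    sid, n2, a2, m2 = phish.challenge(b"transfer 9000 to acct 666")
    forged = token.authorize(sid, n2, a2, m2)

    token.button = lambda prompt: False                  # user says No
    sid, n3, a3, m3 = bank.challenge(b"transfer 1 to acct 1")
    declined = bank.accept(n3, a3, token.authorize(sid, n3, a3, m3))

    return {"legit": legit, "replay": replay, "forged_signed": forged is not None, "declined": declined}
```

      The point the comment makes about damage being limited to what the user actually pressed "Yes" to is the `action` field: it is bound into both MACs, so a man-in-the-browser cannot take a signature for "transfer 100" and spend it on a different transfer, and the nonce is consumed on first use, so it cannot be spent twice.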

    28. Re:BYO by nedlohs · · Score: 1

      Yes, a law. The answer to all the world's problems.

      But yes, if the security question is used for anything other than accessing your account after having lost your password, then storing it with your password makes sense.

    29. Re:BYO by kat_skan · · Score: 1

      That's good for you and me, but normal people have enough trouble choosing a strong password without their bank actively encouraging them to use their damn dog's name.

    30. Re:BYO by dgatwood · · Score: 1

      When it comes to getting full disclosure from companies about their security practices, history has shown that nothing else works. And that's what I'm talking about here: mandating that companies disclose how they intend to use the information that they are requesting at the time that they are requesting it. It's no different from laws requiring privacy policies, really.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    31. Re:BYO by Anonymous Coward · · Score: 0

      The answer to any security question, be it one of the clever stock questions like "Where did you go to high school?", "What's your first name?", et cetera, or a random pick-your-own-question, should be something other than the correct answer, preferably something totally irrelevant, off-the-wall, bizarre and non sequitur: For something like "What's your first name?" you could give your answer as, "Caterpillar bulldozers taste like fish" or even, "Ok9dfhuuwef**7kipeepee". It could be anything as long as it's not your first name or anything resembling a name.

      Of course, this depends on the bank or business not being anal in enforcing "proper" responses like eBay/Paypal has been. And if that's the case, you're screwed if you insist on doing business with them.

    32. Re:BYO by Anonymous Coward · · Score: 0

      Only the retarded store security questions as something other than an unsalted irreversible hash.

  3. That's Not Possible by MightyMartian · · Score: 4, Funny

    I'm sorry. Apple cannot make mistakes anymore. Clearly this is just anti-Apple-types trying to give the greatest, most wonderful, most lauded, most glorious company that has ever or will ever exist.

    I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:That's Not Possible by CanHasDIY · · Score: 1

      I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

      Didn't they remove that function, in order to protect you from yourself?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:That's Not Possible by Anonymous Coward · · Score: 0

      It's not a mistake...it's a feature.

    3. Re:That's Not Possible by alen · · Score: 1

      they admitted that one of their CSRs didn't follow the rules

      everyone here writes bugs with code and works it out over time. lots of times in production. but someone else makes a mistake and its time to burn them at the stake.

    4. Re:That's Not Possible by Anonymous Coward · · Score: 0

      They removed the option to turn it on.

    5. Re:That's Not Possible by cpu6502 · · Score: 1

      >>>Clearly this is just anti-Apple-types

      I consider Apples to be like Chryslers, Lexuses, and Acuras. Severely-overpriced for what you get. BUT in this case you are being unfair. It wasn't Apple that dropped the ball but one of their minimum wage employees.

      Apple should fire the employee and any other employees who hand-out new passwords w/o proper authentication by the caller (answering the secret questions). If Apple fails to do that, THEN you can vilify them.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    6. Re:That's Not Possible by Isaac-1 · · Score: 2

      Part of the problem is the CSR had the option to not follow the rules, they should have a box to type the challenge response, and the computer should have enough logic to only accept a close match, not counting capitalization or minor spelling differences. If they can't get it right, escalate the call to a supervisor level who may then have more leeway.
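      Several comments in the BYO thread (the complaint that the questions are "obviously stored cleartext", the replies that definitive answers can be hashed, lowercased and whitespace-stripped, and the claim that anything but an unsalted hash is wrong) and the comment just above about the CSR's form accepting a close match all describe the same storage problem. Here is an added example, not code from the original thread, of how the two fit together: answers are normalised and then hashed with a per-user salt and a slow KDF (unsalted is the wrong choice, because the answer space of pet names and street names is tiny and one precomputed table would cover every user), and "minor spelling differences" are tolerated by enumerating one-typo variants of the attempt and checking each against the stored hash, which is the only way to be lenient without keeping the answer in clear. The iteration count is an assumed value; the normalisation alphabet is ASCII letters and digits.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Cost parameter for PBKDF2-HMAC-SHA256. Assumed value for the demo; a
# recovery answer can stand in for the password, so give it the same cost
# you give the password hash.
ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Case-fold and keep only letters and digits, so that "Fluffy",
    " fluffy " and "FLUFFY!" all hash to the same value."""
    return re.sub(r"[^a-z0-9]", "", unicodedata.normalize("NFKC", answer).casefold())


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Return the record to store: (salt, digest). The answer itself is not
    kept, so a dump of the table does not hand out recovery answers. The
    per-user salt matters more here than for passwords: the answer space
    ("fluffy", "rex", "mainstreet") is tiny, and an unsalted table would let
    one hash of "fluffy" unlock every user who ever had a cat called Fluffy."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


def verify_exact(candidate: str, salt: bytes, digest: bytes) -> bool:
    got = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, digest)


def one_typo_variants(word: str) -> set[str]:
    """Strings reachable from `word` by one dropped letter, one swapped
    adjacent pair, or one doubled letter: about 3*len(word) candidates.
    Full substitutions would add 36*len(word) more; each class of typo you
    tolerate multiplies the KDF work below."""
    out = set()
    for i in range(len(word)):
        out.add(word[:i] + word[i + 1:])                              # dropped letter
        out.add(word[:i + 1] + word[i] + word[i + 1:])                # doubled letter
        if i + 1 < len(word):
            out.add(word[:i] + word[i + 1] + word[i] + word[i + 2:])  # swapped pair
    out.discard(word)
    return out


def verify_tolerant(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Accept a one-typo answer, as the CSR-side 'close match' suggests,
    without storing the answer in clear. Every variant costs a full KDF run,
    so leniency is paid for in server CPU: keep the variant classes few and
    rate-limit the caller rather than cutting ITERATIONS."""
    norm = normalize(candidate)
    if verify_exact(norm, salt, digest):
        return True
    return any(verify_exact(v, salt, digest) for v in one_typo_variants(norm))
```

      Note what this does not buy you: the stored value still unlocks the account like a password, so the point made in the thread that the questions substitute for the password stands; hashing only stops a database dump from revealing the answers directly, and only to the extent that the answers were not Googleable in the first place.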

    7. Re:That's Not Possible by Anonymous Coward · · Score: 0

      I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

      Didn't thJOBS BE PRAISEDtion, in orJOBS BE PRAISED you MOST HOLY NAME OF JOBS BE PRAISED IN THE HIGHEST?

      I'm sorry, I couldn't hear you over the helpful, calming sounds of my iPads. Did you say something? Oh well, if it were important, I'm certain Apple, in their infinite wisdom, would allow me to hear it.

    8. Re:That's Not Possible by nazsco · · Score: 3, Funny

      iPads only go up to 10. 11 would be too complicated, like a second mouse button.

    9. Re:That's Not Possible by CrashNBrn · · Score: 1

      I think Amazon should take blame too, no? I forget if there was a maximum character limit, but Amazon only allows Letters and Numbers in their passwords - which is a complete joke for a site that retains your credit card information. Amazon was one of less than a handful of sites that prevented me from using my NORMAL 32 character full ansi character passwords, chr(32) - chr(255), that I generate with a script from a regular typable phrase. Even a single letter used as an input will create: ïêûõeÿë/j7V+åk+0ùé6`V!õk

      (Of course slashdot is removing 8 of the ANSI characters) Apparently not only can't slashdot do Unicode it can't even support the normal ansi character set.

  4. What is Your Favourite Colour? by Jeremiah+Cornelius · · Score: 5, Funny

    What is your quest?

    What is the air-speed velocity of a coconut-laden swallow?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:What is Your Favourite Colour? by Anonymous Coward · · Score: 0

      African or European?

    2. Re:What is Your Favourite Colour? by Jeremiah+Cornelius · · Score: 2

      I don't kno.... (Insert "Wilhelm")

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:What is Your Favourite Colour? by Anonymous Coward · · Score: 0

      African or European?

      African of course, If it were European, it would be a "sugar-beet laden" swallow.

    4. Re:What is Your Favourite Colour? by saider · · Score: 2

      It would be funny if your answer was a question - "An African or a European Swallow?"

      --
      Remember, You are unique...just like everyone else.
    5. Re:What is Your Favourite Colour? by cvtan · · Score: 1

      Blue. No, red!!! Aaaahhhhh!!!

      --
      Sorry, but gray text on gray background is making my eyes bleed.
  5. Who answers security questions honestly? by BMOC · · Score: 4, Insightful

    The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

    Favorite movie? Gigli
    First Car? Moon Rover
    Mother In Laws Name? Dead
    etc..etc..

    --
    I swear they give me mod points to shut me up.
    1. Re:Who answers security questions honestly? by imagined.by · · Score: 3, Insightful

      I usually just generate additional passwords and save them in KeePass.

    2. Re:Who answers security questions honestly? by Plumpaquatsch · · Score: 2

      The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

      Favorite movie? Gigli
      First Car? Moon Rover
      Mother In Laws Name? Dead
      etc..etc..

      Of course people will forget the right wrong answer, with no chance of ever finding it again. Which is likely the reason why companies have started to allow a way around those questions in the first place.

      --
      Of course news about a fake are Fake News.
    3. Re:Who answers security questions honestly? by CanHasDIY · · Score: 1

      The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

      This, a million times over.

      It's not the questions that are the problem, it's the idiots giving them obvious, straight answers.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    4. Re:Who answers security questions honestly? by Anonymous Coward · · Score: 0

      Shouldn't security answers have at least the security of a password? 8+ characters with one uppercase, one number, one special character, etc.

    5. Re:Who answers security questions honestly? by Anonymous Coward · · Score: 0

      >> It's not the questions that are the problem, it's the idiots giving them obvious, straight answers.

      it's designed for obvious, straight answers.

    6. Re:Who answers security questions honestly? by JohnFen · · Score: 1

      This completely negates the purpose for me. If I can remember my nonsense answer, I can equally remember the actual password, and using a standard nonsense answer for all logins is no different than using the same password for all logins, a big no-no.

    7. Re:Who answers security questions honestly? by Anonymous Coward · · Score: 0

      I prefer to answer them as something completely obtuse.

      What is your favorite color?
      2.71828 bottles of blue on the 3.14159 meter wall.

      What is your pets name?
      IAU suck and it should have totally been kept a planet. It is stable!

      What is your mother's maiden name?
      Four score and seven years ago, a girl named Jill climbed a hill. It ended horribly. I was born.

    8. Re:Who answers security questions honestly? by unk98 · · Score: 1

      Same. I don't want them to be easier to break than my password.

    9. Re:Who answers security questions honestly? by Hatta · · Score: 1

      They're still easier to break than your password. They're stored in clear text.

      --
      Give me Classic Slashdot or give me death!
    10. Re:Who answers security questions honestly? by c++0xFF · · Score: 1

      A good thought, but remember two things:

      1) Security questions are often used to confirm identity over the phone. Are you generating answers you'd want to try to say over the phone?
      2) Because of the above, the answers are very often stored in plaintext so the help desk can see the answer. Are you really gaining that much in security? (Never mind how often passwords are stored in plaintext as well...)

    11. Re:Who answers security questions honestly? by unk98 · · Score: 1

      That's an easy point to forget. Until they remove the feature altogether, I'll have to stick with garbage/random data as input.

    12. Re:Who answers security questions honestly? by Rob+the+Bold · · Score: 1

      The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

      Favorite movie? Gigli
      First Car? Moon Rover
      Mother In Laws Name? Dead
      etc..etc..

      I tried that, but what seemed hilarious (or maybe clever or perhaps cute) to me once apparently wasn't funny several years later when I needed it. I probably should have written it down. But if I'd written it down, it'd probably be on the same scrap of paper as the password, which I would have either lost or kept in its entirety.

      --
      I am not a crackpot.
    13. Re:Who answers security questions honestly? by allo · · Score: 1

      Why? What prevents the site from hashing the answers?

    14. Re:Who answers security questions honestly? by tftp · · Score: 1

      These are free-form questions, usually, so it's hard to present them unchanged. For example, "Where were you born?" can be answered "In Athens" or "Athens" or "Athens, Greece" and so on. These answers are semantically equivalent, but hashes will be all different.

    15. Re:Who answers security questions honestly? by Culture20 · · Score: 1

      These security questions are often used for phone support, and they have to make a judgment call as to whether you answered correctly (punctuation, saying "from" instead of "for", etc.)
      The answers need to be in plain text. Of course this means you can never use the same answers anywhere.

    16. Re:Who answers security questions honestly? by allo · · Score: 1

      Bullshit, because no site will accept "In Athens" when I answered "Athen" the first time.
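
The sub-thread above (allo asking why answers aren't hashed, tftp pointing at free-form variation, Culture20 noting phone support wants plaintext) is a design question with a known answer: canonicalise the answer, then store a salted slow hash. The block below is an added example written for this page, not code from any poster or site; the normalisation rules (casefold, punctuation to spaces, a leading "in"/"at" dropped) and the PBKDF2 round count are assumptions chosen for illustration. "In Athens", "athens." and "Athens" all verify against one stored digest, while "Athen" and "Athens, Greece" do not, which is exactly the line allo draws.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Added example (hypothetical, not any site's code): store security-question
# answers as salted, slow hashes instead of plaintext, canonicalising the
# answer first so harmless variations still match.  A different spelling
# ("Athen") is still rejected; the site, not the hash, decides what is equal.

_LEADING_FILLER = re.compile(r"^(in|at)\s+")   # assumed rule: drop "In Athens" -> "athens"
PBKDF2_ROUNDS = 100_000                        # assumed work factor


def normalize_answer(answer: str) -> str:
    """Canonical form of a free-form answer.

    NFKC-normalise, casefold, turn punctuation into spaces, collapse whitespace
    and drop a leading "in"/"at".  "Athens, Greece" becomes "athens greece",
    which stays distinct from "athens".
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)       # punctuation -> space
    text = re.sub(r"\s+", " ", text).strip()   # collapse whitespace
    return _LEADING_FILLER.sub("", text)


def hash_answer(answer: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) for the canonical answer; fresh random salt if none given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison of the candidate's digest with the stored one."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed enrolment: the user answered "Athens" when setting the question.
    salt, digest = hash_answer("Athens")
    for attempt in ["In Athens", "athens.", "Athens, Greece", "Athen"]:
        print(f"{attempt!r:18} -> {verify_answer(attempt, salt, digest)}")
```

The help-desk use case is what this trades away: once only a digest is stored, an operator can no longer eyeball a spoken answer, so the phone flow has to either type the caller's words into the same verifier or use a different factor entirely.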

  6. Recorded preference in tablecloth colors by The+Barking+Dog · · Score: 1

    Douglas Adams nailed it...again.

  7. Don't Give the Real Answer by mikestew · · Score: 4, Insightful

    Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.

    Of course, that does no good if Apple simply ignores the security questions.

    1. Re:Don't Give the Real Answer by Anonymous Coward · · Score: 0

      Definitely. I guess common sense isn't terribly common.
      I give the wrong answers on purpose as well but they're something meaningful to me that's not online and is memorable.

    2. Re:Don't Give the Real Answer by Anonymous Coward · · Score: 0

      Or if you post it on Slashdot.

    3. Re:Don't Give the Real Answer by Plumpaquatsch · · Score: 2

      Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.

      Of course, that does no good if Apple simply ignores the security questions.

      So to recover the password for your account you also stored in 1Password, you use a security question, the answer of which you take from 1Password. I can see no flaw in your reasoning.

      --
      Of course news about a fake are Fake News.
    4. Re:Don't Give the Real Answer by CAIMLAS · · Score: 2

      Of course, that does no good if Apple simply ignores the security questions.

      Everyone here seems to be missing that point.

      If they will reset your password over the phone while enabling you to add an email address to the account and without reasonable certainty you are who you say you are, they have thoroughly demonstrated they do not give half a shit about the security of your information. Period. There are banks like this as well. It would be trivial to take over someone's financial and digital life in today's world with a little knowledge of who they are.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    5. Re:Don't Give the Real Answer by mikestew · · Score: 1

      Yes, that would be an accurate summary. Answers are generally required, and I'm not about to give the actual answer. I do not intend to ever use the answers, as I view security questions to be a hole and not a help, but they might as well be recorded.

    6. Re:Don't Give the Real Answer by Anonymous Coward · · Score: 0

      Give them an answer designed to cause a SQL injection attack

      Q. What is your oldest nephew's name
      A. Robert'); DROP TABLE students; --?

      http://xkcd.com/327/

  8. An answer to a common security question by Anonymous Coward · · Score: 0

    What city were you born in?
    Answer: Iwasnotborn in anycity

  9. Don't answer the Security questions "correctly"!!! by EMR · · Score: 1

    When you fill out the "form" to define the security questions, don't put the correct answers in; purposely put a false answer, obviously one that only you know. My dad makes up a "youngest son" to put in those security questions so there is no way someone can "scour" social network sites to find the answers.

  10. Retinal Eye Scans by justcauseisjustthat · · Score: 1

    Retinal Eye Scans here we come, I'm feeling very Minority Report-ish....
    (I'll never give my finger prints or DNA freely, but you can burn my eyeballs out)

    1. Re:Retinal Eye Scans by cpghost · · Score: 1

      Imagine using a retinal scan after some time, and being denied access.

      --
      cpghost at Cordula's Web.
  11. Misdirection by Anonymous Coward · · Score: 0

    So tricks like misspelling the answer in a manner you can remember, or outright lying, are no longer advised? 'Q: What is the name of your first pet? A: Godzilla' ... it REALLY isn't hard, folks.

  12. Use the First Girlfriend question by danbuter · · Score: 4, Informative

    Jokes on them! I've never had a girlfriend!

    1. Re:Use the First Girlfriend question by Pope · · Score: 1

      CSR: "Your first girlfriend's name is... Bruce?"

      --
      It doesn't mean much now, it's built for the future.
    2. Re:Use the First Girlfriend question by Anonymous Coward · · Score: 0

      Q: What was the name of your first girlfriend?
      A: Realdoll.

    3. Re:Use the First Girlfriend question by sconeu · · Score: 1

      Her real name was Michael, but we called her Bruce just to keep things simple here at the philosophy department.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  13. Doesn't feel all *that* tricky by shilly · · Score: 1

    "What is your memorable place?" seems to fit all those criteria, for example.

    1. Re:Doesn't feel all *that* tricky by JohnFen · · Score: 1

      I wouldn't even know how to begin to answer that question. I don't have a single most memorable place, but a small collection of special places that are about equally memorable. How would I remember which one I used?

      This is no different than "what's your favorite..." questions. My favorite anything is not fixed. My favorites change over time, so I still end up having to outright guess what the right answer is.

    2. Re:Doesn't feel all *that* tricky by trnk · · Score: 1

      I was asked for a 'memorable date' the other day; I literally had nothing apart from my birthday, which seemed a little counterproductive.

  14. Lie by Anonymous Coward · · Score: 1

    Do not answer your security questions truthfully. Make things up, but be consistent with your lies or you may be out of luck when it comes time to answer the questions. This foils any attempt to impersonate you by using the public record.

    1. Re:Lie by JohnFen · · Score: 1

      But then you are, in effect, using the same password for all your logins.

    2. Re:Lie by Anonymous Coward · · Score: 0

      No difference there than if you were to answer truthfully. Alternatively, you could do what others here have suggested and simply generate passwords as answers, then store them in a manager, but managers come with their own security concerns.

    3. Re:Lie by ZombieBraintrust · · Score: 1

      But these questions are answered over the phone. When someone calls in and the answer to the question is a long stream of random numbers and letters, the call support person is not going to bother with your security questions. They are just going to let the attacker in when they give plausible-sounding answers.

    4. Re:Lie by Anonymous Coward · · Score: 0

      That's the same lack of training that allows for the "Well, I really cannot remember the answer to that" response to pass through anyway, so, again, no difference. The human factor will always be the weakest link in this equation if you exercise even a modicum of common sense, and that's something we've been trying without success to factor out for decades.

  15. what was the name of your first pet? by alen · · Score: 1

    lots of cartoon animal names you can use

    who says you have to use real answers to these questions?

  16. Think fail by Anonymous Coward · · Score: 0

    they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway.

    No, a single employee was duped into making an error.

    This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously.

    Yeah, Tim Cook came right out and said that. #doublefacepalm

    This right here is at the core of almost all problems in the world: the inability of people to differentiate between the actions of an individual and a group, or projecting the individual actions into a collective mindset.

    1. Re:Think fail by thePowerOfGrayskull · · Score: 2

      This right here is at the core of almost all problems in the world: the inability of people to differentiate between the actions of an individual and a group, or projecting the individual actions into a collective mindset.

      Yeah, totally sucks how everybody does that.

    2. Re:Think fail by JDG1980 · · Score: 1

      No, a single employee was duped into making an error.

      That employee was acting on Apple's behalf as part of his official job duties. Therefore, Apple is legally and morally responsible for his actions.

      This right here is at the core of almost all problems in the world: the inability of people to differentiate between the actions of an individual and a group, or projecting the individual actions into a collective mindset.

      So I suppose you're also opposed to corporate limited liability? You can't have it both ways.

  17. Dumbest security questions 1st price: Mizuho bank! by LifeIs0x2A · · Score: 1

    Anyone else here who has an online banking account at Japanese Mizuho bank? Every time I change browser or have logged in from a different computer in the meantime, I have to answer these questions again: What is your favourite drink? What is your favourite fruit? What is your favourite meal? Was it Spaghetti Bolognese or did I write meatballs when I first logged in? Did I like lions at that time or was it Zebras? Quite existential questions to ask when you actually just would like to transfer your rent.
    It might be safe but it is really an annoying joke. And additionally the Japanese language makes it even more fuzzy. Which alphabet did I use to answer the question? I 1000x prefer two-step authentication à la Gmail. But for a slower-than-snails-on-a-tree shop like Mizuho Bank that is going to take decades to implement.

  18. even random questions/answers are a weakness by Anonymous Coward · · Score: 0

    "My mother's maiden name is 4dAm3Y3fv9nIks."

    Operator: What's your mother's maiden name?
    Attacker: My answer was random gibberish, but I forgot what it is.
    Operator: Hmmm...seems legit.

  19. simple by Anonymous Coward · · Score: 0

    Always answer 42 to any secret question posed.
    If the answer must be longer to meet some length rules, forty-two or Forty-Two should suffice.
    Now if I could just know what the security question was...

  20. You're doing it wrong by macemoneta · · Score: 1

    Security questions are an opportunity for additional long passwords.

    Favorite color: ALQbpFcWvvFiJlnEh5uuC0lpJZFHAvIcMuXrOh46L3bc24V39m
    Where you grew up: 1t7jpfr7zzp87kOJTMOFw5qf1ReWKoxoeRu8U7vuz5TfPwypkU
    First pet: gzcPme09nDYPHXvfvyi8FbpP9hX5cjqMiVi0MWd61sxyCIJjaG

    Just use the prompt as the index for the key, which you've saved in your favorite key store, like keepassx.

    --
    Can You Say Linux? I Knew That You Could.

    1. Re:You're doing it wrong by QuantumPete · · Score: 1

      Or you just put the SHA1 hash of the question as the answer.

      --
      QuantumPete
    2. Re:You're doing it wrong by Anonymous Coward · · Score: 0

      Meanwhile at Apple...

      - Yes sir, what is your favorite color?
      - You know, I was in Japan at the time and I think your database stored it wrongly you know- characters and stuff so it's probably gibberish. Can't you just go ahead with what I already provided?
      - Absolutely sir.

    3. Re:You're doing it wrong by PRMan · · Score: 1

      With a secret salt of your choosing.... Not a bad idea. You could regenerate it yourself, but criminals are too dumb to bother.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  21. Even so by stevegee58 · · Score: 1

    Even if Apple had enforced their own policies it's still weak anyway. Recall the hacking of Sarah Palin's Yahoo email. The attackers just looked up the answers to her security questions on the interwebs.

  22. Coconut laden? by Okian+Warrior · · Score: 1

    I don't know much about coconut-laden swallows, but an unladen swallow flies along at roughly 10 meters per second (9.9 mps, per rough calculation).

    Where did you get the thing about coconut-laden swallow anyway? Was that a line from a movie or something?

    1. Re:Coconut laden? by Jeremiah+Cornelius · · Score: 1

      I'm sorry, Lad.

      1975 was a long time ago... Nearly in a galaxy, far, far away....

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Coconut laden? by Anonymous Coward · · Score: 0

      That has unladen swallows, and the possibility of swallows carrying coconuts, but nothing about "coconut-laden swallows".

      It must have been some other film.

    3. Re:Coconut laden? by Bardez · · Score: 1

      Where did you get the thing about coconut-laden swallow anyway? Was that a line from a movie or something?

      Are you... are you being... serious?

      Monty Python and the Holy Grail.
      the quote in question

      --
      Perception is the thin dividing line between reality and fiction.
    4. Re:Coconut laden? by Bardez · · Score: 1

      Or rather this one being the coconut-laden discussion.

      --
      Perception is the thin dividing line between reality and fiction.
  23. Mother's maiden name by AnalogDiehard · · Score: 4, Informative

    I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.

    I had to resort to adding layers of generations when my (now ex) wife attempted to open credit cards behind my back.

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
    1. Re:Mother's maiden name by Anonymous Coward · · Score: 0

      I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.

      But a lot easier to get from census records, since those become public after ~70 years.

    2. Re:Mother's maiden name by hackertourist · · Score: 1

      Right, because there's no such thing as genealogy websites.

    3. Re:Mother's maiden name by Anonymous Coward · · Score: 0

      Why have accurate information? If you're just adding generations, that's still crackable, and worse yet she knows the method you're using to obtain your password.

      Just make the answer "Smith" (assuming that's not actually in your genealogy) and let her research to her heart's content.

    4. Re:Mother's maiden name by houghi · · Score: 1

      This is almost like making up an answer. Just use some random word or words. If you speak another language, use that.
      Centipede, vasectomy "Mon crayon est jaune est large" is just as valid as Smith.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:Mother's maiden name by Just+Some+Guy · · Score: 2

      I use my mother's mother's mother's maiden name.

      Why? Are you legally obligated to give the correct answer?

      --
      Dewey, what part of this looks like authorities should be involved?
    6. Re:Mother's maiden name by Anonymous Coward · · Score: 0

      If you give an incorrect answer you need to remember it. If you can't remember your password, why would you be able to remember what you put down for the answer to the challenge question?

    7. Re:Mother's maiden name by Rob+the+Bold · · Score: 1

      I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.

      But a lot easier to get from census records, since those become public after ~70 years.

      I don't know if you've looked at the 1940 census stuff yet -- and you should, it's fascinating -- but you'd really be doing some work to find my mother in a scan of a handwritten form. Even if you knew her address in 1940. And even if you got past the problem of her name being recorded wrong by the enumerator. Asking the Mormons would be easier.

      --
      I am not a crackpot.
  24. Well by ledow · · Score: 2

    Just treat them like I do. Select any "question" and type another password into the answer box (one that you never give out).

    Should it come to a password reset where you're asked for it, NOBODY will ever guess it and you'll be able to reset your password either automatically (if they allow you to), or via a customer service representative (who will be wondering why your mother's maiden name was AH8hfds86, but who cares?).

    Just as secure as anything else and requiring you to give out zero additional personal information, and totally UNABLE to be discovered by someone who happens to know you, for instance (unlike DOB, maiden names, etc.)

    1. Re:Well by Anonymous Coward · · Score: 0

      I make my answers into "Just email me a damn password reset", followed by random password padding...

    2. Re:Well by T+Murphy · · Score: 1

      mother's maiden name was AH8hfds86

      I think we're related...

  25. Security questions: FAIL by macraig · · Score: 4, Insightful

    Many security questions are a failure from the start due to poor selection. While one would expect that a security question would challenge an objective fact, many of them don't. Instead they challenge subjective facts, most often "favorite" things. What happens to a person's answers when his mental list of favorite things has changed? I've encountered some instances where these "favorite" questions were so prevalent that there wasn't even one objective question as a choice. While it's true that "favorites" might be less susceptible to data mining than objective facts, the last thing security questions should ever do is create the possibility that the legitimate user might be locked out because he can't recall what his "favorite" was at the time of the account's creation. This is akin to the bad habit of using e-mail addresses as usernames. What's more, many of these choose very poor subjects that lead to potentially ambiguous answers; there have been many occasions when I couldn't decide the correct answer to a "favorite" question even at the time of creation, much less a year later.

    1. Re:Security questions: FAIL by Anonymous Coward · · Score: 0

      It's even worse; there are many "objective" questions that don't have a simple answer either:
      "What was the name of your school?" I went to 5 different ones.
      "What was your first car?" Brand? Model? Both?
      "What was the name of your first pet?" Well, I remember lots of pets and don't really know which one was the first one (I was very young and it was a long time ago), and again, as you say, when they ask back, I might remember differently than today.

      Last time I had to answer questions, I couldn't find 3 of them that I could answer and be sure I would be able to answer back exactly if they asked me again, seriously.

    2. Re:Security questions: FAIL by AmongTheBoulders · · Score: 0

      I do not have just one obvious favorite movie or one obvious favorite author. I do not have a favorite color. I do not have just one favorite school teacher. I did not attend just one high school while growing up.

      I also did not learn to drive on just one car. There were two cars at home and three more cars that we used in the drivers ed class. Then there was also the tractor that we had at home too.

      I did not have just one dog while growing up, and can not remember the name of the first one that we had when I was an infant. I also did not grow up on just one street. I lived on several different streets at different times.

      I have been asked for all of the above as security questions, but would not have just one obvious answer for any of those questions.

    3. Re:Security questions: FAIL by CodeManBob · · Score: 1

      There is a song to help you remember your favorite things. http://youtu.be/33o32C0ogVM/

    4. Re:Security questions: FAIL by macraig · · Score: 1

      I'm tone deaf, you insensitive clod! They never made a movie "The Sound of Monotony".

    5. Re:Security questions: FAIL by volmtech · · Score: 1

      My bank has more obscure questions. What make was your first car? Name of favorite pet. The car someone could guess with five or six tries, but the pet's name is recorded nowhere; besides, after three wrong answers the account is locked and requires a phone call from my home phone to unlock.

  26. trope: Stock Animal Name by tepples · · Score: 1

    lots of cartoon animal names you can use

    Which gives attackers the option to use the rainbow tables.

    1. Re:trope: Stock Animal Name by allo · · Score: 1

      Rainbow tables are against hashes. You think of password lists.

    2. Re:trope: Stock Animal Name by tepples · · Score: 1

      You're right. But an administrator would have to be high on hash to choose secret questions that are such obvious bait for password lists and Facebook sleuthing.

  27. What's "mother's maiden name"? by Anderu67 · · Score: 1

    Oh right, a cultural construct. Bonus points if you force the question on Spanish-speaking users, in which cultures there is no name changing and the person's last name includes what would be considered the mother's "maiden name". Very secure.

    1. Re:What's "mother's maiden name"? by Cro+Magnon · · Score: 1

      Almost as bad is when your mother and one or both of her parents is listed as a relative on Facebook, with the grandparent's last name displayed in all its glory. Top secret, my posterior!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:What's "mother's maiden name"? by ILongForDarkness · · Score: 1

      Well in theory you could set up security on your FB page so that people you don't trust can't see that info. But the problem is your cousin could have no security and have the information on their page. That is the problem with FB and the like IMHO not just lack of privacy but even if you set the privacy settings the way you want there is nothing stopping your friends from posting and tagging drunken photos of you.

      For those that are in your "circle" in the social sites: it doesn't matter. Things like what was your mother's maiden name might come up in conversation. If you know someone well you probably know their favorite teacher, pet's name, family member's name, favorite food etc. The security questions are predicated on the idea that things like your favorite thing is something that you keep secret from friends. Not going to happen. If it is a bank website there is no reason why they can't require you to go to a branch or call in to reset your password. Having a plain text with public information question to reset an account to save on a phone call is just silly.

  28. One answer to rule them all by Anonymous Coward · · Score: 0

    The other extreme are the customers I support. One of them admits his answer to any security question is "snickerdoodle", regardless of what the question is. Easy, memorable, and hard to guess. Which would work great I suppose if he only ever used them on one site. In this climate where weaker sites are compromised and intel harvested, I suppose it's a lot like him using the same password for every site.

    This whole thing would be so much easier if we just agreed to embed a chip in people's hand.

    1. Re:One answer to rule them all by KhabaLox · · Score: 1

      This whole thing would be so much easier if we just agreed to embed a chip in people's hand.

      Make no mistake, this is coming. The chip will be your phone and your credit cards and banks will be linked to it. To pay you'll simply swipe your hand over the scanner at the retail location and then select (or say) "American Express." It will double as a two factor authentication device by receiving a security token wirelessly from the server when you try to log into an account. The system you're accessing will either have a scanner for you to wave your hand in front of, or the code will appear on your HUD for you to type in.

      Or you could just use two factor authentication today with your cell phone.

      --
      Ceci n'est pas un sig.
  29. I'm perplexed by Anonymous Coward · · Score: 0

    People actually slap real details into those questions?

  30. Real security by gurps_npc · · Score: 2

    As I have said before (check my posts): Passwords are ways to keep the ignorant out, not the determined or skilled.

    We need real security - which comes from an obvious list of last attempts to log in. That way we know when and where (IP address tells all), someone tried to log into our accounts. If we don't recognize the times and places, then we can act.

    We certainly can't trust the websites themselves to protect us.

    --
    excitingthingstodo.blogspot.com
  31. Security Questions are a Joke? by Tarlus · · Score: 2

    Question 1: Why did the chicken cross the road?
    Question 2: Why is six afraid of seven?

    * dodges tomatoes *

    --
    /* No Comment */
    1. Re:Security Questions are a Joke? by Anonymous Coward · · Score: 0

      Why is six afraid of seven? Because you're an eight. Ha ha, urinate. That's good stuff.

    2. Re:Security Questions are a Joke? by tftp · · Score: 1

      Question 2: Why is six afraid of seven?

      Because the seven samurai will deep-six pretty much anyone.

  32. Say what now? by Anonymous Coward · · Score: 0

    Security questions are incredibly effective at stopping a hacker. The problem is, sites need to stop offering the same questions that have existed for years.

    Need to get rid of ANY questions that could have answers in the public domain.

    Another problem though is companies need to take these questions seriously. If a wrong answer is given twice in a row, lock the account until personal verification can be attained.

    Apple should know better and just shows how certain corporations don't give a crap about security.
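
Two of the posts above describe the server side that actually matters: gurps_npc (comment 30) wants a visible list of recent attempts with time and IP so the owner can spot ones they don't recognise, and the comment just above wants the account locked after two wrong answers until a person verifies the caller. The block below is an added example for this page, not code from any poster or vendor; the account model, the two-failure threshold and the IP addresses (from documentation ranges) are all constructed for illustration. The answer check is passed in as a callable so this stays independent of how answers are stored.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional, Set

# Added example (hypothetical): an account that logs every recovery attempt
# with timestamp, source IP and outcome, exposes that log to the owner, and
# locks itself after MAX_CONSECUTIVE_FAILURES wrong answers in a row.  Once
# locked, a caller's "plausible-sounding" answer is never even evaluated.

MAX_CONSECUTIVE_FAILURES = 2   # assumed policy: lock after two wrong answers in a row


@dataclass
class Attempt:
    when: datetime
    ip: str
    outcome: str          # "ok", "denied" or "locked"


@dataclass
class Account:
    user: str
    locked: bool = False
    consecutive_failures: int = 0
    attempts: List[Attempt] = field(default_factory=list)


def attempt_recovery(account: Account, ip: str, candidate: str,
                     answer_matches: Callable[[str], bool],
                     when: Optional[datetime] = None) -> str:
    """Process one recovery attempt and return its outcome.

    `answer_matches` is whatever the site uses to check an answer (for example
    a hash comparison); it is only consulted while the account is unlocked.
    """
    when = when or datetime.now(timezone.utc)
    if account.locked:
        account.attempts.append(Attempt(when, ip, "locked"))
        return "locked"
    if answer_matches(candidate):
        account.consecutive_failures = 0
        account.attempts.append(Attempt(when, ip, "ok"))
        return "ok"
    account.consecutive_failures += 1
    if account.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
        account.locked = True
        account.attempts.append(Attempt(when, ip, "locked"))
        return "locked"
    account.attempts.append(Attempt(when, ip, "denied"))
    return "denied"


def recent_activity(account: Account, limit: int = 5) -> list:
    """The owner-facing list: (time, IP, outcome) for the last `limit` attempts."""
    return [(a.when.isoformat(timespec="seconds"), a.ip, a.outcome)
            for a in account.attempts[-limit:]]


def unfamiliar_ips(account: Account, known_ips: Set[str]) -> list:
    """Source addresses in the log that the owner has not seen before."""
    return sorted({a.ip for a in account.attempts if a.ip not in known_ips})


if __name__ == "__main__":
    # Constructed scenario: owner at 192.0.2.10, a stranger at 198.51.100.7.
    acct = Account("alice")
    matches = lambda answer: answer == "correct-answer"   # stand-in for a real check
    attempt_recovery(acct, "192.0.2.10", "correct-answer", matches)
    attempt_recovery(acct, "198.51.100.7", "Fluffy", matches)
    attempt_recovery(acct, "198.51.100.7", "Rex", matches)
    for row in recent_activity(acct):
        print(row)
    print("unfamiliar:", unfamiliar_ips(acct, {"192.0.2.10"}))
```

The lockout counter resets only on a correct answer, and the log keeps the attempts made while locked, so the owner sees the failed run and the address it came from rather than a silent reset.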

  33. random strings in a password file by bcrowell · · Score: 1

    There is an easy workaround for this. You go to the trouble of using a high-entropy password for a certain web site, and then their web interface insists on knowing something like your dog's name, which would be a huge security hole. Well, whatever method you use for making a secure password (I use a hash function), just use that to generate your dog's name. So I'll tell google that my dog's name is bHo3HI38, and lolcats.edu that it's QRYh3l34.

    Give up on wanting it to be memorable. That's pointless and self-defeating. Just stick it in an encrypted file. It's not an inconvenience, because you're never going to use it. I don't ever expect to have to actually tell lolcats.edu again that my dog's name is QRYh3l34.
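    One way to do what bcrowell describes, as an added example that is not bcrowell's own code: derive a different throwaway "dog's name" for every site from one master secret with a keyed hash. The master secret, site names and question text are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Added example, not bcrowell's own code. One master secret (kept in the
# encrypted file the post mentions) plus the site name yields a distinct,
# unresearchable answer per site. MASTER_SECRET below is a constructed value.
MASTER_SECRET = b"constructed-master-secret-keep-this-in-the-encrypted-file"
B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def derive_answer(master_secret: bytes, site: str, question: str, length: int = 8) -> str:
    """Return a typeable, site-specific answer for a security question.

    HMAC-SHA256 keyed with the master secret over (site, question) means:
    - the same inputs always give the same answer, so nothing is memorised,
    - two sites never share an answer, so one site storing it in plaintext
      does not expose any other account,
    - the answer cannot be researched, since it is unrelated to any real pet.
    """
    site = site.strip().lower()
    question = " ".join(question.lower().split())  # normalise case and spacing
    msg = site.encode() + b"\x00" + question.encode()
    digest = hmac.new(master_secret, msg, hashlib.sha256).digest()
    # base32 keeps it to letters and digits that survive any web form
    return base64.b32encode(digest).decode("ascii")[:length]


def answer_book(master_secret: bytes, sites: list, question: str) -> dict:
    """What the post's encrypted file would hold: one answer per site."""
    return {s: derive_answer(master_secret, s, question) for s in sites}


if __name__ == "__main__":
    book = answer_book(MASTER_SECRET, ["google.com", "lolcats.edu"], "What is your dog's name?")
    for site, answer in book.items():
        print(f"{site}: my dog's name is {answer}")
```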

    1. Re:random strings in a password file by bill_mcgonigle · · Score: 1

      I don't ever expect to have to actually tell lolcats.edu again that my dog's name is QRYh3l34

      Yeah, but the FCC might ask him about it.

      (PS your comment is Spot-on).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  34. Incorrect Answers by Bigbutt · · Score: 1

    I noticed this a while ago. I have a password keeper and record the question and the false answer I provide to the question. Even where I can make up a question, I make up a totally different, unrelated answer and record that.

    [John]

    --
    Shit better not happen!
    1. Re:Incorrect Answers by Rob+the+Bold · · Score: 1

      I noticed this a while ago. I have a password keeper and record the question and the false answer I provide to the question. Even where I can make up a question, I make up a totally different, unrelated answer and record that.

      [John]

      I record "correct" answers in a password keeper -- as if some of those questions even have a "right" answer -- but in both our cases the password and the challenge question would either both be available or would be "lost in the same place", as it were.

      --
      I am not a crackpot.
  35. Security questions are designed to weaken security by wkcole · · Score: 2

    They are de facto alternative shared secrets used for authentication, so that instead of there being just one password that will open an account there are more. Because the answers are mostly things we don't think of as particularly secret and many systems use the same sets of questions, the result is what everyone knows is bad practice: a weak password used in many places.

    The right fix for the "security question" mess is not better questions or trick answers, it is to eliminate the process that demands them. A human-mediated password reset process is always going to be subject to social engineering and if the humans mediating that process are low-skill CS reps whose work is only deemed to be worth the prevailing call center wages in Chennai or Manila, the social engineering is likely to be unchallenging. If you must offer a way for a user to recover an account for which they've forgotten the password, it should not be vulnerable to attack via research or pleading.

  36. Bad security questions by cje · · Score: 1

    Not only are some of the "standard" security questions bad because they're easy to research, some of them are bad because there are multiple correct ways to answer them, and it can be difficult to remember how you chose to answer.

    My least favorite security question is "What street did you grow up on?" Depending on the answer to this question, there could be four completely valid ways to answer it. For example, I grew up on 5th Street. So depending on whether or not I feel like the word "street" ought to be included in the response, there are four correct ways to answer this question:

    "Fifth Street"
    "5th Street"
    "Fifth"
    "5th"

    Now, I'll choose one today, when I provide my initial answer. But when I'm asked this question six months down the road, am I going to choose the same one? Maybe not.

    The key is not just choosing good security questions that are hard to research and/or guess. They also should have unambiguous answers.
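    A server-side mitigation for exactly the ambiguity cje describes, as an added example (not cje's code and not any site's implementation): canonicalise the answer before hashing so that every spelling of "5th Street" verifies against one stored hash. The word lists and PBKDF2 parameters are my own choices.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Added example, not cje's code. Canonicalisation removes the "Fifth" vs "5th"
# vs "Street" choices the post lists; the stored value is a salted slow hash,
# as for a password. Word lists and rounds are constructed choices.
ORDINAL_WORDS = {
    "first": "1", "second": "2", "third": "3", "fourth": "4", "fifth": "5",
    "sixth": "6", "seventh": "7", "eighth": "8", "ninth": "9", "tenth": "10",
}
# Suffix words a user may or may not type; dropped before hashing.
STREET_TYPES = {"street", "st", "avenue", "ave", "road", "rd", "drive", "dr",
                "lane", "ln", "boulevard", "blvd", "court", "ct"}
ORDINAL_SUFFIX = re.compile(r"^(\d+)(st|nd|rd|th)$")
PBKDF2_ROUNDS = 100_000


def canonicalize(answer: str) -> str:
    """Lower-case, strip punctuation, map 'Fifth'/'5th' to '5', drop 'Street'."""
    tokens = re.findall(r"[a-z0-9]+", answer.lower())
    out = []
    for tok in tokens:
        tok = ORDINAL_WORDS.get(tok, tok)
        tok = ORDINAL_SUFFIX.sub(r"\1", tok)
        if tok in STREET_TYPES:
            continue
        out.append(tok)
    return " ".join(out)


def enroll(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the answer like a password: salted, slow hash of the canonical form."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(answer: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the candidate's canonical hash with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonicalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


# Caveat: canonicalising "5th Street" down to "5" fixes memorability, not
# guessability; the keyspace shrinks, so attempt limits are still required.
if __name__ == "__main__":
    salt, stored = enroll("5th Street")
    for variant in ("Fifth Street", "5th Street", "Fifth", "5th"):
        print(f"{variant!r:16} -> {verify(variant, salt, stored)}")
```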

    --
    We're going down, in a spiral to the ground
  37. Use very personal questions! by eulernet · · Score: 1

    For example: what is the most shameful event in your life?

    Such events are unique to a person (some say that they define our own personality), and rarely expressed publicly.

    1. Re:Use very personal questions ! by PPH · · Score: 1

      Q: What is your most shameful event in your life?

      A: Forgetting my password.

      --
      Have gnu, will travel.
  38. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  39. I like the ones... by Jafafa+Hots · · Score: 2

    ...that ask for your first pet, because while people can figure out my current and even some former pets, there's nobody I've probably even told in REAL life about my first pet, Aflie, a baby chick I had for a few days. So with that question I'm totally safe.

    --
    This space available.
    1. Re:I like the ones... by PRMan · · Score: 1

      there's nobody I've probably even told in REAL life about my first pet, Aflie, a baby chick I had for a few days

      Well, there goes that...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  40. Do it wrong by Anonymous Coward · · Score: 0

    I may be revealing too much but all of my answers to security questions are non sequiturs. I just need to remember in pairs the questions and answers.

    Q: What's your mother's maiden name?
    A: Apollo13*

    The connection is private, anecdotal and unlikely to be replicated by another's thought process.

    *This is not a real example of one of my answers.

  41. It's not the questions by gerardrj · · Score: 3, Insightful

    It's the answers. For the best security the answers should have nothing to do with the question, just like you see in all those old spy movies:

    Q: What is your favorite color?
    A: walkaboutclock

    Q: What was the name of the street you grew up on?
    A: g!blix05

    When only the account holder can possibly know the answers then there can be no social engineering to bypass the security.

    None of this, of course, has any effect if policies and procedures at the vendor site allow for the questions to be bypassed. As I have posted elsewhere, we don't know the contents of the alleged call; the operator could have been threatened, blackmailed, bribed or even an accomplice.

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
    1. Re:It's not the questions by Sqr(twg) · · Score: 1

      - Customerservicehowcanihelpyou?
      - Hi, I've forgotten my password.
      - No problem sir, we can reset it for you, but first I'll need you to answer a security question
      - OK.
      - "What is your favorite color?"
      - Gee, I remember that I picked an answer that was not a color, but something completely unrelated. Something with "horse" maybe? Or was it "dance"? Please, I really need to get into my account!
      - I really shouldn't do this, but I guess that answer was close enough. Your new password is "..."
      - Thanks, bye!

  42. We tried this at my company... by Spencer+Drager · · Score: 1

    Every week we'd have several people who managed to forget their secret answer. The lesson: secret questions suck. In the future we are not going to use it.

  43. The problem with security questions is that by aussersterne · · Score: 2

    those with memorable answers are precisely those most likely to be very important (i.e. likely public or easily accessible) information.

    You're stuck with "What is your mother's maiden name?" (visit a genealogy website and search for the person to find out) or the alternative, "What was the phone number of the first person you ever dated?" (Something you yourself likely can't find.)

    I've noticed a sharp rise in these kinds of difficult-information questions in recent months. The problem is that if I have to go digging through my personal archives to find the information (if I can even find it at all), it's quite possible that I won't be able to find it when I need it later on, and likely that I won't simply remember it offhand.

    I know people that have taken to generating secure random passwords and using these as the answers to questions, then keeping a spreadsheet with (a) domain, (b) questions, and (c) the random password generated for each question. But of course then there's a spreadsheet hanging around that contains this information, and the labor overhead involved becomes a disincentive to take the questions seriously at all (which is why I also know a person that answers every single security question they're asked to answer with "None".)

    But seriously, at the practical level, who can answer:

    What was the first name of your third grade teacher?
    What was the nearest cross street to the home you lived in as a child?
    Who was your sports or other hero at eight years old?
    What was the name of your boss on your first job?

    All of these kinds of questions dig back into obscure things that haven't been important to most people in many years, not to mention that many people wouldn't have known in the first place, and/or the answers could be so ambiguous that you'll struggle to remember what you entered ("Superman?" "My dad?" "Neil Armstrong?") given the ambiguities and categorical thinking involved.

    I tend to think that the answer to security is a social one—calculate the risks and use "good enough" security, then assume that some percentage of security cases will fail and maintain resources/insurance to address the resulting cases in a way that allows you to continue to do business and gain users/customers. More or less what happens with banking right now.

    --
    STOP . AMERICA . NOW
    1. Re:The problem with security questions is that by Kjella · · Score: 1

      But seriously, at the practical level, who can answer:

      What was the first name of your third grade teacher?
      What was the nearest cross street to the home you lived in as a child?
      Who was your sports or other hero at eight years old?
      What was the name of your boss on your first job?

      1) Well I can't. But you know schools tend to have yearbooks and with some minor effort I could probably find out.
      2) Oh I don't know, look up where your parents live for example? That works for many 20-somethings at least. And if you moved a lot as a child, it doesn't really have a unique answer.
      3) You're assuming there's one hero that stands out above all others, most likely a year later I won't know which of the almost-equally-great people I put down as my hero.
      4) Granted, this is probably the best one. Not exactly bullet proof though, but would certainly take some work.

      Anyway, I could probably come up with some good ones. But the problem is that I'd probably have to share them, it's the same problem as using the same password everywhere. It's not very smart.

      --
      Live today, because you never know what tomorrow brings
    2. Re:The problem with security questions is that by aussersterne · · Score: 1

      That's my point. The questions on their own don't have clear answers for most people, much less memorable ones. The more likely they are to be clear and memorable, the more likely it is that other people know that about them as well.

      (These are real questions, BTW. As a part of work not so long ago I created test accounts on a bunch of new web services and saved some examples of challenge questions that I thought were stupid.)

      --
      STOP . AMERICA . NOW
    3. Re:The problem with security questions is that by Anonymous Coward · · Score: 0

      "What was the first name of your third grade teacher?
      What was the nearest cross street to the home you lived in as a child?"

      These especially are hilarious: I've been in 3rd grade _three_ separate times, as our schooling system handles grades that way. Not in the US, obviously, and at the time I was in school. The nearest current equivalents would be elementary school, junior high and high school, and all of those had a "3rd grade", but of course the US uses different grade numbering.

      All of those are >30 years back; I've no memory of the teachers' names, and in the 3rd round there were several. Also, finding those in any record (not just public ones) might be near impossible after all these years.

      So not only is it a confusing question, but it's impossible to answer in a unique way.

      Also I've lived at least three places "as a child", which one of those do I choose/have been using?

      Same problem as previous question.

    4. Re:The problem with security questions is that by volmtech · · Score: 1

      The first girl I ever dated? Jenny, 867-5309, why?

  44. Liability != Policy by aussersterne · · Score: 1

    When a company loses value on the NYSE, this is not the same as saying that this poor company makes it a policy to see their stock value decline.

    Companies can be held liable and accused of failure in meeting their goals. This is a separate issue from suggesting that they have the wrong goals.

    Similarly, a single employee can represent a point of failure in meeting company goals. This is different from suggesting that all company employees are unable to contribute to meeting company goals.

    --
    STOP . AMERICA . NOW
  45. Here's mine by Anonymous Coward · · Score: 0

    Question: Ze5rohx9
    Answer: PohJae1u

    A bullshit problem requires a bullshit solution. Took me 10 seconds flat.

    (For those who don't know, the great little program I used to generate these random passwords is called "pwgen".)

  46. When THEY make up the answers for you by Anonymous Coward · · Score: 1

    I've noticed twice lately sites that make up their own questions based on stuff in some database. First time was Walgreens and then Chase bank. "Which of these was your former address?" and it gave 4 addresses and a "none of these". Repeat for 4 questions total. It was creepy but it did work. For Chase, I was helping a friend. I could answer one question but not all of them without asking.

    I haven't seen any comments on this although it's technically off topic concerning social engineering to gain access to someone's account.

    1. Re:When THEY make up the answers for you by DeadCatX2 · · Score: 1

      They were probably looking at your friend's credit report. When I filed for an annual credit report they asked me questions exactly like that, "what's a former address? [lists 4 and none of these]".

      --
      :(){ :|:& };:
  47. Simple solution by QuietLagoon · · Score: 1

    ...'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen,...

    Why does anyone feel the need to use his/her real high school or whatever in answer to those questions?

    I use a made-up word to answer those types of questions, e.g., use every other letter of the school's name, or use a series of letters and numbers that have nothing to do with your high school.

    I treat those questions as just another password prompt.

  48. Toughest security question I ever had by Anonymous Coward · · Score: 0

    The toughest security question I ever had was for getting a birth cert. I needed the cert to get a California license when I moved. They would not accept the Xerox, which was the only thing I had ever had. It had to be a certified copy from the city, with a stamp. The only practical way to get it was to go through an expediting company online. They had several security questions to verify my ID; but one gave me pause:

    Which one of the following is a phone number you had in the past five years? (multiple choice).

    Thank God it was multiple choice! I only had the vaguest recollection of the number. I was several years into using a cell phone. The numbers are always on speed dial with a name. Does anybody remember phone numbers now?

  49. Two factor authentication by KhabaLox · · Score: 1

    I 1000x prefer two-step authentication à la Gmail.

    I'm setting this up because, why not? The conundrum I face is that the only mobile phone I have is for work. I have a Google Voice number which forwards to my work cell. I set up the 2 factor with my Gvoice number, but this seems inherently weak and vulnerable to me, as an attacker could simply re-route the Gvoice to another phone if they got into my Google account. On the other hand, they can't get into my Google account from an untrusted computer without my work cell (or whatever phone Gvoice is pointing toward at the time).

    Am I being paranoid, or should I change the 2 factor authentication phone to be an actual cell number instead of Gvoice?

    --
    Ceci n'est pas un sig.
  50. Security nightmare... by geogob · · Score: 1

    I hate those questions. Seriously. Once I was faced with something like this... I had to choose at least two from a list of questions in a registration process. It was mandatory.

    Questions were something like:
    - where did you spend your honeymoon...: I'm not married.
    - what is the name of your first child...: I have no children.
    - what is the name of your first pet...: does that include fake pets? Because I never had a pet.
    - what is the maiden name of your grandmother...: why the hell would I know or remember that?
    - what was your favorite song in the eighties...: oh! oh! I know. This one... mmmm no, that other one... mmm no no, this one was better! mmmm, that's not going to work.
    - what is the favorite colour of your oldest child...: not again with this?

    I honestly have no clue what I answered to either of the two questions I chose, nor which questions I chose.

    1. Re:Security nightmare... by Cro+Magnon · · Score: 1

      "What's your childhood friend's first name?"

      I'm an anti-social nerd. I didn't HAVE any childhood friends!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:Security nightmare... by Rob+the+Bold · · Score: 1

      I hate those questions. Seriously. Once I was faced with something like this... I had to choose at least two from a list of questions in a registration process. It was mandatory.

      Questions were something like: - where did you spend your honeymoon...: I'm not married.

      . . .

      I honestly have no clue what I answered to either of the two questions I chose, nor which questions I chose.

      It doesn't necessarily get easier if you are married, either. Plenty of online accounts you'd probably share with a spouse: utilities, joint checking, etc. Then it's "your grandmother or mine?" or "your fish or my lizard?" or "your song, my song or 'our song'?" Even when you try to come up with a scheme, like "always yours", you've already signed up for a bunch of these before you realize the problem or before the ambiguity problem existed in your "care-free single days."

      --
      I am not a crackpot.
  51. Re:Security questions are designed to weaken secur by KhabaLox · · Score: 1

    Mod parent up. It's quite darkly amusing that sites require 3-5 security Q&As so that when you answer the first one incorrectly you get 2 or 3 more swipes at the apple.

    --
    Ceci n'est pas un sig.
  52. Simple: Lie! by Anonymous Coward · · Score: 0

    What high school did I go to?
    The school of boston tech.

    No, it doesn't exist (as far as I know... I'm from California). I just made it up, but I use it whenever I'm asked about my high school, making it easy to remember. A hacker can do all the research they want and never guess the lie...

    However, I just reduced the security to a series of passwords, but that is a different problem.

    I like two factor authentication... something you have + something you know. You want your password reset, OK... on the back of your i-device, what is the serial number? Now they have to be in your house/work and it reduces the number of people that can hack you to a smaller set that is easier to identify.

  53. Then make it simple... use an algorithm! by gosand · · Score: 4, Interesting

    Use an algorithm.
    Use real answers, but replace vowels with the letter Q. (for example)
    Mother's maiden name: Smith => SmQth
    First pet: Spot => SpQt

    Just make up a general rule. This is what I do with my passwords. They are based on a rule that I can remember. Then you can apply that rule to any password.
    Like switch the first and last letters. Smith = hmitS, Spot = tpoS. Or use numbers. Or a combination. It quickly looks like nonsense, but if you use a rule then you can apply it. Or change it. If you have to change a password, then switch from using Q to W, then E, then R, then T, etc.

    You can even write down your rule in plain sight. If I wrote down "flip Q" as a reminder, it would remind me to flip the first and last letters, then replace vowels with Q.

    And I just came up with this one for this post. The one I actually used is based on something nobody could guess, and has been altered over the years so that I am the only one that knows it. And it works! I still remember an intern at my first job left to go back to school in 1994, and he told me his unix password in case I needed to get into his account. It was CIrpotb, (Clearly I remember picking on the boy,) from Pearl Jam's song Jeremy.

    --

    My beliefs do not require that you agree with them.

    1. Re:Then make it simple... use an algorithm! by John+Hasler · · Score: 1

      Just make up a general rule. This is what I do with my passwords. They are based on a rule that I can remember.

      That's what I do as well. The rule is "Look in the little black book".

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Then make it simple... use an algorithm! by DirtyLiar · · Score: 1

      I now "nwO" all your accounts!

      --

      THINK! It's patriotic
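    The "flip Q" rule gosand describes, written out as an added example that is neither gosand's nor DirtyLiar's code, using the post's own sample answers and the Q, W, E, R, T rotation it suggests for forced changes. No value here is anyone's real answer.

```python
# Added example, not gosand's code: the "flip Q" rule from the post, plus the
# Q -> W -> E -> R -> T rotation it describes for forced changes.
VOWELS = "aeiouAEIOU"
ROTATION = "QWERT"  # the keyboard-row sequence the post suggests for changes


def flip_ends(word: str) -> str:
    """Swap the first and last letters: Smith -> hmitS, Spot -> tpoS."""
    if len(word) < 2:
        return word
    return word[-1] + word[1:-1] + word[0]


def replace_vowels(word: str, letter: str = "Q") -> str:
    """Replace every vowel with one fixed letter: Smith -> SmQth."""
    return "".join(letter if c in VOWELS else c for c in word)


def flip_q(real_answer: str, generation: int = 0) -> str:
    """The combined rule written down as "flip Q": flip first, then replace
    vowels. `generation` picks the replacement letter for the n-th change."""
    letter = ROTATION[generation % len(ROTATION)]
    return replace_vowels(flip_ends(real_answer), letter)


# Caveat the thread itself raises (DirtyLiar's "nwO"): the rule adds no secret
# beyond the real answer, so anyone who learns the rule, or sees one
# transformed answer next to its researched original, recovers all the rest.
if __name__ == "__main__":
    for answer in ("Smith", "Spot"):
        print(answer, "->", replace_vowels(answer), "/", flip_ends(answer), "/", flip_q(answer))
```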

  54. Simple solution - Lie + nonsense by Anonymous Coward · · Score: 0

    If you are telling the truth on these questions, you deserve to be hacked.

    Lie. Don't tell the truth.
    Store your answers in your password-safe along with the questions.

    My answers are different for every site.
    My answers are junk - random characters, not words.

    When I get to set the question, I use "look it up:" to remind me the answer is in the KeePassX DB.

    Never tell the truth. Heck, I don't even use my real birth date.

  55. They aren't "security" questions... by joebok · · Score: 2

    These things are not about security - they are about convenience. Primarily they are used for self-service password resetting. I don't think beefing up the "security" on convenience questions is really very helpful.

    If you are serious about your security, you should pick randomized strings to use as the answers to the convenience questions, then store them in a nice secure password safe.

  56. Generate Passwords For Answers by Slashdot+Parent · · Score: 1

    I just use generated passwords for the question answers, and store the answers in Lastpass.

    Any idiot can figure out where I went to high school in about 20 seconds of googling, and that's over a slow connection.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  57. Identity is hard, and we make it harder by medcalf · · Score: 1

    Identity is difficult. We have a mental model that says that a person is a person — a simple one to one correspondence that always holds the same. That is, I am always identical to myself in all aspects and particulars. This model is insufficient in at least four aspects: we are made up from and are a part of multiple identities; not all of our identities are directly connected; parts of our identities change over time; and we have different uses of identity which require different ideas about identity, but we treat them all as if they are the same.

    When I am typing on SlashDot, part of who I am comes through. This is not the same part that comes through when I'm with my family, nor are either of those the same as what comes through when I am at work. You can say that in some sense these are all the same, just with different aspects showing through, which is basically (not to troll, but just to make it easier to visualize) the same as the Christian conception of Deity in three parts, each distinct but also each identical. You can also say that these are in some sense different identities, linked by my mind and body. Normally, the distinction wouldn't matter, but there are cases where it does. For example, consider the case of multiple personalities. It's a rare disorder — far more rare than movies or criminal defendants would have you believe — but it does exist. In a true multiple personality case, even the memories accessible to different personalities can be wildly different, along with of course their personalities and behaviors. Online, this is frequently encountered, because people assume different characters in different contexts, and in the anonymizing world of online communities, these characters can be wildly divergent. Treating all of these as identical misses a lot of nuance that typically is not very meaningful in everyday life, but is meaningful in circumstances rare in everyday life but common on computers. The foremost example of this is that I don't want an online identity I don't completely control (my work login) having access to an online identity that I do completely control (my bank account) which has real-world, practical consequences if the two get mixed up in some fashion. And yet both of these identities are real, complete identities, each sufficient to grant me access to a different set of information with limited access.

    It's actually even harder than the above would imply, because not all of our identities even overlap. Consider reputation. One of the reasons Anonymous Cowards are so frequently despised on SlashDot is that they have no reputation. You cannot believe that just because an AC tells you something interesting, true and not widely known in one context does not mean that that AC or a different one will not lie outrageously and slanderously in another context. My reputation here, or on Twitter, or in real life is in some sense connected to my other identities, in that it was my actions that partially formed that reputation, but they are not directly connected. Consider the case of negative political advertising, which is often so effective precisely because the attack is on the reputation of the target, and thus is not entirely within the control of the target. This makes it much harder for a politician to defend himself, because those reputations can be changed beyond the control of the politicians themselves. Moreover, anyone who has ever done anything of note will likely have multiple reputations. Would anyone argue that Jimmy Carter's reputation among Republicans (formed largely by his foreign and economic policies and the contemporaneous condition of the outside world) is the same as his reputation among Democrats (formed largely by his humanitarian work after he left office)? These reputations do not directly connect to each other, and only in a tangential way do they connect to his reputation among family and friends. So it is with all of us, though usually less dramatically than that.

    Our identities also change over time. Not

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    1. Re:Identity is hard, and we make it harder by Anonymous Coward · · Score: 0

      tl;dr: Wall of text crits you for 50 damage.
      You have been killed by Wall of text.

    2. Re:Identity is hard, and we make it harder by medcalf · · Score: 1

      You want pictures?

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  58. Solution Fail by ZombieBraintrust · · Score: 1

    These security questions can be answered over the phone. Capitalization and spelling are ignored. If you put in random letters and numbers they would likely just listen to the first few characters before allowing you in.

  59. Public Records aren't so Accurate by Anonymous Coward · · Score: 0

    Many of my immediate ancestors, one generation back, died when I was under 10 years old. So, I don't have first-hand knowledge of the Security Question banks ask. Internet searches might find more about me than I know.

    "In what city were you born?" comes up often, but I honestly don't know. Pennsylvania only lists the county name on birth certificates, and that's all I have. Also, some Nun named me at a Catholic hospital and my parents used that.

  60. Hockey, Cat or Dog by Anonymous Coward · · Score: 0

    When you know a little bit about local sociology, you can guest many answers of those "security" question. I've often seen security questions like "What is your favorite sport?". If you live in Canada, the chances are that the answer is Hockey. Other possibilities, with lower occurring : Football, Baseball or Soccer.

    Another one, "What is your favorite animal?". Well Dog and Cat is probably answered 90% in Occident in general...

    Those questions are so easy to guests and are part of insecurity, not security...

    PS : Sorry if I made any grammatical error, English is my second language. Wish your eyes are not bleeding like a river on spring...

    1. Re:Hockey, Cat or Dog by Anonymous Coward · · Score: 0

      Not being mean, just trying to help you better learn English.

      You mean "guess", not "guest".

      Other than that, it seems like you speak better English than some people who have it as their first language. Not sure what occident means...accident?

  61. What's worse is.. by Anonymous Coward · · Score: 0

    If you don't want your family or (ex-)spouse in something. They know everything anyway.

  62. How about this: by SirGeek · · Score: 1

    Answer with nonsense (that you CAN remember).

    • Where were you born: In a Brothel in Bagdad
    • What was your father's name: Jor-El
    • What was your favorite pet's name: Shit Licker
  63. They forgot one - Immutable by cyberfunkr · · Score: 1

    ...has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research.

    Some may consider this a spin off of "Definitive", but I would like to add "Immutable".

    Immutable -- The answer should not change over time or situation

    The classic example of failures of this criterion would be "What is your favorite artist/song/color/book/food/child/body part/etc?" Since no site ever lets you go back and adjust your security question, the answer you give is the answer you must stick with. There are dozens of websites that can easily tell I was a child of the 80's. This also means questions involving time-sensitive things cannot ask for the most recent of something, like "What is the last tattoo you got?" or "What did you eat for breakfast today?"

    Better variations of these questions would be, "In second grade, who was your best friend?", "What street did your first love/crush live on?", or "What was the make/model/OS of the first computer you owned?" They exist in a fixed point in time, and do not change based on whim.

  64. Of course it's impossible. That's why I don't try by Mike+Van+Pelt · · Score: 1

    I have made up one really, really good password that I will not forget -- over 16 characters of mixed case, digits, and punctuation -- that I use for one purpose:

    The password for my key manager.

    I let the key manager create long, totally impossible passwords, and use it to log into everything else.

    I've used pwsafe and keepass in the past; currently, I'm using LastPass. (Logging in to it with a very special email address that I use only for LastPass, nothing else.)

  65. My typical 'security question' answer... by CCarrot · · Score: 1

    Q: "What was the name of your first dog?"
    A: oiq387jhoxzlpo8q )7y9l;iop;a jnls7ul.l

    Keepass is your friend.

    Keepass combined with SpiderOak is your portable, mobile, goes-everywhere-you-go friend :)

    --
    "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
  66. You can help make them more secure, though. by Chris+Mattern · · Score: 1

    Where did I go to high school? VaduvEl4
    What is the name of the first street I lived on? HarUkDargIs6

    Thanks, apg, for providing the answers for those questions. Question and answers go in an encrypted password store (I use Password Gorilla, myself).

    1. Re:You can help make them more secure, though. by ILongForDarkness · · Score: 1

      The problem is that the security questions are often used to reset your password, and at least in my experience no one makes the entry field for the security question into a password field. So it is plain text. Sure hope you don't use those strings as other passwords, but even if you don't, anyone looking over your shoulder/screenscraping etc. can get your security question answers.

      I think a better approach, not perfect, just better, is for the bank to assign you a password and call you once a year to come into a branch with ID to get your new password. No weak passwords, passwords have nothing to do with the users, they must be changed regularly, etc. Website-only things (like an Amazon account) are a bit more of a pain, but even they have 1-800 numbers to call for help when the net doesn't do it for you.

  67. Or Mine... by Greyfox · · Score: 1

    WHAT... is your favorite color?
    WHAT... is the air speed velocity of an unladen swallow?
    WHAT... are you wearing? (The answer to the last one is "I don't think that's an appropriate question!")

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  68. Another simple solution... by Krokus · · Score: 1

    Why is it necessary for the answers to these security questions to be correct answers? I have standard outright lies as answers for my security questions, and those answers are known only to me.

  69. Obvious! by pubwvj · · Score: 1

    I've been telling my bank, and other web sites, for years that the security questions are fundamentally insecure because they have obvious researchable answers. My solution is I answer them with random possibly (probably) incorrect information. Just treat them like another password.

    Q: "Who was your boyfriend?"
    A: "Sticky iron bars in 4 feet of concrete"

    Q: "What was your first car?"
    A: "Kurk rocks wood in a dirty green dust cloud of 51 chefs."

    Q: "Which branch do you bank at?"
    A: "At a stupid place filled with morons."

    Oh, but that last one was obvious and correct. Well, throw one in now and again to keep the hackers guessing.

  70. Custom questions by nitehawk214 · · Score: 1

    Some sites would allow custom questions. So I would always put in a question like, "What are you wearing?", so the customer rep on the phone would have to ask me that. Then I could put in an answer like "That's an inappropriate question!", that I would reply back with.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  71. Security questions ARE a joke... by Ceseuron · · Score: 1

    How the ridiculous notion of obscure, irrelevant questions became accepted as an additional layer of security is beyond me. In the extremely rare circumstance that I find a site that lets me at least formulate my own questions and responses, I'll usually play along. But I flat out refuse to have any involvement with any organization that requires a selection of questions from a predefined list. For example, when the servicing company in charge of my student loan account opted to force every user to answer five of "The Usual Questions" before allowing me to log in and make payments, I contacted them and politely asked that they remove the requirement from my account, as I didn't think their mandatory questions made my account any more secure. They refused, so I simply cancelled my online account and informed them that they would receive all future payments by mail. Now they get a check, mailed out via my bank's online bill pay system, that they have to process.

    Speaking of my bank, they actually haven't fallen into the same rut of foisting security questions on their account holders. Instead, they've got SMS verification that simply sends my phone a text message with a one time use access code. Much more convenient and secure than asking me what my neighbor's best friend's twice removed cousin's dog's favorite brand of dog food was when I was in third grade.

  72. Limited Number of Answers by GeoSanDiego · · Score: 1

    The two most commonly used questions for a company I used to be a developer for were "What is your favorite color?" and "What is your favorite number?". I tried telling them that they should not be using questions for which most answers would fall within a very small range. But they didn't seem to want to change them.

    1. Re:Limited Number of Answers by neminem · · Score: 1

      What is my favorite number? e, or maybe i, or 2pi. Bet nobody's going to guess -those-. (At least not until now.)
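The "small answer range" problem GeoSanDiego describes is measurable against the summary's "Safe" criterion. This is an added example, not code from the thread or any site mentioned in it: it audits a constructed (not surveyed) distribution of answers to "What is your favorite color?" and compares an attacker's odds within a lockout limit against a randomly generated answer of the kind Chris Mattern's apg produces.

```python
"""Audit the answer space of a predefined security question.

Added example, not from the Slashdot thread. The answer counts below
are a constructed sample, not real survey data; they stand in for
what a site would see in its own password-reset database.
"""
import math
from collections import Counter

# Constructed sample of 100 answers to "What is your favorite color?"
FAVORITE_COLOR = (["blue"] * 40 + ["green"] * 15 + ["red"] * 12 +
                  ["purple"] * 10 + ["black"] * 8 + ["yellow"] * 5 +
                  ["orange"] * 4 + ["pink"] * 3 + ["white"] * 2 + ["brown"])


def answer_probabilities(answers):
    """Normalise answers and return their probabilities, most common first."""
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def shannon_entropy_bits(probs):
    """Average uncertainty; flattering for skewed distributions."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy_bits(probs):
    """Worst case: the attacker's first guess is the most common answer."""
    return -math.log2(max(probs))


def success_within_guesses(probs, guess_limit):
    """Chance that guessing the top answers succeeds before lockout."""
    return sum(probs[:guess_limit])


def uniform_success(space_size, guess_limit):
    """Same figure for an answer drawn uniformly from space_size values."""
    return min(guess_limit, space_size) / space_size


def audit_question(answers, guess_limit=5, max_success=0.001):
    """Summarise a question's answer space and decide whether to allow it.

    guess_limit models the site's lockout; max_success is the acceptable
    chance that a guesser gets in within that limit (both assumed values).
    """
    probs = answer_probabilities(answers)
    p = success_within_guesses(probs, guess_limit)
    return {
        "distinct_answers": len(probs),
        "shannon_bits": round(shannon_entropy_bits(probs), 2),
        "min_entropy_bits": round(min_entropy_bits(probs), 2),
        "success_in_limit": round(p, 3),
        "acceptable": p <= max_success,
    }


if __name__ == "__main__":
    print("favorite color:", audit_question(FAVORITE_COLOR))
    # Baseline: an 8-character answer over a 62-symbol alphabet, as a
    # password generator would produce, under the same 5-guess lockout.
    print("random 8-char answer:", uniform_success(62 ** 8, 5))
```

With the constructed sample, five guesses succeed 85% of the time and the min-entropy is about 1.3 bits, which is why a predefined "favorite color" question fails the "Safe" test no matter how strict the lockout.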

  73. Unbreakable Password by krsmav · · Score: 1

    On the Gibson Haystack checker, "My hovercraft is full of eels" will take 2.89 hundred million trillion trillion centuries even for a Massive Cracking Array. In the unlikely case that the complete Python scripts are part of the initial check, I'll probably change it to "My hovercraft is full of Slashdotters"

  74. Re:mother's name by TaoPhoenix · · Score: 4, Insightful

    How did the summary miss the chance to mention Facebook? Oh, they don't mention the F-word (!!) for once when it makes the Zuck look bad?

    For lists of questions that don't include "design it yourself", Facebook is the Walmart of Secret Question Busters.

    (Simulation)
    "Yay, I feel special, I made a Facebook account! Let's tell the whole world who I am! I'm ______ ______, I born and raised up in Philly, shout out to all the Main Street peeps! My whole family is there in Philly. Let's Like Mom, and Mom's whole family! I named my cat after Susan Boyle's, Pebbles."

    (Later, looks at security questions. "Doh!")

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  75. computer geek cute by coyote_oww · · Score: 1

    For geeks:
              female voice == acceptably attractive

  76. Give a false answer. by Anonymous Coward · · Score: 0

    The trick to these questions is to choose one (or all) of them to have a false answer.

    For example:
    Your surname is Jones and your mother's maiden name is Smith. When prompted on the website, you respond like this:

    Question: What is your mother's maiden name?
    Answer: Paper

    The only time you need to give a correct answer is when they require proof of it.

    But won't that be hard to remember when you have a different answer for each question over hundreds of web sites?
    Choose one set of questions and one set of answers and use them universally.

    Using answers such as "None", "Never", etc. also degrades the ability of someone to datamine the correct answers.

  77. I'm quite bummed by current developments... by gwolf · · Score: 2

    In Mexico, the two banks I use use two-factor authentication: a password (with some non-obviousness requirements, but yes, in the end they put stupid hard limits on the entropy, such as a maximum of 8 characters) and a security token. I have had one for over six years (lost the second one, but it lasted ~5 years on me) without a hiccup.

    They are now telling me it's safer to kill the tokens and use an SMS to my cell phone as the second factor. Right, as if there is phone coverage always, everywhere. As if SMS messages are always instantaneous. As if I always have my phone on me. As if I never travel overseas (and avoid using the phone because of the roaming costs).

    So, by the end of the month, one of the banks will stop accepting a perfectly safe security practice.

  78. Or maybe they are not... by gwolf · · Score: 1

    very much born in the USA or Europe?

    FWIW I make ~US$15K a year, and I am nowhere near the bottom curve of the salary level.

  79. Obvious solution by Evil+Pete · · Score: 1

    is to deliberately use an incorrect answer. First street you lived in? Make one up that only you know. Mother's maiden name? Make it up. Just have a reliable way of remembering it.

    --
    Bitter and proud of it.
  80. Sometimes The Answer Is Ignored by Jason+Levine · · Score: 1

    Someone stole my identity and tried to open a credit card in my name. They got my name, address, social security number and date of birth right. However, they got my mother's maiden name wrong. You would think that would raise red flags, but the credit card company just approved the card anyway. Sometimes these "security" questions are worse than an easily guessed joke: Sometimes the answers to them are simply ignored.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  81. But that's a security problem. by reiisi · · Score: 1

    There are simple security issues like the strength of a password or the strength of encryption on the file where the password is stored.

    Security includes harder system problems, like where the password file should be stored, should they all be stored together, how to enforce permissions or privileges on the password file(s) and so forth.

    And even harder problems, like how do you encrypt the username/password exchange. (And whether and how the username should be encrypted as well.)

    And then you get to the really difficult problems of managing security. Which includes secretaries and help desk personnel and customer policies that are susceptible to social engineering. These, also, are part of security.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  82. Entertaining by reiisi · · Score: 1

    The really amusing thing is that this is exactly what passwords originally were.

    Before computers, I mean.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  83. Re:Of course it's impossible. That's why I don't t by Miamicanes · · Score: 2

    How do you deal with sites whose stupid password "complexity" rules disallow the passwords generated by an app like LastPass? You know, the braindead rules that ignore total length, and only care that 3fa456d9eee71e8b doesn't have uppercase characters, has three 'e' characters in a row, has a 3-character sequence like '456', and/or lacks punctuation? Or worse, sites that reject it for HAVING digits, or being 16 characters instead of 12 (max)?

    I tried a program like that ~6 years ago (I forget which one... it was for PalmOS), and ended up getting totally frustrated because more than half the sites I used were intolerant of the passwords it generated. Even when I forced the program to generate what I thought might be the least-common-denominator acceptable to most sites (exactly 8 characters, forcibly mixed-case with at least one digit), I STILL ran into sites that rejected them for stupid reasons that had nothing to do with real entropy, and everything to do with the fact that the web app's author apparently didn't know how to use JavaScript properly (half the time, they only did client-side validation, and it was obvious that the main reason for some of the rules was the author's inability to do proper JavaScript regular expressions).

    Of course, let's not forget the joy of trying to use an app like that with a mobile phone and banking apps that bend over backwards to prevent you from entering the password in any manner besides one character at a time, by hand, using an onscreen keyboard that shuffles itself around after each character, from rote memory. Or even the stupid mobile website for an unnamed pizza chain that acts like your online ordering credentials are the arming keys to America's nuclear missiles (despite not actually storing your credit card or any other sensitive info online), and hasn't gotten an order from me in years because I don't have the patience to deal with them.

  84. Re:Dumbest security questions 1st price: Mizuho ba by adnonsense · · Score: 1

    If you can, get an account with Shinsei Bank; the system is much saner (relatively speaking). And you also get free ATM cash withdrawals at 7-Eleven and post offices.

  85. What a totally meaningless and untrue statement! by Anonymous Coward · · Score: 0

    Passwords have reached the end of their useful life adds Bruce Schneier.

    What a totally meaningless and untrue statement!

  86. Security Questions are Bad by Anonymous Coward · · Score: 0

    The problem with security questions is that fundamental personal identity information cannot be reset. You can reset and change a password, but you cannot reset your mother's maiden name. And once such information is leaked (which it most probably will be), then your identity is at even greater risk of theft.

    What idiots decided that instead of enforcing stronger passwords they are instead going to force people to divulge personal information which cannot ever be reset? Have they really thought carefully about what they are doing?

    Passwords are still excellent, provided a reasonable standard of password is enforced.

  87. It needs to be unique, as well. by RichiH · · Score: 1

    If every site uses the same set of questions that fulfill the four requirements laid out by the OP, the system is still broken.

  88. Even simpler solution by Anonymous Coward · · Score: 0

    Answer random nonsense to the question. No-one can know the answer.
    Think of it as an extra password.

    Who in their right mind puts real information to those things anyway???!!!

  89. Well by trifish · · Score: 1

    Bruce saying that "Passwords have reached end of life and are for lower-security applications only" is just plain stupid.

    Maybe if he said passwords to online services, then I might agree. But a good offline password is still one of the highest-security measures there are.

  90. Lie by Anonymous Coward · · Score: 0

    This is why your answer to these questions should be lies. Anyone can look up your mother's maiden name. But if you lie and type in something completely off the wall, you have created a second password field, essentially.

  91. Use REALLY secret answers by Anonymous Coward · · Score: 0

    I'm an in-the-closet bi-sexual and use terms which only I would know to describe my homosexual partners acts ... works for me so far and is very arousing at the same time thinking about how to cum up with the words!

    Oh, and PS, BTW, the graphic word to post this was "mounted" -- OMG! The irony of it all! Yes!!!!!

  92. Re:mother's name by Anonymous Coward · · Score: 0

    Well, the obvious answer is to just lie for your answers (and/or everything on your FB). The only trouble will be having to remember which lies you told.

  93. Favorite Color by Anonymous Coward · · Score: 0

    I write it in hex... troll -.-

  94. Don't give real answers by Anonymous Coward · · Score: 0

    You need to be careful about the information you post on social networks and Guild/WoW-related sites. If you post too much, it just makes it easier for hackers to steal your identity. If you tell the whole world your mother's maiden name, then the whole world knows the answer to one of your possible secret questions. If you post your email address, and that is also your B-Net account name, you have given away half your login information.

    It was public information about Sarah Palin on the internet that allowed a hacker to find her email account and guess her SQ&A. All he had to do to gain control of her email account was use her SQ&A with her email provider's forgot-password feature.

    For your SQ&A, give a misleading answer to your secret question, but still make it something you can remember. Example: they ask what is your mother's maiden name, give your father's mother's maiden name; they ask what was your high school mascot, you give the mascot of your high school's crosstown rivals; etc.

  95. Credit Agency Questions by rojash · · Score: 1

    The questions used to identify you based on past history, like previous street/city and mortgage questions, also have their limitations.

  96. Re:Of course it's impossible. That's why I don't t by Mike+Van+Pelt · · Score: 1

    1) LastPass lets you configure length and character set rules independently for every site. If it generates one the site won't accept for other reasons, you can just click "generate" again.

    2) The mobile app (which isn't free; it's part of the premium package for $12/year) includes (for Android, anyway; can't speak to iOS) a "keyboard method", so you switch your keyboard entry method to "LastPass", and it works with the few banking-type apps I've tried it with.

  97. secret questions by Anonymous Coward · · Score: 0

    Yes, perhaps, most secret questions are a joke for most people whose history is not a matter of record in the US but for people who were born or lived abroad, particularly in countries with limited access to demographic information for instance, I believe even the most accomplished expert, having access to the most powerful computers, could discover the answer to questions based upon unrecorded information, residing only in the mind of the person who is privy to the information, so long as he/she does not use the same security question frequently in a country where records are kept.

  98. My Question. by Anonymous Coward · · Score: 0

    Security Question : WTF?
    Answer : FTW!

  99. Re:Of course it's impossible. That's why I don't t by Miamicanes · · Score: 1

    But then, when you go to log into a site with wacky rules that requires a special password using a different computer/tablet/phone, how does it KNOW it has to use the alternate password scheme?

    The LastPass keyboard is a nice idea, but AFAIK, Android doesn't allow on-the-fly keyboard switching (you have to launch settings, navigate to 'keyboard and input', set a new default keyboard, then start over). I use Graffiti for everything (I'm crippled without it), so I'd still be SOL. So would somebody who uses Swype, a split tablet keyboard, or even the funky keyboard whose name eludes me that has you compose English the way Koreans compose Hangul (ex: 'd' = 'c' + 'l').

  100. I just lie by DirtyLiar · · Score: 1

    I answer security questions incorrectly, so the likelihood of anyone guessing my password through research is nil.

    I also have different passwords for every account, but based on something (that I'm not going to even hint at).

    Still, I think I will continue to not have an Apple account of any kind, because under certain circumstances I could be very screwed.

    --

    THINK! It's patriotic

  101. Mother's Maiden Name by Anonymous Coward · · Score: 0

    Never use the question about mother's maiden name. Since that has been used by financial institutions for decades, it is one of the items that is needed for credit card fraud & identity theft. Choose another question, or have another answer that isn't similar to the real answer.