For sites that let you make up both the question and the answer, Bruce Schneier has suggested having some fun with it [1] to make your conversations with support more amusing. Examples:
Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.
A: Go forth, and kill. Zardoz has spoken.
Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I'd like to speak to your supervisor.
Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.
A: It's a good thing they're recording this call, because I'm going to have to report you.
While you don't have as much flexibility when you do not get to write the question, I'm sure there are still plenty of amusing answers you could pick.
This is all well and good until you call your bank, and taking a look in your password database you discover that your first pet's name is Adolf Hitler.
The conversation that follows becomes somewhat awkward...
I’ve been using rap lyrics for a long time. Had to get on the phone with the bank once and explain that “I like big butts and I can’t deny” and the response from the teller was priceless.
Here's what I do: random long strings as answers for each question, and save them with the credentials in KeePass. That way I keep track of each one, and they can't be used against me.
However, beware of tradeking as an online trading service. They have the lowest rates, but they have some ridiculous backward security requirements.
1) You have to enter passwords with an on-screen keyboard. Which means long complex computer generated passwords are a pain.
2) They present security questions in multiple choice form. That's right, your clever or unique answers are right there easily identified next to all the mundane answers.
Honestly I don't know how they haven't fired their whole security team. I know this kind of security theatre is costing them business, and I bet their back end reflects similarly poor decisions. I am surprised they don't have regular compromise reports.
There was a discussion about it on HN a few weeks ago and someone rightly pointed out this is prone to social hacking by the attacker saying "well yeah I put some random garbage string, don't remember exactly". Remember, the human part is the weakest point here.
Yeah, I thought I was clever doing that until the day came to reset my login with my bank. They didn't ask a single one of those questions, and instead asked questions that anyone with my credit report could have answered. </facepalm>
I put a 1KB base64 string into my PayPal 'security' questions. Problem now is that it won't accept that string again when I want to change my password. I assume the text was truncated at some point but is no longer now …
If enough people start doing that, sites will just add a third layer of secret questions to let you reset the other secret questions you forgot the answers to, and on and on... It will be secret questions to unlock secret questions all the way down.
An important point for this is that the answers seem to be stored in plaintext (by companies) so you also shouldn't use the same one in multiple places. Simply substituting easily researched information for less easily researched information only solves half the problem.
I blogged about this last year; the sad reality is that the security of these "security questions" is more important than that of your password since they can be used to reset both your password for this site and everywhere else (as well as gain access to your bank, obtain credit cards in your ID, and more).
We need to obscure these in the database. You can't risk losing your ID entirely just because some random site didn't bother securing these details and fixated solely on "best practices" for password storage in the DB.
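What the two comments above are asking for on the server side, as an added example written for this thread (not code from any commenter or site): the answer is canonicalised so that case, spacing and punctuation differences do not lock the user out, then salted and hashed with scrypt, and verified with a constant-time comparison, so a database dump never yields the plaintext answer that would unlock the same question elsewhere.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Work factor for scrypt: 2^14 iterations, 16 MiB of memory, 32-byte output.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def canonicalise(answer: str) -> str:
    """Fold case, strip accents, and drop spaces and punctuation, so that
    'A B C', 'abc' and 'A.B.C.' all compare equal."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^0-9a-z]", "", stripped.casefold())


def store_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to persist: a random salt and the scrypt hash.
    The plaintext answer itself is never written anywhere."""
    canon = canonicalise(answer)
    if len(canon) < 2:
        raise ValueError("answer too short after canonicalisation")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(canon.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(canonicalise(attempt).encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))
```

Hashing only removes the offline-dump risk; a reset flow still needs attempt rate limiting, and the question should be one factor among several rather than the sole gate.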
This question is also misogynist. My mother does not have a "maiden name", she has a "last name", which has always been the same. It's not the 1950s; women don't have to subjugate themselves to their husband's name anymore.
Other security questions are often even worse. "What high school did you attend?", for example, is something many friends and acquaintances will know and most others can trivially obtain via LinkedIn or Facebook. "Where were you born?" and "What is the first school you attended?" can be reasonably reliably guessed from the high school as well.
It's helpful to know that on most services the maiden name can be thought of as a second password. Only on some credit-related services does the answer actually matter, it seems.
And then there are those of us who have hyphenated surnames, where the maiden name is there for all to see. I wish my name weren't hyphenated, but I'm stuck with it. It's always silly when someone asks for maiden name: I've already given it to you...
Hyphenated names are also longer, making it a perpetual challenge to fit my name on forms. On standardized tests I was always penalized a minute or more as I spent time scratching in all of the letters of my name. Then there are the fields where the hyphen is not allowed, so I have to enter something that is not my legal name, or even worse are the services that accept the hyphenated name but then transparently change it for storage on the backend. This can make verification fun since there's no telling whether the hyphen was removed, replaced with a space, or some other character entirely. Better hope that you don't have a limited number of attempts to access something. It doesn't fit on credit cards either, making the name field of web payment forms a best guess (I usually put my full name regardless of what is actually on my card).
Future parents out there: consider expressing your family pride or sense of nonconformity in a different way. Hyphenated names are a nice gesture, but they're totally impractical in a world where data entry matters. I'm only thankful that I don't also have a unicode character in my name...
> It doesn't fit on credit cards either, making the name field of web payment forms a best guess (I usually put my full name regardless of what is actually on my card).
The name you enter for web payment doesn't matter; it's not part of the payment authorization process. Also, the street name doesn't matter either.
> I’ve decided to leave the website link out in the interest of discouraging abuse of the tool.
I appreciate the sentiment, but I suspect this would be a more powerful demo if people actually found their own mother's maiden name. Anyone wanting to abuse it could find it trivially anyway (Google for "type your details below so we can start tracing your family", and you only get a single result).
I do wonder how complete the site's records are. I can find most of my family, but it doesn't seem to think I exist.
Edit: seems to be a weird search issue - given name + family name + year of birth returns multiple people who aren't me (with different given names / years of birth), but given name + middle name + family name + year of birth finds my details. Personally not too worried about it, as I use a random name in place of my mother's maiden name for banks etc., and have recommended to family that they do the same.
One of the most frustrating things is that many banks and other financial services seem to have the most antiquated security practices (nothing above twenty characters and no special characters, for instance). It should be the other way around and yet here we are.
That said, I've mostly seen these used as an in-addition question when you want to do something like reset your password. Who's out there using these security questions as the primary mode of authentication?
They value stability highly. So they often go with mainframes and software that was written in decades past. When the software was written, that stuff was often pretty good.
I have to put in a security question answer every time I log in to the Bronto email marketing service. Have to go into LastPass and look up the string I used.
> Inevitably, I quite consistently can’t remember the word for each service – a fact that surprised this particular rep, “How do you forget your Mother’s maiden name?”.
The rep is looking at the string that you gave them as your maiden's name (so that he or she can compare that with whatever you utter), and what's on the screen is obviously not anyone's maiden's name, being "nonsense", and all.
These jobs don't always go to the brightest bulbs in the chandelier, do they.
Gee, how on God's green Earth could anyone forget that your mother's maiden name is Z3xYFrd9.
It's rude too, implying that the customer is incredibly forgetful; in a customer service role, we should refrain from making such a comment even if the string does look like a viable maiden name.
Even some harmless, utterly non-sarcastic comment about anything could be taken the wrong way or take a surprising direction.
"Nice tattoo, where did you get that done?"
"It's a birthmark, which made me the target of bullying throughout elementary school."
Talking about password recovery: Google has an interesting attitude. I recently lost the password to a dev account on gmail I had created a few weeks earlier, so I had to reset the password.
I went through a process in which they asked questions "when more or less was account created", "when did you last log in successfully", "what last password do you remember", "what google services did you use with this account" etc. which, mixed with some other data they possess (I believe), like IP addresses, made me successfully recover the account without any "maiden name" questions.
This isn't news, I've done this for decades. I have a fake family that I use for Mom, pet's name, father's birthplace, etc. But unlike the OP, I only have one fake family to track.
It's not hard to do, just pretend you are an undercover KGB agent. Alternate plan is to just rotate the family by one, so Dad moves to Mom, Mom moves to older sibling, etc., and the pet rolls to the top (Dad).
I had a related issue with these kinds of security measures:
I can't remember them afterwards... Is your favorite book "ABC" or "A B C"? First car Nissan Fairlady or 350Z?
So what I do is take the question, put it in an email with the key, and put the key into a password generator [0] that creates the answer with a master key only you know.
[0] Password generator pro, FOSS, grab it on FDroid
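The per-site derivation described in the comment above, as an added example that is not the app it mentions and assumes nothing about how that app works: each answer is HMAC-SHA256 over the site name and the question text under a master secret (a constructed placeholder here), rendered as a fixed number of letters so it fits the "name-like" fields banks expect; the same inputs always reproduce the same answer, so nothing needs to be stored.

```python
import hashlib
import hmac
import math
import re
import string


def _canon(text: str) -> str:
    """Lower-case and keep only letters and digits, so minor rewording of
    the site name or question still maps to the same derivation input."""
    return re.sub(r"[^a-z0-9]", "", text.casefold())


def derive_answer(master_secret: bytes, site: str, question: str,
                  length: int = 16, alphabet: str = string.ascii_lowercase) -> str:
    """Deterministic answer = HMAC-SHA256(master_secret, site || question),
    written out as `length` symbols from `alphabet`.  A different site,
    question or secret yields an unrelated answer."""
    if length * math.log2(len(alphabet)) > 250:
        raise ValueError("requested answer is longer than the 256-bit HMAC output")
    message = (_canon(site) + "\n" + _canon(question)).encode()
    mac = hmac.new(master_secret, message, hashlib.sha256).digest()
    # Treat the MAC as a 256-bit integer and expand it in base len(alphabet);
    # with at most 250 bits consumed the leading-symbol bias is negligible.
    n = int.from_bytes(mac, "big")
    symbols = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        symbols.append(alphabet[r])
    answer = "".join(symbols)
    return answer[0].upper() + answer[1:]  # "Xqzrt..." reads like a surname


if __name__ == "__main__":
    # Constructed placeholder secret for demonstration only.
    master = b"constructed-master-secret-not-for-real-use"
    print(derive_answer(master, "bank.example", "What is your mother's maiden name?"))
```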
I generate random answers that fit the question (i.e. best friend: Steven Austin, 1st Car: Hummer H3) and store them in Last Pass (or Keepass). Can use password generator too.
Worse is that these answers are often stored in plaintext because they aren't the user's "password". I'd argue having them at all puts one at greater risk of being hacked.
What I'll never understand is why I can answer these questions with 64-128 characters (typically) but my password is limited to 16-32 characters.
I'm not sure which is worse, that so many sites require "security" questions (emphasis on the quotation marks) or that the questions are frequently paired with asinine password restrictions that prevent the construction of a strong-enough password in the first place.
I thought this was really interesting. I found this article makes good points, and it is incredible that the maiden name is more important than the password itself. Seems backwards in my opinion.
tzs | 10 years ago
[1] https://www.schneier.com/blog/archives/2010/04/fun_with_secr...
darkr | 10 years ago
Eric_WVGG | 10 years ago
amyjess | 10 years ago
You can do so much with "Where was your father born?" and "What was the name of your childhood pet?".
tnash | 10 years ago
daveguy | 10 years ago
jakub_g | 10 years ago
mikestew | 10 years ago
CrystalGamma | 10 years ago
ryandrake | 10 years ago
nnutter | 10 years ago
jobigoud | 10 years ago
zorked | 10 years ago
ComputerGuru | 10 years ago
https://neosmart.net/blog/2015/never-store-answers-to-securi...
cballard | 10 years ago
Oh, and gay people exist. Get with the times.
msellout | 10 years ago
notahacker | 10 years ago
amyjess | 10 years ago
"Where were you born?" "In the fires of Mount Doom."
"What high school did you attend?" "Methamphetamine High"
thowawy3116 | 10 years ago
toast0 | 10 years ago
emodendroket | 10 years ago
stordoff | 10 years ago
emodendroket | 10 years ago
lallysingh | 10 years ago
vinceguidry | 10 years ago
kazinator | 10 years ago
Oops!
jakub_g | 10 years ago
cballard | 10 years ago
mhurron | 10 years ago
AstroJetson | 10 years ago
xlayn | 10 years ago
ajford | 10 years ago
Nadya | 10 years ago
makecheck | 10 years ago
amyjess | 10 years ago
Some people were born to unknown fathers, and some people deliberately changed their names to their mothers' maiden names later in life.
m3andros | 10 years ago
Chefkoochooloo | 10 years ago
chei0aiV | 10 years ago
gonyea | 10 years ago