top | item 15318955

JupiterMoon | 8 years ago

> My typical answer for a security question is something like "39arsrc uyrsrsaulsr8832r" and that's saved in a password manager

The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh I just mash the keyboard for those" is probably going to get an attacker access to your account.

JumpCrisscross | 8 years ago

> The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh I just mash the keyboard for those" is probably going to get an attacker access to your account

I used to do this and then lost my password file. Fast forward to a call with AT&T. I told them I forgot my secret answers. They offered that it was "a super weird answer," which let me use the "mashed keyboard" line and got in. TL;DR: I think this system is less safe than just making up cars, cities, et cetera.

ncallaway | 8 years ago

Yeah, I always use a handful of random words. That way, it's something pronounceable over the phone.

Still, I expect "oh, it's a random word not related to the question" would clear the phone-screen human layer of verification a good percentage of the time.

thaumasiotes | 8 years ago

I can confirm that "I'm not going to be able to tell you the secret answer" was accepted by Blizzard when they locked my account and made me apply to have it unlocked.

I'm still bitter about that. I put garbage in the answer to the secret question because I planned not to forget my password. I didn't forget my password, but Blizzard nevertheless locked me out of my account, for the crime of using a payment card that was listed on my account, but wasn't listed as my "preferred" payment option.

pishpash | 8 years ago

Yes, you should just make up a fake personal profile, and base your answers on that. True answers and human-bypassable answers are all bad, whereas fake answers open you up to a world full of entropy.

ohazi | 8 years ago

correct horse battery staple?

tony101 | 8 years ago

One solution would be to randomly generate security answers with human-readable words. Diceware does this. You can use dice, or you can use an open source tool like this one:

https://www.rempe.us/diceware/#eff

https://en.wikipedia.org/wiki/Diceware

gecko | 8 years ago

It's also built into 1Password. And before that, I just used what I think was literally a one- or two-line Perl script that just grabbed four words from /var/dict. Why yes, my mother's maiden name was indeed pathetic xylophone tootsie wasp, how did you know?
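The Diceware approach tony101 links and the "grab four words from the dictionary" script gecko describes, written out as an added example (this is not code from the thread, the EFF tool, or 1Password). It shows the two pieces a practitioner cares about: the base-6 mapping from five die rolls to a list index (which only works with a complete 7776-word list), and a CSPRNG-driven picker that works with any word list and reports how many bits of entropy the answer carries. The word list below is a constructed stand-in for a real Diceware list; `secrets` is used rather than `random` because the latter is not suitable for anything security-related.

```python
"""Diceware-style answers for "security questions" (added example)."""
import math
import secrets
from typing import List, Sequence

# Constructed stand-in for a real Diceware list.  The EFF long list has
# 7776 words, exactly one per 5-dice roll; a few dozen words are enough
# to show the mechanics, and the entropy figures are computed from the
# actual list size so they stay honest for a short list like this one.
SAMPLE_WORDS = (
    "pathetic", "xylophone", "tootsie", "wasp", "correct", "horse",
    "battery", "staple", "glacier", "trumpet", "velvet", "cobalt",
    "lantern", "pickle", "orbit", "meadow", "ribbon", "saffron",
    "tundra", "walrus", "yonder", "zipper", "anchor", "biscuit",
    "canyon", "dolphin", "ember", "falcon", "garnet", "harvest",
    "island", "jasmine", "kettle",
)


def dice_to_index(rolls: Sequence[int]) -> int:
    """Map die rolls (each 1..6) to a 0-based index the way Diceware does:
    the rolls are a base-6 number, so 11111 -> 0 and 66666 -> 7775."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"not a die face: {r}")
        index = index * 6 + (r - 1)
    return index


def roll_dice(count: int = 5) -> List[int]:
    """Roll `count` dice from the OS CSPRNG (never the `random` module)."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def word_from_rolls(wordlist: Sequence[str], rolls: Sequence[int]) -> str:
    """Physical-dice path.  Only valid when the list has exactly one word
    per possible roll (6**len(rolls)); otherwise the mapping is biased or
    out of range, so refuse rather than silently truncate."""
    expected = 6 ** len(rolls)
    if len(wordlist) != expected:
        raise ValueError(
            f"list has {len(wordlist)} words, need exactly {expected}")
    return wordlist[dice_to_index(rolls)]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n independently chosen words from a list of list_size."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float = 64.0) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_answer(wordlist: Sequence[str], n_words: int = 4,
                    sep: str = " ") -> str:
    """Pick n_words uniformly (with replacement) from any word list using
    the CSPRNG.  This is what a password manager's word-based generator
    does, and what gecko's /var/dict script did."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates; entropy would be overstated")
    if len(wordlist) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    answer = generate_answer(SAMPLE_WORDS, n_words=4)
    bits = entropy_bits(len(SAMPLE_WORDS), 4)
    print(f"Mother's maiden name: {answer}  ({bits:.1f} bits from a "
          f"{len(SAMPLE_WORDS)}-word list)")
    print(f"For 64 bits you would need {words_needed(len(SAMPLE_WORDS))} "
          f"words from this list, or {words_needed(7776)} from the EFF list")
    print(f"Rolls {roll_dice()} would index word {dice_to_index(roll_dice())} "
          f"of a full 7776-word list")
```

Four words from the full EFF list give about 51.7 bits, five give about 64.6; the short constructed list above needs thirteen words to reach 64 bits, which is the practical reason to use a real list rather than whatever happens to be in /var/dict.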

ddevault | 8 years ago

You don't have to say "oh I just mash the keyboard for those", you can say "it's weird, bear with me" and read it out from your password manager.

ajmurmann | 8 years ago

I do exactly this. About 4-5 characters in the support person interrupts me with "yeah, whatever".

The entire security question situation makes me incredibly pessimistic that we will ever get good security. The idea of security questions is so mind-numbingly stupid to me, yet it's widely used. One would have thought that after the Sarah Palin hack years ago everyone would have realised that, but it seems like nobody did. The support agent didn't see my security question and go "oh, that's clever". That's despite him being a person who deals with these all day; he should realise the overwhelming stupidity. In a sane world, companies who tell their users to use special characters etc. in their passwords and rotate them, but then encourage them to mess it all up by storing information from their Facebook page as a replacement for the password, should have to pay massive fines. Yet hardly anybody is even seeing a problem with this.

This situation is so demotivating to me because it makes me think that whatever security mechanism we come up with, well-meaning people will undermine it.

maxerickson | 8 years ago

The quote is an attacker attempting to bypass the check.

wyager | 8 years ago

It's not about what you say, it's about what an attacker can get away with saying. And they can almost certainly get away with "I just mash the keyboard."

musage | 8 years ago

But the attacker kind of has to know the answer is gibberish right off the bat; otherwise they'd either guess or pretend not to remember a real answer, which is noticeably different from saying something like "oh, that's 30 random characters but I don't have the note with me right now".

cortesoft | 8 years ago

Here is how it would go... attacker gives a real answer, support says no that isn't it. Attacker goes, "oh, sometimes I give fake answers for the question... is it a really long string of characters?"

Or they could go through a few things like that, always giving the excuse that they give false answers until they stumble on the right one.

tonyedgecombe | 8 years ago

But we already know @sersi just mashes the keyboard for those questions :)

evincarofautumn | 8 years ago

One trick is to use pronounceable passwords as answers to security questions, like a sequence of words (“Mother’s maiden name?” “correct horse battery staple”) or arbitrary syllables that make it sound as if you’re having a mini-stroke (“Where were you born?” “prisencolinensinainciusol, oll raigth”).

stordoff | 8 years ago

I try to leave them unset where I can (probably doesn't help over the phone; I'm thinking more of online accounts), such as on eBay which keeps prompting me to set security questions but going back to the homepage lets me avoid doing so.

For sites that force you to set them (and where I care - otherwise they just get random nonsense), and for my bank, I have a set of plausible but false answers I use. Not bulletproof of course, but definitely not googleable and avoids the "I just set it to something random" attack.

LoSboccacc | 8 years ago

That places the liability on the phone rep, while guessing an easy answer places it on you, so it's still a better choice.

l0b0 | 8 years ago

Just generate a pronounceable word, for example using KeePass*.