top | item 19913183

Ask HN: Why do companies still not let you choose your security questions?

2 points | CM30 | 6 years ago

Like for example, Apple with their Apple ID setup? These old cliched questions don't help anything, and are stupidly easy to defeat for anyone wanting to socially engineer your account details.

So why don't these companies just give you a few text boxes and let you set them yourself? That way, they'd at least be somewhat secure for those who know what they're doing, and those who use them for impromptu passwords could just use them as that.

P.S. Why do we still have these silly things in general?

2 comments

pwg | 6 years ago
> P.S. Why do we still have these silly things in general?

One possibility is a belief that having a security question allows for users to reset a forgotten password without having to involve a help-desk person on a phone call to do a password reset.

> These old cliched questions don't help anything

If your answers are the output from this:

  $ sort --random-source=/dev/urandom --random-sort /usr/dict/words | head -5
  spindled
  antiquities
  tumblers
  teasing
  halter
Which makes (for this example) the answer "spindled antiquities tumblers teasing halter". So you have words for the times you are talking to the human on the phone when they want you to give the answer, but you have random words that joe-hacker is not likely to guess while trying to do social-engineering on the same help desk human.

With a password manager, storing these "random" answers to security questions along with a randomly generated password is trivial. And if these are your answers, you don't really care what the question happens to be, because the answer you give will have nothing to do with the actual question anyway.
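
The same idea in a small script, as an added example that is not pwg's code or anything from Apple or a password manager vendor: draw distinct words from a dictionary with a CSPRNG (mirroring `sort --random-sort | head -5`), work out how many bits of entropy that gives for the dictionary size actually used, and emit a record you can paste into a password manager next to the site's generated password. The inline SAMPLE_WORDS list is constructed so the script runs offline; the path /usr/share/dict/words is an assumption about where a system dictionary usually lives, and the script falls back to the inline list if it is absent.

```python
"""Random-word answers for security questions, in the spirit of the
`sort --random-sort ... | head -5` recipe above.

Added example, not code from the original thread. Assumptions: SAMPLE_WORDS
is a constructed stand-in for a system dictionary; WORDLIST_PATH is a guess
at where one usually lives.
"""
import json
import math
from pathlib import Path
from secrets import SystemRandom
from typing import Optional

# Assumption: typical location of the system dictionary on Linux.
WORDLIST_PATH = "/usr/share/dict/words"

# Constructed stand-in wordlist so the example runs with no dictionary installed.
SAMPLE_WORDS = """
spindled antiquities tumblers teasing halter
anchor basket cobalt dwelling ember falcon garnet harbor ivory jigsaw
kettle lantern marble nickel orbit pepper quartz ripple saddle timber
""".split()

_rng = SystemRandom()  # OS CSPRNG (like /dev/urandom), not the default `random` PRNG


def load_wordlist(path: Optional[str] = None, min_len: int = 4) -> list:
    """Return sorted, deduplicated, lowercase ASCII words of at least min_len.

    Dropping capitals, apostrophes and very short words keeps the answer
    unambiguous when it has to be read aloud to a help-desk person.
    """
    if path and Path(path).is_file():
        raw = Path(path).read_text(encoding="utf-8", errors="ignore").split()
    else:
        raw = SAMPLE_WORDS
    return sorted({w.lower() for w in raw
                   if w.isascii() and w.isalpha() and len(w) >= min_len})


def random_answer(words: list, n_words: int = 5) -> str:
    """Pick n_words distinct words uniformly at random, space-separated.

    Sampling without replacement mirrors `sort -R | head -n`. Raises
    ValueError if the wordlist has fewer than n_words entries.
    """
    if n_words > len(words):
        raise ValueError("wordlist too small for %d distinct words" % n_words)
    return " ".join(_rng.sample(words, n_words))


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of an ordered draw of n_words distinct words: log2(N!/(N-n)!)."""
    return math.log2(math.perm(wordlist_size, n_words))


def make_record(site: str, questions: list, words: list, n_words: int = 5) -> dict:
    """One random answer per question, ready for a password manager's notes
    field; the question text is kept only so you know which answer to read out."""
    return {
        "site": site,
        "answers": {q: random_answer(words, n_words) for q in questions},
        "entropy_bits_per_answer": round(entropy_bits(len(words), n_words), 1),
    }


if __name__ == "__main__":
    words = load_wordlist(WORDLIST_PATH)  # falls back to SAMPLE_WORDS if absent
    record = make_record("example.com",
                         ["Mother's maiden name?", "First pet's name?"],
                         words)
    print(json.dumps(record, indent=2))
```

With the 25-word constructed list, five distinct words give only about 22.6 bits, which is the point of the entropy figure: the strength comes from the size of the dictionary, and with a real ~100k-word /usr/share/dict/words the same five-word draw is over 80 bits, far beyond anything a help-desk social engineer can guess or look up on social media.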

Kazooie_Bird | 6 years ago
Storing custom questions requires a larger persistence footprint.