• MehBlah@lemmy.world · 8 upvotes · 9 hours ago

      Don't worry, it will work for the feds when they knock you unconscious and put your finger in the scanner.

        • bearboiblake@pawb.social · 19 upvotes · 13 hours ago

          Instead of answering security questions honestly, you can treat them just like another password field.

          • dev_null@lemmy.ml · 18 upvotes · 13 hours ago

            Funny thing is when a bank employee asks you for the answer on the phone. I was like 5 characters in dictating the random 32 characters when she just stopped me and let me do what I called to do.

            • balsoft@lemmy.ml · 7 upvotes · 9 hours ago

              That doesn’t sound like a good system security-wise TBH. I’d prefer if the employee had to enter the answer successfully on their end for the system to grant them the necessary access, otherwise it feels like a big opportunity both for internal snooping and for social engineering.

              • dev_null@lemmy.ml · 2 upvotes · 7 hours ago

                Yeah, I guess they are seeing the answer on their side because they need to be able to judge that when you say your first car model name differently than when you typed it in, it’s the same thing.

                Because you are not trying to recall the answer, you are answering the question, and can word the answer differently than before.

                Which I don’t like.

  • Etterra@discuss.online · 20 upvotes · 18 hours ago

    That’s why I never tell anyone that my first pet was named Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.

  • FuglyDuck@lemmy.world · 84 upvotes · 24 hours ago

    I mean, I just feed security questions a randomly generated string; password managers will even save that string so you don’t have to remember it.

    • zaphod@sopuli.xyz · 3 upvotes · 13 hours ago

      If you store it in your password manager alongside your password, what’s even the point in having these questions?

      • FuglyDuck@lemmy.world · 6 upvotes · 13 hours ago

        … that’s an excellent question.

        Frankly, even if you don’t… what’s the point? If you can crack the password, you can probably crack the secret question. Or questions.

        If you can social engineer a password, same with secret questions.

        They’re basically just a second password. Possibly one of many passwords with a prompt.

        • zaphod@sopuli.xyz · 1 upvote · 12 hours ago

          I’m not even sure how I would store the answers to these questions in a database. Would you hash them like passwords or just store them in plain text (maybe encrypt them, but if someone has access to your servers they can probably access the encryption key too)?

          • FuglyDuck@lemmy.world · 2 upvotes · 12 hours ago

            Many password managers allow you to store pass keys (like with crypto wallets) as hashes attached to any login credentials. I would suggest storing them that way. At worst, I used to create secondary credentials.

    • TheTechnician27@lemmy.world · 40 upvotes · 23 hours ago

      Yeah, it’s a little silly if you end up on the phone having to say it to a service rep, but it’s better than what’s otherwise basically security theater.

      • [object Object]@lemmy.world · 4 upvotes · 13 hours ago

        I once spent about five minutes explaining my email over the phone — which email has just a handful of letters, but in a weird sequence. Can’t imagine having to dictate a random password.

        Reminds me of the time when our office got corporate debit cards for everyone, and one dude had his security phrase be eight letters ‘Q’ (or more specifically, a sorta connective letter that can only be at the end of syllables in our language).

      • MinnesotaGoddam@lemmy.world · 12 upvotes · edited · 20 hours ago

        I enjoy singing “oh ricky you’re so fine, you’re so fine you blow my mind hey ricky [clap clap] hey ricky [clap clap]” at the service rep and i told them that if i don’t sing it or clap that i have failed the security challenge.

        it’s the answer to what was the color of my first car.

    • chicken@lemmy.dbzer0.com · 6 upvotes · edited · 20 hours ago

      I feel like maybe someone could convince people over the phone to give them access if they explained correctly that the fields have random strings and roughly how they are formatted, but claimed to have forgotten what they are.

      • ReluctantMuskrat@lemmy.world · 1 upvote · 9 hours ago

        In a properly secure system the rep can’t see the code but must type it in to get to your data. If they can get to it without your secret, they can be tricked into supplying it or may abuse their access themselves.

        • chicken@lemmy.dbzer0.com · 1 upvote · 2 hours ago

          If they’re doing it that way then it’s dumb for these to be questions about your life because the point of that is to make it things that people will definitely be able to remember, but realistically you’re only going to remember the answer in general, not necessarily the specific wording or how the answer was formatted.

      • vaionko@sopuli.xyz · 2 upvotes · 11 hours ago

        For anything properly made, the words are not stored in a format the service rep can read; they are hashed.
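The storage question zaphod raised earlier (hash the answers like passwords?) and dev_null's point that a rep has to accept "Honda Civic" and "honda-civic" as the same answer can both be handled server-side: normalise the answer first, then store only a salted scrypt hash and give the support tool a yes/no check. This is an added example, not code from anyone in the thread; the function names, the normalisation rules and the sample answer are my own choices.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# scrypt cost parameters: 16 MiB of memory per guess, which makes offline
# guessing of a short answer list slow without hurting a single login.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32

def normalize_answer(answer: str) -> str:
    """Collapse wording differences a human would accept: strip accents,
    fold case, and drop spaces and punctuation ("Honda Civic" == "honda-civic").
    This also discards punctuation from manager-generated random answers,
    so generate those as alphanumeric strings."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", text.casefold())

def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$<salt>$<digest>' record. The server
    stores only this; the original answer is not recoverable from it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_answer(answer: str, stored: str) -> bool:
    """Constant-time comparison of a candidate answer against a stored record.
    A support tool calls this with what the customer says; the rep only ever
    sees the boolean result, never the stored answer."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != "scrypt" or len(expected) != KEY_LEN:
        return False
    digest = hashlib.scrypt(normalize_answer(answer).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    record = hash_answer("Honda Civic")          # constructed sample answer
    print(verify_answer("honda-civic", record))  # True
    print(verify_answer("Toyota", record))       # False
```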

      • FuglyDuck@lemmy.world · 7 upvotes · 19 hours ago

        You could convince a CS rep to open it with a sob story and a fake sniffle.

        Fortunately, most places have gone away from giving CS reps that kind of access.

    • zikzak025@lemmy.world · 46 upvotes · 24 hours ago

      The security questions are often forced.

      The trick is to make up answers. Have some go-tos or a pattern that only you know and no one else could guess with information from your life.

      Why yes, I did grow up on AmazonFakeStreet. Oh, my spouse? MicrosoftSpouseName of course.

      • MinnesotaGoddam@lemmy.world · 8 upvotes · edited · 20 hours ago

        so the funniest thing, we were sitting around at a family reunion. someone asked, so do we all use the same answers for our security questions? and uh, turns out we all do. same made up answers (everyone had the same favorite cat. whose favorite person was me awww yisss), but the same answers. and that moment we decided to update our security procedures.

        • speculate7383@lemmy.today · 6 upvotes · 19 hours ago

          unless you’re using a password manager capable of tracking those for you.

          Doesn’t every password manager have a “notes” field these days?

          • zikzak025@lemmy.world · 2 upvotes · 10 hours ago

            I’ve only used Bitwarden, so I can’t speak to the others, but Bitwarden does, yeah.

            But to the average person, “password manager” is whatever their browser does for them, and I’m not sure those have much more functionality beyond username/password and ID fields.

          • Ephera@lemmy.ml · 3 upvotes · 17 hours ago

            You replied to the wrong guy, but I think they rather meant it as “unless you’re using a password manager (…because password managers are generally capable of storing extra data)”. 😅

            I mean, even if it can’t store extra data in one entry, you could still create multiple entries for a single account and just name the entries similarly.

            And to give an example of a password manager intentionally kept so simple that, well, there is a solution, but it is somewhat choose-your-own-adventure: https://www.passwordstore.org/#organization
            (You can get GUIs for it, which may have a premade solution after all, for example: https://f-droid.org/packages/app.passwordstore.agrahn )

          • Ephera@lemmy.ml · 7 upvotes · 22 hours ago

            Well, I’d rather write down anything I enter, in case I do ever need it. But yeah, generally speaking you shouldn’t need the answers.

            • 14th_cylon@lemmy.zip · 3 upvotes · edited · 21 hours ago

              It probably doesn’t hurt to save it, but at the same time, for a KeePass user, if you lost the primary password, it probably means you don’t have the wallet for whatever reason.

              • Ephera@lemmy.ml · 5 upvotes · 21 hours ago

                Well, there might be other reasons to need them. For example, I once got locked out of an account, because I had lost the 2FA credentials (which I did not have in KeePass, incidentally). The webpage let me back in with a recovery question.

                Well, technically, it was a recovery code which was just random symbols I had been provided upon account creation, but kind of the same thing in the end.

                • 14th_cylon@lemmy.zip · 3 upvotes · 18 hours ago

                  Having 2FA in place and then letting you in based on a “security question” is the peak clown show.

                  (This is not an attack on you, but wow…)

      • 14th_cylon@lemmy.zip · 6 upvotes · 22 hours ago

        the trick is q’wdsjfaosdijgoasfgnsdk;jfavfghoiaerjhpguewrhjtiwuerth

        never ever put any non-random information there.

        I had a 70-year-old guy getting divorced because his wife of a similar age “hacked” his email by entering the name of their parrot and found out he was emailing another 70-year-old lady.

        • zikzak025@lemmy.world · 5 upvotes · edited · 19 hours ago

          Ideally you still want it to be something you’ll remember, unless you’re using a password manager capable of tracking those for you.

          The mistake that guy made is that he still chose a name he had some attachment to. You want to make sure you choose something you have no attachment to whatsoever.

          And then never reuse the same answer between different services, just in case one of them is storing them as plaintext.

          • 14th_cylon@lemmy.zip · 2 upvotes · 18 hours ago

            What you are describing is a password, and we use wallets for these. The problem is that various services intentionally present the “security question” as a sort of fallback for when you forget the password, because you wouldn’t have forgotten your first pet’s name, right? It is a fundamentally wrong approach.

            What you are describing is treating the “security question” as a second password, which is possible, but kinda pointless. If you have a good password stored in the wallet, it is safe and you won’t forget or lose it. And if you lost it, it is probably because you lost access to the wallet, so the saved security question you treated as a second password and stored in the same wallet is kinda useless now.

            • zikzak025@lemmy.world · 2 upvotes · 9 hours ago

              I’m just recommending that folks treat the answers to the security questions, at a minimum, like they treat their passwords themselves. The security questions are a way around the password, and so they should be kept just as secure and hard to guess.

              If you’re using a secure password manager, great, that’s exactly the best approach. The majority of people don’t, which is where this sorta thing becomes an issue. If you have a password manager and the service you’re using forces you to answer security questions, of course you can let the password manager generate something just as random as the password itself (provided it can remember it and can track which term corresponds to which question). For anyone who does not, it’s just important to choose something you’ll remember but no one who knows details about your life can simply guess. Otherwise it doesn’t matter how secure your password is.

    • Creat@discuss.tchncs.de · 10 upvotes · edited · 23 hours ago

      You can’t even install Windows (local account) these days without answering 3 of these. If you ever click on one of the recovery options, you’ll be asked for one of them.

      My solution is usually to just randomly smash the keyboard for a while.

      • FjordDan@lemmy.zip · 3 upvotes · 13 hours ago

        The worst about those is that they only give you 6 questions to choose from, and all of them are really bad as security questions.

        They should have had a list of at least 20 to choose from. Preferably the ability to enter your own as well.

        • Creat@discuss.tchncs.de · 3 upvotes · 18 hours ago

          No, cause it’s at work and not my choice. It’s also just one example of many. I don’t run Windows on any of my own PCs any more.

          • MalReynolds@slrpnk.net · 1 upvote · 16 hours ago

            My sympathies. It was meant very much tongue in cheek, hence ;} (I’m sure there’s an emoji, but I don’t think I will :)