Comments on: algorithms for dumb security questions

By: Jules

Jules — Sat, 28 May 2011 20:33:50 +0000

@Mark I, It must be really fun to call your bank! Can you sense the sound of disgust on the phone when you have to spew out that many alphanumeric characters to validate your credentials?

By: Mark I

Mark I — Mon, 24 May 2010 18:49:00 +0000

I use random strings for the questions and use Keypass to store them.

It is more of a pain but more secure

Q. What is the city you were born in?
A. ;N=##qm?9>}SMjYEk[|`YYQqs1U]L`uu,^}$|*2″o%pP>|pa/eKo$

I use GRC.com to generate the passwords or keepass. Really I like to use something different like GRC being IF keepass could be hacked “unlikely” but that is what I do.
https://www.grc.com/passwords.htm

By: Nick Writer

Nick Writer — Fri, 07 Mar 2008 04:04:06 +0000

In our company we’ve been using a password reset system from scriptlogic – desktop authority password self service for some months or so.
Initially we turned on the ability for users to specify their own questions in addition to the included ones from our helpdesk team. But got rid of such questions because of their security weakness.
Now we use a set of several “strong questions” limiting the answers to things like minimum answer length or preventing users from specifying the same answer for different questions.
Every time we change password requirements and password management settings it recognizes user profiles which is not compliant with the new requirments.
Such users are required to change and update their questions and answers profile to stay compliant with the new settings.

By: Lennon

Lennon — Mon, 19 Nov 2007 15:26:23 +0000

Having just implemented a password-reset system using this sort of question/answer model, I can give you a very simply reason why most sites don’t allow users to pick their own questions: just as most answers are “weak” from a security POV, most questions people pick for themselves are similarly weak, and do little to protect an account. By forcing people to think a bit more, the actual outcome tends to be that both the question and answer field are filled with drivel, making it far too easy for potential attackers to access the account.

Personally, I think that simple Q&A systems are a pretty poor security measure, anyway. Anything sufficiently memorable for you is probably also discoverable to someone else, unless it’s so sensitive that the Q&A database becomes just as appealing a target for phishing and cracking attempts as the data it’s supposed to protect.

By: Scott

Scott — Sun, 18 Nov 2007 14:47:48 +0000

But you could just as easily use the third word of the question as your answer, etc, etc.

By: Scott

Scott — Sun, 18 Nov 2007 14:45:48 +0000

Most surefire, easy-to-remember solution: the last word of the question is your answer.
What is my favorite color? Color.
In what city were you born? Born.

Works everytime and has saved me time and frustration.
As for security…

By: nealbirch

nealbirch — Sun, 18 Nov 2007 14:24:03 +0000

I do security for a financial institution, which of course will remain nameless.

I get older folks who have not only forgotten the answers but swear fervently that they wouldn’t have submitted the questions that they were asked.

My concern of course is that obvious answers defeat the purpose of the questions so I suggest they use the same answer for the random questions that they select.

Then I tell them that I pick the name of my first grade teacher, since I am over 50 most people wouldn’t be able to find the answer and anyway she married that farmboy and broke my heart. “I’ll never forget her though…”

This normally illicits a chuckle … until the guy said “you know, these days that age difference wouldn’t have stopped her.” ouch.

By: HumbleOpinion

HumbleOpinion — Sat, 17 Nov 2007 18:03:28 +0000

If you have a good password manager, for example Roboform or KeePass, you can just generate a new random key phrase for those answers. I long for the day when I can reduce the number of password to maintain by using a single sign-on such as OpenID.

By: Jim W

Jim W — Sat, 17 Nov 2007 14:54:21 +0000

The comedian Eugene Mirman does a bit on this. For sites that allow you to pick your own question, his is always, “What are you wearing right now?”
His answer is always, “I don’t think that’s an appropriate question.” It’s most fun when the same question is used for call centers.

By: Murtagh Siavush

Murtagh Siavush — Sat, 17 Nov 2007 12:33:49 +0000

I keep my passwords in a well backed up database, and when I have to choose a security question, I include it in the notes section of the database, and choose another randomly generated password for the answer. There is a reason I keep multiple backups of this file.