
Possible Duplicate:
Do security questions subvert passwords?

Many Web sites nowadays require a (hopefully strong) password along with some pretty easy security questions. Sometimes it is not possible to avoid filling in the answers. Most of the time, it is not possible to formulate your own questions (e.g., "give me the other random string").

IMHO, this is a hefty security risk for the user. You pick a secure password (maybe even a truly random one) and leave your account open to everyone who knows it (e.g. your birthday).

What do people do to mitigate this problem?

fubra

1 Answer

Actually, it's worse than that. With the over-sharing that is so common on sites like Facebook and personal blogs, complete strangers can find out all sorts of useful information for hacking security questions.

My best advice is that when you are forced to supply an answer to a trivial question ... lie.

What is your mother's maiden name? McGillicuddy

What was your first car? 1952 Yugo

What city were you born in? Randomville, Wyoming

Actually, I was born in the Chicago area and her maiden name was "Smith", and you could find that out fairly easily, but a good lie that you can remember is much better.

Peter Rowell

  • Random data is even better from a security point of view; if it's only for password reset, then just securely store a copy of the password with KeePass or similar. – ewanm89 Oct 22 '12 at 23:29
  • I guess I'm an old fart. I hate having anything so complicated that I have to store it in yet another password-protected bucket. My password varies on a per-host basis, but it is a pattern based on a complicated, mutated phrase and modified by the site I'm logging into. I may have as many as 100 sites I can log in to (I can sudo in most cases), each with a different password, and I don't write *anything* down. I will admit that I use those same *security phrases*, but they aren't the ones I just posted, and I have about 10 or so of them. That's as much as my aging brain can handle. – Peter Rowell Oct 23 '12 at 02:25
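The mitigation discussed in the answer and the first comment (an answer that has nothing to do with the real question, generated randomly and kept in a password manager) as an added example; this is not code from the original thread, and the word list, the 40-bit entropy target and the vault record layout are assumptions made here for illustration.

```python
import math
import secrets

# Constructed word list for the example. A real tool would load a large
# diceware-style list (thousands of words) so each word carries more entropy.
WORDS = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
    "indigo", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid",
    "pepper", "quartz", "raven", "saffron", "timber", "umber", "velvet",
    "walnut", "xenon", "yarrow", "zephyr", "amber", "bison", "cedar", "dune",
    "echo", "fjord",
]


def answer_entropy_bits(word_count: int, vocab_size: int = len(WORDS)) -> float:
    """Entropy in bits of an answer made of word_count words chosen uniformly."""
    return word_count * math.log2(vocab_size)


def random_answer(min_bits: float = 40.0) -> str:
    """Build an answer from random words carrying at least min_bits of entropy.

    Unlike a real birthplace or maiden name, nothing about the user can be
    looked up on social media to recover it; it must be stored in a manager.
    """
    per_word = math.log2(len(WORDS))
    words_needed = math.ceil(min_bits / per_word)
    # secrets, not random: the answer is an authentication secret.
    return " ".join(secrets.choice(WORDS) for _ in range(words_needed))


def vault_entry(site: str, questions: list[str], min_bits: float = 40.0) -> dict:
    """One password-manager record per site: question -> random answer.

    Each question gets its own answer so a leak at one site reveals nothing
    about the answers stored for another (assumed record layout).
    """
    return {"site": site, "answers": {q: random_answer(min_bits) for q in questions}}


if __name__ == "__main__":
    entry = vault_entry("example.test", ["Mother's maiden name?", "First car?"])
    for question, answer in entry["answers"].items():
        print(f"{question:25} {answer}")
```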