The Survival Podcast Forum

Survivalism & Self Sufficiency Topics => Homesteading and Self Reliant Living => Home And Business Security => Topic started by: Mr. Bill on November 14, 2019, 08:59:33 PM

Title: Security questions/answers need to be just as secure as passwords
Post by: Mr. Bill on November 14, 2019, 08:59:33 PM
Some online services demand strong passwords, but have very weak requirements for the "security answer" that you use to reset a lost password. This is stupid. The security answer is a backup password and should be just as secure as the primary password.

Example from a company that shall remain unnamed:

The security answer must be
* 2 to 14 characters
* letters only, no numbers, spaces, or other characters
* not case-sensitive

And there are only four "security questions" to choose from:
* What was the name of your first pet?
* What was the name of the city your high school was located in?
* What is your father's middle name?
* What was the make of your first car?

Now of course, you can put any random thing you want as the answer, but most people will answer truthfully so that they'll be able to remember without writing it down. As a result, hackers only need lists of common pet names, major cities, common given names, and car manufacturers, and they'll be able to reset the passwords on a large fraction of accounts.

If you run into something like this, DON'T enter the real answer if it's a common word or name. Treat it like a password and enter something unguessable.

(Yes, someone I know got hacked this way.)
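To put numbers on the point above, an added example in Python (not from the original thread) that models the quoted policy: it checks an answer against the 2-to-14-letter rule, compares the guessing work for a truthful answer drawn from a short candidate list with that of a random answer that fills all 14 letters, and generates such an answer for storing in a password manager. The candidate-list sizes are constructed assumptions, not figures from the post.

```python
import math
import secrets
import string

# Constraints quoted in the post: 2 to 14 characters, letters only, not case-sensitive.
MIN_LEN, MAX_LEN = 2, 14
ALPHABET = string.ascii_lowercase  # case folding leaves 26 effective symbols


def is_policy_compliant(answer: str) -> bool:
    """True if the answer would be accepted under the quoted policy."""
    return MIN_LEN <= len(answer) <= MAX_LEN and answer.isascii() and answer.isalpha()


def normalize(answer: str) -> str:
    """What the service effectively compares: the case-folded answer."""
    return answer.lower()


def random_answer_bits() -> float:
    """Bits of guessing work for a uniformly random, max-length, policy-compliant answer."""
    return MAX_LEN * math.log2(len(ALPHABET))


def truthful_answer_bits(candidate_list_size: int) -> float:
    """Bits of guessing work when the answer comes from a list of that many common values."""
    return math.log2(candidate_list_size)


def ratio_random_to_truthful(candidate_list_size: int) -> float:
    """How many times more guesses a random max-length answer costs than a listed one."""
    return 2 ** (random_answer_bits() - truthful_answer_bits(candidate_list_size))


def generate_answer(length: int = MAX_LEN) -> str:
    """Random policy-compliant answer; store it in a password manager, not your memory."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed assumption: rough size of a list of common values for each of the four questions.
CANDIDATE_LIST_SIZES = {
    "first pet name": 500,
    "high school city": 2000,
    "father's middle name": 1000,
    "first car make": 100,
}

if __name__ == "__main__":
    print(f"random 14-letter answer: {random_answer_bits():.1f} bits")
    for question, size in CANDIDATE_LIST_SIZES.items():
        print(f"{question:22s} ~{truthful_answer_bits(size):.1f} bits "
              f"(random is {ratio_random_to_truthful(size):.1e}x harder)")
    print("example answer to store:", generate_answer())
```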
Title: Re: Security questions/answers need to be just as secure as passwords
Post by: FreeLancer on November 14, 2019, 09:35:34 PM
I try to make sure I store bogus answers to the security questions in my password manager for the important sites. It's a pain to have to go look them up, but it's fairly trivial for an attacker to find out a lot of your real answers.
Title: Re: Security questions/answers need to be just as secure as passwords
Post by: bartsdad on November 15, 2019, 02:51:45 PM
I always use a non sequitur answer. It is usually the same for all the questions and is noted in my archives as to what it is.