Topic: Security questions/answers need to be just as secure as passwords

Mr. Bill

Some online services demand strong passwords, but have very weak requirements for the "security answer" that you use to reset a lost password. This is stupid. The security answer is a backup password and should be just as secure as the primary password.

Example from a company that shall remain unnamed:

The security answer must be:
* 2 to 14 characters
* letters only, no numbers, spaces, or other characters
* not case-sensitive

And there are only four "security questions" to choose from:
* What was the name of your first pet?
* What was the name of the city your high school was located in?
* What is your father's middle name?
* What was the make of your first car?

Now of course, you can put any random thing you want as the answer, but most people will answer truthfully so that they'll be able to remember without writing it down. As a result, hackers only need lists of common pet names, major cities, common given names, and car manufacturers, and they'll be able to reset the passwords on a large fraction of accounts.

If you run into something like this, DON'T enter the real answer if it's a common word or name. Treat it like a password and enter something unguessable.

(Yes, someone I know got hacked this way.)
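
An added example, not part of the original post: a Python sketch that generates a random answer accepted by the policy quoted above (2 to 14 letters, case ignored) and compares its entropy with that of a truthful answer. The function names and the candidate-list sizes are assumptions made for illustration.

```python
import math
import re
import secrets
import string

# Policy quoted in the post: 2 to 14 characters, letters only, not case-sensitive.
MIN_LEN, MAX_LEN = 2, 14
ALPHABET = string.ascii_lowercase  # case is ignored, so only 26 symbols count
POLICY_RE = re.compile(r"[A-Za-z]{%d,%d}" % (MIN_LEN, MAX_LEN))


def satisfies_policy(answer: str) -> bool:
    """True if the site described in the post would accept this answer."""
    return POLICY_RE.fullmatch(answer) is not None


def random_answer(length: int = MAX_LEN) -> str:
    """Uniformly random letters-only answer, to be stored in a password manager."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside the site's policy")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_bits(length: int = MAX_LEN) -> float:
    """Entropy of random_answer(length): log2(26 ** length)."""
    return length * math.log2(len(ALPHABET))


def truthful_answer_bits(candidates: int) -> float:
    """Upper bound on entropy when the answer is one of `candidates` real-world values."""
    return math.log2(candidates)


if __name__ == "__main__":
    # Candidate-list sizes are assumed for illustration, not measured.
    for label, n in [("car make", 50), ("pet name", 1000), ("city", 20000)]:
        bits = truthful_answer_bits(n)
        print(f"truthful {label:8s} (~{n} candidates): <= {bits:4.1f} bits")
    print(f"random {MAX_LEN}-letter answer: {random_answer_bits():.1f} bits")
    print("example answer:", random_answer())
```

Even under this restrictive policy, a full-length random answer carries roughly 65 bits, far more than any answer drawn from a list of real names.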

FreeLancer

Re: Security questions/answers need to be just as secure as passwords
« Reply #1 on: November 14, 2019, 09:35:34 PM »
I try to make sure I store bogus answers to the security questions in my password manager for the important sites.  It's a pain to have to go look them up, but it's fairly trivial for an attacker to find out a lot of your real answers. 

bartsdad

Re: Security questions/answers need to be just as secure as passwords
« Reply #2 on: November 15, 2019, 02:51:45 PM »
I always use a non sequitur answer. It is usually the same for all the questions and is noted in my archives as to what it is.