Do you find security questions ambiguous?

My mother has two maiden names (the first one was changed from its more “ethnic” version when she was in eighth grade). I went to five elementary schools (which makes far more than five streets I grew up on). I have two maternal grandmothers, two paternal grandmothers and two paternal grandfathers. My high school changed its mascot (it was racist). The first car I owned was “blue” (I have little interest in cars) and my first pet lasted one night (she whined all night and Dad couldn’t take it), does she count (did she count when I answered this question five years ago)? Or maybe my first pet was a pair of hamsters. I was born in St. Paul. Did I type that St Paul - or maybe Saint Paul…

I have been in the position of having not a single choice of security question be something I could answer consistently with surety.

It’s always struck me that security questions were created by people who grew up in nice stable middle class two parent families of origin. I mean, that’s me - and I have a hard time answering these questions due to unusual family history.

Just chiming in with others who said never ever actually answer the question. That’s like storing your passwords in a photo on your Facebook page.

My password manager has a notes field. When I have a site with security questions I put all the questions and answers in the notes. For example…

Favorite Teacher: FreedomAxelTiger
Mother’s Maiden name: QuantumLeafCan
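The notes-field approach described in the post above, as an added example that is not part of the original thread: it generates a distinct random answer for each security question and formats the result for pasting into a password manager's notes. The word list is a small constructed sample and the function names are hypothetical; the case-insensitive uniqueness check is an assumption about how a site might compare answers.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real list should hold
# thousands of words so that each word contributes more entropy.
WORDS = ["Freedom", "Axel", "Tiger", "Quantum", "Leaf", "Can", "Harbor", "Velvet",
         "Cobalt", "Maple", "Orbit", "Pickle", "Saddle", "Thistle", "Umber", "Walnut"]


def entropy_bits(words_per_answer, wordlist_size):
    """Entropy of one answer built from uniformly chosen words, in bits."""
    return words_per_answer * math.log2(wordlist_size)


def make_answers(questions, words_per_answer=3, wordlist=WORDS):
    """Return {question: random answer}; no two answers are the same.

    Uniqueness is checked case-insensitively (assumption: a site that rejects
    repeated answers may lowercase them before comparing).
    """
    if len(set(questions)) != len(questions):
        raise ValueError("each question must appear only once")
    if len(questions) > len(wordlist) ** words_per_answer:
        raise ValueError("word list too small for this many distinct answers")
    answers, used = {}, set()
    for question in questions:
        while True:
            # secrets uses the OS CSPRNG; random.choice is not suitable here.
            candidate = "".join(secrets.choice(wordlist)
                                for _ in range(words_per_answer))
            if candidate.lower() not in used:
                break
        used.add(candidate.lower())
        answers[question] = candidate
    return answers


def notes_field(answers):
    """Format answers as 'Question: Answer' lines for a notes field."""
    return "\n".join(f"{q}: {a}" for q, a in answers.items())


if __name__ == "__main__":
    site_questions = ["Favorite Teacher", "Mother's Maiden name",
                      "First pet", "Favorite color"]
    print(notes_field(make_answers(site_questions)))
    print(f"{entropy_bits(3, len(WORDS)):.1f} bits per answer with this sample list")
```

With the 16-word sample list a three-word answer carries only 12 bits, which is why a much larger word list matters.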

Wow. I almost started the exact same thread yesterday. This is for my retirement account, so it’s pretty important. But there are FOUR security questions. For each one, you have to pick from the same stupid, stupid list of subjective ambiguous bullshit questions. I ended up giving up. I need to try again when I have more time.

But seriously -

- What is your favorite food? Hell if I know. I like lots of stuff.
- What is your favorite restaurant? See above.
- Who is your best friend? I have what I consider a couple of them.
- What’s your favorite animal? Uh, dog I guess.
- What’s your favorite season? :shrug:
- Where did your parents meet? Huh? Beats me.
- What is your favorite color? Green. NO Blue.

And yeah, as others have said, you must choose 4 different questions, and 4 different answers.
And on and on…

I’m a little (deathly) afraid to point it out, but the whole system of “security questions” reeks of WASP suburban conformity. The loaded phrase “white privilege” actually comes unbidden to mind.

Narrow-minded cultural assumptions are the bane of computer systems that have to deal with personal information. Even something as fundamental as a name is completely beyond the ability of American system and software planners to break out of their little Anglo-centric bubble and understand naming systems in other cultures (because they’re “wrong”?).

When something as critical and central as personal identity is impossible to get broadly right, what kind of effort can we expect for a “check the box” bolt-on: system security. Very little, and the same bad ideas get used over and over because they “work” (and if they don’t work that’s the customer’s fault).

The best way to deal with these questions is to come up with an answer which you can absolutely remember, but which makes absolutely no sense in the context of the questions.

Q: What’s your favorite color?
A: Bogthrottle

Q: Who was your best friend in childhood?
A: Bogthrottle

You get the idea. The security code system is not going to know the difference and there’s no way anyone will figure it out by data mining you.

Unless your favorite color really is Bogthrottle and you’ve posted it on Facebook.

If they are specifically targeting you, then you have a problem a security answer won’t handle. Other than that, if they just want you to use the favorite pizza topping question, don’t say pepperoni. Too easy. I’m pretty sure that something like rocky mountain oysters is likely un-hackable. Unless that’s in your dossier too.

I can’t remember what this was for now, but about a year ago some account I have instituted new security questions. Not only did you have to select from a list of prepared questions, you had to select your answer from a list of prepared options!

For instance, one question was “Who is your favorite artist?” and then there was a list of maybe ten famous painters like Picasso and Rembrandt. So if your actual favorite artist is someone else (like anyone living, or non-Western, or not a painter) then tough. I do happen to have a favorite famous, dead, European painter – Vermeer – but although this strikes me as a pretty mainstream choice he wasn’t on the list.

I didn’t think I’d be able to remember which of the other painters I picked as my favorite, so I went with the question about what color my childhood home was. This only had about five options, all common house colors like white and brown. It seems like an identity thief could easily just get lucky trying to guess that one, regardless of whether I used the real color of our house.

Yes, it was United Airlines, and it made me especially stabby. What adult has a “favorite sea animal?”

Anyway, I finally decided to merely choose a letter of the alphabet. Every correct answer would be the one that started with or came first after F. Seemed to work, but if they rotate new answers into the list the way my bank does with security questions, I’m screwed.

Where are you people finding sites that allow the same answer to each security question???

I have never come across a site that allowed this.

Manatee. Only losers choose dolphin.

You guys make this way too difficult.

First, remember this is just security theater, just like at the airport. Cyber-thieves aren’t likely to hack into your account through the log-in page; it’s too much trouble for too little reward. They are going to go in some other way. The reason these things exist is that the people who run the sites have to have something in place to address all the people who want to complain on how lax their security is.

So, don’t worry about having answers that are difficult to guess or be able to find out. Unless you are a VIP, nobody cares. Keep it simple.

I use all lower case (I’m not sure it matters, but I do it that way, anyway). I answer the question as simply as I can. If I was Dangerosa and the question was what city were you born, it would be st. paul, not saint paul, and not st paul. All lower case, and st. paul is how it appears on maps and just about everywhere else you see it in print. Don’t include the state (the question was city). When you choose an answer, don’t go looking for ways to get it wrong, look for ways to get it right, first time, every time.

If your first car was a VW Bug, for the model of your first car use beetle. All lower case. VW is the make, not the model. Bug is a nickname for the model, the model name is beetle. Simple.

I’ve noticed that some financial institutions have started asking me questions, based on their records for me. For example, they will ask me to choose a former make and model of a car I owned at one time. Their list will include 6 or 7 popular cars with a “none of the above” choice. Perhaps former house numbers, or street names. After two or three of these (particularly if they are answered quickly) they can be pretty sure I’m me. Perhaps it gives me a little more confidence, but I suspect I am more at risk of losing my money by hidden fees, them signing me up for fictional accounts, being hacked from the inside by Russians, or a dozen other ways than someone hacking my login.

I used to agonize over the issues brought up by many in this thread, until I decided it was just for show, anyway, and to just keep it simple. You can make them complex, but simple is easier. And, yes, if you like pepperoni pizza, then pepperoni is a fine answer to your favorite pizza topping.

You have a more consistent and orderly mind than I do. Because to me, it’s a coin flip on whether I write St Paul or St. Paul (I would seldom write Saint Paul - although that is the way I usually see it living here - that is what is on most of the official signage, my water bill, the school district logo - officially it’s usually spelled out). And I would never write st paul, st. paul or saint paul - it’s a proper noun.

Like a lot of other people here, I use LastPass now, and so haven’t needed to break into an account with security questions for years. But I DO find them ambiguous. And to some extent classist and racist as well.

We have no real idea about where my son was born, he was adopted and born in Korea…name of the city you were born in is not a great question for everyone. Because I kept my maiden name, mother’s maiden name is a not at all secure question for him - there are a LOT of cultural assumptions packed into those questions.

I have, which makes the situation more dangerous than if none of them did. Because many do, I was doing the “same answer to all security questions” trick that others have mentioned. Bad idea! Sooner or later you will get one of those sites that won’t let you do that.

Twenty-three months later… “Oh shit, was this that one that wouldn’t let me put the same answer to each question? Or is this one of the ones where I put my default answer? If it didn’t let me put the same answer I usually give, WTF did I put?”

Christ, I’ve never even been to St Paul. :frowning:

I think this is a fine solution. I’ve found that spelling my names backward (first, middle and/or last) is not only easy to remember, but contains a sequence of letters random generators don’t usually think of.

For extra security, throw in some digits from your phone number or a @# or two.

Almost any scheme that anyone offers for making passwords out of things that are familiar to you is bad advice.

This is still making it way harder than it needs to be. He just has to pick something that is memorable to him, even if that memorability is merely that it’s his answer to “What is your mother’s maiden name?”.

Recording questions and their answers in a password manager is a fine idea, though password managers are not guaranteed secure either and a breach in security of such managers means you have effectively committed the sin of using the same password everywhere.

The only thing I hate worse are those security prompts that give you 10 images and tell you “Pick whichever image has a road in it” and then one of the images is the Golden Gate Bridge. Is a bridge that handles vehicle traffic considered a road?

CAPTCHAs.

Hate 'em.

Pick the ones with cars. “Car” means what? (The same company also has you pick vehicles sometimes.) Also, is that bit of something sticking out behind a tree a car bumper or what? Many have very long views down an apparently empty highway. Maybe that dot far away is a car. And on and on.

Oh, and “street signs”. Are painted yellow arrows on a pole a “sign” or not? Is a sign on a store front a “street” sign or not? There are things with possibly foreign script on them. I don’t know all the scripts in the world. Is that a “sign”? And even more on and on.

Mrs. FtG is really bad at these so she tries to do the audio ones. And those are even worse and she ends up locked out.

Really stupidly done.

Portuguese Man o’ War. Only posers choose [del]mammals[/del] chordates.