Oh yeah. Always record your answers to those.
Or always use e.g. “Abcd” as your answer to every question on every site. But some sites check that you have different answers to their various BS questions.
There’s the newish trend where they (usually financial institutions IME) ask you questions about your past, that you never actually told them. Like they give you a list of cars and ask which one you owned once upon a time. Which is OK, except that I’ve been asked more than once about ex-spouses of relatives, and where they live now. Which is ridiculous, for multiple reasons - I may not recognize their post-divorce name, I tend not to keep track of other people’s ex-spouses, and what if the divorce was particularly horrible? One time, once I got through, I told the CSR politely but firmly that I don’t appreciate security questions about my brother’s ex-wife who cheated on him for years, and if I’m asked about her again I’ll be closing my account immediately.
I’ve also had systems that will have a person ask you security questions on the phone but then enter them with a keyboard in order to verify, and the system requires that part to be exact.
In a way, it prevents the CSR from knowing the answer to the question and thus inadvertently revealing it through social engineering, or from looking at it at other times, if the answer is always only “yes this matched” or “no this didn’t match.”
I think but am not 100% sure that I ran into this once when I answered a question and they said the answer didn’t match when it did. I’m not 100% sure because I did not write it down. But it is an answer that could be spelled multiple ways. The next time I called, I made sure to tell them how to spell it and it worked. (The previous time, they went ahead anyway even though I didn’t give them the right answer! I think it is because I answered the previous two correctly.)
That’s an interesting 3rd party system where neither the e.g. bank, nor the worker, know any of that. They just get back a yes or no from the 3rd party identity verification supplier.
Problem is it works very badly on people w simple lives. So they end up scraping the barrel looking for anything on the person & come up with your next door neighbor’s father’s ex-spouse’s dog’s illegitimate puppies’ names.
Have you owned a dozen cars & houses & businesses? They’ve got lots of simple emotionally neutral questions to ask. Not? Not.
I got asked where a cousin of mine lived that I haven’t seen since we were both 6 years old and lived next door.
Yeah, it’s all coming out of public databases, so they’re linking me to my brother because we shared an address, then him to his ex because they shared an address. But it still sucks and hopefully they’re getting some feedback about how annoying it is.
I’ve been locked out of my credit reports for ages because their verification questions are all places I never lived, but the addresses of relatives where I had mail forwarded twenty years ago. I can’t possibly guess what information they have, and it’s not anyplace I ever lived.
UGH! My electric toothbrush, hairdryer, and curling iron all have this same handy feature.
Another login-related one: Over the weekend, I was helping my mom activate her new credit card, for which she had to create an online account with the bank. At one point, it asked for a username for the account, and of course I put in her email address as the name, as one does.
It didn’t work. At first I thought that the problem would be that usernames can’t contain an @, as is sometimes the case, and was about to fall back on just the part before the @. But no. Usernames were not allowed to contain the user’s first or last name.
The bank does know what a username is, right? They’re supposed to be easy to tie to the person. That’s not where the security is supposed to come from.
My bank required my username to have a digit in it. That’s really stupid.
One of the banks I used to work with required a long/complex password, that had to be changed every 60 or 90 days. That, on its own, had me calling in regularly because I couldn’t remember it and I’d lock myself out. One of the million times I called, I mentioned that I only typed it wrong once before I was locked out and the tech support person mentioned that the system locks you out after three wrong attempts…not three consecutive wrong attempts, just three wrong attempts, period. Myself and the other person that had access to those accounts used to joke about how far we’d wandered from our base passwords. After dozens of iterations Bicycle1234$ had morphed to Bikes8989$$$ or something like that. And the even stupider part is, and I mentioned this to them a number of times, that making us change our passwords this often means there’s no possible way we can remember them and they inevitably end up having to get written down.
Then multiply all of this by two, since I had a personal account with this bank as well.
And then there’s the bill payment portal that Dr Pepper uses. Your password has to be changed every three(?) months. When it’s time to do that, after logging in, it sends a “One Time Password” to your email that you have to type in. Not generally a big deal, but when that One Time Password is pT3Yg_$z89, for the love of god, don’t disable the ability to cut and paste it. Memorizing a few characters, then going to the page to type them in, then going back to the email to memorize a few more and so on is really obnoxious and it’s not helped by the fact that they also hide what’s being typed. Making it harder to enter a One Time Password doesn’t make the site any more secure, it just makes it more frustrating to deal with. Every time I go through this, I tell myself I should just go back to mailing them a check.
I have one. Stupid websites that insist on emailing a password or two-factor authentication that expire in a ridiculously short period of time (like 5 or 10 minutes).
Email was never intended to be delivered instantly. It was intended to be asynchronous communication that goes through a variable number of intermediaries. Sometimes I get emails quickly, and sometimes they take 15 minutes or longer.
But when the password or code has expired before I get it, it gets extremely frustrating. Especially if you make the mistake of requesting a second code, finally getting the first code, then being told it doesn’t match or has expired.
Even worse is if the website will not let me proceed otherwise. I tried to book a last-minute train on Amtrak once, and was unable to create an account using my normal email address. I finally gave up and switched to a GMail account, but by the time I got through, the train was full and sold out.
Can anybody tell me what the fuck this is about? How is security increased by not allowing me to copy/paste my account number or password?
I’ve run into this with the Hilton app. I had to enter my confirmation number on another app but couldn’t cut and paste my reservation number. I had to memorize 4 digits at a time and then go back and forth between tabs. And to add insult to injury, that’s the only time I’ve actually had to use my confirmation number, every other time in my life, from any hotel brand, my name and credit card have been enough. And when I needed to use it it was a pain.
The no-pasting is meant to defeat bots that rely on pasting as their method to fill out the form. Definitely a defense rooted in the bots of the early 2000s, not the ones of the late 2020s.
I had similar, with the even worse ‘feature’ that when toggling between apps on my cell phone, whatever coding was displaying the long string of confirmation code numbers would irretrievably vanish when I toggled back to read the next sequence of numbers. I was able to screenshot it (after much cursing and re-requesting new codes), and then toggle between my card site and the screenshot gallery folder, but holy hell!
Regarding the disabling of copy/paste: I just found this extension and installed it. We’ll see how it goes.
Thanks for the suggestion. I’ve just gotten it too.
FYI … it’s available from the Google Chrome webstore at Don’t F*** With Paste - Chrome Web Store. And works in both Chrome & Microsoft Edge.
It’s been a while since the last time I hit a website with the no-paste feature. But of course when I do, it was/is attached to a password field. All my passwords come from my password manager and are long gibberish. Not easy to keystroke at all. Dumb bastards.
I’ll have to try that (or rather see if there’s a similar Firefox extension). I have a few other sites I use that also disable pasting your password and some that don’t work with Bitwarden either. I wonder if an app that re-enables pasting might fix the Bitwarden issue as well. The disabled pasting and the non-working Bitwarden issues, I think, are independent of each other, but there are some sites where neither works, I’m curious if it would at least fix those ones.
I’m not sure if you meant to grab the One Time Password part of my post, but I’m guessing in that case, the reason you can’t paste the OTP is because they disabled pasting for the regular password and it carried over to this field as well.
This reminds me of another site. Clover, as in the credit card machines you see all over the place now. I have the Clover Dashboard webpage logged in and on my monitor 100% of the time I’m at work since it tells me what’s going on in the store (at least regarding what’s been sold) in semi-real time. However, it automatically logs me off any time there’s no activity for 15 minutes. So when I go to glance at it after more than 15 minutes, I have to log back in then navigate back to the page I like being displayed. That got really old really fast. What I ended up doing is finding a Firefox extension that refreshes tabs every X minutes. Now I log into that page in the morning and set it to refresh every 14 minutes. That comes with some other problems, but they’re not as obnoxious as having to log in 20 times a day.
Also, now I’m able to have tabs automatically refresh at whatever interval I want them to, which comes in really handy. It’s especially nice for things like keeping a tracking (eg UPS, Amazon) page current or if you’re waiting for something on MyChart (eg test results, prescription) or really any time you’re sitting there refreshing a web page over and over. It’s also helpful for sites that take a long time to refresh since any time you glance at the page you know it’s no more than X minutes old.

Download Tab Reloader (page auto refresh) for Firefox. An easy-to-use tab reloader with custom reloading time settings for individual tabs
However, it automatically logs me off any time there’s no activity for 15 minutes.
The Amex website logs users out after 5 minutes. I may get an extension for it, but I only use the website once a month or so.