Website "security" questions with no add-your-own-question option

You’ve got to be fucking kidding me. Adding an open text field to allow me to enter something other than what’s easily found via the Internet isn’t that hard. Security theatre of the unsecure.

I can easily find the city I was born in or the make and model of the first car I had on the internet, but I really doubt anyone would know I had any connection to them.

It’s a valid point though. We’re not supposed to use the same password in different places, so we shouldn’t be constrained to use the same security verification questions all over the place.

I’ve been asked for my mother’s maiden name so many times and places, I can’t seriously consider it an even slightly secure piece of information any more.

Yeah, Mangetout, I see your point. But, for instance, you could always put in different names on the maiden name question on different sites. How are they going to know? I think web sites use the same ones to retain a level of consistency for the users who aren’t tech savvy or don’t want to spend a lot of time making up a question.

It doesn’t even have to be wrong names. If the site is at all important (e.g. bank), I’m using those security questions as another password field and putting in the same scramble of alphanumeric and special characters as I would for a password. Sure, I don’t automatically remember it, but I’m using a password manager for all the different accounts I have anyway and this just becomes one more item in the list.

Sallie Mae, the education loan people, ask “what is your grandmothers maiden name?” No apostrophe (hey, we’re only in the business of education), but what really bothers me is that on the rare occasion I have to answer the question, I can never remember which grandmother I chose: like all humans, I have a maternal and a paternal grandmother, and like most people, they had different names.

It boggles me that people would actually do this - it’s like making up two passwords for each site. :eek:

This one site I went to a few weeks ago had security questions that either (a) did not apply to me, or (b) were so vague I couldn’t even begin to remember. The idea of creating our own security question+answer is a good one.

The person who wrote that was Faye Dunaway’s kid from Chinatown, I bet.

:smack: Good idea. Much better than petulantly answering “what was your childhood nickname?” Fuckyou; “what was your grammar school?” Fuckyouelementary and so on. Habit changes today.

I think the favorite one I’ve seen was:

Yeah, that helps, guys.

My aunt always puts the name of her Shar Pei in the “what was the name of your first pet?” even though he wasn’t the first or last pet she’s owned, just the most memorable. A lot of the security questions ask for more than three letter answers, but that’s not going to work if the answer only has three letters, say Jon or May for example.

Well, you could, but then you’ve just got to remember what you put there, with no meaningful prompt. The whole point of security questions is that they’re meant to be triggers to something you already remember - and thus useful for retrieving accounts when you’ve forgotten the password you just made up.

Probably, but that’s like saying people should leave the door key under the mat if they don’t fancy carrying it around. It’s supposed to be a security measure.

I just use the same easy-to-remember word for everything across all websites. For example…

What is your mother’s maiden name?
wallaby
What town were you born in?
wallaby
What is your favorite color?
wallaby

…and so on. I’ve only come across one site so far (damn you HR Block!) that annoyingly rejects duplicates.

I got really mad at a security question interface once because it refused to recognize my best friend’s name as a valid answer to “What is your best friend’s last name?” I was like “I’ve had the same best friend for 15 years! How could it be anything else?! Fuck, is he mad at me or something?”

I’ve never seen a security question my brother couldn’t answer. What about someone who has a lying, stealing leech for a brother? I can make up a security question that no one but me could answer, but that I could answer in my sleep. Why can’t I use it?

I can neither spell nor pronounce the maiden names of either of my grandmothers.

Since I save all my passwords in a password program, I’ve started treating my answers to security questions as extra passwords: I make up random answers and write down those answers too.
e.g.
What is your Mother’s maiden name?
A: Q1aSU4KasZkPEm5qW1ojmVxPMPyUK9
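
The practice described in the post above, and in the earlier post about using security answers as another password field, as an added example that is not part of the thread: one distinct random answer per question, collected in a record to save in a password manager. The function names, the `bank.example` site name and the 16-character floor are assumptions made for this sketch.

```python
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits


def random_answer(length=30, alphabet=ALPHANUMERIC):
    """Return a random answer drawn from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answers_for_site(site, questions, length=30, alphabet=ALPHANUMERIC):
    """Build one password-manager record: a distinct random answer per question.

    Answers are never derived from the question or the site name, so an
    answer leaked from one site reveals nothing about another.
    """
    if length < 16:  # assumed floor for this sketch, not a standard
        raise ValueError("answer too short to serve as a password-grade secret")
    record = {"site": site, "answers": {}}
    used = set()
    for question in questions:
        answer = random_answer(length, alphabet)
        # Some sites reject duplicate answers; a collision is astronomically
        # unlikely at this length, but the loop makes the guarantee explicit.
        while answer in used:
            answer = random_answer(length, alphabet)
        used.add(answer)
        record["answers"][question] = answer
    return record


if __name__ == "__main__":
    # Constructed sample input: the site name is a placeholder.
    sample = answers_for_site(
        "bank.example",
        ["What is your mother's maiden name?", "What town were you born in?"],
    )
    for q, a in sample["answers"].items():
        print(f"{q}\n  A: {a}")
```
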

Hmmm, wonder if they’d notice that my mom’s name used to be “Sally VanVisa” on my cc site, and “Sally VanDope”, “Sally VanHoldem” and “Sally VanDigimonPron” on others…

Anybody who knows how my mind works could answer all my online security questions*. Knowing actual data on me (city I was born, high school I graduated from) would be useless.

What was my first car? Batmobile.

Favorite teacher? Doctor Strangelove.

Childhood pet? Krypto.
OTTOMH, I can’t think of any place online that requires a security question of me that actually matters. I don’t bank online. I don’t belong to a data back up site. I think Yahoo mail, Facebook and the rest don’t qualify as important.

The fraudsters trying to steal your personal information certainly give you the ‘roll your own’ option in their phishing pages. Another example of how the web app pipeline of the underbelly is often better than at many legit companies…