Why can't I make up my own security questions (and answers, of course)?

From someone in IT Security.
There are rules for complex passwords. They have to be a certain length, contain upper case, lower case, numbers, special characters, etc. Nobody could come up with my password.
But, then there is the security question that is a regular word that might be available on social media.
My answer to “Who was your first crush?” is Jsad7sjsadfascrush, replacing Jsad7sjsadfas with a “word” that only I know and something that nobody could figure out.

I don’t understand what you are saying here. What word ( or “word”) do you replace that string of gibberish with? Why is that word easier for you to remember than the name of your first crush?

It’s not easier, it’s more secure.

I still don’t get the process that Author_Balk is trying to describe. The string of gibberish is more secure than the name of a girl, so why does he have to substitute some other word (or other “word” whatever that means) for it?

Seems to me that cousin Melvin’s last name is entirely unambiguous, easily remembered and difficult for someone not related to cousin Melvin to guess at.

Not that this is strictly related to my original question, but it’s further vexing that many sites do not let you see your password as you type it, thus making typos probable, and many of them automatically change the first letter from a lower-case letter to the upper case.

This just happened to me. I was shut out of a financial account and had to phone them. The nice guy asked me the ‘usual’ security questions and I had no idea what I had put on the original application some ten years ago.

  • My best friend’s name.
  • My address when I was 10

and some others I forget. They are going to write to me with a temporary password which is fine. A good job I didn’t move since then.

Heh. If you’d seen the junker that was my first car, you’d know why I’d have a problem with the color question.

Possible true answers:

  • Green, mostly
  • Which part?
  • Rust
  • Primer

Variegated would work. Except maybe ‘motley’ was what occurred to me the day I answered the question?

Yeah.

I stick to a modification of the ‘Godzilla’ method. Pick any random, uncommon word to use as your standard answer followed by a hyphen and then the last word of the question. Unless they reword their security questions I’m set.

That works online. What about on the phone:
“What was your mother’s maiden name?”
“Inconsolable hyphen name.”

All you people who are talking about forgetting the security answers are missing the point.

Write them down!

Now, I know that the security “experts” say not to do that. They also miss the point. Writing them down is far more secure than trying to remember stuff like that for years on end.

No, the problem there is that most sites use three questions and they require you to provide different answers for all three. And there’s no guarantee that you’ll be asked the questions in the order that they appear.

The more I think of this, the easier it becomes for me to generate perfectly unambiguous, secure, impossible-to-guess but easy-to-remember answers if I can provide the questions.

All you need do is think of something you did in the past that was unusual. Say you visited a foreign destination on one trip only, so something about it will stick in your mind. In my case, that might be “What is the middle name of the adult you travelled to Amsterdam with in 1994?” Or maybe you have a prominent piece of art, or a photograph in your house for years? “Who is in between you and Linda in the photograph on the living room wall?” Or maybe you spent a few years writing a novel that was never published? “What’s the first name of the protagonist in TITLE OF NOVEL?”

I dunno. Is that Fred? Alfred? Uncle Freddy?

Agreed @kenobi_65. I just started a new job with so much 2 factor authentication (2 IT systems, payroll, and at least one more that used questions rather than 2FA) and the security questions drove me nuts. I had to pick at least 6 of these. Many of the questions seemed “normative” in some way. What if I don’t know my mother’s maiden name, or my father’s middle name? Which father? My father’s mother’s maiden name, do I use the one she had in Europe or the one on her passport, which was forged as she fled a war-torn area? What if I never drove a car? Or went to a prom? What if I don’t have a high school, I was home schooled? And my first crush, what if this person later did something so horrible to me that I don’t want to ever think about them again? These questions kind of assume that everyone had a happy and stable childhood.

Well, yes, puzzlegal, for YOU that is an ambiguous question. For me, it’s a very simple name that has only one spelling. But do you have artwork on display in your house? If it’s a still-life, what color are the flowers? If that’s ambiguous, then think of a different piece of art, or a different unique trip you’ve taken. The point is EVERYONE has some experience in their lives that has a highly memorable, distinct, unambiguous fact that they can easily associate with it.

I’m going to give away a big secret and compromise the security of my accounts. I just enter the last three words in the question, complete with punctuation. So, the answer to “What is the first sports event you attended?” is “event you attended?” Very easy to answer the questions when needed.

I had to start doing this because I found that I could not select three security questions to which I had actual answers. It must be very difficult to create security questions that do not (in my actual life) have any reasonable, possible answers. But somehow they manage to do it.

This is a pretty contemptible answer. For whose benefit do the security questions exist? Your answer seems to be “The people asking the questions, of course.” What the fuck should I care about how difficult it is for them to store my questions? If I can invent a better (MUCH better!) system than the “experts” can, why is it my concern that their system has awful flaws that they are insisting that I use?

“Are you by chance related to the Dusseldorf Inconsolable hyphen names?”

Did you ever invent an unusual recipe? Name the key ingredient.

Did you ever have your picture published? Name that newspaper.

Did your daughter ever get married? What is her husband’s name?

Do you have a prominent birthmark? Where is it on your body?

DId you share an office at some memorable job? What’s that person’s [most unambiguous first or last] name?

It’s endless, literally, the number of secure, unambiguous, unguessable answers each of us can devise, if we were allowed to invent the questions.

Storing the question with the answer is an extremely minor nuisance. Hell, off the top of my head I’d have them in the same table, which is minorly easier than having to link the standard question to a particular answer. And forgetting the answer to “what is the make of your first car” is no more of a problem for the company than forgetting the answer to “how many fingers did grandpa Art lose to a wood-chipper?”.
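As an added example (not code from anyone in this thread), here is one way a site could keep user-written questions in the same table as the answers, as the post above suggests, while still answering the earlier objection that the questions may be asked in any order: each row holds the question text beside a salted hash of the normalized answer, and verification checks every row regardless of order. The user name, questions and answers are constructed placeholders.

```python
import hashlib
import hmac
import os
import unicodedata

# One row per (user, question): the user-written question text sits beside the
# salted hash of the normalized answer, so custom questions cost nothing extra.
_table: dict[str, list[dict]] = {}

def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Jones ' and 'jones' compare equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())

def _digest(answer: str, salt: bytes) -> bytes:
    # A slow hash keeps a leaked table from revealing short answers cheaply.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

def enroll(user: str, pairs: list[tuple[str, str]]) -> int:
    """Store user-invented (question, answer) pairs; returns the number stored."""
    rows = []
    for question, answer in pairs:
        salt = os.urandom(16)
        rows.append({"q": question, "salt": salt, "h": _digest(answer, salt)})
    _table[user] = rows
    return len(rows)

def questions(user: str) -> list[str]:
    """The prompts to show; only the question text ever leaves the server."""
    return [row["q"] for row in _table.get(user, [])]

def verify(user: str, answers: dict[str, str]) -> bool:
    """Every stored question must be answered correctly, in any order."""
    rows = _table.get(user)
    if not rows or set(answers) != {row["q"] for row in rows}:
        return False
    ok = True
    for row in rows:
        # Check every row so timing does not reveal which answer was wrong.
        ok &= hmac.compare_digest(_digest(answers[row["q"]], row["salt"]), row["h"])
    return ok
```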

As I, and several others, have noted, security questions are slowly getting phased out, and yes, it’s because they suck. Companies that invest wisely in their IT infrastructure have also realized the flaws, and gotten rid of security questions. So, the identity management industry isn’t “just chugging on” with security questions.

As has been noted, two-factor/multi-factor authentication (typically that six-digit code which is texted or emailed to you) has often been adopted, while some companies use systems like biometrics (facial recognition, thumbprints) or physical electronic tokens for verification (though those are more typically used for verifying identities of employees, not consumers).

The issue is that not every company has cared to invest in updating their systems, and not every company has an IT or security department which is well-versed in the state of the art in identity management. And, thus, we, as consumers, still run up against companies that still use lousy systems like security questions.

Taking their own sweet time to do it, too, aren’t they? Part of my issue here is the enormous time I’ve been noticing this problem, and the lack of responsiveness to complaints such as mine. I assume they’ve been aware of the problem(s) for longer than I have, yet–[crickets]. I classify their response under “Your phone call is very important to us.” Lip service, in other words.

And please notice that while you are at least willing to acknowledge the validity of the complaint, there are those offering their weak yet belligerent excuses for the problem. “Oh, it’s so haaaaaaaaaard for us to get off our butts and do something, you mean people don’t understand all the nuisances we poor IT clowns are facing!!!”