Answers to Security Questions

Although this is slightly off-topic, we recently had a financial account moved to a new "improved" service and were appalled to find out that this supposedly state-of-the-art financial service provider only allows passwords consisting of the digits 0-9. OMG!
 
Although this is slightly off-topic, we recently had a financial account moved to a new "improved" service and were appalled to find out that this supposedly state-of-the-art financial service provider only allows passwords consisting of the digits 0-9. OMG!

That's pretty astounding. Hope it's allowed to be more than one digit long! :)
 
Although this is slightly off-topic, we recently had a financial account moved to a new "improved" service and were appalled to find out that this supposedly state-of-the-art financial service provider only allows passwords consisting of the digits 0-9. OMG!

This is what has driven me crazy over the years. I try to use similar usernames and passwords for the many places I log into. But they have so many different rules for both items that I often forget some of them, especially if I log into them rarely. This also happened at my old job which had unsynchronized usernames and passwords for the two systems I had to sign into. Sometimes they would be the same, then one would change a month later so I would have two different ones for a little while before they would synch up again. Very annoying.
 
This is what has driven me crazy over the years. I try to use similar usernames and passwords for the many places I log into. But they have so many different rules for both items that I often forget some of them, especially if I log into them rarely. This also happened at my old job which had unsynchronized usernames and passwords for the two systems I had to sign into. Sometimes they would be the same, then one would change a month later so I would have two different ones for a little while before they would synch up again. Very annoying.

No way could I keep the various rules straight in my mind. That's why I just rely on a random password generator that allows for choosing password lengths, and types like special characters or not.
 
I have three levels of passwords. I use one password for any accounts that I really don't care much about if someone broke into them. I have a slightly better one for those accounts that I would prefer not be broken into, but if it happened it would not be the end of the world. For the critical accounts, I have a more complicated scheme that is unique to each account but has a common pattern that I can easily remember.

Since I don't do social media it would be difficult to research the answers to my security questions (like first car, HS mascot, etc).
 
I have three levels of passwords. I use one password for any accounts that I really don't care much about if someone broke into them. I have a slightly better one for those accounts that I would prefer not be broken into, but if it happened it would not be the end of the world. For the critical accounts, I have a more complicated scheme that is unique to each account but has a common pattern that I can easily remember.

Since I don't do social media it would be difficult to research the answers to my security questions (like first car, HS mascot, etc).

I do much the same. Technically, good practice is a different password for every site, and a combo of upper and lowercase, numbers, letters, and symbols.

I have my "standards" as above, and now add the website in an abbreviated consistent way to the standards: i.e. "ear" in front or in back of my passwords, where ear is for the Early Retirement site. A password manager nowadays is a must in my opinion, and if something happens to me and family knows where to find my password manager password, they can get to the other sites.
 
I use KeePass for userids, passwords and security questions. I never use the same userid (unless they require my email address which I hate), password or answer to a security question.

What hospital were you born in?
Blue2 4X treecorn

What is your mother's maiden name?
66 excavator 18T

What was your 1st pet's name?
Altogether42 airplane 29$$

No problems with those security questions here.
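The approach in this post, treating each security answer as one more random secret that lives in the password manager, can be scripted. The following is an added example, not code from the post or from KeePass; the word list is constructed for the example and deliberately short, and the answer shape ("Word12 word 34!") and the vault record layout are this example's own choices. It draws every component from `secrets` so the answer has no connection to the question, the site or the user, and it reports how many bits of entropy the shape carries so the reader can see why a real generator needs a word list of thousands of entries.

```python
import math
import secrets
import string

# Constructed word list for this example only; a real generator would use a
# list of several thousand words so each answer carries far more entropy.
WORDS = ["airplane", "excavator", "lantern", "meadow", "copper", "violet",
         "harbor", "glacier", "pepper", "tunnel", "walnut", "saddle",
         "marble", "thimble", "orchard", "cinder"]
SYMBOLS = "!$%&*"


def random_answer(words=WORDS, n_digits=2):
    """One answer shaped like the ones in the post ('Marble42 tunnel 29$'):
    capitalised word, digits, word, digits, symbol. Every component comes from
    the secrets module (CSPRNG), never from random.choice, so the answer is
    unguessable and unrelated to the question being 'answered'. Words are used
    instead of pure noise so the answer can be read aloud to a call centre."""
    first = secrets.choice(words).capitalize()
    second = secrets.choice(words)
    num1 = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    num2 = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    sym = secrets.choice(SYMBOLS)
    return f"{first}{num1} {second} {num2}{sym}"


def answer_entropy_bits(n_words, n_digits=2, n_symbols=len(SYMBOLS)):
    """Bits of entropy in random_answer's output, counting only the random
    choices: two words, two digit groups and one symbol."""
    return math.log2(n_words ** 2 * 10 ** (2 * n_digits) * n_symbols)


def manager_entry(site, username, password, questions):
    """A vault record (hypothetical layout) holding a distinct random answer
    for every question a site asks. Generating answers per site means that a
    breach at one site leaks nothing that works as an answer anywhere else."""
    return {
        "site": site,
        "username": username,
        "password": password,
        "answers": {q: random_answer() for q in questions},
    }


if __name__ == "__main__":
    entry = manager_entry("bank.example", "u-7f3a2", "(generated elsewhere)",
                          ["What hospital were you born in?",
                           "What is your mother's maiden name?",
                           "What was your 1st pet's name?"])
    for q, a in entry["answers"].items():
        print(f"{q}\n  {a}")
    print(f"entropy with {len(WORDS)} words: {answer_entropy_bits(len(WORDS)):.1f} bits")
    print(f"entropy with a 7776-word list: {answer_entropy_bits(7776):.1f} bits")
```

With the 16-word list above an answer carries about 24 bits, which is only adequate because sites rate-limit recovery attempts; with a 7776-word list the same shape reaches about 41 bits. The answers are stored, not memorised, which is the point the post makes: once they are random, the vault is the only place they can live.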
 
Does anyone see any problems with that?

You have to see the security question for what it is: a second password.

Since I already have one, I just put in a very long random string of characters and spaces that are garbage and do not write it down. So I'm SOL if I forget my first password.

If you can't remember your first password, why on earth would you remember a second one that you use much less frequently?

And before you say: I write it down. Well, write down your first password then. It's just as safe.

Security questions are utterly useless and should be removed from the planet.
 
Security questions are utterly useless and should be removed from the planet.

Perhaps you misunderstand (or maybe I do).
If you forget your password, those security questions can help you recover or reset it fairly easily. But if you don't know the answers to the security questions, you will probably be in for a major hassle if you ever need to get your password reset.
 
Perhaps you misunderstand (or maybe I do).
If you forget your password, those security questions can help you recover or reset it fairly easily. But if you don't know the answers to the security questions, you will probably be in for a major hassle if you ever need to get your password reset.

I understand that.

What I'm trying to say is that a security question and its answer are nothing other than a second password. Getting the right answer gives you access to your account, either by resetting the password or recovering it.

Here's the dilemma: if you make it easy to guess, you open an easy way for someone to break into your account. If you make it hard to guess, you need to remember it just like you need to remember your first password.

There is no distinction between a password and a security question/answer challenge. The best solution is to not forget your first password in the first place. And if you do forget, recover your password via another route (as you would do if no security question/answer exists). All sites have that option.

Not sure I'm explaining it well (it's late here). I'll try again maybe later this week :)

Long story short: any security expert in IT will tell you that security questions are not a good thing. Especially standardized questions.
 
OK, I understand now what you're saying.
But I have often been faced with a situation where my password isn't good enough because I'm trying to login from a different machine.

In those cases, I'm asked a security question and I can easily get in.

As long as I:
a. use a password manager
b. don't use standard answers to security questions
I think I'm in good shape.
 
...
Not sure I'm explaining it well (it's late here). I'll try again maybe later this week :)

Long story short: any security expert in IT will tell you that security questions are not a good thing. Especially standardized questions.

I think there are two cases -

1) As braumeister just mentioned - you are asked for a security Q/A in addition to the correct password. Because you are logging in from a different IP and/or different computer w/o a cookie (I was going nuts with this when I was trying out different browsers for a while).

2) They ask the security questions in place of the correct password - this can be a real issue as you point out. It really makes the password pretty meaningless, and the security Q/A effectively becomes the only real 'test'.

However, for case 2, it seems that usually means that a new password goes to the email of record. So unless the bad guy has your email as well, it is still reasonably secure... I think?

So a follow up to this is - does everyone have really strong passwords on their email? I think that is critical.

-ERD50
 
I understand that.

What I'm trying to say is that a security question and its answer are nothing other than a second password. Getting the right answer gives you access to your account, either by resetting the password or recovering it.

Here's the dilemma: if you make it easy to guess, you open an easy way for someone to break into your account. If you make it hard to guess, you need to remember it just like you need to remember your first password.

There is no distinction between a password and a security question/answer challenge. The best solution is to not forget your first password in the first place. And if you do forget, recover your password via another route (as you would do if no security question/answer exists). All sites have that option.

Not sure I'm explaining it well (it's late here). I'll try again maybe later this week :)

Long story short: any security expert in IT will tell you that security questions are not a good thing. Especially standardized questions.

No no no, you are wrong. I am asked security questions when I call financial institutions. And you want long complex userids, passwords and meaningless answers to security questions for each place because they are long complex and meaningless! That's why you should use some form of password safe, you never need to know any of them whether you have 2 or 200. All you need to remember is the long complex password to the safe, make it a phrase with dates or addresses like

"I used to live @ 121 Garden St but on 1/13/1998 I moved to 75 Grove St!"

which becomes Iutl@121GSbo1/13/1998Imt75GS!

Yeah that's a crazy thing to remember but to you it really means something so it is easy peasy lemon squeezy for you to recall.
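The phrase-to-password rule in this post can be written down precisely, which also makes the next reply's objection (small wording changes give a different password) easy to see. This is an added example, not code from the post; the rule it applies is inferred from the single example above: tokens that contain a digit or no letters at all (street numbers, dates, "@") are kept whole, every other word is reduced to its first letter, and trailing punctuation such as "!" is kept.

```python
import string


def abbreviate_phrase(phrase):
    """Compress a memorable sentence the way the post does:
    'I used to live @ 121 Garden St ...' -> 'Iutl@121GS...'.
    Rule (inferred from the post's one example): keep a token whole if it has
    a digit or no letters; otherwise keep its first letter plus any trailing
    punctuation."""
    out = []
    for token in phrase.split():
        core = token.rstrip(string.punctuation)   # 'St!' -> 'St', tail '!'
        tail = token[len(core):]
        has_letter = any(c.isalpha() for c in core)
        has_digit = any(c.isdigit() for c in core)
        if not core or not has_letter or has_digit:
            out.append(token)            # '@', '121', '1/13/1998' stay whole
        else:
            out.append(core[0] + tail)   # 'Garden' -> 'G', 'St!' -> 'S!'
    return "".join(out)


def distinct_passwords(phrases):
    """How many different passwords a set of near-identical phrasings yields;
    every wording variant the user might misremember is a separate password."""
    return {abbreviate_phrase(p) for p in phrases}


if __name__ == "__main__":
    original = "I used to live @ 121 Garden St but on 1/13/1998 I moved to 75 Grove St!"
    print(abbreviate_phrase(original))
    # Constructed variants of the same memory, as the next reply describes.
    variants = [
        original,
        "I used to live @ 121 Garden St but on 1/13/98 I moved to 75 Grove St!",
        "I lived at 121 Garden St but I moved on 1/13/1998 to 75 Grove St!",
    ]
    for pw in sorted(distinct_passwords(variants)):
        print(pw)
```

Running it on the post's sentence gives exactly the password shown above; feeding in the wording variants shows that each one produces a different string, which is the recall problem the following reply raises.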
 
No way could I keep the various rules straight in my mind. That's why I just rely on a random password generator that allows for choosing password lengths, and types like special characters or not.

I want to do that, but I always wonder if there will be some situation in which I'm away from my computer, and need to remember the password. That would be frustrating, but it's pretty unlikely.
 
make it a phrase with dates or addresses like

"I used to live @ 121 Garden St but on 1/13/1998 I moved to 75 Grove St!"

which becomes Iutl@121GSbo1/13/1998Imt75GS!

Yeah that's a crazy thing to remember but to you it really means something so it is easy peasy lemon squeezy for you to recall.

I wouldn't go as far as lemon squeezy. I would probably be thinking:

Was it 01/13/1998 or 1/13/98? Did I use Mountain View Street or Mountainview Street? Was it "I used to live" or was it "I lived at"? Was it "but on 1/13/1998" or "but I moved on 1/13/1998"? Was it, "I used to have a parakeet but now I have a tarantula"?

Once I used a system like that, but there was a word that could have been one word or two.

Remember that it might be a few years between memorizing and remembering. Once I had to enter my zip code at the gas station, and I forgot it.

-----------------

A lot of companies get this stuff wrong. I've noticed that some companies use the last four digits of your SSN. I presume the logic is that you don't have to use your whole SSN, because that's sensitive--it is essentially a password.

BUT, as soon as different companies use the last four digits, then the last four digits become sensitive--they are now a password.
 
I use KeePass for userids, passwords and security questions. I never use the same userid (unless they require my email address which I hate), password or answer to a security question.

What hospital were you born in?
Blue2 4X treecorn

What is your mother's maiden name?
66 excavator 18T

What was your 1st pet's name?
Altogether42 airplane 29$$

No problems with those security questions here.

Actually, if folks read obituaries you find that if your mother has passed on it is likely that her maiden name is in the obituary, along with your name as a child and the town you live in. This does suggest that mother's maiden name for more mature folks is a very poor security question, until obituaries are written to avoid stating the children's home towns. Better say the maternal grandmother's maiden name, as that takes a lot more tracing back, and assumes folks have not changed cities in the interim.
 
Actually, if folks read obituaries you find that if your mother has passed on it is likely that her maiden name is in the obituary, along with your name as a child and the town you live in. This does suggest that mother's maiden name for more mature folks is a very poor security question, until obituaries are written to avoid stating the children's home towns. Better say the maternal grandmother's maiden name, as that takes a lot more tracing back, and assumes folks have not changed cities in the interim.

Very true.
I just misspell my mother's maiden name. Misspelling comes naturally to me.
 
I'll never complain or be annoyed again about the security, challenge questions/passwords. It apparently is what prevented me from potential harm last week. My credit union called and said someone called in and had my account number AND my SSN! They were trying to do a wire transfer. They didn't have my call-in password and apparently didn't know my first pet's name (or the other questions either). This is what raised the red flag, and also started a flurry of activity on my part. Had to close my old and re-open a new account which was linked to several sub-accounts (checking, savings, visa, HELOC) which of course my wife was joint on. Notify the credit bureaus and put a fraud alert out there, file an affidavit with the IRS, and the most time-consuming was resetting all the auto payments and direct deposits. The $10/month ID theft service I have was very helpful in both initiating things for me, and giving me all the information I needed to do stuff that had to be done only by me. I won't complain about that $10/month again either!

So, I'm now as diligent about the answers to those security questions as I am about my passwords themselves. There's still at least one bad guy out there with my SSN! Lots of good ideas in this thread too. Thanks everyone.
 
I'm a paid LastPass user (so can use it on my phone). I also printed out a one-time password list and carry that in my wallet (just looks like gibberish).

And like many, I make up answers to the security questions using a "rule". The problem is that if a site is compromised and someone sees the answers to my security questions, that can be leveraged on a different site.

Only marginally related, but here's a cool password related link: https://www.grc.com/haystack.htm

password: yRDrATI4c!ng
Massive Cracking Array Scenario (assuming one hundred trillion guesses per second): 1.74 centuries
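The figure quoted above is an exhaustive-search estimate: count every string up to the password's length over the character classes it uses, then divide by the guess rate. The following is an added example that reproduces that arithmetic; it is not code from the post or from grc.com. The class sizes (26 + 26 + 10 + 33 = 95, with `string.punctuation` plus space as the 33 symbols) and the 365.25-day year are this example's assumptions; the guess rate is the post's one hundred trillion per second. It also answers the thread's opening complaint about digits-only passwords by computing how many digits it takes to reach the same search space.

```python
import string

GUESSES_PER_SECOND = 10 ** 14            # the post's "one hundred trillion"
SECONDS_PER_YEAR = 365.25 * 24 * 3600    # assumption: Julian year
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
SYMBOLS = string.punctuation + " "       # 32 + 1 = 33 symbols (assumption)


def alphabet_size(password):
    """Size of the pool an attacker must assume once they know which
    character classes the password draws from (and nothing else)."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in SYMBOLS for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def search_space_for(alphabet, length):
    """Every candidate of length 1..length over an alphabet of the given
    size: the attacker must exhaust the shorter lengths before this one."""
    return sum(alphabet ** k for k in range(1, length + 1))


def search_space(password):
    return search_space_for(alphabet_size(password), len(password))


def crack_time_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: every candidate tried before the hit."""
    return search_space(password) / rate


def crack_time_years(password, rate=GUESSES_PER_SECOND):
    return crack_time_seconds(password, rate) / SECONDS_PER_YEAR


def digits_needed_to_match(password):
    """Shortest digits-only password whose search space is at least as large
    as this password's; the price of a 0-9-only policy, paid in length."""
    target = search_space(password)
    length = 1
    while search_space_for(10, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    for pw in ["yRDrATI4c!ng", "123456", "12345678"]:
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"{search_space(pw):.3g} candidates, "
              f"{crack_time_years(pw):.3g} years at 1e14 guesses/s")
    print("digits needed to match 'yRDrATI4c!ng':",
          digits_needed_to_match("yRDrATI4c!ng"))
```

For the post's password this gives 95 characters, about 5.5e23 candidates and roughly 173 years, in line with the 1.74 centuries quoted; a 6-digit PIN is exhausted in a few nanoseconds at the same rate, and a digits-only password needs 24 digits to present the same search space. Two caveats a practitioner would add: the model assumes a pure brute-force attacker, so dictionary, pattern and reuse attacks finish far sooner and the figure is an upper bound on strength, not a guarantee; and it says nothing about how the site stores the password, which decides whether any guessing at this rate is possible at all.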
 
Steve Gibson is one of the saner voices in this entire computer security mess.
I got to listening to a bunch of netcasts back when I had a lot of commute hours to fill. Now, not having to fill up drive-time, I gave up almost all of them. But I still listen to Security Now (and sometimes Freakonomics Radio).
 
You've got to wonder why some lawyer hasn't jumped on this

KrebsOnSecurity also heard from an employee at a much larger bank on the West Coast that lost more than $300,000 in two hours today to PIN fraud on multiple debit cards that had all been used recently at Home Depot. The manager said the bad guys called the customer service folks at the bank and provided the last four of each cardholder’s Social Security number, date of birth, and the expiration date on the card. And, as with the bank in New England, that was enough information for the bank to reset the customer’s PIN.

Amazing. And very sad.

http://krebsonsecurity.com/2014/09/...epot-banks-see-spike-in-pin-debit-card-fraud/
 
I got to listening to a bunch of netcasts back when I had a lot of commute hours to fill. Now, not having to fill up drive-time, I gave up almost all of them. But I still listen to Security Now (and sometimes Freakonomics Radio).

Leo and his various hosts and guests are among the best.