Answers to Security Questions

TromboneAl

I don't like the security questions that are sometimes asked in addition to passwords.

First, I don't like them because some are too easily guessable/researchable. For example, What was your first dog's name? Where were you born?

Second, I don't like them because the answer isn't always clear. Did I write Fido or fido? Did I write Chevy or chevrolet?

So, I'm considering a new policy. When asked to create some security questions/answers, I will always use one answer. For example, "This is my answer". That way, I'll always remember (I'll also record it in LastPass), and it will not be guessable.

For example: What is your favorite sports team?
This is my answer

Does anyone see any problems with that?
 
 
Seems like a sensible thing to do...but then...
Are you going to have spaces between the words? Or not?
Will there be punctuation at the end?
Always something to tax our brains, eh?
 
It's definitely a good idea.
Another option, obfuscating the issue a little more, is to simply make up odd and untrue answers to the usual questions. That way, even if someone digs up your personal information and attempts to use your real answers to those questions, they will be wrong.

Example: What was the model of your first car? Beef stroganoff.

As long as you're using a password manager to keep track of them, you're fine.
Don't forget to occasionally print out your info from the password manager and lock it away in a very secure place, just in case.
 
I have my own suite of basic passwords to which I add variations. I have one that I nickname "usual" and another is named "favourite". So I can make a note that the password for a particular purpose is "usual with the second letter capitalized and 6* at the end", or some such variation. The hardest part is coming up with complex passwords when the site will not accept anything except a specific number of alphanumeric characters with multiple punctuation marks, upper and lower case.

I like braumeister's idea about beef stroganoff!
 
I do the single obscure answer on my accounts and have done so since an article appeared in a British paper ~6 months ago. I've had no problems. I favor a single long word, e.g. my first pet = Gorgonzola, my mother's maiden name = Gorgonzola,... (Of course I use a different word!)
 
I tried one answer for all recently, and it wouldn't accept them. (Zebraskateboard, or some other nonsense combo).

But I agree it makes sense to use a nonsense answer for each, but then you need to remember or use a program or something.

-ERD50
 
I also use the "one answer to all security questions" method. I use an old street address with no spaces - it gives me numbers, upper and lower case letters, and punctuation (abbreviation for St.) and so far has met requirements of all sites I use.

I felt a bit awkward when I had to give the answer to a rep on the phone who asked me one of the questions (mother's maiden name) but the rep didn't flinch at my oddball answer. They must get that a lot.
 
OK, this has me formulating a plan, similar (but less intense) to how I do my secure passwords.

Pick a random char group that you can remember (and write it down or store it somewhere), let's say "4sa7ya".

Q: What is your Father's middle name?
A: 4sa7yaname

Q: What city did you meet your wife?
A: 4sa7yacity

Q: What was the model of your first car?
A: 4sa7yacar

Q: What is the name of your childhood friend?
A: 4sa7yafriend

And if you get a human at some point, even if you get one wrong, like "fsasyawife" for "4sa7yacity", I'd think they'd realize that you must be getting it 'right', who else would answer with a "4sa7ya-anything"?

Trivia Q - Why is "4sa7ya" not a good password combo?

-ERD50
 
Lincoln used it first.
 
I have always used a short (5-letter) word as answer to those questions. In the case of the site not accepting duplicates, a variation of that word.

An example would be "crazy" and variations "crazier" and "craziest." It has been, what, ten-15 years now, and I have never had to vary. (Even typing in that last 8-character word is the limit to my patience.)

(my motivation, BTW, was the suspicion that it was too much personal data to give away willy-nilly and would be used against me someday.)
 
I've resorted to saving my security questions and answers in a password manager that allows for notes.

I've used random numbers along with an answer.

For example:

Q: what's your dog's name?

A: spot 6934

But hopefully if someone took my id/password and they get challenged on the phone and say "spot" the person on the other end won't go "close enough, you are good" :blush:
 
If they want to know the mascot of your High School don't give the real answer - "porcupines". Instead come up with something really off the wall like "dragonducks". In this way even if somebody knows what high school you attended they still won't know your answer.

Also, the thought of you sending fire breathing ducks to avenge yourself, will scare them.
 
Maybe "None of your business!" would be a good answer.

I recommend Lastpass. You can make it as secure as you want, and decide whether it will log in to a particular site for you, or just store your data.

 
...
Trivia Q - Why is "4sa7ya" not a good password combo?

-ERD50

Lincoln used it first.

Ding! Ding! Ding!

A few years back, I downloaded a list of the 64,000 (65,536?) most commonly used passwords, and 4sa7ya was one of them. So now I do a find on that file when I put together my 'keys' that I combine with a short phrase for important sites. I use two keys which are the same for all my important sites, so it is easy to remember, then add a short phrase that is unique to the site. I can write down the short phrase, and I have the 'keys' committed to memory. This is simple, and I don't need to rely on anything else, a paper list is good, and I have most of the short phrases memorized by now anyhow. EZ.

I'd link to the site, but I actually had concerns that it was a trap of sorts, but you can google terms like that and proceed with caution.

-ERD50
 
FWIW, I also use two factor authentication on all financial websites that allow it. Most two factor authentication sites will allow one to designate one's home computer, ipad, phone, etc. as 'safe' so you don't always need the second factor to logon.

But, when Boris decides to break into your account from his dacha in Babushkin, he will have another problem to overcome.
 
More on LastPass:

 
I use two keys which are the same for all my important sites, so it is easy to remember, then add a short phrase that is unique to the site. I can write down the short phrase, and I have the 'keys' committed to memory.

I do something similar. I have a file with password info, but to anyone else, "Old AT&T e-mail password" or "greekislandyy" means nothing. To me, the latter is a specific island we visited, plus the 2-digit year we were there. I like the idea of starting with a nonsense key, though. I may try that next time I have to create a password.
 
I use Roboform to manage passwords. The master password for Roboform itself is one that I don't keep in Roboform. I do have it written down (on paper not on computer).

For passwords, I have 3 types:

For places that don't matter that much -- I have something I typically use that no one would guess, and then I add something specific to each site. A password cracker would be able to eventually get those passwords.

For important places -- Mostly I let Roboform create a random password according to the password requirements of the site. These are passwords that I don't have any clue what they are and just rely on Roboform.

For important places where I might want to access them enough that I want to actually remember the password -- I create a sentence that I will remember and then use the first letter of each word (or it could be the second letter of each word or even the last letter of each word) with some special characters thrown in. These are usually very long.
 
Maybe "None of your business!" would be a good answer.

:LOL::2funny::ROFLMAO::clap:

I so love that!!! I think the person on the other end (if your answer is being verified by an agent) would get a kick out of that too.
 
I use LastPass also. I wish it had a mobile phone verification (with some kind of code like some credit card companies have) instead of a cumbersome table of codes though...
 
Just FYI, the Wall St. Journal did a review of the best password managers a few months ago. Although I'm completely sold on 1Password, these others also get high marks from at least some reviewers. Here's a quick look at one of the ways the Journal compared them:
 
