Those pesky Security Questions...

ERD50

In another thread, I mentioned that I prefer not to use any automated password apps. That might be an irrational fear on my part, but it is what I do, and I know I'm not alone.

So I had mentioned a trick I use (I came up with it independently, but I'm sure it was used by others before me), and it has worked well for me. In short, I have a standard "prefix key" and a standard "suffix key" that are somewhat complex, yet easy for me to remember. So for every site that I want to use a fairly secure password, I use the prefix-suffix and a unique middle word for that site.

So if Prefix is "APPLE123" and suffix is "zebra789" (but use non-dictionary words for better security), I might use "$LB" for the middle word (for "Local Bank" - and since the use of special characters varies by site, I add any special characters in the middle word). So for my local bank, my PW would be "APPLE123$LBzebra789". The nice thing is, I can write this down on paper, or in a file on my computer, and all I need is a note to myself for what site it is, and then something like " -- $LB -- ", and I know to add the prefix/suffix. If a bad guy gets that file or paper, they won't know what to do with it. I keep the prefix and suffix written down somewhere else, just in case I have a lapse in memory.

Fine, but those pesky security questions. I was born in a populated city (easy guess). When I was helping my DM with some stuff on the internet, I had to guess her security questions, and the general ones were easy (baseball? chocolate? piano? - you can play Jeopardy and guess the questions!). Many of those specific questions might be discoverable by a motivated bad guy (Mother's maiden name, child's middle name, etc...).

So I borrowed my 'key' idea, and the last time I had to set up security questions, I created a security question prefix. Let's say it was NOYB- (None Of Your Business). So here is how my security challenges are now answered:

What was the name of your best friend in high school?
NOYB-name​

What street did you live on in grade school?
NOYB-street​

What city did you meet your spouse?
NOYB-city​

and so on...

I think I can manage to avoid a too similar question set (like the city you were born and the city you were married) if the site does not allow the same answer for two different questions (but those could be the same anyhow?). So this should work. Heck, if it was a human and you slipped and said "NOYB-married" instead of "NOYB-city", I'd hope they'd figure out that nobody else would have said "NOYB-anything", so that would be good. A computer would see them as different though.

So I will continue to do this in the future, maybe even go back and change the ones that I can. Anyone see an issue? Suggestions?

-ERD50
 
My concern, and I'm not certain it's valid, is that it sounds like you could have the same security answers for multiple sites. Having the same password for different sites is said to be a bad idea, I assume because if someone is able to decode one password they could try it on other sites. Likewise if a bad guy gets your security answers, they might be able to get into other accounts using the same answers.


The fix to that would seem to be a different prefix for each site, so $LB-name, perhaps. Your problem might be in remembering that $LB prefix, which is why you're on the security questions. I tend to use something in the site name as part of my prefix.


Just a thought.
 
Yes, I've thought about that concern, and also wondered if it was valid. But what bad guy is going to put 2 + 2 together for an individual? They'd have to crack that first one anyhow, and who the heck is going to guess that the answer to "What street did you live on in grade school?" is "MRGFLF9-street" (after they tried Main Street, Washington Ave, Maple Street, Elm Street, etc - by then hopefully they are locked out)? They would need that to guess that you duplicated it elsewhere. I feel pretty good about that.

Interesting idea to use the 'middle key'. I guess I'm just not sure it's needed? I think one for all will work?

I think one important thing is to keep your email password very secure. If they break into that, they could get all the password resets of other sites sent to them. And they might see what other sites you deal with by the emails! That seems like a real can of worms.

-ERD50
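The reuse concern discussed in the two posts above, as an added illustration that is not part of the thread: the script below models an attacker who obtains two plaintext passwords built with the same prefix/middle/suffix scheme (for example from two breached sites), strips the longest common prefix and suffix, and then brute-forces a third site's leaked hash by guessing only the short site abbreviation. "APPLE123", "zebra789" and "$LB" are the thread's own hypothetical values; the "$CC" and "$EM" labels, the SHA-256 stand-in for whatever the third site stored, and the 1-3 uppercase-letter guess shape are constructed assumptions for the example.

```python
import hashlib
import math
import string
from itertools import product

# Hypothetical keys from the thread's own example; nothing here is a real credential.
PREFIX = "APPLE123"
SUFFIX = "zebra789"
# "$LB" is the thread's example; the other two site labels are constructed for the demo.
SITES = {"Local Bank": "$LB", "Credit Card": "$CC", "Email": "$EM"}


def compose(prefix: str, middle: str, suffix: str) -> str:
    """Build a password exactly the way the scheme in the thread does."""
    return prefix + middle + suffix


def common_prefix(a: str, b: str) -> str:
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def common_suffix(a: str, b: str) -> str:
    return common_prefix(a[::-1], b[::-1])[::-1]


def recover_affixes(leaked: list[str]) -> tuple[str, str]:
    """Longest prefix and suffix shared by every leaked password.
    Two leaks from the scheme recover the 'secret' keys outright; note that a
    special character placed at the start of every middle ends up in the prefix."""
    pre, suf = leaked[0], leaked[0]
    for pw in leaked[1:]:
        pre = common_prefix(pre, pw)
        suf = common_suffix(suf, pw)
    # Edge case: keep prefix and suffix from overlapping inside the shortest leak
    # (happens when one of the middles is empty or very short).
    shortest = min(len(pw) for pw in leaked)
    if len(pre) + len(suf) > shortest:
        suf = suf[len(pre) + len(suf) - shortest:]
    return pre, suf


def middle_of(pw: str, pre: str, suf: str) -> str:
    """What is left of a leaked password once the fixed keys are removed."""
    return pw[len(pre):len(pw) - len(suf)]


def candidate_middles(max_len: int = 3, alphabet: str = string.ascii_uppercase):
    """Assumed guess shape: a site abbreviation of 1..max_len uppercase letters."""
    for n in range(1, max_len + 1):
        for letters in product(alphabet, repeat=n):
            yield "".join(letters)


def keyspace_bits(max_len: int = 3, alphabet: str = string.ascii_uppercase) -> float:
    """Effective secret once the affixes are known: log2 of the middle keyspace."""
    total = sum(len(alphabet) ** n for n in range(1, max_len + 1))
    return math.log2(total)


def naive_bits(length: int, alphabet_size: int = 62) -> float:
    """What the full password looks like to a strength meter that assumes every
    character was chosen independently from an alphabet of alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def sha256_hex(s: str) -> str:
    # Stand-in for the third site's stored hash; real sites should use a slow hash.
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash: str, pre: str, suf: str):
    """Offline attack on a third site's leaked hash using the recovered affixes.
    Returns (password, number_of_guesses) or (None, None)."""
    for i, mid in enumerate(candidate_middles(), start=1):
        guess = compose(pre, mid, suf)
        if sha256_hex(guess) == target_hash:
            return guess, i
    return None, None


def demo():
    leaked = [compose(PREFIX, SITES["Local Bank"], SUFFIX),
              compose(PREFIX, SITES["Credit Card"], SUFFIX)]
    pre, suf = recover_affixes(leaked)
    mids = [middle_of(pw, pre, suf) for pw in leaked]
    target = sha256_hex(compose(PREFIX, SITES["Email"], SUFFIX))
    found, tries = crack(target, pre, suf)
    return pre, suf, mids, found, tries


if __name__ == "__main__":
    pre, suf, mids, found, tries = demo()
    print(f"recovered prefix={pre!r} suffix={suf!r} middles={mids}")
    print(f"third site cracked: {found!r} after {tries} guesses")
    print(f"looks like {naive_bits(len(found)):.0f} bits, effectively {keyspace_bits():.1f} bits")
```

The point the numbers make: a 19-character password that a strength meter scores at roughly 113 bits has about 14 bits of secret left once the fixed parts are known, so the third site falls in a few hundred guesses offline (online, rate limiting and lockout are what stand between the attacker and the account). The same recovery applies to security answers of the form "NOYB-name", "NOYB-street": one exposed answer reveals the prefix, and the remainder is a dictionary word.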
 
ERD50 wrote: "... I think one important thing is to keep your email password very secure. If they break into that, they could get all the password resets of other sites sent to them. ..."

Good tip... hadn't thought about that... thanks.
 
The passwords to all my important sites are so random and long, I have never been able to memorize them and I use them often. So of course I keep a file card index book handy to look at them. I have a couple of bogus letters on each side of the password in case someone ever steals that.
My iPad has a 4 digit security code and it has stayed the same for years and my fingers just punch it without ever thinking. One day last week the fingers froze and all of a sudden I couldn't remember the code (and I bet I opened the iPad up a dozen times in that day alone). I had to dig into my password book to find that... If I ever get diagnosed with Alzheimer's I will know what day the first incident happened.


 
I treat those pesky challenge questions like another password which are randomly generated and stored in a password keeper. Works for me.
 
I was brought up in Europe, we do not have Proms....... A lot of the questions are US Related. and what if you are an unmarried Orphan? You should be able to invent them yourself.
 

The answer is the important part. The question can be anything. So if the question is prom related, the answer can be "none".
 
What? You mean to tell me they don't check to make sure the answers are honest? :angel:
 
All mine are long complex and random. I keep a password protected spreadsheet on an encrypted USB. The USB only gets plugged into a PC when I need a PW and I keep 2 extra backups of that file on other off line storage devices and sync them up about once a month. Security questions and any other related info can easily be kept within the same spreadsheet. A minor PIA but simple to use, backup, keep off line and carry with me if I'm traveling.

If the USB were to be lost or stolen, it's encrypted with very good encryption software so I'm not worried about that. If a USB were to fail, I have two other off line backups.

So all I really need to remember is the PW to open the encrypted file. It's long and complex too but it is something I'm sure I can remember.

Remaining concerns with PW management are addressed with good virus and malware protection. Nothing is perfect but it's good enough for me.
 
I don't know what I would do without the Keepass password manager. I haven't been asked a security question in at least a year. As I've digitized, automated, and simplified everything while simultaneously hardening myself substantially as a hack target, I've freed up enormous amounts of time to work on higher value things.

I'm not at all being facetious when I say I don't know how I put up with all the time-wasting added steps, extra work, and frustrating inefficiencies that existed in my life before. One of the greatest joys of retirement has been being able to get rid of all the useless stuff in life I tolerated before.
 