I don't know if it's a good practice or not, but I usually just pick a word to use for all security questions, that's totally unrelated to the question.
ex. In what town did you first meet your best friend? "potato".
> Sometimes I use a straight up password generator for the answers. Hope I never have to give those out over the phone.
I filled the security answer for my Blizzard account with random ascii garbage, which I didn't record, confident that I would always know my password.
That was true. But Blizzard disabled my account for purchasing time codes with a credit card other than the one that my account designated "preferred payment". (The card I was paying with was also listed under my account, but it wasn't "preferred". I have no idea what attack they think they're defending against.)
I had to call in. Phone-based customer service accepted "I don't think I can give you the answer to the security question" as a valid answer.
I've had to do it a few times, because I do that same thing. They usually respond with exasperation and say something like, "No, sir, we need your security answer, not your password." Then it's my turn to be exasperated and say, "No, check again, that's the answer." Very fun.
Don't do that unless you don't care about that account. Often the answer to a security question effectively acts as a password. You are not defending against someone guessing your answer, you are defending against someone using an automated dictionary attack. A common word like 'potato' scores quite high in the common password lists.
A safer option is to just generate a random password for those questions as well and store it in your password manager.
If you do that then it's super easy to social engineer the company in question. "I don't know what I put for mother's maiden name, I just mashed the keys a lot on that".
When you want to retrieve the password for an account you created 5 years ago, but you only remember creating it between 5 and 15 years ago, and you have 2 dog-loving grandmas, each of whom has 2-3 old doggos all the time... well, good luck remembering and identifying the correct name out of the possible 10-15 dogs.
This is a case where you think of an _idealized_ grandma, and her perfectly preserved dog, `Mr. Mycroft Applebottom III`, who has been sitting on her mantlepiece since you were in gradeschool. [0]
The site doesn't have to know you're making it up.
0: Obviously, it'd be better if your idealized grandma spoke with your password generator beforehand, and therefore named her dog something less guessable, like `ff627f056c51b694e2e5d0bdc168c647`.
That's a good suggestion actually: just remember that you always ignore the question, and you've saved the actual securely generated answer as 'sitename-sec-question' or whatever.
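As an added example (not from any commenter in this thread), the following Python sketch puts numbers on the two points above: a common word like "potato" sits in the dictionary an attacker would try, while a randomly generated word-based answer stays readable over the phone and can be filed in a password manager under a "sitename-sec-question" label. The word list and the common-answer list are constructed stand-ins; a real setup would use a full diceware list and a breach-derived password list.

```python
import math
import secrets

# Constructed stand-in for a breach-derived common-password list.
# Single dictionary words and pet names are exactly what an automated
# guessing run tries first, so they fail this check.
COMMON_ANSWERS = {
    "password", "123456", "qwerty", "potato", "fluffy", "buddy", "max", "bella",
}

# Constructed 16-word list; a real diceware list has 7776 words.
WORDLIST = [
    "anvil", "brisket", "cobalt", "dahlia", "ember", "falcon", "gravel", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nettle", "orchid", "plover",
]


def answer_is_weak(answer: str) -> bool:
    """True if the answer is in the common list, i.e. falls to a dictionary run."""
    return answer.strip().lower() in COMMON_ANSWERS


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Guessing entropy of n_words drawn uniformly from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def generate_answer(n_words: int = 4, wordlist: list[str] = WORDLIST) -> str:
    """Random word-based answer, CSPRNG-backed, easy to read out to a support agent.

    A 32-hex-char answer like the one quoted above carries 128 bits but is
    painful to dictate; four diceware words give ~51.7 bits and survive a phone call.
    """
    return "-".join(secrets.choice(wordlist) for _ in range(n_words))


def manager_entry(site: str, answer: str) -> dict[str, str]:
    """Record to file in the password manager; the question text is irrelevant."""
    return {"label": f"{site}-sec-question", "answer": answer}


if __name__ == "__main__":
    print("potato weak:", answer_is_weak("potato"))
    a = generate_answer()
    print(manager_entry("example.com", a), f"({entropy_bits(4, len(WORDLIST)):.0f} bits)")
```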
Right, but if there are six possible dogs at creation time you choose a different question.
If the answer is unique when you create it, but a new dog comes into the picture when you need to recall it, I doubt that's going to cause much of a problem. Maybe you get it wrong once and try again - you're only going through this because you already forgot your password.
If your grandmother is alive and has one dog and you use that dog's name as the answer, you are not terribly secure because this information is easy to obtain. Its only virtue is that it is, supposedly, easier for you to remember.
I'd argue this is one of the more secure questions compared to other common questions like "Your mother's maiden name" or "The make of your first car".
Exactly. I don't know how to go about finding out someone's (not personally known to me) grandmother's dog's name, but if I know someone's name then mother's maiden name is easy in the UK.
It's a bad idea to use anything that might change. For example, "What was the make of your first car?" might be OK. "What is the make of your favorite car?" Not good; odds are decent your favorite will change between setting the answer and trying to use it.