by djsumdog 3192 days ago
"Your mother's maiden name has numbers in it?" (bank teller, DMV person, etc.)

"You .. give real answers for your security questions? Seriously?"

I do the same thing, real birthday if it's financial or employee related, but for everything else, I'm a few years older on another date. I often pick a security question that I don't have a real legit answer to as well.

5 comments

Yes, I try to make the fake answer sound legitimate though

City you were born in? Just pick any (random/unrelated) city instead of 2DXSDGREDV@#!

It's easier if you have to go through a person (who is usually forced to go through a script); also easier on the phone.

Not just easier, but actually more safe. The person on the phone isn't usually aware of your security "paranoia" and is being evaluated on how many customers he/she has been able to help.

As such, most helpdesk employees will accept the answer "Oh I forgot, I do remember I put some random characters in there"... and your random password ends up not helping you after all.

As noted in another comment, the attack on this of "oh I forgot, it's random characters" requires the attacker to know you do this. So if you do this, don't go disclosing it on public websites.
> requires the attacker to know you do this

Nah, "well, it kinda looks like random characters" is information a support rep will give you.

Welcome to social engineering and info escalation.

If the support rep is just giving away enough info to figure this out, there is nothing you can do to protect yourself against the company's policies.
Yes, which is why social engineering is going to get a whole lot worse before it gets better.
As another commenter mentioned, a help desk rep once gave the clue "it's really weird" over the phone, which would easily indicate to an attacker to try the mash-the-keyboard line.

The random character thing isn't great for this use, it seems, as a result.

If support reps give enough information away over the phone to let someone guess a security question, there is nothing you can do to protect yourself from them.
The search space for city names is tragically finite.

There are ~35,000 cities and towns in the U.S., but if you start weighting those by population (and birthing hospitals and centres), you're going to reduce that count considerably.

https://www.reference.com/geography/many-cities-united-state...

Why pick name of U.S. city or more general city in country you live/are related to?

There are a lot of lovely and easy to remember names in other countries ;)

Yes, but if a system allows you to bruteforce this you probably have bigger problems.
The overall risk runs a few different ways. One is that you yourself will be at risk; another is that there will be a high number of compromises.

There are about 300 in the U.S. of over 100k population (corollary: the other 34,700 locations have fewer than 100k people each, or are at most 10% of the population). A 1/300 chance of cracking a security question on any given transaction is pretty good odds. Particularly if the crack is then reusable.

Another 10% of the U.S. population (roughly) lives in the 10 largest cities alone. That's a 1% likely success rate based on just ten values.

The point being that "legitimate sounding but fabricated" may still not be a particularly good option.

I don't even try to make it sound legitimate. E.g. How many sisters do you have? Anyone guessing will be trying a number between 0 and 5. I use a semi-random word, colour or car I associate with my sister(s), e.g. Audi. When asked for a number, no one guessing will respond with a car make.
Someone has the idea behind challenge/response.

You don't have to answer the challenge with a 100% truthful, legitimate, accurate response, because the point is to NOT provide an answer that could be guessed by framing the response in truth, or even reality. So long as you've picked one that matches with what you've preseeded, use a random word/phrase as your response.

q: What is the name of your favorite teacher? a: bumble bees in the desert

Yeah, but the key is you need to be able to remember it. Sure, you could store it somewhere, but often times the reason you are needing to use it is because you don't have access to your normal system (computer, phone) that you use to login with.
I don't recall the last time I used secret answers to get into anything. I don't perceive it as a valid way to get into an account. But the option cannot be refused... so to me it's just a security risk.
I've had to use security answers because I was locked out by systems that detected I was using an ip from a different country and so refused my correct password and were using the security questions as a kind of extra authentication.

The amount of stupidity needed to build such a system is staggering.

I believe the general recommendation I saw was to type something along the lines of "never accept this answer - it's probably someone trying to impersonate me | 2DXSDGREDV@#!" (although it's probably hard to do so if the maximum acceptable length is too short).
This is how you get engraved plaques, or birthday cakes, with the message NO MESSAGE JUST LEAVE IT BLANK on them.
Haha, true.

Still, if that helps in one case per thousand, it's still better than none.

I doubt this would help, it seems fairly unlikely that whoever answers the phone would be interested in playing logic puzzles.
I had this thought as well, but figured I'd make sure no one else already posted it. Kudos :). I was thinking something like this:

> Do NOT give ANY hints; only accept an EXACT answer; I will NEVER say I "forgot" this answer. 2DXSDGREDV@#!

Maybe add an "I test you occasionally." :D

If there's a length limit, trim and remove parts of that as you see fit. For example:

> NO hints! EXACT answer! NO exceptions! 2DXSDGREDV@#!

I'm going to do this at a few places, then call to test them :D.

I do this too, some phone number checks and email checks are surprisingly good.
The first time (years ago...) I had to enter my birth date on a website that asked me for it for no valid reason, there was a default value. It's now my birthdate on every other site!
January 1st 1970 is sometimes known as "The Internet's birthday" for this reason.
It's also the "UNIX Birthday".
Right, leave it blank when enrolling → Empty value coerced to number becomes 0 → Recorded in Unix timestamp format where 0 is Jan 1 1970 → Wow, everyone was born then?
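The coercion chain in the comment above, as an added Python illustration (not code from the thread): a blank date-of-birth field is coerced to 0 and stored as a Unix timestamp, which renders as 1970-01-01, next to a version that records a blank as missing and a small audit that counts how many stored birthdays sit on epoch 0. The form submissions are constructed sample data.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed enrolment submissions (not real users): one filled in, one left blank.
SUBMISSIONS = {"alice": "1984-03-14", "bob": ""}


def store_dob_buggy(raw: str) -> int:
    """Buggy enrolment path: a blank field falls through to int(0) and is stored
    as a Unix timestamp, i.e. 1970-01-01T00:00:00Z."""
    if raw:
        dt = datetime.strptime(raw, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(raw or 0)  # "" -> 0 -> epoch


def store_dob_checked(raw: str) -> Optional[int]:
    """Hardened path: a blank value is recorded as missing (None), never as epoch 0."""
    raw = raw.strip()
    if not raw:
        return None
    dt = datetime.strptime(raw, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def render_dob(ts: Optional[int]) -> str:
    """Show a stored timestamp the way a profile page would."""
    if ts is None:
        return "(not provided)"
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def epoch_birthday_share(stored: list) -> float:
    """Audit helper: fraction of stored birthdays equal to epoch 0. A large share
    is a tell that blank fields are being coerced rather than rejected."""
    if not stored:
        return 0.0
    return sum(1 for ts in stored if ts == 0) / len(stored)


if __name__ == "__main__":
    for user, raw in SUBMISSIONS.items():
        print(user, "buggy:", render_dob(store_dob_buggy(raw)),
              "checked:", render_dob(store_dob_checked(raw)))
```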
I never quite got this "mother's maiden name" thing. Isn't your mother's maiden name... your mother's current name, minus the extra surname she got when she married? Why is this treated as a hard-to-discover information?
"Mother's maiden name" has been used in over-the-counter banking as an authentication secret for over a century (1882 first mention[0]).

Likewise DOB and SSN have been long established as auth secrets.

They never should have survived the transition to the internet.

[0] http://splinternews.com/your-mothers-maiden-name-has-been-a-...

In the US and other countries it's common for a wife to take her husband's last name.

Changes from "Jane Doe" to "Jane Smith".

I think he's saying the maiden name is easily found. At least in Brazil, the husband's surname is _appended_ at the end, doesn't replace the maiden one: Jane Doe Smith.
Yeah, but often (usually?) the woman's maiden name replaces her middle name. E.g. Jane Elizabeth Doe -> Jane Doe Smith. I'm pretty sure my mom's maiden name is printed on her driver's license, paper checks, etc.
I know very few women that have done that TBH.
Maybe you just didn't realize it, because it isn't very common to see someone's full name? It was very much the norm until the 80s-90s, and even today I think the majority of women still go that route. I just spent a couple minutes searching Facebook to sanity check myself, and so far all of the women I'm friends with who are under 30 and married have done it.
I wouldn't use Facebook as a guide. My sisters all have done <First> <Maiden> <Last> for facebook, but none of them have legally changed their middle name. They just do it on facebook so that people can find them.
Most if not ~all of those women are doing it so people can find them on Facebook, and people in the States rarely use the middle name field anyways except for legal docs.
In my experience, the women do that so people that knew their name pre-marriage can find them, not because that is their full name.
That is not super common in the US.
In South America and other countries it's common for a wife to keep the name she was assigned at birth forever.
It also is from an era when you would assume that a person's mother was in fact married. Less likely today.
Or for all the women in my family... their maiden name is their current name, because none of them change their name when they get married.
I think the best bet is to provide an actual name in that field, just not the real one. Grab a list of the surnames and pick one at random. Bonus if you hyphenate two.
Doesn't matter if you give your real bday or not. I could easily google you, email one of your coworkers and ask for your birthday for a secret gift. Voila.
Ignore my last comment. I didn't follow your logic of putting a fake birthday into the site haha. Doh!