by JupiterMoon 3187 days ago
> My typical answer for a security question is something like "39arsrc uyrsrsaulsr8832r" and that's saved in a password manager

The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh I just mash the keyboard for those" is probably going to get an attacker access to your account.


> The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh I just mash the keyboard for those" is probably going to get an attacker access to your account

I used to do this and then lost my password file. Fast forward to a call with AT&T. I told them I forgot my secret answers. They offered that it was "a super weird answer," which let me use the "mashed keyboard" line and got in. TL;DR I think this system is less safe than just making up cars, cities, et cetera.

Yea, I always use a handful of random words. That way, it's something pronounceable over the phone.

Still, I expect "oh, it's a random word not related to the question" would clear phone screen human layer of verification a good percentage of the time.

I can confirm that "I'm not going to be able to tell you the secret answer" was accepted by Blizzard when they locked my account and made me apply to have it unlocked.

I'm still bitter about that. I put garbage in the answer to the secret question because I planned not to forget my password. I didn't forget my password, but Blizzard nevertheless locked me out of my account, for the crime of using a payment card that was listed on my account, but wasn't listed as my "preferred" payment option.

Yes, you should just make up a fake personal profile, and base your answers on that. True answers and human-bypassable answers are all bad, whereas fake answers open you up to a world full of entropy.
correct horse battery staple?
This is a reference to the XKCD comic, Password Strength [1].

[1] https://xkcd.com/936/

And for those who think the reference is so well known it doesn't need citing: https://xkcd.com/1053/
Quite Frankly - bad math. You judge people based on how old they are.
One solution would be to randomly generate security answers with human readable words. Diceware does this. You can use a dice, or you can use an open source tool like this one:

https://www.rempe.us/diceware/#eff

https://en.wikipedia.org/wiki/Diceware

It's also built into 1Password. And before that, I just used what I think was literally a one- or two-line Perl script that just grabbed four words from /var/dict. Why yes, my mother's maiden name was indeed pathetic xylophone tootsie wasp, how did you know?
The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.

These are supposed to be the very last line of defense for security, including if you lose your password manager. As an exaggerated analogy, imagine that being unable to answer these questions meant your house, car, and life savings are taken from you. That is how important these answers are, except you're "only" losing one online account at a time.

Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere. The reason behind why security questions exist is a good one, but they don't offer enough security when used as intended (memorable, non-random data). The problem is there is currently no better alternative, short of requiring you to tie your legal identity to every account, and having to show up in person with photo ID to regain control of an account you've lost access to.

Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.

Hum... I'd say that the entire point of security question is that incompetent people can appease non-technical bosses by claiming that they follow best practices.

Where they stand at the security line is irrelevant, because their mere existence on a place is already a symptom of a deep level of incompetence and an almost sure prediction of a compromised system. Besides, security is usually chain-like (compromise one node and it's broken), not army-like (compromise one node and you'll have to fight the next).

Besides, most people do not have a favorite color, do not remember the name of their 3rd grade teacher, and have severe doubts about what counts as their "first" pet. Yes, they are intended to solve a real problem, but nothing about them survives any amount of questioning.

The problem is that anything which you remember that well is likely to be discoverable by other people. For instance, if someone's mother is dead there's a good chance that her obituary will be online and list the names of her children and her maiden name. Likewise, you could find the name of a person's elementary school via looking at their posts on Facebook in many cases - or if not their posts, then their siblings or their friends. So these kinds of questions are hardly a great proof of identity if it can be found online with a bit of searching.
That might have been the theory of security questions early on. But by now I'm sure I've filled out security questions dozens of times. Whatever the intent, from my perspective as a user, they're in the "speed bump" category of security.

For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.

> For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.

This is a great idea. Not only can the police verify that a given photo ID matches the person in front of them, they can also verify that the ID is valid and unaltered by verifying that the details on the ID match the details in the DMV's database, eliminating fake IDs from being an issue. This wouldn't be 100% perfect -- maybe a really determined ID thief could get the DMV to issue them an ID in someone else's name -- but it would dramatically increase the risk and makes ID theft much harder to scale.

A federal effort to standardize an identity verification service across federal and local offices nationwide would be helpful. The service should be available to any entity (not only banks or financial entities) who wishes to verify the identity of a counterparty. The process and fee should be standardized nationwide, with the fee being break-even and paid by the entity requesting the verification.

Post offices are a good candidate to offer such a service, but would need some work to set up (unlike police agencies, I presume post offices don't have access to DMV databases).

The idea sounds nice in theory, but the only reason any administration would implement this would be to remove anonymity from the internet. Your ability to recover accounts would just be a side effect of the system designed to allow the government to track everything you do.
> This wouldn't be 100% perfect -- maybe a really determined ID thief could get the DMV to issue them an ID in someone else's name

This is much more common than you might think. I believe in Illinois there was some sort of ongoing problem with people at the DMV selling licenses to truckers who didn't actually pass their tests[0]. I'm sure any criminal with a wad of cash could get them to make a fake ID.

[0]: http://www.chicagotribune.com/news/chi-991009license-story.h...

> The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.

With a password manager such as Lastpass or 1Password you only need one very strong password you as human can remember. The passwords it manages don't need to be human-rememberable. They can have as high entropy as allowed.

> Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.

2FA of the strong password plus physical OTP (like YubiKey) with one backup key is more than sufficient. Sure, it's not 3 letter agency proof. They can easily break into your house and steal your backup key temporarily, whilst recording you typing in your password, or catching you on the go. But against most criminals (a much more common vector for the general public) this is going to work just fine.

> These are supposed to be the very last line of defense for security, including if you lose your password manager.

Security questions aren't for security, they're against it. They're a tradeoff between security and usability, in the direction of usability. Assuming you answer security questions truthfully, they weaken the security of your account. It's like having multi-factor authentication, but instead of requiring all the factors, they just require any one of them. That's not necessarily a bad thing, as long as it doesn't weaken the security so much that it's easy to break.

> Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere.

And here's the problem. Many/most sites that use security questions have a dropdown list of acceptable questions and don't let you enter your own. Often the only thing you can do to avoid making your account easily compromised is to make up answers to some of the questions.

The downside, is, of course, the usual downside with security tradeoffs that favor the security side of the equation: you may be completely unable to access your account again if you screw this up. And that's also not necessarily a bad thing, if you believe compromise to be a really bad outcome. I think it might be ok to do this for, say, a bank or brokerage account. If you manage to fully and truly lock yourself out online, likely you'll still be able to prove who you are and gain access through some means like visiting a physical branch and showing them your ID. A hassle, to be sure, but if it means that much to you, it might be worth it.

In the end, social engineering is still the biggest problem: other posters in this thread have claimed that they've gotten past the security questions by saying things like "oh, I just mashed the keyboard, that's why my answer is gibberish", or something like that. So there's no way to win, unless perhaps you invent plausible (but incorrect) answers to the questions. "Mother's maiden name? Well, it's actually Jones but I'm going to put in Smith." I imagine a talented social engineer might still be able to get past that, but at some point you just have to acknowledge you've done the best you can.

> The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory

And it's a shame to lose that feature, but they compromise your security so terribly that you're far better off not using them.

> it is possible to lose them - and that is unacceptable

Ten steps forward, two steps back. I find that acceptable.

why not just offer a snail mail reset?
You don't have to say "oh I just mash the keyboard for those", you can say "it's weird, bear with me" and read it out from your password manager.
I do exactly this. About 4-5 characters in the support person interrupts me with "yeah, whatever".

The entire security question situation makes me incredibly pessimistic that we will ever get good security. The idea of security questions is so mind numbingly stupid to me yet it's widely used. One would have thought that after the Sarah Palin hack years ago everyone would have realised that but it seems like nobody did. The support agent didn't see my security question and go "oh that's clever". That's despite him being a person who deals with these all day; they should realise the overwhelming stupidity. In a sane world companies who tell their users to use special characters etc. in their passwords and rotate them but then encourage them to mess it all up by storing information from their Facebook page as a replacement for the password should have to pay massive fines. Yet hardly anybody is even seeing a problem with this.

This situation to me is so demotivating because it makes me think that whatever security mechanism we come up with well meaning people will undermine it.

Four to five characters is probably enough for their threat model though?

The only way I can think of that somebody could steal only the first few characters of your security answer is by looking over your shoulder at a very unfortunate time. That seems unlikely, and most of the questions they use are predictable from the first few characters when answered genuinely anyway (surnames, car names, streets and towns).

The quote is an attacker attempting to bypass the check.
It's not about what you say, it's about what an attacker can get away with saying. And they can almost certainly get away with "I just mash the keyboard."
Ah, I see what you mean. Perhaps instead of grabbing a handful of characters from /dev/urandom, you generate a passphrase (a few random dictionary words)?
Been doing this for several years and prefer this method. I also try to reduce the number of times I use a particular security question. However, I don't think the problem comes from what questions you use or what answers you provide. It becomes like others have pointed out, a problem of what a hacker can get away with answering when asked by a phone representative. Although, I do think this approach provides a little more security than just answering the "what city were you born in" question with the correct answer on every site.
Sounds like a "correct battery horse staple" would fit the bill
Or use a memorable phrase from literature.

> This was not the last encounter between Bobby Shaftoe and Goto Dengo

I would definitely be wary of using the same answer in multiple places. Even more so than with passwords. These stupid answers clearly get stored unhashed (how else would they be verified via phone?). So if the system gets compromised the attacker now has your security question response for multiple targets.

Other than being pronounceable I see the exact same requirements for security questions as for passwords. If anything they need to be stronger.

I like the appeal (and the book) but I recall, when researching diceware, reading that this is a terrible idea in practice since the entropy is lowered dramatically by using natural language that's already in the public record. Even if they can't put every printed phrase into a lookup table, the probability of certain words following others wrecks the entropy.
Median novel has some 65k words. Take all (consecutive) quotes of 2 to 24 words, and you have some 1.5m phrases. Take the top 666k books (apparently about 130m titles have been published in total, about 5m in the Amazon Kindle store), and you're at about 1e12 phrases, or 40 bits of entropy, or worse than a password with 7 random letters/digits/symbols.

You could probably improve on it considerably by selecting fewer books, and only taking quotes starting at some punctuation mark.

For a naturally throttled attack like here (on the phone) that's fine, but for an offline attack (where the attacker has access to the password hash) that can be cracked within days.
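As an added illustration (not code from any commenter in this thread), the following script puts numbers on the two approaches discussed above: a Diceware-style passphrase drawn from a wordlist by casino-grade randomness, versus a "memorable phrase from literature" whose search space the commenter above estimates at roughly 1e12. The six-word wordlist is a constructed stand-in for a real 7776-entry Diceware/EFF list; the book and phrase counts are the commenter's own figures.

```python
import math
import secrets

# Constructed toy wordlist: six entries, one per single-die roll. A real
# Diceware/EFF list has 6**5 = 7776 words, one per five-dice roll.
WORDLIST = ["correct", "horse", "battery", "staple", "xylophone", "wasp"]


def roll_dice(n_dice):
    """Simulate n_dice fair d6 rolls using the OS CSPRNG, e.g. '31452'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def index_from_roll(roll):
    """Map a dice string ('11111' .. '66666') to an index 0 .. 6**n - 1."""
    idx = 0
    for ch in roll:
        d = int(ch)
        if not 1 <= d <= 6:
            raise ValueError("dice digits must be 1-6: %r" % roll)
        idx = idx * 6 + (d - 1)
    return idx


def word_for_roll(roll, wordlist):
    """Look up the word a roll selects; the list must have exactly 6**n words."""
    if len(wordlist) != 6 ** len(roll):
        raise ValueError("wordlist size must be 6**n for an n-dice roll")
    return wordlist[index_from_roll(roll)]


def generate_passphrase(wordlist, n_words=4):
    """Pick n_words uniformly at random. No human choice enters the process,
    which is the whole point: every word contributes log2(len(wordlist)) bits."""
    n_dice = round(math.log(len(wordlist), 6))
    return " ".join(word_for_roll(roll_dice(n_dice), wordlist) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def literature_quote_entropy_bits(books=666_000, phrases_per_book=1_500_000):
    """Upper bound on a 'memorable quote' if the attacker enumerates every
    2- to 24-word span of the top N books (figures from the comment above)."""
    return math.log2(books * phrases_per_book)


def random_chars_entropy_bits(alphabet_size, length):
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("sample:", generate_passphrase(WORDLIST))
    print("4 Diceware words: %.1f bits" % passphrase_entropy_bits(7776, 4))
    print("literature quote: %.1f bits" % literature_quote_entropy_bits())
    print("7 random chars (94-symbol set): %.1f bits" % random_chars_entropy_bits(94, 7))
```

With the real 7776-word list, four words give about 51.7 bits, while the quote-space estimate lands just under 40 bits, below even seven random printable characters (about 45.9 bits).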

Necronomicon quote? Nice. This has me thinking about what I can do to make my security answers to security questions untethered from PII. A book quote is a really good idea.
Nope. If a phrase from literature is “memorable”, it’s guessable.

The logic of passwords is simple, once you realize that all humans are terrible random number generators.

When you allow any part of your password to be chosen by a human, i.e. yourself, you have to assume that the human-chosen part is known to an attacker. The solution is to generate passwords with enough random bits to satisfy current demands. And by “generate” I of course mean to allow a real number generator (either a computer, or dice, or anything really random; i.e. something a casino would accept) to choose the password for you. Without any restrictions except a desire to minimize length, you get the classic unmemorable 0vT2GVlncZ4pZ0Ps-style passwords. If you add the restriction “must be a sequence of English words”, you get xkcd-style “correct horse battery staple” passwords. Both are fine, since they contain enough randomness not generated by a human.

But if you yourself choose, either old-style “Tr0ub4dor&3” or passphrase “now is the time for all good men”-style, you have utterly lost, since nothing has been randomly chosen, and “What one man can invent, another can discover.”

Note: this also applies if you run a password generator and choose a generated one that you like. Since you have introduced choice, you have tainted the process, and your password now follows an unknown number of intuitive rules (for instance, there was a story here on HN some time ago about how people prefer the letters in their own name over other letters of the alphabet), and these rules can be exploited by an attacker.

How would the attacker know that you mashed the keyboard when answering 'What high school did you go to?'?
Most likely from a "helpful" CS agent offering up the hint above. "It's really weird" or "I've never seen that one before" or just an odd chuckle. Anything an attacker could use to gain an advantage will be used to compromise you eventually.
Or because you posted about it on HN...
How hard do you think it is to get a bored call center employee to give you enough of a hint to know that it’s random characters?
But the attacker kind of has to know the answer is gibberish from the bat, otherwise they'd either guess or pretend to not remember a real answer, which is noticeably different from saying something like "oh, that's 30 random characters but I don't have the note with me right now".
Here is how it would go... attacker gives a real answer, support says no that isn't it. Attacker goes, "oh, sometimes I give fake answers for the question... is it a really long string of characters?"

Or they could go through a few things like that, always giving the excuse that they give false answers until they stumble on the right one.

But we already know @sersi just mashes the keyboard for those questions :)
Sure, but I doubt it would be easy to find my identity from my hn account name.
One trick is to use pronounceable passwords as answers to security questions, like a sequence of words (“Mother’s maiden name?” “correct horse battery staple”) or arbitrary syllables that make it sound as if you’re having a mini-stroke (“Where were you born?” “prisencolinensinainciusol, oll raigth”).
I try to leave them unset where I can (probably doesn't help over the phone; I'm thinking more of online accounts), such as on eBay which keeps prompting me to set security questions but going back to the homepage lets me avoid doing so.

For sites that force you to set them (and where I care - otherwise they just get random nonsense), and for my bank, I have a set of plausible but false answers I use. Not bulletproof of course, but definitely not googleable and avoids the "I just set it to something random" attack.

that places the liability on the phone rep, while guessing an easy answer places it on you, so still a better choice
Just generate a pronounceable word, for example using KeePass*.