by pieguy 2994 days ago
I used to answer secret questions with bogus answers that I deemed unguessable. Then I discovered that when my bank asks me the questions back it does multiple choice, displaying the answer I gave along with 4 other possible options! Sometimes my answer would not be shown and the correct answer is "none of the above", but otherwise my answer sticks out like a sore thumb.
6 comments

Who in the world thought this was a good idea!? I can hardly think of a less secure way to ask security questions. You should name and shame; there’s a minimum bar everyone should uphold and this is far below it.
The problem they were trying to solve is someone typing in “Woodbridge Lane” as the answer and then later typing “Wood Bridge” or “Woodbridge Ln” or “Woodbridge Ln.” when prompted.

This was the wrong solution.

The real problem is that "security questions" are bad security.
Because calculating a Levenshtein distance is too complicated...
Still rather unsafe, right? "Cambridge" would be closer to "Woodbridge" than "Woodbridge Lane".
But randomly guessing Cambridge is not that likely. A bit of a pointless exercise though since security questions are dumb.
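The sub-thread above argues that the bank's multiple-choice display was a bad fix for answer variants like "Wood Bridge" versus "Woodbridge Ln.", and that fuzzy matching (edit distance) would still be unsafe. One way to get tolerant matching without ever storing or displaying the plaintext answer is to canonicalise the answer (case, punctuation, whitespace, common street-type abbreviations) and then hash the canonical form with a salted, slow KDF. The example below is added for illustration and is not code from the thread or from any bank; the abbreviation table and the rule of dropping a trailing street-type word are constructed assumptions, and real deployments would tune them to their own data.

```python
import hashlib
import hmac
import os
import re

# Constructed abbreviation table for the example; a real system would
# decide these normalisation rules deliberately, since every rule that
# merges two answers also merges two guesses.
ABBREVIATIONS = {"ln": "lane", "st": "street", "rd": "road",
                 "ave": "avenue", "dr": "drive"}
STREET_TYPES = set(ABBREVIATIONS.values())


def normalize_answer(answer: str) -> str:
    """Collapse harmless variations of an answer into one canonical string.

    "Woodbridge Lane", "Wood Bridge", "Woodbridge Ln" and "Woodbridge Ln."
    all become "woodbridge"; "Cambridge" stays distinct.
    """
    tokens = re.findall(r"[a-z0-9]+", answer.lower())
    tokens = [ABBREVIATIONS.get(t, t) for t in tokens]
    # Drop a trailing street type only when something else remains, so an
    # answer consisting solely of "Lane" does not normalise to nothing.
    if len(tokens) > 1 and tokens[-1] in STREET_TYPES:
        tokens = tokens[:-1]
    return "".join(tokens)


def enroll_answer(answer: str, iterations: int = 100_000) -> dict:
    """Store only a salted PBKDF2 digest of the canonical answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the digest for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode("utf-8"),
        record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    record = enroll_answer("Woodbridge Lane")
    for attempt in ("Wood Bridge", "Woodbridge Ln.", "Cambridge"):
        print(f"{attempt!r}: {verify_answer(record, attempt)}")
```

Because only a digest is kept, the server cannot compute an edit distance at verification time (that would require the plaintext on file), and it has nothing to read back to the user as a multiple-choice option; normalisation does all the tolerance work before hashing.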
Someone who had no skin in the game.
If my bank had such weak security I wouldn't want to tell the internet where I bank.
This, too, was my problem. I don't want to give out real answers to my security question for two (slightly contradictory) reasons. The first is: what if this site is hacked? Now my security question answers are floating around for use on other sites that ask similar questions. The second is: some of these questions are pretty easy to find the answer to, or guess. So I used a generated string for those questions, too. Generally worked, but sometimes made for some interesting phone calls. "My mother's maiden name is <random string>. You can guess why she took my father's."

Then they started reading back random choices, which made it pretty easy to guess what I picked.

I have a third problem -- oftentimes, the list of questions they ask is nonsense to me. "What is your favorite food?" I don't have a favorite, and can't think of anything that I'd remember later. "What was the name of your first pet?" I never had a pet. "What was the name of your high school sweetheart?" Gee, thanks a lot for stirring up bad memories.
Here's a fourth that was actually responsible for me starting to just use generated passwords for those as well. They told me my answer wasn't valid.

According to them, it's impossible for your mother's maiden name to have fewer than six characters :/

Funny story - I had an old short-length insecure password on a website that I hadn't used for years.

I decided to log in and change it to a randomly generated secure password. However, they had upgraded their off-the-shelf software some time over the last 4-5 years to a newer version.

The problem was, on their password change page the "new password" field had a minimum length of 8 characters; however, the "OLD password" field also had that exact same requirement.

So I put in:

* Old: 12345

* New: 717&t!1XFCWJWk!q@ut3B

* Confirm: 717&t!1XFCWJWk!q@ut3B

And got an error "your password must be 8 characters or greater".

After swearing a few times, I breakpointed and edited the javascript validation to remove the length requirement and submitted the change again - this time got a server-side error saying the same thing.

I ended up beating it by logging out, clicking "I've forgot my password" and resetting it via email.

> edited the javascript validation

You probably broke law there O_O

How can there be a law that prevents running arbitrary code on my own box?
I had a similar experience with a city bill pay website, except in this situation it was a new account and they simply didn't prevent me from setting the password to something long in the first place, so once my account was created I wasn't allowed in. And because you need to log in once to verify your email, I couldn't reset the damn thing either.
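The two stories above describe the same defect from both sides: a password-change form that applied the new-password length rule to the old-password field (so a legacy short password could never be replaced), and a registration form that accepted a long password the login form then rejected. The example below is added here and is not code from any site in the thread; it shows a single policy object shared by registration, change and login, with the minimum length enforced only where a new secret is chosen. The `verify_current` callback and the specific limits are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    # Upper bound exists only to cap hashing cost; it must be identical on
    # every form that accepts a password, or registration and login diverge.
    max_length: int = 256

    def check_new(self, candidate: str) -> List[str]:
        """Rules for a password the user is choosing now."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"new password must be at least {self.min_length} characters")
        if len(candidate) > self.max_length:
            problems.append(f"new password must be at most {self.max_length} characters")
        return problems

    def check_submitted(self, submitted: str) -> List[str]:
        """Rules for a password being presented for verification (login, or
        the 'current password' box). No minimum: the stored secret may predate
        the current policy, and the only question is whether it matches."""
        if len(submitted) > self.max_length:
            return ["submitted password exceeds the maximum length"]
        return []


POLICY = PasswordPolicy()


def validate_registration(new_password: str, confirm: str) -> List[str]:
    problems = POLICY.check_new(new_password)
    if new_password != confirm:
        problems.append("passwords do not match")
    return problems


def validate_login(submitted: str) -> List[str]:
    # Anything registration accepted must reach the verifier here.
    return POLICY.check_submitted(submitted)


def validate_password_change(old_password: str, new_password: str, confirm: str,
                             verify_current: Callable[[str], bool]) -> List[str]:
    """Length policy applies to the new password only; the old one is merely
    checked against what is stored."""
    problems = POLICY.check_submitted(old_password)
    if not problems and not verify_current(old_password):
        problems.append("current password is incorrect")
    problems += POLICY.check_new(new_password)
    if new_password != confirm:
        problems.append("new passwords do not match")
    if new_password == old_password:
        problems.append("new password must differ from the current one")
    return problems


if __name__ == "__main__":
    # Constructed scenario: legacy five-character password being replaced.
    stored = "12345"
    print(validate_password_change(stored, "717&t!1XFCWJWk!q@ut3B",
                                   "717&t!1XFCWJWk!q@ut3B", lambda p: p == stored))
```

Keeping `max_length` in one place is what prevents the second story: a long password that registration accepts is, by construction, also within the limit that login enforces.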
Oh no! My mother's maiden name is _invalid_!
Just go with the snark and put in a joke answer that you will find funny. Some of my security questions are hilariously inapplicable, so the first silly, snarky thing I think up is likely to be memorable. It is also a little hard to guess unless you know me really well to an unlikely degree, and it won't stick out as much as a sore thumb in multi-choice situations.
Except too often the strings have to exactly match. That has turned out to be a problem for me with longer answers.
Yesterday, I was logging onto the Australian MyGov site and forgot the password. It sent an SMS code for the reset to my mobile phone, but then would not let me proceed without answering the secret questions. I usually put the last word of the question sentence as the answer itself because I can't be bothered, but that was not the case this time. Not a great experience when they threaten to lock you out of the account, and you have to go link all services again on a new account. Also, the site has no option to change the mobile number for the SMS code, so you will have to create a new account if you change your number.
MyGov is a dumpster fire of bad choices.

Some of it is legacy - integrating systems built throughout the last three decades.

Some of it is management - they fired multiple teams partway through, with 100% turnover. They also massively underfunded said teams, devoting the majority of funding to PR. Also some... Interesting technical policies, like banning version control and advocating regular backups instead. (Something to do with code "theft protection").

Some of it was technical issues - different integration teams were given different browser compatibility goals. Some teams were told they must use PHP and Apache, others they must use NodeJS and nginx. Often for related parts of the UI.

If you want to know how to screw up a multi-million dollar project, look no farther.

(Source: Worked with a team leader during one of the "fire everyone" times.)

> banning version control

wtaf. embarrassed to be aussie

holy crap, NOW it makes sense.
yup, folks should give plausible but wrong answers to those questions and then put them in your password manager because you'll definitely forget.
Right. That's the obvious solution.
Then don't make it stick out.

Some people think they're too smart for putting a random string as their mother's maiden name. I'd rather just put something that looks like a name there.

What bank is it?