[furyg3]

This, too, was my problem. I don't want to give out real answers to my security question for two (slightly contradictory) reasons. The first is: what if this site is hacked? Now my security question answers are floating around for use on other sites that ask similar questions. The second is: some of these questions are pretty easy to find the answer to, or guess. So I used a generated string for those questions, too. Generally worked, but sometimes made for some interesting phone calls. "My mothers maiden name is <random string>. You can guess why she took my father's."

Then they started reading back random choices, which made it pretty easy to guess what I picked.

[derekp7]

I have a third problem -- often times, the list of questions they ask are non-sense to me. "What is your favorite food?" I don't have a favorite, and can't think of anything that I'd remember later. "What was the name of your first pet?" I never had a pet. "What was the name of your high school sweetheart?" Gee, thanks a lot for stirring up bad memories.

[Trundle]

Here's a fourth that was actually responsible for me starting to just use generated passwords for those as well. They told me my answer wasn't valid.

According to them, it's impossible for your mothers maiden name to have less than six characters :/

[lysp]

Funny story - I had an old short-length insecure password on a website that I hadn't used for years.

I decided to log in and change it to a randomly generated secure password. However, they had upgraded their off the shelf software some time over the last 4-5 years to a newer version.

The problem was, on their password change page the "new password" field had a minimum length of 8 characters, however the "OLD password" field also had that exact same requirement.

So I put in:

* Old: 12345

* New: 717&t!1XFCWJWk!q@ut3B

* Confirm: 717&t!1XFCWJWk!q@ut3B

And got an error "your password must be 8 characters or greater".

After swearing a few times, I breakpointed and edited the javascript validation to remove the length requirement and submitted the change again - this time got a server-side error saying the same thing.

I ended up beating it by logging out, clicking "I've forgot my password" and resetting it via email.

[bitL]

> edited the javascript validation

You probably broke law there O_O

[RugnirViking]

How can there be a law that prevents running abritary code on my own box?

[foobarchu]

I had a similar experience with a city bill pay website, except in this situation it was a new account and they simply didn't prevent me from setting the password to something long in the first place, so once my account was created I wasn't allowed in. And because you need to log in once to verify your email, I couldn't reset the damn thing either.

[mighty_atomic_c]

Oh no! My mother's maiden name is _invalid_!

[mighty_atomic_c]

Just go with the snark and out in a joke answer that you will find funny. Some of my security questions are hilariously inapplicable, so the first silly, snarky thing I think up is likely to be memorable. It is also a little hard to guess unless you know me really well to an unlikely degree, and it won't stick out as much as a sore thumb in multi-choice situations.

[solarkraft]

Except too often the strings have to exactly match. That has turned out to be a problem for me with longer answers.