by asdkhadsj 2843 days ago
Yea, I ran into a bank that did that too. Then they proceeded to ask me a half dozen "security" questions from a massive list I could choose. Most of which I didn't know the answer to.

I answered all of them (and put my answers down in my pw manager) with something like "X bank has terrible security, I hate this bank" - hoping that one day I'll have to answer those by phone haha.


I always answer the security questions with gibberish that I also save with my password manager. I now use a method like correct-horse-battery-staple to create answers, but I used to use long alphanumeric strings. I switched methods because, yes, one day I had to read the answer over the phone.

Rep: "Tell me the answer to this question."

Me: "Ok, let me see what I set it to..."

Answer: F^O9dA66@wUPpK5$lTXBbrQ#yLP1EGl$

Me: "Oh... Oh no."

I'm a bit worried about social engineering there. "Oh, it's a bunch of gibberish" may pass muster with a support rep (in both of your approaches), leading to compromise.

Lately, I've been making up a seemingly correct, but random response (and different each time). My favorite vegetable? Sea cucumber! I store that in my password manager.

> I'm a bit worried about social engineering there. "Oh, it's a bunch of gibberish" may pass muster with a support rep (in both of your approaches), leading to compromise.

I can confirm that this is the case. I provided a gibberish answer to a security question for Blizzard. I didn't bother to write it down, relying on not forgetting my password.

I never forgot my password, but Blizzard shut down my account anyway because I was making payments with a card that was not listed as the account's "primary payment method". (The card I was using was listed on the account, but another card was the "primary payment method".) When I had to call support and answer my security question, the answer I'd filled in just meant that I wasn't required to provide the correct answer.

I've found it's better to give them correct answers that are entirely fake. The make of your first car is an Aston Martin. Your nearest sibling lives in lunar colony 1.

This way "it's a bunch of gibberish" doesn't get past their security.

I use something like this: "the secret password is tango-seven-alpha-romeo-zero-zero-victor-sierra-foxtrot-quebec".

Never had to use these for real yet, but it should be a bit harder to be seen as "a bunch of gibberish".

"Oh shoot, it was a bunch of random words. I'm so sorry, I had it written down but I can't find the paper..."

Remember, an attacker can call support hundreds of times, getting a different rep every time. There's a good chance it'll work eventually.

Seems to me like that's not really a criticism against using random answers for secret questions.

Clearly random answers are a problem. You're going to find support reps inclined to accept "oh it's just something random", which means you're guaranteed to get compromised if you're a big enough target to spend some hours on.

Random but outwardly appearing valid ones are fine (but you'd want to avoid using the same answer on different sites). One site's "first car" could be Porsche 911, another's Aston Martin. Both aren't true, but the support rep doesn't know that.

I've had the same situation before, and I don't think I've ever had to read them the entire thing. Usually we did something like this:

Rep: "Tell me the answer to this question."

Me: "Ok, let's see.....ah. So, it looks like a random string of gibberish, right?"

Rep: "Um, well...(unsure if he's allowed to say Yes or No)"

Me: "Yeah, I use a password manager for all my stuff, so all my passwords are randomly generated. I didn't think I'd ever have to read it over the phone. Sorry about that! I can read it out for you, but it might take a while. If I read you the first three characters and the last three characters, is that sufficient to demonstrate for you that I know the answer?"

Rep: "Yes, I think that would be fine."

Me: "Alright, then! First three, 'F', 'caret', 'capital O'. Last three, 'capital G', 'lowercase l', 'dollar sign'."

---

As I said, I've never had anyone challenge me to read the full thing out. When I explain why it is that way and give them the bookends, they are usually convinced that I'm me.

There's a security issue there in that you don't want them in "I think that would be fine" territory.

Some of those reps may have been fine with you saying "oh no. I didn't think I'd ever need that and just mashed the keyboard".

Better to use something that's still made up, but is plausibly true.

"I didn't smash this F^O9dA66@wUPpK5$lTXBbrQ#yLP1EGl$"

As is demonstrated time and time again, the weakest point in any security system is usually a human being.

If the operator gives up after the 10th random character given on the phone, it's still quite secure.

I am reminded of https://xkcd.com/1181/.

What garbage string is there doesn't matter. Just as long as it is recognizably garbage and you know it.

I use GPW strings for this use-case. GPW has weaknesses that make them somewhat poor for use as first-line passwords, but they're still really good for passwords that you need to read to someone over the phone.

In my most recent experience with them, the company allowed both the question AND the answer to be set. So, they had to read a random string to me, and I had to read one back. It went quite well, actually.

https://multicians.org/thvv/gpw-js.html
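The two generation schemes mentioned in this thread (word-list answers in the correct-horse-battery-staple style, and pronounceable GPW-style strings that survive being read over the phone), plus the warning above about reusing one answer across sites, as an added Python example. This is not code from any commenter or from GPW itself: the word list, the consonant set and the sample vault are constructed for the demo, and the pronounceable generator is a simplified consonant/vowel alternation, not GPW's trigram algorithm.

```python
import math
import secrets

# Constructed demo word list (an assumption for this example, not from the
# thread). A real generator would load a large published list such as the
# EFF long word list so that each word contributes roughly 12.9 bits.
WORDS = (
    "anchor battery beacon cactus canyon copper crater dolphin ember falcon "
    "glacier harbor horse iceberg jasper kettle lantern marble nickel orchid "
    "pepper quartz raven saddle staple timber umber velvet walnut yarrow "
    "zephyr correct"
).split()

# Letters chosen to be unambiguous when spoken; also a constructed choice.
CONSONANTS = "bdfgklmnprstvz"
VOWELS = "aeiou"

# CSPRNG; the plain 'random' module is not suitable for secrets.
_rng = secrets.SystemRandom()


def passphrase_answer(n_words: int = 4, words=WORDS) -> str:
    """Correct-horse-battery-staple style answer: n random words, hyphenated."""
    return "-".join(_rng.choice(words) for _ in range(n_words))


def pronounceable_answer(length: int = 10) -> str:
    """Alternating consonant/vowel string that is easy to read aloud.

    A deliberately simple stand-in for GPW-style output, not GPW's own
    trigram-frequency algorithm.
    """
    return "".join(
        _rng.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )


def is_pronounceable(s: str) -> bool:
    """Check that a string follows the consonant/vowel alternation above."""
    return all(
        (c in CONSONANTS) if i % 2 == 0 else (c in VOWELS)
        for i, c in enumerate(s)
    )


def passphrase_entropy_bits(n_words: int, vocab_size: int) -> float:
    """Entropy of n independently chosen words from a vocabulary."""
    return n_words * math.log2(vocab_size)


def pronounceable_entropy_bits(length: int) -> float:
    """Entropy of an alternating string: consonant slots first, then vowels."""
    consonant_slots = (length + 1) // 2
    vowel_slots = length // 2
    return (consonant_slots * math.log2(len(CONSONANTS))
            + vowel_slots * math.log2(len(VOWELS)))


def find_reused_answers(vault):
    """Given {(site, question): answer}, return {answer: [sites]} for every
    answer that appears at more than one site, the reuse the thread warns
    against."""
    by_answer = {}
    for (site, _question), answer in vault.items():
        by_answer.setdefault(answer, set()).add(site)
    return {a: sorted(s) for a, s in by_answer.items() if len(s) > 1}


# Constructed sample vault to exercise the reuse check.
SAMPLE_VAULT = {
    ("bank-a", "first car"): "Aston Martin",
    ("bank-b", "first car"): "Porsche 911",
    ("airline", "favourite vegetable"): "sea cucumber",
    ("retailer", "favourite vegetable"): "sea cucumber",
}

if __name__ == "__main__":
    print("word answer:  ", passphrase_answer(),
          f"({passphrase_entropy_bits(4, len(WORDS)):.1f} bits)")
    print("spoken answer:", pronounceable_answer(),
          f"({pronounceable_entropy_bits(10):.1f} bits)")
    print("reused across sites:", find_reused_answers(SAMPLE_VAULT))
```

With the 32-word demo list a four-word answer carries only 20 bits, which is why the comment in the lead-in matters: the strength of the word-list scheme comes entirely from the size of the list, whereas the ten-letter alternating string gives about 30 bits regardless. Either is far beyond what "name of your primary school" offers, and both are readable over a phone.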

I do the same thing, but I only use strings that are maybe four or five characters of letters only. Most of these answers are expected to be things like people and street names, so I think it's still vastly more secure without looking like the system had an internal error.

The only change I make to this process is my security questions are stored in a separate password manager to my passwords. That way if I lose access to my passwords and actually need the stupid (ahem, security) questions I can find them.

This is exactly what I do. Keep it easily human readable but it should still be nonsense that no one could social-engineer their way into getting.

I thought I'd seen it all until I had to set my United Airlines security questions.

Not only are the questions picked from a list, but the answers are. http://www.slate.com/articles/technology/future_tense/2016/0...

I did that at a certain corp, my security answers were all long sentences completely unrelated to the question (mostly things like "This question is useless" which made for some interesting phone conversations until they got it)

Basically if you wanted to reset your employee password, which gave you access to corp vpn etc, you could call a 24/7 support line and give them your security answers.

The problem with this is that most of the questions were not things that are inherently secure, things like "what was the name of your primary school" are easy to guess or research.

> The problem with this is that most of the questions were not things that are inherently secure, things like "what was the name of your primary school" are easy to guess or research.

They're also inherently unanswerable in many cases.

As an example, I went to two different primary schools. I don't have a favorite musician or sports team, and the answer to "where did you meet your wife" might be the school, the city, or "in class".

Last time I had to update my Apple security questions a good 80% of the questions weren't ones I felt I could answer in a way that'd be memorable a few years later.

Not to mention, these things are usually case sensitive. Sure, I can remember my childhood address, but how did I capitalize it? Did I abbreviate street? If I abbreviated street, did I add a period to make it "St." or "St"?

Fortunately, I don't notice too many services requiring security questions these days. Unfortunately, most of them are banks or other services that probably also have my SSN.