[jsonau]

Another worst offender are security questions to unlock accounts. Answers to these questions are usually visible to customer service reps and similar set of questions are asked among different services. This is scary.

It's dangerous as having password stored in plain text as answers to the security questions can potentially unlock many other accounts.

I highly suggest everyone answers each of them with a unique answer.

[Sendotsh]

I answer these with random wrong answers and add the question/answer combo to the Notes section in my password manager.

Don’t just mash the keyboard or use random strings, as customer support will regularly accept “I don’t remember, I just put random stuff”. Make it believable but wrong.

[manigandham]

I use fake answers. Treat them as basically secondary passwords. I do keep them as real words though since sometimes they need to be answered over the phone and you don't want to read a long random string of characters.

[panopticon]

Yeah, I used to use randomly generated strings until a customer service rep asked me to recite my security question answer to them... Now I use something like Diceware for real words.

[SketchySeaBeast]

That's excellent, I had no idea that existed, I'll have to start using that. Though it is fun to do a game of security question chicken - how much letters are they going to listen to me say until they go "ok, that's good enough"?

[ltc5505]

Customer Rep.: "What is your mother's maiden name?"

Scammer: "I just entered a bunch of garbage."

Customer Rep.: "Yup! Thanks for verifying that Mr. Smith!"

[SketchySeaBeast]

"A bunch of garbage" is actually kind of a fun answer in itself. "Who was your childhood best friend?" "A bunch of garbage."

[ltc5505]

Haha that's pretty funny. "Who was your first college roommate?" "A bunch of garbage."

[deadbunny]

I recently closed a bank account I opened purely to take advantage of their decent interest.

After draining both accounts online I then called up to close them, the first question was "Who is your favorite superhero?" I blanked, no idea, I set these accounts up like 2 years ago.

No problem they just set me up some new "security" questions after confirming my name/address/dob.

Suffice to say I'm glad they're not holding any of my money now.

[scarface74]

My bank uses the mobile app as 2FA when you call in. You first have to login to your mobile app and then have to verify it. That alleviates the stolen phone number issue.

[XorNot]

I've long since started just putting in random password strings for these.

[Someone1234]

I used to also, until this blew up in my face.

Put random stuff as the security answers in my Trial World of Warcraft account in 2005. In order to merge it into my Battle.net 2.0 account around 2009 I needed to know it, and even though I had the correct password there was no way to change security questions and I had to beg customer support (which was a long process, involving software serial numbers, scans of ID, the whole works).

Ultimately they told me what my mother's maiden name was: qewqewdfskjr3924kjasdf

[bscphil]

I assume when people suggest putting random strings in these fields, it's implied that you're supposed to save that data in a password manager or something. Mine (KeePassXC) supports storing arbitrary data as "notes" in each entry, along with TOTP information (great as a backup in case you lose your phone), and other stuff.

I worry more that a particularly dull customer support agent is likely to be convinced by a random caller to reset the password if they can see that those fields are garbage.

[syntheticcdo]

Use randomly generated words. A CSR might be convinced by "idk I just put random words in there LOL" when the security question answer is uaisehf8wefjh0824m, but if they see "correct-horse-battery-staple" as the answer, it might be a bit harder to convince.

[checkyoursudo]

This is what I do, although like others mention I still use real words. I add my bogus answers to security questions as notes in my password manager. This method has worked well for me for a long time without any risk that I have discovered.

[soulofmischief]

Currently locked out of my bank for the weekend because of this :)