by transreal 2477 days ago
I've been getting pretty annoyed by the "Security Questions" some sites have you set up.

A client I work with gave me a vendor account, with a preset list of security questions I had to answer. One was 'What was the color of your first car?'. I typed in 'Red', and got an error that the entry needed to be at least 4 characters long.

11 comments

The name of my childhood pet was "FVrE9msW9DLBAx". Makes for fun conversations on the phone.
It is better to pick names with actual words. An attacker can otherwise say that the answer is just a bunch of random characters, and there is a risk that a naïve customer support representative may accept it.
In order to deploy this successfully, the attacker would have to know that you used a random string...how would they know this without having access to the string itself?
Not necessarily - they're given multiple "tries" so they can just pick "a bunch of random letters" as one of their first few choices in hopes that they guessed correctly.
Ugh...
Mine was "78 nails and 7 Greek philosophers", which works a little better on the phone. ;-)
That's really the best use for security questions: have fun with customer support.

"Pet's name?"

"ICUP."

"Can you ........ Oh."

Another nasty experience I had recently: On an account I hadn't used for ages and for inexplicable reasons was not covered by my pw manager, they did not present me with the security question for password reset. Instead they gave me the whole list and said answer the security question you had chosen at registration. Of course I didn't remember; the list had no option I would always pick.
I've run into this a few times and so now I always store the question in my password manager too.
That actually makes it slightly more acceptable to use security questions I guess.
Normal users will probably try different question-answer combinations until they get a hit, submitting a lot of personal data in the process.
Yes - Apple are one of the worst. I truthfully could not answer most of their questions, some of which seemed very US-centric. For example, I've never owned my car and do I really have a favourite colour?
Yup this happened to me. Apparently 10 is not a valid response to "What is the street number of the house you grew up in?". It needed to be at least 3 characters for some reason.
ten
What bugs me about security questions is when they give you questions that have subjective or time-varying answers. "What's your favorite X" is a terrible security question for me; I am not likely to remember an answer I chose 2-3 years ago.
A government site I have to use for work asks "If you were a tree, what kind of tree would you be?"
A Ms. Tree!
United is the worst offender with security questions. Not only are the questions preset, but the answers are a dropdown too! There’s also no way to input a “custom answer,” so you’re stuck with absurdly low entropy “security questions.”
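The entropy point in the comment above, and the random-answer and "store the question too" advice earlier in the thread, can be made concrete. The following is an added example and not code from the thread or from any password manager; the 32-entry word list is constructed for the example, and `VaultEntry`, `make_entry` and the site rules (minimum answer length) are assumptions.

```python
import math
import secrets
from dataclasses import dataclass

# Constructed word list (assumption, standing in for a real diceware-style list).
# 32 entries, so each uniformly chosen word contributes exactly 5 bits.
WORDS = [
    "nail", "greek", "philosopher", "anvil", "basket", "cactus", "dolphin", "ember",
    "falcon", "garnet", "harbor", "iguana", "jasper", "kettle", "lantern", "marble",
    "nectar", "orchid", "pepper", "quartz", "radish", "saddle", "tundra", "umbrella",
    "velvet", "walnut", "xenon", "yogurt", "zephyr", "beacon", "cobalt", "dune",
]


def entropy_bits(choices: int) -> float:
    """Bits of entropy for one answer drawn uniformly from `choices` options."""
    return math.log2(choices)


def dropdown_entropy(options: list[str]) -> float:
    """A preset dropdown answer is at best log2(number of options) bits."""
    return entropy_bits(len(options))


def random_string_entropy(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a random alphanumeric string like the 14-char pet name above."""
    return length * entropy_bits(alphabet_size)


def passphrase_entropy(n_words: int, wordlist_size: int = len(WORDS)) -> float:
    """Entropy of n words chosen uniformly from the word list."""
    return n_words * entropy_bits(wordlist_size)


def random_speakable_answer(n_words: int = 4) -> str:
    """Random answer made of real words, so it can be read out over the phone."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def meets_site_rules(answer: str, min_len: int = 4) -> bool:
    """Stand-in for the site-side check that rejected 'Red' and '10' (assumption)."""
    return len(answer) >= min_len


@dataclass(frozen=True)
class VaultEntry:
    """Password-manager record that keeps the question next to the answer,
    so a reset form that hides the question can still be answered."""
    site: str
    question: str
    answer: str


def make_entry(site: str, question: str, n_words: int = 4, min_len: int = 4) -> VaultEntry:
    """Generate an answer that satisfies the site's length rule and record the question."""
    answer = random_speakable_answer(n_words)
    while not meets_site_rules(answer, min_len):
        answer = random_speakable_answer(n_words)
    return VaultEntry(site=site, question=question, answer=answer)


if __name__ == "__main__":
    colours = ["red", "blue", "green", "black", "white", "silver", "grey", "gold"]
    print(f"8-option dropdown:        {dropdown_entropy(colours):.1f} bits")
    print(f"14-char random string:    {random_string_entropy(14):.1f} bits")
    print(f"4 words from 32-word list:{passphrase_entropy(4):.1f} bits")
    entry = make_entry("example.invalid", "What was the color of your first car?")
    print(entry)
```

The comparison is the useful part: a fixed dropdown of eight colours is worth three bits, whatever the rest of the reset flow does, while four words from even a tiny list beat it by a wide margin and remain pronounceable to a support agent. Storing the question in the vault record addresses the case where the reset page refuses to tell you which question you chose.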
As far as my credit card company knows, the name of my kindergarten teacher is Danny DeVito and I met my wife in the upper atmosphere of Venus.
Haha, that's terrible.

I get annoyed by the security questions in a different way. If they are all based on "firsts" such as first school, first address, first friend, etc, I'm screwed. I moved 23 times growing up and went to 9 different schools. I have no idea what my "first" things were.

I have a credit card that requires you to answer a security question just to make a payment, with an existing linked account. I can't fathom what scenario they think they are protecting against here.
Perhaps they're protecting themselves against you making an on time payment and not accruing any interest. ;)
My former bank sends an SMS OTP every time I make a transaction. No TOTP support. If it's the same security question, password managers can easily fill it out, no?

This SMS annoyance is a major reason why I left them.

Maybe they expected you to label it as a Google Pixel color: e.g. `really red`.
Yeah, I've seen a similar restriction on mother's maiden name =/
My mother (and many many women in this modern world) _goes by her maiden name_ so it's not exactly a secret.

I always (politely) point this out when I'm dealing with a human at an institution who asks me for this information as part of the security process.

Even when a woman does change her last name after marriage, believing that her maiden name is somehow secret information in this day and age seems about as secure as "what street did you grow up on?", or "what was your high school mascot?". The root of the problem is believing that security questions are a good practice to begin with.
On top of that we are living in the era of social media, where this type of information is no longer hard to find.
Yep, plus all the people who don't live in a culture where "maiden name" implies anything.
Good point.