Let’s Kill Security Questions (techblog.bozho.net)
4 points by bozho 2035 days ago
2 comments

Security questions can be used to reset your password. They are backup passwords. They should be treated as such: randomly generated and stored in a password manager. Different for each account. Any decent password manager will have a "notes" field or other way to store such data encrypted in the vault. Since they're almost certainly stored in plaintext on the backend, they should have at least 128 bits of entropy. 20 random printable US keyboard characters, 10 diceware words, etc.

Question: What colour was your first car?

Answer: SterilityExcitableFifthAbideEnrageGaffeHazilyRecoupSacrificeIllusive

Question: What was the first street you lived on?

Answer: G]6a)ERXnVd}`<(p'tY}

Etc.
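The entropy arithmetic behind the comment above (128 bits from 20 printable characters or 10 diceware words), with a CSPRNG-based generator, as an added example that is my code and not the commenter's. It assumes the 94-symbol alphabet of printable US keyboard characters without space and a standard 7776-word diceware list.

```python
import math
import secrets
import string

# Printable US keyboard characters, excluding space: 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
# A standard diceware list has 6**5 = 7776 words (assumed list size).
DICEWARE_LIST_SIZE = 7776
TARGET_BITS = 128  # the commenter's minimum for a plaintext-stored backup secret


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: int = TARGET_BITS) -> int:
    """Smallest number of uniformly chosen symbols whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_answer(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Generate a backup-password style 'security answer'.

    Uses the `secrets` module (OS CSPRNG); `random.choice` is deliberately
    avoided because it is not cryptographically secure.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    chars = min_length_for_bits(len(PRINTABLE))
    words = min_length_for_bits(DICEWARE_LIST_SIZE)
    print(f"{chars} printable chars -> {entropy_bits(len(PRINTABLE), chars):.1f} bits")
    print(f"{words} diceware words   -> {entropy_bits(DICEWARE_LIST_SIZE, words):.1f} bits")
    print("example answer:", random_answer(chars))
```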

> Almost any security question’s answer is guessable by doing research on the target person online.

That's why you never answer the question but use some "non sequitur" answer:

Question: what colour was your first car?

Answer: rumpelstiltskin

This runs afoul of the rule about telling lies — you find yourself unable to remember which lie you told where.
And also, this is a non-obvious practice for people who are not security experts. They answer honestly because that's what they are asked.