by kminehart 1882 days ago
Security questions in general are a farce. I've started generating random passwords for answers and storing them in my password manager. That at least helps me feel slightly more secure about how ridiculous security questions are.

> generating random passwords for answers and storing them in my password manager

My friend did this. We made a bet. I called his bank and, when challenged for the answers, laughed and said I'd mashed my keyboard and that it's all gibberish. I got through and won a free drink.

The key is to generate incorrect answers that are reasonable matches to the question.

Like if they ask for a city, then give a city. If they ask for a name, give a name. Etc.

Exactly. This is the right answer to the problem. Random digits are a bad idea for the reason noted above.
Yeah, and then you have 50 places with all different questions where you give incorrect answers lol. Good luck trying to recall it. IMO these questions are the worst.
You put the answers into your password manager for that account. If your password manager doesn't have at least some kind of encrypted "notes" field for each account, get a better one that does.
I do, it still sucks.
But not your favorite city. Very clever!
I generate random 2-4 word phrases instead of random passwords specifically for this reason.
I did this and once they made me read it out: “three-four-echo-alpha-two-zulu…” At the end, I felt like I just gave them the world’s longest taxi clearance.
This must have been a major hassle, but your metaphor painted such a picture it cracked me up. Maybe it was a controller who had a major personal beef with some particular pilot.
There's one particular company that always asks for these on the phone, and unfortunately I have to call them somewhat regularly. "Yes, my grandma's name is 7lIMkcblbatQ7wXrmamTHc". Interestingly, they always maintain a poker face/tone throughout this process.
I was just thinking about this after I posted this. To be fair there's probably plenty of ways to smooth talk a customer representative. Most of these conversations end up emailing you a link to reset your password anyways, I would hope.
This implies the cs agent was able to view the password in plain text.

Yikes.

Big bank?

This is an intended part of the design of security questions. They function like passwords, but they are not conceived of as being passwords.

If the bank wasn't able to view the answers in plain text, the security questions would not be able to serve their intended purpose.

Security questions are typically stored with a reversible encryption so they can be used by CS agents.

Security questions are not a password.

Which is why security questions are a horrible idea. What good does it do to have your nicely salted and hashed password when the answers to the security questions are available in plain text and get you access to the account?
They are just equivalent to a password, as knowing the answers allows you to reset the password.
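As an added illustration (not code from the thread or from any bank), the following shows that answers can be verified without keeping them reversibly: the answer is normalized to tolerate case, spacing and punctuation differences, then salted and hashed like a password. The iteration count is a constructed parameter.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # constructed parameter; tune to your latency budget


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so case, spacing or punctuation differences
    don't cause a false rejection. This is the forgiving matching a call
    centre agent would do by eye, done deterministically instead."""
    text = answer.casefold().strip()
    text = re.sub(r"[^\w\s]", "", text)  # drop punctuation
    return re.sub(r"\s+", " ", text)      # collapse runs of whitespace


@dataclass(frozen=True)
class StoredAnswer:
    salt: bytes
    digest: bytes


def register_answer(answer: str) -> StoredAnswer:
    """Store only a per-answer salt and the PBKDF2 hash of the normalised
    answer, exactly as one would for a password; nothing reversible is kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return StoredAnswer(salt, digest)


def verify_answer(stored: StoredAnswer, candidate: str) -> bool:
    """Re-derive the hash of the candidate with the stored salt and compare
    in constant time, so a mismatch leaks nothing about the stored value."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(), stored.salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, stored.digest)
```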
I wonder if a diceware/xkcd passphrase would work better.
Then you'll love what United Airlines used to do (still does?), which had me selecting answers from a dropdown list. Too bad if your 'favourite sport' isn't listed!
That wouldn't work with these; Experian uses its own information about you to generate the questions and answers.
This is possibly the worst implementation of a terrible idea.
Disclaimer, I work for TransUnion. The following thoughts are my own.

The theory behind this implementation is that probably no one other than you knows what the amount of the mortgage you took out in 1999 is or the size of the car loan you took out in 2015. So in theory it confirms that you are the person who the credit report belongs to. In practice it gets tricky because there are plenty of people who have super boring credit files (e.g. they only have a credit card and have never had a loan). With that kind of user you end up in the situation where the questions either ask about information that can probably be gleaned from public records or the answers end up being “none of the above.” For those users specifically it is a pretty useless solution. I remember signing up for Credit Monitoring and thinking that anyone with a passing knowledge of my life could answer the questions.

It turns out that verifying that someone is who they say they are without needing to see a valid ID is a hard problem to solve.

Is it a great solution no, but before data breaches became so common it was a somewhat reasonable solution. In today’s world though I would agree that it is a pretty terrible solution, but I don’t know how you would solve that without requiring notarization from a trusted third party that the person is for sure who they say they are.

It’s almost like we need ID check kiosks around the country that generate one-time passwords for providers that have no branch offices.
Until fake kiosks start appearing.

There's a reason they tell you to never use an ATM at DEFCON...

What would these do? Fake check your ID? Give you a fake password?
They are pretty much unacceptable according to 2017 NIST standards, and pretty much impossible to use correctly in the banks' use case.
I call them "insecurity questions" because they just render accounts less secure.
That helps when you set the security questions yourself, which is not the case here. The security questions these companies ask you are data from your credit file (like your past addresses and creditors).
These "security questions" that Experian is asking aren't questions you've previously given answers to; they are questions that are generated based on what they know about you from your credit report and data from other databases. They might ask you about loans you have or had, people and phone numbers you are "associated" with, places you've lived, cars you've insured, etc.
I’m using answers that are deliberately (but consistently) incorrect.