by JumpCrisscross 1883 days ago
> generating random passwords for answers and storing them in my password manager

My friend did this. We made a bet. I called his bank and, when challenged for the answers, laughed and said I'd mashed my keyboard and that it's all gibberish. I got through and won a free drink.


The key is to generate incorrect answers that are reasonable matches to the question.

Like if they ask for a city, then give a city. If they ask for a name, give a name. Etc.

Exactly. This is the right answer to the problem. Random digits are a bad idea for the reason noted above.
Yeah, and then you have 50 places with all different questions where you give incorrect answers lol. Good luck trying to recall it. IMO these questions are the worst.
You put the answers into your password manager for that account. If your password manager doesn't have at least some kind of encrypted "notes" field for each account, get a better one that does.
I do, it still sucks.
But not your favorite city. Very clever!
I generate random 2-4 word phrases instead of random passwords specifically for this reason.
I did this and once they made me read it out: “three-four-echo-alpha-two-zulu…” At the end, I felt like I just gave them the world’s longest taxi clearance.
This must have been a major hassle, but your metaphor painted such a picture it cracked me up. Maybe it was a controller who had a major personal beef with some particular pilot.
There's one particular company that always asks for these on the phone, and unfortunately I have to call them somewhat regularly. "Yes, my grandma's name is 7lIMkcblbatQ7wXrmamTHc". Interestingly, they always maintain a poker face/tone throughout this process.
I was just thinking about this after I posted this. To be fair there's probably plenty of ways to smooth talk a customer representative. Most of these conversations end up emailing you a link to reset your password anyways, I would hope.
This implies the CS agent was able to view the password in plain text.

Yikes.

Big bank?

This is an intended part of the design of security questions. They function like passwords, but they are not conceived of as being passwords.

If the bank wasn't able to view the answers in plain text, the security questions would not be able to serve their intended purpose.

Security questions are typically stored with a reversible encryption so they can be used by CS agents.

Security questions are not a password.

Which is why security questions are a horrible idea. What good does it do to have your nicely salted and hashed password when the answers to the security questions are available in plain text and get you access to the account?
They are just equivalent to a password, as knowing the answers allows you to reset the password.
I wonder if a diceware/xkcd passphrase would work better.
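The advice in the thread (give a plausible fake answer that matches the question type, fall back to a random word phrase, and keep it all in the password manager's notes field), as an added example that is not part of the thread. The category keywords, decoy pools and word list are constructed for illustration; a real setup would use much larger pools, e.g. the EFF diceware list for the phrase fallback.

```python
import re
import secrets
from random import Random

# Constructed decoy pools, one per question category. Any plausible answer
# of the right type works; the point is that it is NOT the true answer.
POOLS = {
    "school": ["Lincoln", "Roosevelt", "Jefferson", "Franklin", "Kennedy"],
    "pet": ["Biscuit", "Juno", "Pepper", "Moose", "Clover", "Ziggy"],
    "car": ["Corolla", "Civic", "Golf", "Focus", "Fiesta", "Accord"],
    "city": ["Lisbon", "Tacoma", "Nagoya", "Krakow", "Adelaide", "Halifax"],
    "name": ["Margaret", "Dmitri", "Priya", "Hector", "Ingrid", "Tomas"],
}
# Keyword patterns that map a question to a category, checked in order so
# that "name of your first pet" hits "pet" before the generic "name" rule.
CATEGORY_HINTS = [
    ("school", r"\bschool\b"),
    ("pet", r"\bpet\b"),
    ("car", r"\b(car|vehicle)\b"),
    ("city", r"\b(city|town|born|honeymoon)\b"),
    ("name", r"\b(name|mother|father|grandma|grandmother|friend|teacher)\b"),
]
# Constructed short word list for the phrase fallback (real use: diceware).
WORDS = ["echo", "lantern", "copper", "meadow", "zulu", "harbor",
         "velvet", "timber", "orbit", "saffron", "granite", "willow"]


def classify(question):
    """Return the decoy category for a question, or None if unrecognised."""
    q = question.lower()
    for category, pattern in CATEGORY_HINTS:
        if re.search(pattern, q):
            return category
    return None


def decoy_answer(question, rng=None, words=3):
    """Pick a plausible decoy for a recognised question type, otherwise a
    random word phrase that is still easy to read out over the phone."""
    rng = rng or secrets.SystemRandom()   # CSPRNG by default; seedable for tests
    category = classify(question)
    if category:
        return category, rng.choice(POOLS[category])
    return "phrase", "-".join(rng.choice(WORDS) for _ in range(words))


def decoy_record(questions, rng=None):
    """Question -> answer mapping to paste into the account's notes field."""
    return {q: decoy_answer(q, rng)[1] for q in questions}
```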