Hacker News
by justupvoting 1886 days ago
This implies the CS agent was able to view the password in plain text.

Yikes.

Big bank?

2 comments

This is an intended part of the design of security questions. They function like passwords, but they are not conceived of as being passwords.

If the bank wasn't able to view the answers in plain text, the security questions would not be able to serve their intended purpose.

Security questions are typically stored with a reversible encryption so they can be used by CS agents.

Security questions are not a password.

Which is why security questions are a horrible idea. What good does it do to have your nicely salted and hashed password when the answers to the security questions are available in plain text and get you access to the account?
They are just equivalent to a password, as knowing the answers allows you to reset the password.
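The equivalence argued in the thread, as an added example that is not part of any comment above and describes no particular bank: a security answer that can reset the password is, for takeover purposes, a second password, and it can be verified server-side with the same salted hash the password gets, so only a human reading it out loud needs plaintext. The `Account` class, the `normalize_answer` helper, the PBKDF2 iteration count and the sample credentials are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it to match your hardware.
ITERATIONS = 200_000


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash used identically for the password and the answer."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer before hashing so 'Fluffy ' and 'fluffy' match,
    which is the tolerance a CS agent comparing plaintext would apply by eye."""
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.casefold().split())


class Account:
    """Constructed in-memory account record: both secrets stored as salted hashes."""

    def __init__(self, password: str, security_answer: str):
        self._pw_salt = os.urandom(16)
        self._pw_hash = _derive(password, self._pw_salt)
        self._sq_salt = os.urandom(16)
        self._sq_hash = _derive(normalize_answer(security_answer), self._sq_salt)

    def verify_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self._pw_hash, _derive(candidate, self._pw_salt))

    def verify_security_answer(self, candidate: str) -> bool:
        # The answer is never stored or compared in plaintext; only the hash is kept.
        return hmac.compare_digest(
            self._sq_hash, _derive(normalize_answer(candidate), self._sq_salt)
        )

    def reset_password(self, security_answer: str, new_password: str) -> bool:
        """The equivalence from the thread: a correct answer replaces the password,
        so whoever knows the answer owns the account regardless of how well the
        password itself was hashed."""
        if not self.verify_security_answer(security_answer):
            return False
        self._pw_salt = os.urandom(16)
        self._pw_hash = _derive(new_password, self._pw_salt)
        return True


if __name__ == "__main__":
    # Constructed sample credentials.
    acct = Account("correct horse battery staple", "Fluffy")
    print("login with password:", acct.verify_password("correct horse battery staple"))
    print("wrong answer resets:", acct.reset_password("rex", "hunter2"))
    print("leaked answer resets:", acct.reset_password(" FLUFFY ", "hunter2"))
    print("attacker logs in:", acct.verify_password("hunter2"))
```

Hashing the answer closes the "agent can read it" hole only for the verification path; a process that requires an agent to read the answer back to the caller still needs plaintext somewhere, which is the design choice the thread is arguing about.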