by jonpurdy 632 days ago
My solution to security/recovery questions is to generate or make up random answers, and store the question/answer pair in the notes field of the entry in my password manager.

This kills the “knowing things about you” vector of phishing and impersonation and makes it as secure as any unique and random password.


Absolutely. Like how many times has my mother's maiden name and the name of my first pet been leaked.
I hate the ones that don’t have a single objective answer. Like “name of your best friend in 3rd grade” or “city where you first fell in love”.
Or weirdly ethnocentric questions like “what’s your favorite food” with multiple choice answers like “spaghetti, pizza, hamburger”. Good thing everyone who recovers their password is American!

Or “what instrument do you play”, when multiple instruments I play are in the multiple choice list but only one can be correct. And what the fuck is the point of multiple choice security questions when anyone has a 1/10 chance of correctly guessing on any login attempt.

United Airlines is by far the worst major company I have ever seen in all of these and deserves to be shamed.

Those are the best! You're supposed to use a random answer like "cookie monster" or "flatulence"
If you're storing it next to the password, then you've killed the point of the recovery questions anyway. May as well not store them at all.
If that's an option it's usually what I do but often they're mandatory.
That assumes that there's no other way to get your password than by accessing the contents of your password manager. The service itself could have its passwords/hashes leaked, and people unfortunately do reuse passwords across services even with a password manager, so it's very plausible for someone to get your password but not the answers to your questions.
"What's your mother's maiden name?"

"42_red_banana_&"

This is why I choose random but plausible answers.

"Mother's maiden name? Cruz-Valdez"

"First Concert? Lil' Mermaid"

"City you were born in? Ubuntu"

The way I usually do this is with the random article button on Wikipedia, until I find something that sounds plausible.
1password team, integrate this feature please
This is also similar to my solution, however not so relevant here.

The "password" here is only used over the phone in place of an account number or similar where a customer can't recall other information.

The reddit user here would have had to provide this password over the phone before to another agent. It's the only way for it to get there.

Ditto. Have you ever had to use one? It's always a laugh.

CSR: What's your mother's maiden name? Oh wait, looks like an issue on our side.

Me: No issue. My mother's maiden name is Q5D6Erty#76cjWE1H. She's Dutch.

I did do this once, but it didn't really inspire confidence in the security of the whole thing.

Me: "ok, but it's some random text: Q 5 --"

CSR: "--yeah, ok, that's fine"

Since then I just make up a random, fake but real-sounding answer so the humans don't get confused.

I didn't realize I would have to say the answers over the phone when choosing the answers (and thought it would only ever be me filling them in online).

CSR: "What is your mother's maiden name?"

Me: "do you really want me to say it?"

CSR: chuckling. "Yes, I need you to say it"

Me: "Diarrhea"

The trick is to enjoy confusing humans and share the story of why when you get there. I went to the mall for the first time in a long time; every place wants to sign you up on the mailing list for a small discount. So they can email me at <Name of store>@mydomain; this way I unsubscribe, and if I see email coming to that address I know which store is the rat. They look confused and ask for 'a real address'. Well, that is a real address, I say, and here's why: ...

I get a little thrill every time.

How can you be sure that a targeted attack can't exfiltrate all available fields?

For the record, I don't have a great answer to this either -- genuinely curious.

You can't. I see that as a far lesser/more manageable risk than traditional security questions are though.