by Terr_ 457 days ago
Related stupidity: "Security Questions" that enable someone to take over your account just by collecting not-so-secret information that is often shared because the site insists you pick from their own set of questions which other sites have already used.
3 comments

The best way to tackle "Security Questions" is to generate a passphrase, store in your password manager, and use that for the answer.

In the unlikely event you ever need to recover your account with the Security Answer, it's much easier to read out a few words than a 16+ character random password.

That is an unattainable standard for the average joe though. Savvy people have their ways to keep things secure, even if it's inconvenient. It's the masses that fall prey to these avoidable traps.
1Password actually has built-in support for that very flow: https://support.1password.com/generate-security-questions/#c...

The only thing is you sometimes have to warn the customer service agent that you have an unusual answer to "childhood best friend", but otherwise I've never had a problem with it.

"Can you tell me the name of your favourite teacher... hmm..."

"Oh, it's a load of random letters and numbers, starts with X"

"Yes, let's proceed"

Happened to me once, I can't remember the company as it was many years ago.

I don't mean to discount your experience, and I'm guessing the social engineering opportunities are unlimited no matter the protections, but the screenshot I provided shows that by default it uses word-based, not password-style, generation, so your childhood best friend would be "couch tulip wheel" and not cafe8675309$.
There are other good reasons not to use a random string! Try calling up customer service: they'll ask you the question, and you can say "oh it's just a bunch of random letters and numbers".

Unlike a code or password, these security questions are fuzzy matches, generally based on the judgment of a human on the other end.

Definitely, but it's very hard to convince your whole family to adopt this practice...
I choose answers that only barely make sense, i.e.:

"Where is your favorite vacation spot?"

Narnia

"What was your first pet's name?"

Falkor

Even my closest friends who know me would never guess those, even if they knew I was giving bullshit answers, simply because I was never into "The Lion, The Witch, and the Wardrobe" or "Never Ending Story".

(Note: These are not ACTUAL answers I've given, but you get the idea)

I save the bullshit answers into my password manager. But yeah, it's probably a better idea to just use an actual pass phrase.

The problem arises when a CS rep needs you to answer those questions on the phone.

How do you handle that?

Not parent poster, but generating a sequence of randomized dictionary words will work provided the answer field isn't too small and none of them are too hard to spell.
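
The word-based security-answer generation suggested in the comments above (a passphrase kept in a password manager, and "randomized dictionary words" that fit the answer field and are easy to spell), as an added example that is not code from this thread, 1Password, or any commenter. The wordlist is a small constructed sample for the demo; a real deployment would load the EFF large wordlist or a similar published list, and the function names are my own.

```python
import math
import secrets

# Constructed sample wordlist for this demo (32 entries). A real tool would load
# the EFF large wordlist (7776 words) or similar; the code is wordlist-agnostic.
SAMPLE_WORDS = [
    "apple", "bread", "cabin", "delta", "eagle", "fable", "grape", "hazel",
    "igloo", "jelly", "kiosk", "lemon", "mango", "noble", "ocean", "piano",
    "quilt", "river", "sugar", "tulip", "umbra", "vivid", "wheel", "xenon",
    "yacht", "zebra", "couch", "tent", "fox", "lamp", "moss", "pear",
]


def usable_words(words, max_len=7):
    """Keep only lowercase alphabetic words of at most max_len letters.

    Short, plain words are easy to read out and spell to a support agent,
    which is the whole point of a word-based answer over a random string.
    Returned sorted and de-duplicated so the vocabulary size is well defined.
    """
    return sorted({w.lower() for w in words if w.isalpha() and len(w) <= max_len})


def generate_answer(words, n_words=3, max_field_len=None, sep=" ", choose=secrets.choice):
    """Build an answer of n_words random words drawn with a CSPRNG.

    If max_field_len is given (the site's answer-field limit), the phrase is
    re-drawn until it fits. Rejection sampling keeps each accepted phrase
    uniformly distributed over the phrases that fit; a pre-check refuses
    combinations that can never fit instead of looping forever.
    `choose` is injectable so tests can make the draw deterministic.
    """
    if n_words < 1 or not words:
        raise ValueError("need at least one word and a non-empty wordlist")
    if max_field_len is not None:
        shortest = min(len(w) for w in words)
        if n_words * shortest + (n_words - 1) * len(sep) > max_field_len:
            raise ValueError(f"answer field too small for {n_words} words")
    while True:
        phrase = sep.join(choose(words) for _ in range(n_words))
        if max_field_len is None or len(phrase) <= max_field_len:
            return phrase


def bits_of_entropy(n_words, vocab_size):
    """Upper bound on guessing entropy: each word adds log2(vocab_size) bits.

    A length limit (rejection sampling) removes some phrases and so lowers
    the true figure slightly; this bound is what the wordlist alone gives.
    """
    return n_words * math.log2(vocab_size)


if __name__ == "__main__":
    vocab = usable_words(SAMPLE_WORDS)
    answer = generate_answer(vocab, n_words=3, max_field_len=30)
    print(f"answer: {answer!r}")
    print(f"demo wordlist: {bits_of_entropy(3, len(vocab)):.1f} bits")
    print(f"EFF large wordlist: {bits_of_entropy(3, 7776):.1f} bits")
```

Three words from a 7776-word list give roughly 38.8 bits, far beyond what a "favourite teacher" answer offers, while staying something you can read aloud; with the 32-word demo list it is only 15 bits, which is why the wordlist size, not the word count, is the first thing to get right.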
This question reminds me of another brain-dead and rather incredible password policy I encountered. I was trying to set a password for United Healthcare. Their password requirements were shown, and I was complying with all of them. Yet it was failing over and over.

I finally called them to report the problem, and the first question out of the rep's mouth was, "Does your password contain swear words?"

I shit you not, UHC secretly audits your passwords for "swear words." Doing so is bad enough, but not mentioning it in the rules is doubly offensive for deliberately stealing users' time.

Make sure it is a plausible-sounding answer.

Don't give an attacker an opportunity to social engineer and say, "it was a bunch of random letters or words" and the customer service person lets them in because it looked like someone was just typing random stuff.

(Insert xkcd here)