by torton 457 days ago
The best way to tackle "Security Questions" is to generate a passphrase, store in your password manager, and use that for the answer.

In the unlikely event you ever need to recover your account with the Security Answer, it's much easier to read out a few words than a 16+ character random password.

5 comments

That is an unattainable standard for the average joe though. Savvy people have their ways to keep things secure, even if it's inconvenient. It's the masses that fall prey to these avoidable traps.

1Password actually has built-in support for that very flow: https://support.1password.com/generate-security-questions/#c...

The only thing is you sometimes have to warn the customer service agent that you have an unusual answer to "childhood best friend", but otherwise I've never had a problem with it.

"Can you tell me the name of your favourite teacher... hmm..."

"Oh, it's a load of random letters and numbers, starts with X"

"Yes, let's proceed"

Happened to me once, I can't remember the company as it was many years ago.

I don't mean to discount your experience, and I'm guessing the social engineering opportunities are unlimited no matter the protections, but the screenshot I provided shows that by default it uses word-based, not password-style, generation, so your childhood best friend would be "couch tulip wheel" and not cafe8675309$.

There are other good reasons not to use a random string! Try calling up customer service: they'll ask you the question, and you can say "oh it's just a bunch of random letters and numbers".

Unlike a code or password, these security questions are fuzzy matches, generally based on the judgment of a human on the other end.

Definitely, but it's very hard to convince your whole family to adopt this practice...

I choose answers that only barely make sense, i.e.:

"Where is your favorite vacation spot?"

Narnia

"What was your first pet's name?"

Falkor

Even my closest friends who know me would never guess those, even if they knew I was giving bullshit answers, simply because I was never into "The Lion, The Witch, and the Wardrobe" or "Never Ending Story".

(Note: These are not ACTUAL answers I've given, but you get the idea)

I save the bullshit answers into my password manager. But yeah, it's probably a better idea to just use an actual pass phrase.
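One way to put the thread's suggestion into practice (a word-based answer that is easy to read out to an agent, stored in a password manager) and to check how it compares in strength with a 16-character random password. This is an added example, not code from the thread or from 1Password; the word list below is a constructed toy list, and the 7776-entry size used for the entropy figures is an assumption matching a standard diceware list.

```python
import math
import secrets

# Constructed toy word list so the demo runs offline; a real generator would
# draw from a large list such as a diceware list (assumed size: 7776 entries).
DEMO_WORDS = ["couch", "tulip", "wheel", "anchor", "basil", "candle", "dune",
              "ember", "fjord", "grove", "harbor", "ivory", "juniper", "kettle",
              "lantern", "marble"]

PRINTABLE_ASCII = 94        # symbols available to a character-based generator
DICEWARE_LIST_SIZE = 7776   # assumed word-list size (6^5, standard diceware)


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `choices` symbols."""
    return picks * math.log2(choices)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count from `list_size` that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_answer(words: list[str], count: int) -> str:
    """CSPRNG-backed word-based answer, e.g. 'couch tulip wheel'.

    Each site gets its own fresh answer; the result goes into the password
    manager under that site's entry, never reused across sites.
    """
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(word_count: int, password_len: int = 16) -> dict:
    """Compare a word-based answer with a random printable-ASCII password."""
    password_bits = entropy_bits(PRINTABLE_ASCII, password_len)
    return {
        "words_bits": round(entropy_bits(DICEWARE_LIST_SIZE, word_count), 1),
        "password_bits": round(password_bits, 1),
        # how many diceware words it takes to match the random password
        "words_to_match": words_needed(password_bits),
    }


if __name__ == "__main__":
    print(generate_answer(DEMO_WORDS, 3))
    print(compare(3))
```

Three diceware words give roughly 39 bits against about 105 bits for the 16-character password, so the readability gain costs strength unless you lengthen the phrase; the figures assume the agent compares the answer exactly rather than by fuzzy match.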