What's your Mother's Maiden Name? Your First Pet? The Street Where You Grew Up?

[FlightlessDuck]

Ever get the feeling that some of the questions on the Community Board could be used to get answers to your security questions?

 

[abdmom]

I made a post about this several years ago and no one took it seriously.

 

[GreatLakes]

Whenever you see anything like that it is likely social engineering. The same goes for those Facebook things where you select your "Jedi name" or whatever based on demographic information.

That being said when setting up security questions never answer them truthfully. I use a password generator to generate random strings for those answers and then store them with the password in my password manager. Between social media and breaches so much factual information about us is out there. Answering three questions that aren't all that secret isn't really proof of identity.

They are also all per-site. My mother's maiden name might be pgOj}(xk,Fzi4b8l9%P on one site and .ti3c|OxY94'S"|H on another. Those are what all passwords and security questions should look like.

 

[Snowflakey]

What's more alarming is there are some that ask silly questions all the time! I think to myself that they must be sitting there with a spreadsheet filling in the answers people give trying to build a file on them

 

[L&Lfan]

Dracula
Spot
Mockingbird

 

[Allison]

And if it isn't for security question answers, I just can't imagine who would find the answers to some of the questions interesting. LOL.

 

[DopeyDame]

Whenever you see anything like that it is likely social engineering. The same goes for those Facebook things where you select your "Jedi name" or whatever based on demographic information.

That being said when setting up security questions never answer them truthfully. I use a password generator to generate random strings for those answers and then store them with the password in my password manager. Between social media and breaches so much factual information about us is out there. Answering three questions that aren't all that secret isn't really proof of identity.

They are also all per-site. My mother's maiden name might be pgOj}(xk,Fzi4b8l9%P on one site and .ti3c|OxY94'S"|H on another. Those are what all passwords and security questions should look like.

I totally get what you're saying, and it makes good sense, but how do you answer those questions on the phone - like if you're calling the bank or your IT help desk?

 

[longboard55]

my favorite restaurant when I was in college? Say whaaat, I hate passwords. What bothers me is when they force you to change them

 

[GreatLakes]

I totally get what you're saying, and it makes good sense, but how do you answer those questions on the phone - like if you're calling the bank or your IT help desk?

I'm talking about password reset questions, not verbal authentication questions your bank should have . No one at any institution should have access to those password reset questions. In fact a responsible company can't access them at any level. They are stored only as hashes. No IT Help Desk should be asking them either for the same reason.

If you are calling a company that has access to your demographic information, like a bank, they should offer a security word that isn't a demographic like mother's maiden name. If they didn't I would rethink my relationship with them. In that case come up with a completely random word you use only for them and authentication.

Bank Call Center: "Can I please verify your identity with your security word".
Caller: "Appliance" (I used a random word generator to get that word so it has no selection bias from me).

 

[Squirlz]

I think that would be pretty easy to spot. The kid who posts one inane question after another is annoying, but probably harmless. Just don't reply.

 

[mjkacmom]

I'm talking about password reset questions, not verbal authentication questions your bank should have . No one at any institution should have access to those password reset questions. In fact a responsible company can't access them at any level. They are stored only as hashes. No IT Help Desk should be asking them either for the same reason.

If you are calling a company that has access to your demographic information, like a bank, they should offer a security word that isn't a demographic like mother's maiden name. If they didn't I would rethink my relationship with them. In that case come up with a completely random word you use only for them and authentication.

Bank Call Center: "Can I please verify your identity with your security word".
Caller: "Appliance" (I used a random word generator to get that word so it has no selection bias from me).

Citibank always asks for mother’s maiden name.

 

[msjprincess]

I think that would be pretty easy to spot. The kid who posts one inane question after another is annoying, but probably harmless. Just don't reply.

ITA. Plus even if I answer questions like, my mother's maiden name. No one knows who I am or where I have accounts, what my username would be.

 

[Floridaman999]

That reminds me, I need to get some aluminum foil at the store next time I go.

 

[Kitty 34]

I'm trying to get into everyone's security situations with all your airport codes you gave me on my thread.

 

[PrincessShmoo]

Ever get the feeling that some of the questions on the Community Board could be used to get answers to your security questions?

Yep.....

 

[lovin'fl]

I think that would be pretty easy to spot. The kid who posts one inane question after another is annoying, but probably harmless. Just don't reply.

That person is a kid? If it's the one or two I am thinking of???? Or three, there is that gal too.

And, yep, I had considered this. I try not to disclose too much. But I probably have.

 

[Katie Dawn]

I don't answer those types of quizzes on Facebook either for that very reason.

 

[Skellingtonj]

Geez, I think everyone is paranoid. Your information is out there. There’s not much you can do about it.

 

[RedAngie]

Security question fail.

My high school mascot was a cougar, but I don't know if it had a name.

 

[FlightlessDuck]

Security question fail.

And that error message is dumb. Just say which one it is!