10 comments

[ 2.8 ms ] story [ 26.0 ms ] thread
It still makes absolutely no sense to me why security questions are used. They're effectively a second alternative password to access your account -- a "password" that's really really easy to guess (especially if you know who the account belongs to).

You might as well just replace "username and password" with "enter your username and what's your favorite food?" or "enter your username and where'd you grow up as a child?"

Pretty secure, huh?

I agree. I put random garbage in the security question answers, a password so hard to crack that even I never remember it. ;) In other words, I opt out whenever I get the chance.
Some sites use those as surprise 2-step verification. Your method would be very painful in that case!
It is. :( I have few accounts on the net, so I have rarely run into this except on sites I do not care much about. However, I understand others differ in habit. It is hard enough to remember one password per account.
I just use random gibberish for all passwords and security answers and store all of that in a password database with a notes field.

The classic security questions are bizarre because of the premise that any person (family or otherwise) who happens to know a bit about you has your complete trust.

Sounds like a valuable database...
The "security questions" really are terribly insecure. I've seen questions as bad as "What was the color of your first car?". I wouldn't be surprised if 90%+ of answers fall into three or four colors. What I recommend to people is using a password manager like 1password or lastpass. Copy each question into the "notes" section, use the password manager to generate a random answer and then save it in the notes as well.
I've experimented with using transformations on the question text (e.g. using the third letter of the first word, the first of the second, etc, and then sprinkling capitals and l33ts by some repeatable and memorable process).

It was a pain in the neck, so I went back to gibberish answers, and accept that every year or so I will have to call a couple of banks and ask for a password reset. They always ask for my security answers. I say "I don't use them because they are less secure than my computer and my password." They usually agree.

I've also had success in the past with modifying the expiration date of the bank's "I remember you and your device" cookies. I usually forget to change them before they expire and get overwritten though.

Wow, the author of this article should be the poster child for wh Google's 2 factor should be de rigeur for anyone who actually cares about the contents of their email.
This guy remembered so little that I wonder if it really was his account to start with and he just couldn't remember receiving all those previous emails he found.