Comments on: Algorithms for dumb security questions

Algorithms for dumb security questions

nthdegx — Sun, 18 Nov 2007 11:09:58 -0800

By: Brockles

Brockles — Sun, 18 Nov 2007 11:15:41 -0800

From the comments: If anyone wants to hack into my accounts, my Mother's Maiden Name, my first pet, my favourite teacher and my place of birth are usually "ohfuckoff". Which was embarrassing the time I had to phone my credit union... Posted by Rod Begbie [TypeKey Profile Page] | November 15, 2007 12:56 PM Awesome. That'd be worth doing for the amusing reaction on the other end of the phone for me... :)

By: ZachsMind

ZachsMind — Sun, 18 Nov 2007 11:27:30 -0800

After reading through the link, it's occurred to me that there is no solution to this. No matter how one tries to solve the whole combating identity theft thing, there will be somebody, somewhere, responding negatively in a snarky way that engenders nervous giggles and the occasional guffaw from likeminded individuals. I find comfort in that.

By: shadow vector

shadow vector — Sun, 18 Nov 2007 11:29:51 -0800

I really hate these. My old bank switched over to a system like this a couple of months before I moved away. Favorite sports team? You're a fucking local credit union, there's only 4 options, plus a couple of colleges, that'll cover 90% of your clients. Good thinking there.

By: Foci for Analysis

Foci for Analysis — Sun, 18 Nov 2007 11:40:01 -0800

It pisses me of when people don't believe that my mother's maiden name actually is sfdjlfkjshlgfslkjdflhjgljk. Bastards.

By: you

you — Sun, 18 Nov 2007 11:47:26 -0800

Wouldn't this guy's method have the same problem as using the same password for every site? (i.e., the admin of any site will be able to guess the answer for every other site) Hm.. I guess you could combine it with a passwordlet...

By: ZachsMind

ZachsMind — Sun, 18 Nov 2007 11:58:26 -0800

If I ever got the question, "what's your favorite sports team" I wouldn't have an answer. I couldn't make up an answer that I would remember later. Honestly. For me that's like the worst possible security question they could ever ask.

By: chrismear

chrismear — Sun, 18 Nov 2007 12:17:15 -0800

Wouldn't this guy's method have the same problem as using the same password for every site? (i.e., the admin of any site will be able to guess the answer for every other site) Not if they're encrypting the password so that it's not readable by the admins.

By: chrismear

chrismear — Sun, 18 Nov 2007 12:18:17 -0800

Which, admittedly, there is an outside chance they're not doing.

By: Gungho

Gungho — Sun, 18 Nov 2007 12:27:56 -0800

It really is all about protecting stupid people from themselves. Where I work, (and I'm sure where you work) any password can be found by looking for the post-it note. In addition most people tend to use the HR (payroll) site as their home page, so we had to add a 2nd password in order to see any personal info on the site.

By: limon

limon — Sun, 18 Nov 2007 14:00:54 -0800

StupidQuestion SnarkyComment Booyah

By: sfenders

sfenders — Sun, 18 Nov 2007 14:11:05 -0800

I was kind of hoping this would tell me what happens if you answer "no" to "did you pack this bag yourself?"

By: nicwolff

nicwolff — Sun, 18 Nov 2007 14:11:23 -0800

That "passwordlet" link in you's comment is a link to a Google search that just points at my Passwdlet. Which wouldn't really solve this problem since it inserts the generated password only in password fields and fields named "password". But you could use my Password generator form to encrypt your answer.

By: lemuel

lemuel — Sun, 18 Nov 2007 16:56:11 -0800

you are supposed to write your password on the underside of the keyboard, not on post-its.

By: russm

russm — Sun, 18 Nov 2007 17:49:51 -0800

sfenders - in my experience, it leads to a small room, a *very* thorough search of the bag, your other bags, and your person, and a stern warning to Not Do That Again... of course, this did happen to be the time I was carrying a pack full of of little summer dresses and similar chick clothes for the friend I was meeting overseas at the time... "seriously, that's not my dress... I *told* you I didn't pack this bag myself"...

By: sdodd

sdodd — Sun, 18 Nov 2007 19:35:36 -0800

Computer security is often counter-intuitive. Noted security expert Bruce Schneier (author of the software cryptography bible, Applied Cryptography) recommends you write down your password. Why? Remembering many complex passwords is difficult, but "we're all good at securing small pieces of paper" on our person: we carry cash.

By: vacapinta

vacapinta — Sun, 18 Nov 2007 22:01:01 -0800

I always thought "mother's maiden name" was culturally insensitive. As someone with a Latin American surname my mother's maiden name is part of my last name - it is there on every piece of ID I have. It is my name. In other words, if Gabriel Garcia Marquez were asked this question, he would answer "Garcia." Great security there....

By: vacapinta

vacapinta — Sun, 18 Nov 2007 22:02:25 -0800

(..oops, meant he would write "Marquez"..)

By: Eideteker

Eideteker — Mon, 19 Nov 2007 05:47:22 -0800

When they ask for your Mother's Maiden Name, that's just a password. You don't need to use the actual name. Me, I like the idea of always using "ZANGIEF". Yes, that Zangief.

By: delmoi

delmoi — Mon, 19 Nov 2007 11:40:07 -0800

Yeah, but of course the problem is if you just make something up, you'll probably forget it because unlike a password you don't use it all the time and you forget it. Whatever happened to just letting people pose their own security questions? And then there is the issue of people picking obvious things. When I was in highschool one of my fellow students email address was "JesusIsRad@hotmail.com" (slightly changed in case he's still using it). His password? That's right, Jesus.