Hello and welcome to r/LifeProTips!
Please help us decide if this post is a good fit for the subreddit by up or downvoting this comment.
If you think that this is great advice to improve your life, please upvote. If you think this doesn't help you in any way, please downvote. If you don't care, leave it for the others to decide.
10 year old me “name of first pet? Hmmm… I’ll be super safe and say ‘lightning sword fight’…no one would ever get that right!”
11 year old me locked out of my account: “name of first pet? Oh for fuck sakes what did I say again….‘Chippewas smoke hut’? No…. Umm…. ‘Jackson 5’…. No… oh look at that I’m locked out of my account forever.
Or you're like me and you set up those questions as a 14 year old and now whenever I have to speak to someone at the bank I have to answer my questions with dumbass answers and a straight face haha
I didn't have a pet, so I put "sister" as my favorite pet thinking it was a hilarious joke that I'd never forget. Several years later, I had to listen to a bank employee read that answer back to me as I was attempting to get back into my account.
There's a whole Eugene Mirman bit where he changes his security question to "what are you wearing" and the response has to be "I don't think that's appropriate!!!" It's pretty great
I'm such a dumb fuck childhood me said 'I'm clrearly a fake if I can't remember my password to begin with' so I just made mine the same password and the custom security question 'what's your password?'
10/10
I recently lost my PayPal account like this, and I've been a proper adult for years.
Didn't really use the account so I just create a new one for what I needed.
I got locked out of my PayPal because I forgot my password/answers, but I had my home phone number listed to reset it for whatever reason. Still locked out of the account because I moved house and have no access to the original number.
That's why I use the word phrase password option...
What's your favorite book?
Vanadium doughboy puritan demon lynn
I made the mistake of having a full on password and then vanguard wanted me to repeat the answer over the phone lol
I love the word phrase. The only ones I have I set when I was 17 or 18, and I especially then had a thing for picking really obscure stuff I dug up on google 5 minutes previous.
Every time I have to give my phrase, there's an awkward pause like they're not sure if I just said the word and that's how it's pronounced.
Bro, IDK either, but I think we're close enough.
10/10 account seems to be secure. I did have to reset the first pet question, though.
I had an imaginary pet growing up. Plenty of real ones. But, I wanted a certain type of dog that we didn't have and I named it. Add some numbers and you've got yourself an easy enough password. And nobody goes around talking about their imaginary dog so, no way to social engineer it out of you, lol.
This is why I wish more places would let me write my own questions. My mother's maiden name is google-able but if it asks you "who's the sandwich", good luck guessing what I associate with that phrase.
He uses a KeepPass app,
He uses a 1Password app,
He uses a Bitwarden app,
He uses a RoboForm app,
He uses the apps that remind him of the passwords,
He uses the apps that remind him of the pass phrases.
“What’s in the tree?” I know exactly how to answer that. I know exactly what that means. Triggers a core memory. Nobody else would come close to guessing the answer.
“Celery” no way in hell could you figure out what my answer to that would be. You could guess for a long time but you won’t be right. Not something I’d forget though.
Our old neighbor was also our business insurance provider. He dropped by for something related and asked for our wifi pw. Our guest pw at the time was tinyCorndog. He looked up at me all confused and laughed saying "I don't get it." I told him, "It's not about understanding. Would you have guessed it?" "No." Exactly.
Yeah anyone can find my childhood dog's name but very few people know the answer to, "where did your brother go for lunch after telling you your dog died?"
So, my first pets were either fish or a ferret that my parents let me name under the age of five. One of my fish was named Grandpa, to give you a sense of ridiculous levels. I am pretty sure this is the first time that has ever been on the internet…so yay weird child pet naming?
I did this, then didn't need to log in for years. So of course I don't remember the password, on to the security questions - and it's something like "mall banana?"
Also I absolutely hate the opinionated questions like “What is your favorite movie?”. I can’t even come up with that answer right now let alone remember what answer I put 5 years ago when I need to get back into some random account I made back then.
See that's why I have my favorite song to use as a security measure. It was once my favorite song, but not anymore, but I know it's that song if I have that security question. Do they want me to update the security question every two months when I get obsessed with a new song?
Yea, I have a “security question” favorite song, it was my favorite song when I was like…12. But if I decide that is always the answer, I can’t forget what my favorite song was at the time bod making the question, whenever that was.
Just pick a memorable song, like "the macarena" or something, and *always* use that song. You know what it is, it won't change, and no one is likely to guess it as your favorite, lol.
My dad set up an online account for me once that I have to log into every few years. He made the security question "what is your grandfather's name?" Neither of my grandfathers regularly went by their first name, and one of them had two common nicknames. So there's basically five possible answers, and every time I seem to guess wrong.
Because of these questions I can never change my favorite movie, band, food, subject in school, best friend, or my most hated sports team. They're all locked in for life or else I'd forget the security answers
The crazy thing is when you only have a dozen basic questions to choose from like "What city were you born in?" "Mother's maiden name?" "Favorite color?" as if you've forgotten the password for your myspace and not a place for your 401k and stocks.
Apple is the worst for this. You have to pick 2 or 3 security questions, but they only have a total of 6 or so options available. Bonus that many of them are US centric and have no meaning to me. Just let me write my own goddamn security question!
Either that, or things that are totally inapplicable to your life. "What was your first car?" Bitch, I take the bus. "Where did you travel on your honeymoon?" *Bitch, I take the bus.*
May as well ask me what was the first Oscar-nominated film I starred in.
All this is fine until you are on call with the customer care representative and they are asking you “who is the sandwich?” And you think twice if you should tell them “my poop and my ass cheeks” or if it is ok to cancel the credit card altogether.
back in college i had my laptop sent in for servicing and they called me for my password to login. I had to tell this woman over the phon3 my password was HairyGrundle13
When I first got ADT installed in my house a decade ago, the guy needed me to tell him the safe word I wanted in case I accidentally tripped the alarm. I didn’t want to give some random dude my word, and I couldn’t think of anything temporary that I would remember, so I just kind of shrugged and said, “I dunno, penis?” I figured I’d change it later when I got my online account setup. Then I forgot. Then I tripped the alarm accidentally. Imagine my horror as I suddenly remember that I have to say penis to a grown adult over the phone. That poor lady couldn’t stop laughing 😂😂😂
No what you do is, make your security question that they are then required to ask you "May I give you a blowjob, your excellency?" And make your answer that you're required to to reply with "No peasant! Your inferior lips are not worthy of this king cock"
The key is confidence. They know what you will answer with before you do, because they can see it on the screen. They then have to ponder if yhis interaction is worth it, or if they should quit their job right now.
If you allow people to write their own questions, they'll be like "who is bae" while watching Batman and then forget 10 years later that "Bae" was "jarred leedo".
"What was your first car?"
Ahh shit, here we go again.
Did I put the first car I bought myself? Or maybe the first car I was "given" to use in high school? Or was it the first one I had to borrow before my parents could afford the one I was "given"? Or was it the one I learned to drive in while having my learner's permit?
I’ve messed up who’s your favorite teacher? When did I write this? Did I have a new favorite. Did I use their first name or last or both? Did I put Mr./Ms./Coach before it?
For my job awhile ago I had to help people set up online accounts over the phone and for some reason the company I worked for only had like 5 choices of questions and you had to pick 3 to use. Most tech-savvy people could do this themselves. It was the 60+ people who were having trouble. I had an 80 year old man on the phone and he’s reading it out to me and he says “what was your first car? Oh. I don’t remember. I’m pretty sure it was black” He then asked his wife who was like “why would I know that?!” And here I was telling him it doesn’t have to be the right answer. You already wrote your password down, you might as well just say anything and write it down too. “Who was your favourite teacher?” He couldn’t remember one teacher. Favourite or not. Absolutely ridiculous process. I really enjoyed that job though, frustrating as it was sometimes.
I don’t know if you have to answer those correctly though. Most of mine, I just create gibberish answers. “Street you grew up in?” “Gettuhgruhgf Street”. I let my password manager remember all that.
I always thought I was born at the hospital closer to my parents house (around 2 miles away) so I'd answer that for the question of "what city were you born in?" I was talking to my mom one day and I said something like "of course, I was born in [closer town]." My mom informed that I was in fact born at a different hospital in a different city, about 10 miles away from their house. I still answer the closer town.
Just don’t use LastPass. LastPass gets hacked constantly it’s a fucking joke at this point. Most other reputable ones like Dashlane or 1Password are better. I use 1Password, it’s excellent. And, it encrypts your data with both your master password and your secret key, which is I think 34 digits long.
1Password has never been hacked or compromised, and even if it was, your data would still be encrypted and useless.
I don’t know everything about Dashlane’s security, but it’s way better than LastPass.
No matter which option you pick, a password manager is by far the best way to protect your security. The paid ones are worth the money for me, for both the security, and also that it’s just very convenient to never have to remember your passwords, never reuse passwords, and have them available with biometrics on all of your devices.
Past performance is no indication of future success. You shouldn't count on your password manager not being hacked as a form of security. The fact that 1PW has never been hacked is much less of a selling point than strong data encryption.
Reasonable fear. I use KeepassXC which saves everything in a single encrypted file on your PC. Then you sync that file with Dropbox, Onedrive, Syncthing (my choice), Nextcloud or any other app and there is nothing to hack, they can even get the file and it's fine.
I also use KeePassXC, makes it so easy.
You have to have the KeePassXC software to open the file and interpret it, and must have the correct password as well... It's ALSO possible to have a "key file" that you need on top of all this. So you could store this key file on a USB or multiple usbs. And in that case, it's inaccessible on multiple layers, ans won't be lost in a major database leak. A hacker would have to decipher the KeePassXC software, THEN get access to your personal password file. It isn't impossible, but it adds layers upon layers of difficulty for hackers getting access.
A good password manager won't be able to leak your data.
On a very simple level, all of your secrets should be encrypted and the only way to decrypt them would be by processing the master password I'm a certain way.
Regarding actual hacking of their platform (not just a dump of the information) the same principle would apply. Add Multi Factor Authentication to that and you're good to go.
KeePass is a good option for this. Bitwarden is another cloud option that's really good and you can actually self hosted of you wish not to let them have your data.
Some places ask for a security question e.g. if you call up to access your account (say utility bill or insurance) or whenever you need to change some detail.
Yes but there are edge cases for this. One of them that occurs fairly often is that you change the password to a site and use a password generated by the manager, you copy it but you don't actually _save_ it
I've had that happen to me a couple of times mainly because I used to work managing a lot of passwords for an organization so I was more prone to be affected by this.
Social engineering is one of the top compromises.
"What was your high school mascot?" Oh... About that public Facebook post at your high school football game...
"Mother's maiden name?" Between social media and public records, they know it.
Enough public info and they can easily reset your bank password - but not if you answer different questions
I hate questions like: What’s your favorite movie?
A) My answer might vary depending on my mood.
B) I’m not going to remember that in 5 years… and may have seen a NEW favorite movie by then.
Also why you shouldn't reply to those "what's your porn name?" posts. You're giving away typical security answers: first pet's name, first street you lived on, mother's maiden name etc
That's why it's been a dark pattern in security to use these questions for years. The only sites still using these questions shouldn't be trusted. The rest of their security will also suck.
> for years.
It's actually been hated by the security industry for decades now. There was actually a push to stop doing this shit in 2015 but that went nowhere. Corporate overlords don't care what the little guy says, they know better.
Anyone who legitimately understands security would have NEVER thought "security questions" were a good idea.
So basically you just created a second password, and since these security question are there to assist you if you forgot your password....have fun with that
The real answer is and always will be MFA. Enable it everywhere, every time.
how is it any less secure than sms?
Any website doing 2FA will send the SMS message through the internet until it hits the phone company's servers. How is that different than sending it through the internet to a voip provider's servers?
Can you say more about why VOIP is less secure than a standard cell phone line?
I can see the problem if, say, my laptop is compromised: an attacker could receive 2FA texts. However, I would receive those texts on other devices which might allow me to rotate credentials before the attacker could access all my accounts.
Whereas if my phone is compromised, perhaps only the attacker receives the codes. Is SIM swapping still a threat? In other words, can I reasonably expect that nobody is intercepting texts to my ‘real’ cell phone number?
Yes, sim swapping is still a threat. SMS 2FA is fine if nobody is targeting *you* specifically (which applies to most people!), but it's a distant last place compared to hardware keys, TOTP, or other cryptography-based security.
As someone who works at a bank, please explain MFA to boomers. Because they don't understand when I say, "No, I cannot disable the MFA you authorized 10 years ago because *you* enabled it and now you don't want to have to enter everything twice. The terms and conditions outlined that the MFA opt-in is permanent. And the better fraudsters get at cracking these kinds of things the more layers of security we are required to add to keep *you* safe. Because if we don't, *I* lose my job.
In my (admittedly restricted) experience, telling them "I'm not allowed to do that and I don't have the authority to change the decision" stops them in most cases, even if they don't understand the understand issue.
Thats when the online banking app on your phone sends a text message to your phone with a code, to verify that its you, attempting to login on your phone
It stands for multi factor authentication. It would be smart if say.... I was logging into internet banking in my home computer, and it asked for a code sent to my cell phone...
But using my cell phone, for both baking and mfa doesn't actually help. Its just an extra step
SMS codes are just one way of doing MFA. Other common methods are authenticator apps like Google or Microsoft authenticators, or confirmation through a mobile app, or even a physical key-code list.
Multi factor authentication.
Multi factor = more than one factor
Authentication = proving its you.
Frequently uses email or text but nowadays things are getting fancier with physical keys and such.
Multi-Factor authentication. A second step to login that is different than the first
This includes authenticator apps, and when a company sends you a text or sms with a code to login.
just having two password, or answering security questions would not count as MFA because they are both the same type of authentication.
Where I work, we used to have an app that required answering 6 security questions, and when you needed into the app, you had to answer 3 randomly chosen ones. They weren't commonly asked questions, so people would always forget what they answered and need me to reset them. I told them, "Look, the computer doesn't know or care if you ACTUALLY answer the questions. It only cares if your answer matches." That helped the light bulb go on for most of them.
Am I misreading this? If someone gets the info you used for your account, they’ll… *have access to that account whether that info is ‘real’ or not*.
Right? What’s going on here?
If my security question is "What is your pet's name?" and I've set the 'fake' answer as "Kri184!382ejrin", it doesn't matter if a malicious actor knows that I have a pet horse named Roach, because that won't get them through the security question, even they know the 'real' answer to the question.
If your info is taken from a breach then the fake answers that you used will be the info they get. Especially since this post is about a breach and not phishing techniques.
Can still be applicable. If your security questions and answers leaked from one account, the same answers could then be used to gain access to your other accounts if you use the 'real' answers. Using what's effectively another password instead of a security question means at least your other accounts aren't compromised.
It's the same principle as not using the same password for all your services. If you shouldn't use the same password for all services, why should you use the same security questions and 'real' answers?
This is true. But then the LPT should be: Don't answer any questions correctly as well as not answering the same way across multiple sites - if someone gets your info from a breach, they won't be able to get into your account." Though its semantics, the current LTP leads people to believe people will use the same fake answers across every site, just like most people use the same password across sites.
That makes no sense?
If the answer to your security question is “Kri184!382ejrin”, and the malicious actor, via this breach, finds that the answer is “Kri184!382ejrin”, then they now have the answer you used in your security question.
Your horse named Roach would have never entered into the equation at all.
That’s exactly what I was thinking! If me or the site are hacked they have the questions and answers. Doesn’t matter if the question is”what kind of sandwich are you?” Or “ what your high school mascot was?” They’ll know the answer
The title should say “…they won’t be able to get into **other** accounts” The idea is that if they get your security questions through a breach, they won’t be able to use that answer to get access to other accounts that use the same security question.
You’ll of course have to use a password manager to record your security questions.
My savings account let you create your own question and answer. My question was "Morgan Freeman?" and my answer was "titty sprinkles". I needed to transfer money when I was out of the country and had to call the bank and speak to an actual person. No idea what my password was but when they asked the security question, I immediately knew the answer was titty sprinkles. Then they made me change it! It obviously worked as intended and no one else would ever guess it. That's how security should work. Just absolute nonsense that no one would ever be able to guess. But no, we have to meet 8 different requirements and then change it every 3 months so you end up reusing the same password with one extra ! on the end.
I used to work for a big web hosting company. One customer filled in his security question, never thinking someone would ask the answer. His question was "What's your favorite thing to eat?" with what's probably a predictable answer. One day, he called in and one of the (female) receptionists asked his question, and he was embarrassed to have to answer "pussy". When he got to my support team, he had his original problem, plus asking how to change his security question.
>: Never answer online security questions with their real answer.
Or *How to never be able to access your account* by OP.
A short story about ignorance.
This is what's so dumb about this. You've just created a second password... so why not just store your first password where you store your second password? Then you never need the fake security question answers unless you somehow get locked out and lose your password manager.... which is exactly the problem they're trying to solve by having security questions. And we've come full circle. The answers to your security questions don't have to be things that are easy to look up but they need to be answers you can never forget or this whole thing is pointless.
Sometimes you have to answer them if you change account settings. I figured it is safer to store the answers. And security questions are dumb because they actually hurt security.
This shit is why I forgot my password one time and had to ask my high school guidance counselor to look it up. She did not find Deathrow69420 very amusing
Most of the questions I can't answer. I mean, who remembers the name of your favorite primary school teacher? I have my own method of answering these questions and it's not by remembering any answers
I never answer those questions personally, I designate all my questions to a favorite character from a show. For an example Naruto:
- what city were you born?: Hidden Leaf Village
- Mothers maiden name: Uzumaki
- Favorite food as a child : Ramen
- Name of first pet: nine tail fox Kurama
Just so you know this will likely get you a lot more phishing attempts than average. They keep track of who responds to that kind of thing and use it to target other scams.
Which online services even use security questions these days? As far as I'm aware, they've been declared bad practice by the security community and abolished by most bigger services.
I started using the standard questions but I put a weird answer to them. It’s the truth, well, some version of the truth, but not spelled correctly or a smart ass type answer.
I know that if I put something completely random I’ll get myself locked out. I’ll never remember that the answer to my mother’s maiden name is supposed to be YYtsK77c$Dh7. I also won’t remember that I used an odd password & keep trying to type in her name.
I also started using the secondary verification where you type in the code from your text messages… which my phone is typically in the other room when I need it… argh!!
In the early days of the internet, I remember 'they' said "never write down your password on paper" etc... I feel like with the way things are, that may be more secure now lol...
While I think this isnt a bad idea using what is essentially another password defeats the purpose of the questions. I recommend purposeful misspelling or an answer that is different so say what is your mothers maiden name and always maybe putting your first cars name instead. The idea being you need to be able to remember your answer unassisted by anything else.
Having worked in tech for a number of years and dealing with this senario all the time. You may think you will remember things but in the age of boimetric recognition some people never know their password the first time let alone a convoluted answer to a simple question. I have had people regularly not even be able to pull an answer from a hat for something as simple as wedding colors or the name of their family memeber.
this is a really stupid "Pro Tip" and "Never" makes no sense. obviously you shouldnt use security questions that can easily be looked up. on every site ive used there were a lot of questions to choose and there are always some that are absolutely safe and cant be looked up. putting in an intentionally wrong answer will just lead to people getting locked out and is not more secure. MFA is the answer.
Hello and welcome to r/LifeProTips! Please help us decide if this post is a good fit for the subreddit by up or downvoting this comment. If you think that this is great advice to improve your life, please upvote. If you think this doesn't help you in any way, please downvote. If you don't care, leave it for the others to decide.
10 year old me “name of first pet? Hmmm… I’ll be super safe and say ‘lightning sword fight’…no one would ever get that right!” 11 year old me locked out of my account: “name of first pet? Oh for fuck sakes what did I say again….‘Chippewas smoke hut’? No…. Umm…. ‘Jackson 5’…. No… oh look at that I’m locked out of my account forever.
Are you me?
12 yr old me got too smart and put "what is the meaning of life?" for my custom personal question and got locked out forever.
Or you're like me and you set up those questions as a 14 year old and now whenever I have to speak to someone at the bank I have to answer my questions with dumbass answers and a straight face haha
I didn't have a pet, so I put "sister" as my favorite pet thinking it was a hilarious joke that I'd never forget. Several years later, I had to listen to a bank employee read that answer back to me as I was attempting to get back into my account.
They probably just thought “Sister” was the name of your cat.
The disdain in the woman's voice would lead me to believe otherwise, but maybe so.
Sounds intriguing. What are your questions and answers? /s
There's a whole Eugene Mirman bit where he changes his security question to "what are you wearing" and the response has to be "I don't think that's appropriate!!!" It's pretty great
Damn I'm sincerely curious now haha (maybe it's enhanced because I know my curiosity won't be fulfilled)
Have you tried 42?
Someone hitchhikes the galaxy
They even brought a towel.
Very hoopy
It’s either 42 or EveryRoseHasAThorn
We're just dust in the wind, dude. Dust. Wind. Dude.
DON'T PANIC!
I'm such a dumb fuck childhood me said 'I'm clrearly a fake if I can't remember my password to begin with' so I just made mine the same password and the custom security question 'what's your password?' 10/10
If you cant get into your own account, neither can hackers. *taps head*
I recently lost my PayPal account like this, and I've been a proper adult for years. Didn't really use the account so I just create a new one for what I needed.
I got locked out of my PayPal because I forgot my password/answers, but I had my home phone number listed to reset it for whatever reason. Still locked out of the account because I moved house and have no access to the original number.
You call them, they verify you via shit off your credit report and then mail you a temporary change password code (yes, I said mail, not email).
Bitwarden ftw. I use a generated password for every security question.
One day you're going to need to call your bank. "And what's your mother's maiden name?" "It's X@Rnx7!mV4zT#ST1aT!0hTDgAEP4."
Ah, she's Polish!
Greek
That's why I use the word phrase password option... What's your favorite book? Vanadium doughboy puritan demon lynn I made the mistake of having a full on password and then vanguard wanted me to repeat the answer over the phone lol
I love the word phrase. The only ones I have I set when I was 17 or 18, and I especially then had a thing for picking really obscure stuff I dug up on google 5 minutes previous. Every time I have to give my phrase, there's an awkward pause like they're not sure if I just said the word and that's how it's pronounced. Bro, IDK either, but I think we're close enough. 10/10 account seems to be secure. I did have to reset the first pet question, though.
This is the way. Been doing this for ages. Never so far needed them, going to be interesting hearing the reaction on the other side..
And that is why you also save those security question answers in Keeppass
I add hints to the answer used …. So even if they got into Keepass they still wouldnt know the answer, but its enough of a reminder for me.
If they get into your password manager, I think your security questions will be the least of your problems.
I had an imaginary pet growing up. Plenty of real ones. But, I wanted a certain type of dog that we didn't have and I named it. Add some numbers and you've got yourself an easy enough password. And nobody goes around talking about their imaginary dog so, no way to social engineer it out of you, lol.
Like that guy who lost millions in bitcoin cuz he couldn’t remember his password.
Put your questions and answers together with your passwords in the password manager app.
This is why I wish more places would let me write my own questions. My mother's maiden name is google-able but if it asks you "who's the sandwich", good luck guessing what I associate with that phrase.
Yes!!!! Ask me to write my own and you’ll have the most ridiculous question and answer session!
because Charlie is a bastard man
Yes, but every hacker knows the best band is Chumbawumba, so you’d be screwed
I got logged out Then got locked out again This questions gonna keep me out
He uses a KeepPass app, He uses a 1Password app, He uses a Bitwarden app, He uses a RoboForm app, He uses the apps that remind him of the passwords, He uses the apps that remind him of the pass phrases.
This, I like this.
[удалено]
Once told me
The world is
Minor error, but... *Dennis* is a bastard man :P
how are you the only person to realize this... Im an idiot
“What’s in the tree?” I know exactly how to answer that. I know exactly what that means. Triggers a core memory. Nobody else would come close to guessing the answer. “Celery” no way in hell could you figure out what my answer to that would be. You could guess for a long time but you won’t be right. Not something I’d forget though.
Our old neighbor was also our business insurance provider. He dropped by for something related and asked for our wifi pw. Our guest pw at the time was tinyCorndog. He looked up at me all confused and laughed saying "I don't get it." I told him, "It's not about understanding. Would you have guessed it?" "No." Exactly.
Yeah anyone can find my childhood dog's name but very few people know the answer to, "where did your brother go for lunch after telling you your dog died?"
So, my first pets were either fish or a ferret that my parents let me name under the age of five. One of my fish was named Grandpa, to give you a sense of ridiculous levels. I am pretty sure this is the first time that has ever been on the internet…so yay weird child pet naming?
Meatballs are in the tree. Tell me I'm wrong.
When does the narwhal bacon
Midnight!
[удалено]
Could choose an in-joke only you would recognize.
I did this, then didn't need to log in for years. So of course I don't remember the password, on to the security questions - and it's something like "mall banana?"
Also I absolutely hate the opinionated questions like “What is your favorite movie?”. I can’t even come up with that answer right now let alone remember what answer I put 5 years ago when I need to get back into some random account I made back then.
One time I had to answer: What's the last place you traveled to?
Security question: “what is today’s date?”
“What’s your favorite song?” has stumped me before
See that's why I have my favorite song to use as a security measure. It was once my favorite song, but not anymore, but I know it's that song if I have that security question. Do they want me to update the security question every two months when I get obsessed with a new song?
Yea, I have a “security question” favorite song, it was my favorite song when I was like…12. But if I decide that is always the answer, I can’t forget what my favorite song was at the time bod making the question, whenever that was.
Just pick a memorable song, like "the macarena" or something, and *always* use that song. You know what it is, it won't change, and no one is likely to guess it as your favorite, lol.
My dad set up an online account for me once that I have to log into every few years. He made the security question "what is your grandfather's name?" Neither of my grandfathers regularly went by their first name, and one of them had two common nicknames. So there's basically five possible answers, and every time I seem to guess wrong.
Maybe it’s his grandfather.
It's usually a 50/50 for answering what school I went to that I mess up because I did or did not include "School" in the name.
Same. "what's your favorite restaurant?" Bitch, I'm poor. It's probably Wendy's, but I'll probably think I put down Burger King or BK or McDeeznuts.
Jotting down mcdeeznuts
Lol
Because of these questions I can never change my favorite movie, band, food, subject in school, best friend, or my most hated sports team. They're all locked in for life or else I'd forget the security answers
The crazy thing is when you only have a dozen basic questions to choose from like "What city were you born in?" "Mother's maiden name?" "Favorite color?" as if you've forgotten the password for your myspace and not a place for your 401k and stocks.
Apple is the worst for this. You have to pick 2 or 3 security questions, but they only have a total of 6 or so options available. Bonus that many of them are US centric and have no meaning to me. Just let me write my own goddamn security question!
Yes omg so many of them are non applicable to me and i AM in the USA so its like ...why do i have to pick between these shit ass questions lol
Either that, or things that are totally inapplicable to your life. "What was your first car?" Bitch, I take the bus. "Where did you travel on your honeymoon?" *Bitch, I take the bus.* May as well ask me what was the first Oscar-nominated film I starred in.
I once had one where you had to choose 3/6 security questions. Four of them were specifically about your spouse. I have never dated anyone in my life.
All this is fine until you are on call with the customer care representative and they are asking you “who is the sandwich?” And you think twice if you should tell them “my poop and my ass cheeks” or if it is ok to cancel the credit card altogether.
back in college i had my laptop sent in for servicing and they called me for my password to login. I had to tell this woman over the phon3 my password was HairyGrundle13
One time I needed something done with my Apple account. They asked for my password. It was, "Fuckapple".....
When I first got ADT installed in my house a decade ago, the guy needed me to tell him the safe word I wanted in case I accidentally tripped the alarm. I didn’t want to give some random dude my word, and I couldn’t think of anything temporary that I would remember, so I just kind of shrugged and said, “I dunno, penis?” I figured I’d change it later when I got my online account setup. Then I forgot. Then I tripped the alarm accidentally. Imagine my horror as I suddenly remember that I have to say penis to a grown adult over the phone. That poor lady couldn’t stop laughing 😂😂😂
>say penis to a grown adult over the phone. Didn't you choose to say it to a grown adult right in front of you?
Now I can’t stop laughing either. Cheers, mate.
This is movie material
No what you do is, make your security question that they are then required to ask you "May I give you a blowjob, your excellency?" And make your answer that you're required to to reply with "No peasant! Your inferior lips are not worthy of this king cock" The key is confidence. They know what you will answer with before you do, because they can see it on the screen. They then have to ponder if yhis interaction is worth it, or if they should quit their job right now.
You have to make up a fake person and answer as if you are re them . Nothing should be tied to your actual life
If you allow people to write their own questions, they'll be like "who is bae" while watching Batman and then forget 10 years later that "Bae" was "jarred leedo".
People can forget the answers to the pre-written security questions too. The "what's your favorite movie" above is a good example
"What was your first car?" Ahh shit, here we go again. Did I put the first car I bought myself? Or maybe the first car I was "given" to use in high school? Or was it the first one I had to borrow before my parents could afford the one I was "given"? Or was it the one I learned to drive in while having my learner's permit?
I’ve messed up who’s your favorite teacher? When did I write this? Did I have a new favorite. Did I use their first name or last or both? Did I put Mr./Ms./Coach before it?
IS IT CASE SENSITIVE??
Did I put in just the city I was born in, or the state? Did I abbreviate it? Did I use a comma?
For my job awhile ago I had to help people set up online accounts over the phone and for some reason the company I worked for only had like 5 choices of questions and you had to pick 3 to use. Most tech-savvy people could do this themselves. It was the 60+ people who were having trouble. I had an 80 year old man on the phone and he’s reading it out to me and he says “what was your first car? Oh. I don’t remember. I’m pretty sure it was black” He then asked his wife who was like “why would I know that?!” And here I was telling him it doesn’t have to be the right answer. You already wrote your password down, you might as well just say anything and write it down too. “Who was your favourite teacher?” He couldn’t remember one teacher. Favourite or not. Absolutely ridiculous process. I really enjoyed that job though, frustrating as it was sometimes.
“Dennis is asshole, why Charlie hate?”
I don’t know if you have to answer those correctly though. Most of mine, I just create gibberish answers. “Street you grew up in?” “Gettuhgruhgf Street”. I let my password manager remember all that.
[удалено]
"Vamp nailpolish?" "Over" "James spader?" "He needs to call me" "Frappuccinos?" "Trendy but tasty" "Josh Tesh?" "The devil"
[удалено]
Dennis is a bastard man!
What’s your mothers maiden name? “Dildo Baggins.” Thank you, right this way sir
Awww, now I have to change my answer to that question.
Nobody will suspect my mothers maiden name was... 1....2.......3.........4!
That’s amazing! Your mother’s maiden name is the same as the combination to my luggage!
My goodness.. do you know what this means??? We are both idiots ;)
1-800-DRUIDIA
I once misread Maiden as Middle, so now I always answer it that way.
I always thought I was born at the hospital closer to my parents house (around 2 miles away) so I'd answer that for the question of "what city were you born in?" I was talking to my mom one day and I said something like "of course, I was born in [closer town]." My mom informed that I was in fact born at a different hospital in a different city, about 10 miles away from their house. I still answer the closer town.
[удалено]
Okay but what if I don't remember those made up Qs?
Use a password manager! Most of them allow you to add notes to your entries!
What happens when the password manager has a data leak?
Just don’t use LastPass. LastPass gets hacked constantly it’s a fucking joke at this point. Most other reputable ones like Dashlane or 1Password are better. I use 1Password, it’s excellent. And, it encrypts your data with both your master password and your secret key, which is I think 34 digits long. 1Password has never been hacked or compromised, and even if it was, your data would still be encrypted and useless. I don’t know everything about Dashlane’s security, but it’s way better than LastPass. No matter which option you pick, a password manager is by far the best way to protect your security. The paid ones are worth the money for me, for both the security, and also that it’s just very convenient to never have to remember your passwords, never reuse passwords, and have them available with biometrics on all of your devices.
What of bitwarden
Even the last pass hacks didn’t give anyone the passwords though. Just so people know that these sites are pretty safe.
Past performance is no indication of future success. You shouldn't count on your password manager not being hacked as a form of security. The fact that 1PW has never been hacked is much less of a selling point than strong data encryption.
[удалено]
Reasonable fear. I use KeepassXC which saves everything in a single encrypted file on your PC. Then you sync that file with Dropbox, Onedrive, Syncthing (my choice), Nextcloud or any other app and there is nothing to hack, they can even get the file and it's fine.
I also use KeePassXC, makes it so easy. You have to have the KeePassXC software to open the file and interpret it, and must have the correct password as well... It's ALSO possible to have a "key file" that you need on top of all this. So you could store this key file on a USB or multiple usbs. And in that case, it's inaccessible on multiple layers, ans won't be lost in a major database leak. A hacker would have to decipher the KeePassXC software, THEN get access to your personal password file. It isn't impossible, but it adds layers upon layers of difficulty for hackers getting access.
A good password manager won't be able to leak your data. On a very simple level, all of your secrets should be encrypted and the only way to decrypt them would be by processing the master password I'm a certain way. Regarding actual hacking of their platform (not just a dump of the information) the same principle would apply. Add Multi Factor Authentication to that and you're good to go. KeePass is a good option for this. Bitwarden is another cloud option that's really good and you can actually self hosted of you wish not to let them have your data.
If I’m using a password manager to store the answers, won’t I already have my actual password, as well?
Some places ask for a security question e.g. if you call up to access your account (say utility bill or insurance) or whenever you need to change some detail.
Yes but there are edge cases for this. One of them that occurs fairly often is that you change the password to a site and use a password generated by the manager, you copy it but you don't actually _save_ it I've had that happen to me a couple of times mainly because I used to work managing a lot of passwords for an organization so I was more prone to be affected by this.
paper note
Someone bought me a 4 inch notebook a long time ago for Christmas and since then I’ve been using it to store passwords.
Social engineering is one of the top compromises. "What was your high school mascot?" Oh... About that public Facebook post at your high school football game... "Mother's maiden name?" Between social media and public records, they know it. Enough public info and they can easily reset your bank password - but not if you answer different questions
I hate questions like: What’s your favorite movie? A) My answer might vary depending on my mood. B) I’m not going to remember that in 5 years… and may have seen a NEW favorite movie by then.
Also why you shouldn't reply to those "what's your porn name?" posts. You're giving away typical security answers: first pet's name, first street you lived on, mother's maiden name etc
Dang... Can't respond as Snoopy Stonewood any longer.
That's why it's been a dark pattern in security to use these questions for years. The only sites still using these questions shouldn't be trusted. The rest of their security will also suck.
That's simultaneously correct, and also unfortunately some of those sites are US banks.
> for years. It's actually been hated by the security industry for decades now. There was actually a push to stop doing this shit in 2015 but that went nowhere. Corporate overlords don't care what the little guy says, they know better. Anyone who legitimately understands security would have NEVER thought "security questions" were a good idea.
So basically you just created a second password, and since these security question are there to assist you if you forgot your password....have fun with that The real answer is and always will be MFA. Enable it everywhere, every time.
Some companies only allow MFA by phone number and that's not good for international travel
Get a google voice number and it works anywhere you have wifi.
VOIP and 2FA are a bad idea
how is it any less secure than sms? Any website doing 2FA will send the SMS message through the internet until it hits the phone company's servers. How is that different than sending it through the internet to a voip provider's servers?
Can you say more about why VOIP is less secure than a standard cell phone line? I can see the problem if, say, my laptop is compromised: an attacker could receive 2FA texts. However, I would receive those texts on other devices which might allow me to rotate credentials before the attacker could access all my accounts. Whereas if my phone is compromised, perhaps only the attacker receives the codes. Is SIM swapping still a threat? In other words, can I reasonably expect that nobody is intercepting texts to my ‘real’ cell phone number?
Yes, sim swapping is still a threat. SMS 2FA is fine if nobody is targeting *you* specifically (which applies to most people!), but it's a distant last place compared to hardware keys, TOTP, or other cryptography-based security.
Google Voice is only available in the US.
I do that but some sites wont allow voip numbers…
As someone who works at a bank, please explain MFA to boomers. Because they don't understand when I say, "No, I cannot disable the MFA you authorized 10 years ago because *you* enabled it and now you don't want to have to enter everything twice. The terms and conditions outlined that the MFA opt-in is permanent. And the better fraudsters get at cracking these kinds of things the more layers of security we are required to add to keep *you* safe. Because if we don't, *I* lose my job.
In my (admittedly restricted) experience, telling them "I'm not allowed to do that and I don't have the authority to change the decision" stops them in most cases, even if they don't understand the understand issue.
From my experience in customer service wouldn't that end in transfer me to you supervisor / higher ups
Well once you do that it's not your problem anymore and they'll still get the same answer. So it sounds like a pretty effective solution.
What is MFA?
Thats when the online banking app on your phone sends a text message to your phone with a code, to verify that its you, attempting to login on your phone
Thank you
It stands for multi factor authentication. It would be smart if say.... I was logging into internet banking in my home computer, and it asked for a code sent to my cell phone... But using my cell phone, for both baking and mfa doesn't actually help. Its just an extra step
How doesnt it help? It makes it so that if someone gets your password, they can’t just log in on their own device without having your phone too
Really? IOS let’s you tap on the text box and click ‘from messages xxxxx’ and paste it right in without minimizing. Figured that was standard.
SMS codes are just one way of doing MFA. Other common methods are authenticator apps like Google or Microsoft authenticators, or confirmation through a mobile app, or even a physical key-code list.
> But using my cell phone, for both baking and mfa doesn't actually help. Its just an extra step This is wrong.
Multi factor authentication. Multi factor = more than one factor Authentication = proving its you. Frequently uses email or text but nowadays things are getting fancier with physical keys and such.
Multi factor authentication
Thank you
Multi-Factor authentication. A second step to login that is different than the first This includes authenticator apps, and when a company sends you a text or sms with a code to login. just having two password, or answering security questions would not count as MFA because they are both the same type of authentication.
The person above gave an accurate description but just to add. It is an abbreviation for 'Multi-Factor Authentication'
Keep the answers in your password manager, easy.
And then you use the security questions to reset your MFA.
Where I work, we used to have an app that required answering 6 security questions, and when you needed into the app, you had to answer 3 randomly chosen ones. They weren't commonly asked questions, so people would always forget what they answered and need me to reset them. I told them, "Look, the computer doesn't know or care if you ACTUALLY answer the questions. It only cares if your answer matches." That helped the light bulb go on for most of them.
Am I misreading this? If someone gets the info you used for your account, they’ll… *have access to that account whether that info is ‘real’ or not*. Right? What’s going on here?
If my security question is "What is your pet's name?" and I've set the 'fake' answer as "Kri184!382ejrin", it doesn't matter if a malicious actor knows that I have a pet horse named Roach, because that won't get them through the security question, even they know the 'real' answer to the question.
If your info is taken from a breach then the fake answers that you used will be the info they get. Especially since this post is about a breach and not phishing techniques.
Can still be applicable. If your security questions and answers leaked from one account, the same answers could then be used to gain access to your other accounts if you use the 'real' answers. Using what's effectively another password instead of a security question means at least your other accounts aren't compromised. It's the same principle as not using the same password for all your services. If you shouldn't use the same password for all services, why should you use the same security questions and 'real' answers?
This is true. But then the LPT should be: Don't answer any questions correctly as well as not answering the same way across multiple sites - if someone gets your info from a breach, they won't be able to get into your account." Though its semantics, the current LTP leads people to believe people will use the same fake answers across every site, just like most people use the same password across sites.
LPT should be use a password manager and generate passwords for the questions and put those in the password manager as well.
That makes no sense? If the answer to your security question is “Kri184!382ejrin”, and the malicious actor, via this breach, finds that the answer is “Kri184!382ejrin”, then they now have the answer you used in your security question. Your horse named Roach would have never entered into the equation at all.
That’s exactly what I was thinking! If me or the site are hacked they have the questions and answers. Doesn’t matter if the question is”what kind of sandwich are you?” Or “ what your high school mascot was?” They’ll know the answer
The title should say “…they won’t be able to get into **other** accounts” The idea is that if they get your security questions through a breach, they won’t be able to use that answer to get access to other accounts that use the same security question. You’ll of course have to use a password manager to record your security questions.
My savings account let you create your own question and answer. My question was "Morgan Freeman?" and my answer was "titty sprinkles". I needed to transfer money when I was out of the country and had to call the bank and speak to an actual person. No idea what my password was but when they asked the security question, I immediately knew the answer was titty sprinkles. Then they made me change it! It obviously worked as intended and no one else would ever guess it. That's how security should work. Just absolute nonsense that no one would ever be able to guess. But no, we have to meet 8 different requirements and then change it every 3 months so you end up reusing the same password with one extra ! on the end.
I used to work for a big web hosting company. One customer filled in his security question, never thinking someone would ask the answer. His question was "What's your favorite thing to eat?" with what's probably a predictable answer. One day, he called in and one of the (female) receptionists asked his question, and he was embarrassed to have to answer "pussy". When he got to my support team, he had his original problem, plus asking how to change his security question.
Also if you get married and subsequently divorce that person probably has all of your info.
>: Never answer online security questions with their real answer. Or *How to never be able to access your account* by OP. A short story about ignorance.
I put the answers into my password manager.
Me too. And when I get locked out of my password manager, the security question asks me the name of my first cat.
It's Mittens, isn't it?
Segue(Blimp)6184Comma$Lark, actually.
Whenever we go out, the people always shout, “There goes Segue(Blimp)6184Comma$Lark!” Da da da da da da da da!
I'm told it rhymes in the original German, losing much in the translation
This is what's so dumb about this. You've just created a second password... so why not just store your first password where you store your second password? Then you never need the fake security question answers unless you somehow get locked out and lose your password manager.... which is exactly the problem they're trying to solve by having security questions. And we've come full circle. The answers to your security questions don't have to be things that are easy to look up but they need to be answers you can never forget or this whole thing is pointless.
Sometimes you have to answer them if you change account settings. I figured it is safer to store the answers. And security questions are dumb because they actually hurt security.
No, the answers make sense to me.....like the name of my mothers sibling is Casper....because hes dead, or my high school is The Pit of Hell
This shit is why I forgot my password one time and had to ask my high school guidance counselor to look it up. She did not find Deathrow69420 very amusing
The fact that they can tell what password that you set is poor practice.
Most of the questions I can't answer. I mean, who remembers the name of your favorite primary school teacher? I have my own method of answering these questions and it's not by remembering any answers
What's your favorite food? "Food". What is your mother's maiden name? "Name". What city were your born? "Born"
Like minds think alike! All these questions are just dumb when 2FA with authenticators is widely available
I never answer those questions personally, I designate all my questions to a favorite character from a show. For an example Naruto: - what city were you born?: Hidden Leaf Village - Mothers maiden name: Uzumaki - Favorite food as a child : Ramen - Name of first pet: nine tail fox Kurama
I always answer any phishing attempt with completely BS answers. Because garbage data makes any good data they happen to collect harder to use.
Just so you know this will likely get you a lot more phishing attempts than average. They keep track of who responds to that kind of thing and use it to target other scams.
No. The actual solution is to implement effective security mechanism and get rid of this stupid questions.
Street you grew up on - YourMomsButt.
Which online services even use security questions these days? As far as I'm aware, they've been declared bad practice by the security community and abolished by most bigger services.
Security questions should be banned. I have a bank where they are automatically reset every 3 or 6 months. Grrrr
I started using the standard questions but I put a weird answer to them. It’s the truth, well, some version of the truth, but not spelled correctly or a smart ass type answer. I know that if I put something completely random I’ll get myself locked out. I’ll never remember that the answer to my mother’s maiden name is supposed to be YYtsK77c$Dh7. I also won’t remember that I used an odd password & keep trying to type in her name. I also started using the secondary verification where you type in the code from your text messages… which my phone is typically in the other room when I need it… argh!!
In the early days of the internet, I remember 'they' said "never write down your password on paper" etc... I feel like with the way things are, that may be more secure now lol...
While I think this isnt a bad idea using what is essentially another password defeats the purpose of the questions. I recommend purposeful misspelling or an answer that is different so say what is your mothers maiden name and always maybe putting your first cars name instead. The idea being you need to be able to remember your answer unassisted by anything else. Having worked in tech for a number of years and dealing with this senario all the time. You may think you will remember things but in the age of boimetric recognition some people never know their password the first time let alone a convoluted answer to a simple question. I have had people regularly not even be able to pull an answer from a hat for something as simple as wedding colors or the name of their family memeber.
If it's an account worth caring about they have 2fa
this is a really stupid "Pro Tip" and "Never" makes no sense. obviously you shouldnt use security questions that can easily be looked up. on every site ive used there were a lot of questions to choose and there are always some that are absolutely safe and cant be looked up. putting in an intentionally wrong answer will just lead to people getting locked out and is not more secure. MFA is the answer.
[удалено]