Hacker News new | past | comments | ask | show | jobs | submit login

Stupid "security" questions, I've started answering them like "what's your favourite colour?" - "colour" or "what was your first pet's name" - "pet".

There are a few things that make me wonder if I can trust a company. Security questions, stupid password restrictions, sending me a password in plain text via email.




I recently was forced to do this by my home ISP. I used my password manager to generate 32 character length passwords, and then stored that info in the manager. However, when I attempted to save this info, the website responded with something along the lines of, 'we're sorry, please come back and try this again at another time.' This was preventing me from paying my bill online as it would not let me access my account with this info. I did this for 3 days straight. On the 4th day, I changed my answers to very simple responses similar to yours and the entire thing worked. It's not that it was fixed, because I tried the complex values first on day 4. Their system couldn't support such a value, and failed at letting me know that.


So, effectively, three security questions, like this:

  Favorite color? red

  Favorite band? yes

  First vehicle? car
In reality, they actually reduce complexity, defeating a 12 character password requirement with numbers, uppercase, lowercase and punctuation characters, because the total space of complexity can be possibly less than 9 case-insensitive letters.


I used to give my real birthday. Then I kept reading about how knowing that plus your address (usually easy to find on the internet - whitepages.com, etc.) got someone a long ways toward imitating you.

So I started making up birthdays but would have problems because I didn't remember them. So now I just use the epoch, which I think somebody here suggested.


I put January 1, 1970 as my birthday, and sometimes I can tell sites convert to timestamp and then it rejects my entry because it evaluates to zero which is falsely.


The issue then is that some services will require a copy of your ID to recover/unlock your account, and if the birth dates don't match they won't do it.


I always use plausible typos.


I use my sister's birthday. Other than the year, it's close to mine, and I don't forget it.


I use the registration date of my car (which is 4 years older than me) since at least I can look it up.


I tell the students that you really need to lie and put in some words that you remember that go with the question. Think of it as a challenge/ response, not an answer.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: