Security Questions Are Stupid

Radiating

macrumors 65816
Original poster
Dec 29, 2011
Just a little rant. Let me give you an example:

Where were you on January 1st, 2000?

South Beach

South Beach Miami

South Beach, Miami

South Beach Miami Florida

South Beach, Miami Florida

South Beach Miami, Florida

South Beach, Miami, Florida

Miami

Miami Florida

Miami, Florida

Florida

What was your first job?

Salesperson

Salesman

Merchandise Specialist

salesperson

salesman

merchandise specialist

Crate & Barrel

Crate and Barrel

Crate & Barrel & Co.

Crate & Barrel & Co

Crate & Barrel, & Co.

Crate & Barrel, & Co

Crate and Barrel and Company

Crate and Barrel, and Company

Crate and Barrel and Company, LLC

Crate and Barrel, and Company, LLC

That's a total of 154 different ways to answer those questions correctly.


This is literally the worst possible way to solve this problem.


Jim: "Hey Bob, this whole passwords being stolen thing is a problem."

Bob: "Sure is! Hey I have a great idea, what if we made a second secret password?"

Jim: "That's a great idea! So if the main password is compromised, nothing will happen?"

Bob: "Exactly, except for this password let's have it be in the form of an answer to a question. So that way the user won't even remember exactly what it is."

Jim: "A non-specific password?"

Bob: "There's nothing more secure than a password that can't even be used 99% of the time even when you know it."
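An added example, not part of the original post: a sketch of how a site could canonicalize security answers before hashing them, run over the answer variants listed above. The function names and the scrypt cost parameters are assumptions made for this illustration. It shows that normalization removes the case and punctuation variants but cannot tell that "Miami" and "South Beach Miami" are meant as the same answer.

```python
import hashlib, hmac, os, re, unicodedata

# Answer variants copied from the opening post of the thread.
LOCATIONS = ["South Beach", "South Beach Miami", "South Beach, Miami",
             "South Beach Miami Florida", "South Beach, Miami Florida",
             "South Beach Miami, Florida", "South Beach, Miami, Florida",
             "Miami", "Miami Florida", "Miami, Florida", "Florida"]
JOBS = ["Salesperson", "Salesman", "Merchandise Specialist", "salesperson",
        "salesman", "merchandise specialist", "Crate & Barrel",
        "Crate and Barrel", "Crate & Barrel & Co.", "Crate & Barrel & Co",
        "Crate & Barrel, & Co.", "Crate & Barrel, & Co",
        "Crate and Barrel and Company", "Crate and Barrel, and Company",
        "Crate and Barrel and Company, LLC",
        "Crate and Barrel, and Company, LLC"]

def normalize_answer(raw):
    """Canonical form: NFKC, case-folded, '&' spelled out, punctuation dropped."""
    text = unicodedata.normalize("NFKC", raw).casefold().replace("&", " and ")
    text = re.sub(r"[^\w\s]", " ", text)   # punctuation becomes a space
    return " ".join(text.split())          # collapse runs of whitespace

def _kdf(raw, salt):
    # Cost parameters are illustrative assumptions, not taken from the thread.
    return hashlib.scrypt(normalize_answer(raw).encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, maxmem=2**26, dklen=32)

def enroll(raw):
    """Return (salt, digest) to store instead of the plaintext answer."""
    salt = os.urandom(16)
    return salt, _kdf(raw, salt)

def verify(raw, salt, stored):
    """Constant-time comparison of the normalized candidate with the record."""
    return hmac.compare_digest(_kdf(raw, salt), stored)

def distinct_forms(variants):
    """Normalized forms that would still be treated as different answers."""
    return sorted({normalize_answer(v) for v in variants})

if __name__ == "__main__":
    for name, variants in (("location", LOCATIONS), ("job", JOBS)):
        forms = distinct_forms(variants)
        print(f"{name}: {len(variants)} typed variants -> {len(forms)} forms")
        for form in forms:
            print("   ", form)
```

The variants that remain after normalization differ in content, not formatting, which is why several replies in this thread recommend storing a random string as the answer instead.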
 

MathBunny123

macrumors regular
I agree with you...I also dislike the idea of verifying your login.
 

samiwas

macrumors 68000
Aug 26, 2006
Atlanta, GA
I have no idea what this thread is about? Are you upset because someone could easily come up with the answers to your questions?

That's why I always choose "what was the name of your first pet". No one is guessing that one. And even with "Where were you on whatever date", what are the chances that someone else is going to know the answer to that? I just don't understand what the beef is here.
 

velocityg4

macrumors 601
Dec 19, 2004
Georgia
Like the emails you get after registering for an account? Those are awful! :D
Much worse is logging into a site you visit regularly but on a different computer, at a different location or just after cleaning the cache. Even if you get the username and password correct on the first try, they require a confirmation from a text message, email or security question.
 

556fmjoe

macrumors 68000
Apr 19, 2014
No, answering them truthfully is stupid. I just use another random password that has nothing to do with the question. It's much easier to remember.

----------

I have no idea what this thread is about? Are you upset because someone could easily come up with the answers to your questions?

That's why I always choose "what was the name of your first pet". No one is guessing that one. And even with "Where were you on whatever date", what are the chances that someone else is going to know the answer to that? I just don't understand what the beef is here.
No, it's that you could have the correct answer in mind, but there are a hundred ways you could have typed it in. It's maddening to have to remember if you said your first car was a Volkswagen, VW, Jetta, VW Jetta, Volkswagen Jetta, Volkswagon Jetta, Jetta TDI, VW Jetta TDI, Volkswagen Jetta TDI, Diesel Jetta, etc.
 

Astroboy907

macrumors 65816
May 6, 2012
Spaceball One
I have no idea what this thread is about? Are you upset because someone could easily come up with the answers to your questions?

That's why I always choose "what was the name of your first pet". No one is guessing that one. And even with "Where were you on whatever date", what are the chances that someone else is going to know the answer to that? I just don't understand what the beef is here.
Well, no one except for family and close friends, maybe your vet, etc :D

----------

No, answering them truthfully is stupid. I just use another random password that has nothing to do with the question. It's much easier to remember.
This made my day, so much simpler. Why didn't I think of this! :rolleyes:
 

Melrose

Suspended
Dec 12, 2007
If you treat security questions as additional high strength passwords, you'll do better. Using common information that anyone can find on your Facebook page is right up there with the 2 lonely IQ points of Jennifer Lawrence.

Instead of Miami Florida, put "&nan23#BFm):3n", and instead of C&B put "wH*b38f7q&$b98b!"... bingo. High security.

I use encoded phrasing for my passwords. I have multiple phrases lifted from Shakespeare, Goethe, etc, that I reduce to what looks like random junk, but I can remember it easily. I will say I have a selection of about 5 or 6 that I use for everything, but it's still more secure than using common information.
 

samiwas

macrumors 68000
Aug 26, 2006
Atlanta, GA
Well, no one except for family and close friends, maybe your vet, etc :D

Seeing that this pet died over 30 years ago, I think my mom, dad, and possibly my sister would be the only people who would know its name. And it's a very uncommon pet name, so it's secure enough for most of my purposes.
If you treat security questions as additional high strength passwords, you'll do better. Using common information that anyone can find on your Facebook page is right up there with the 2 lonely IQ points of Jennifer Lawrence.

Instead of Miami Florida, put "&nan23#BFm):3n", and instead of C&B put "wH*b38f7q&$b98b!"... bingo. High security.

I use encoded phrasing for my passwords. I have multiple phrases lifted from Shakespeare, Goethe, etc, that I reduce to what looks like random junk, but I can remember it easily. I will say I have a selection of about 5 or 6 that I use for everything, but it's still more secure than using common information.
Outside of my banking, I can't think of anything that I need to worry about security that much.
 

Melrose

Suspended
Dec 12, 2007
Outside of my banking, I can't think of anything that I need to worry about security that much.
...that's exactly my case too. I should say I use secure passwords for most things, simply because even sites like Fiverr are connected to my money and/or business. I have much simpler passwords I use for stuff that's not associated with finances.
 

ejb190

macrumors 65816
If you treat security questions as additional high strength passwords, you'll do better. Using common information that anyone can find on your Facebook page is right up there with the 2 lonely IQ points of Jennifer Lawrence.

Instead of Miami Florida, put "&nan23#BFm):3n", and instead of C&B put "wH*b38f7q&$b98b!"... bingo. High security.

I use encoded phrasing for my passwords. I have multiple phrases lifted from Shakespeare, Goethe, etc, that I reduce to what looks like random junk, but I can remember it easily. I will say I have a selection of about 5 or 6 that I use for everything, but it's still more secure than using common information.
I do something similar but I use song lyrics. For instance "Happy Birthday" would become something like Hbd2u.Hbd2u! And the song always relates back to the question. First Car? Use Little Deuce Coupe by the Beach Boys or Love Shack by the B-52's (I got me a Chrysler, it seats about 20, So hurry up and bring your jukebox money). Pretty much unguessable.
 

Melrose

Suspended
Dec 12, 2007
I do something similar but I use song lyrics. For instance "Happy Birthday" would become something like Hbd2u.Hbd2u! And the song always relates back to the question. First Car? Use Little Deuce Coupe by the Beach Boys or Love Shack by the B-52's (I got me a Chrysler, it seats about 20, So hurry up and bring your jukebox money). Pretty much unguessable.
I do the same thing, except I sub out letters for numbers, e=3, s=5, and vice versa. Double letters get swapped and the double turns into a 2. "bottle", for example, becomes B0t2l3. Simple words like "at" and "and" get changed for symbols as well. Starting and ending letters get capped. I also bracket it in a special character, usually asterisks. It sounds complicated but I've been doing it for years and it helps me remember complicated strings easily and keeps my private stuff private.

A long enough string and it looks like utter balderdash but I can read it pretty easily. "*4S+5y40f2b40tC*" is the opening line of the Gettysburg Address. :)
 

samiwas

macrumors 68000
Aug 26, 2006
Atlanta, GA
A long enough string and it looks like utter balderdash but I can read it pretty easily. "*4S+5y40f2b40tC*" is the opening line of the Gettysburg Address. :)
A museum I was working in used this kind of thing for their wifi password. Except it wasn't just one or two words. It was something like "TheGrandRapidsArtMuseumWirelessInternetAccess", except it was all in numbers and symbols and lower case Ls for I's and all that. It freaking SUCKED to type it, especially on the iPhone.
 

Melrose

Suspended
Dec 12, 2007
A museum I was working in used this kind of thing for their wifi password. Except it wasn't just one or two words. It was something like "TheGrandRapidsArtMuseumWirelessInternetAccess", except it was all in numbers and symbols and lower case Ls for I's and all that. It freaking SUCKED to type it, especially on the iPhone.
...yes, that is the downside. But 1Password is free, so that helps. :)
 

LIVEFRMNYC

macrumors 604
Oct 27, 2009
I use the same answer for every security question and in CAPS.

For example: It's easier to put something ridiculous like "PAPERGOAT" as the answer for every single question.
 

sk1wbw

Suspended
May 28, 2011
Williamsburg, Virginia
If passwords were nullified and everyone switched to those awful "capchas" or whatever those things are called, I'd be royally screwed. I've never ever been able to get those right.
 

Roller

macrumors 68030
Jun 25, 2003
Security questions were originally designed to be convenient, hence the ubiquitous "What was your mother's maiden name?" query. But it eventually became obvious that the responses were easy to find using search engines. It's probably safest to treat them like another set of passwords, though it may be difficult to remember them if you're trying to reset your password by talking to a customer rep over the phone.

Frankly, I wish that two factor authentication were more widely available, at least as an option.
 

LostSoul80

macrumors 68020
Jan 25, 2009
Better stick with a password. Too bad for people that can't come up with a decent one.
 

mtneer

macrumors 68030
Sep 15, 2012
Well, no one except for family and close friends, maybe your vet, etc :D


That is if you choose to answer correctly. I always choose the common questions used across many sites so I can remember the connection. For example, whenever I get the pet question I put in the name of the kid I didn't like in all my years of high school. I will not forget that connection and I surely won't forget that guy's name. And those associations are not known to anyone but me.
 