Comments on: Tighten the Security of “Security Questions”

By: Aaron Toponce

Aaron Toponce — Tue, 06 Mar 2012 18:49:01 +0000

This doesn’t fall apart at all. It just makes it slightly more difficult to read over the phone.

By: Steve Spigarelli

Steve Spigarelli — Tue, 06 Mar 2012 15:48:40 +0000

Of course, the only time this falls down is when you need to provide a valid representative with your security question’s answer. For password recovery and such this makes a lot of sense.

By: Alan Pope

Alan Pope — Tue, 06 Mar 2012 15:36:37 +0000

I just lie when asked security questions. Much easier

By: Aaron Toponce

Aaron Toponce — Tue, 06 Mar 2012 13:18:52 +0000

I wouldn’t recommend using your password as the answer to these forms, for two reasons. First, the point of these forms is in the event that you have forgotten your password, you can recover it. Second, the password SHOULD be hashed with a salt on disk by the provider. The answer to the security questions probably isn’t. So, providing your password in all fields could potentially open your account up for attack by the site administrators. Further, because these form fields are not encrypted, providing answers in the clear could build up an identity about yourself. Best to hash the answers, IMO.

By: Ricardo N Feliciano

Ricardo N Feliciano — Tue, 06 Mar 2012 12:38:27 +0000

Curious, how would you say your idea stacks up against using the password. I usually use my password, or maybe my previous password (I change them every 6 months), as the answer to security questions.

I ask because using a salt, and keeping it private, is sort of like having a password anyway.

In my opinion, sites that force security questions, (usually banks for me), actually weaken the security on my account, as in the example you provided.

By: Aaron Toponce

Aaron Toponce — Tue, 06 Mar 2012 03:58:43 +0000

Richard- Good point. I guess you’ll have two hashes to choose from then, if you can’t remember whether or not your mother’s maiden name starts with an uppercase ‘S’ or a lowercase one.

By: Richard

Richard — Tue, 06 Mar 2012 00:26:59 +0000

Websites usually handle the answers to these security questions case-insensitively. So by using a hash-based answer be mindful that you’re forced into case-sensitivity with your plaintext (including the salt), i.e. the words “Smith” and “smith” are no longer equally acceptable answers.

By: tensai

tensai — Tue, 06 Mar 2012 00:19:44 +0000

I just do the same thing I do for all passwords: generate them randomly (or semi-randomly, as seems appropriate) and write them down in a password database. I just make sure to note which of the questions I gave an answer to.

By: Christer Edwards

Christer Edwards — Mon, 05 Mar 2012 23:44:58 +0000

Get someone to write a browser plugin to automate this.