Growing Up On
Tags: beards, security, web.
During sign up, some sites prompt new users to answer a series of security questions.
- “What street did you grow up on?”
- “What was your first pet’s name?”
- “What’s your favorite musical instrument?”
And so on. The putative purpose of these questions is to provide a mechanism for proving your identity to regain control of your account if you forget your password.
But if you answer these questions honestly, boy, that seems like a pretty big security hole! A determined attacker could identify my sixth-grade teacher, and favorite colors aren’t hard to guess. Even if I have a strong primary password, an attacker could use those security questions to route around it.
But the answers to these security questions are themselves just passwords, right? Why not treat them that way?
It’s 2020, and you’re reading a dorky blog for dorks, so you probably already use a password manager to create and save strong, unique passwords. You can just as easily create random passwords to answer these security questions. They’re just text, after all.
I’ve been doing this for years, and it’s worked smoothly so far. The only wrinkle I’ve encountered has been when calling my bank’s customer service department; they always go along with it, but they’re often mildly surprised to learn that my favorite teacher was Mr.
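One way to generate such answers, as an added example that is not part of the original post: a Python sketch that draws an independent random answer for each question from the operating system's CSPRNG. The alphabet, grouping and function names are assumptions chosen here so that an answer can be read aloud to a support agent without ambiguity.

```python
import math
import secrets

# Constructed sample input: the questions quoted in the post.
QUESTIONS = [
    "What street did you grow up on?",
    "What was your first pet's name?",
    "What's your favorite musical instrument?",
]

# Assumption: lowercase letters and digits with the look-alikes l, o, 0 and 1
# removed, so an answer survives being spelled out over the phone.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"  # 32 symbols, 5 bits each


def random_answer(groups=4, group_len=4):
    """Return one random answer, e.g. 'k7qm-x2wd-9hfe-pz4a'."""
    # secrets.choice uses the OS CSPRNG; the random module is not suitable here.
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def entropy_bits(groups=4, group_len=4):
    """Entropy of one answer: number of symbols times log2(alphabet size)."""
    return groups * group_len * math.log2(len(ALPHABET))


def answers_for(questions, **kwargs):
    """Map each question to its own answer.

    Every answer is drawn independently, so learning one of them (from a
    breach, say) reveals nothing about the answers to the other questions.
    """
    return {question: random_answer(**kwargs) for question in questions}


if __name__ == "__main__":
    for question, answer in answers_for(QUESTIONS).items():
        print(f"{question}\n    {answer}")
    print(f"{entropy_bits():.0f} bits of entropy per answer")
```

Store each question and its generated answer in the password manager entry for that site, since the answer cannot be reconstructed from memory.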