Harry R. Schwartz

Software engineer, nominal scientist, gentleman of the internet.
Member, ←Hotline Webring→.

bearded cartoon drawing of the author hacker news gitlab sourcehut pinboard librarything 1B41 8F2C 23DE DD9C 807E A74F 841B 3DAE 25AE 721B

Vancouver

British Columbia

Canada

vegan

he

him

his


Growing Up On Shoshah4muufuiB Drive

Growing Up On Shoshah4muufuiB Drive

Published .
Tags: beards, security, web.

During sign up, some sites prompt new users to answer a series of security questions.

  • “What street did you grow up on?”
  • “What was your first pet’s name?”
  • “What’s your favorite musical instrument?”

And so on. The putative purpose of these questions is to provide a mechanism for proving your identity to regain control of your account if you forget your password.

But if you answer these questions honestly, boy, that seems like a pretty big security hole! A determined attacker could identify my sixth-grade teacher, and favorite colors aren’t hard to guess. Even if I have a strong primary password, an attacker could use those security questions to route around it.

But the answers to these security questions are themselves just passwords, right? Why not treat them that way?

It’s 2020, and you’re reading a dorky blog for dorks, so you probably already use a password manager1 to create and save strong, unique passwords. You can just as easily create random passwords to answer these security questions. They’re just text, after all.

I’ve been doing this for years, and it’s worked smoothly so far. The only wrinkle I’ve encountered has been when calling my bank’s customer service department; they always go along with it, but they’re often mildly surprised to learn that my favorite teacher was Mr. ootusa3thax2Pae.

  1. If not, you’re missing out on a great thing! You might try the free and open source KeePass, commercial options like 1Password or LastPass, or, my PGP-based personal favorite, pass


You might like these textually similar articles: