Plus, you should never answer security questions honestly. Your favorite pet or the street you grew up on or your mother's maiden name are all not secret information. Many of my friends and family know the answers to all of these. So, when faced with a security question, I try to pick a random (but false) security answer, which I then write down in an encrypted file. This is a terrible solution, but it feels foolish to answer the questions honestly.
Why would that be the case? It just seems stupid to do so. A security answer is pretty much functionally identical to a password. Doesn't make sense not to hash it (there are no uses of the answer where you would need it in non-hashed form).
They're often used by support agents as a workaround for giving them your password (which the entire world has been diligently trained not to do, right?). They're also often case-insensitive and ignore punctuation, and while it's quite easy to handle that in a hashed scenario, they're usually implemented by programmers that don't get security.
Of course, the same apps with security questions are probably the ones not hashing your actual password in the first place.
Yeah, it is stupid, probably because security answers are needed to trigger some system on the server side (not to decrypt anything), and if an attacker has access to the DB, they probably can already trigger the process. But actually they are even more sensitive to reuse than passwords, so they should be hashed.
I'm not sure about all security questions, but I have noticed many credit card support lines ask me for my mother's maiden name, and the answer I give is long and not easily spelled, but they always confirm -- instantly -- "that's it" and proceed.
Think about last names, as well... there's huge variety in length, spelling, etc. -- it's poor customer service to force the customer to spell it out letter by letter -- so it's necessarily just displayed there on their screen.
Yep, I always simply generate another random password and save it in my KeePass along with the actual password, together with the question (custom or whatever was choosable).
I make up additional weird randomness (but stuff which would be hilarious but not incredibly offensive to say to a CSR) and save it in my password manager for each account.
I use it as a password hint if I can (e.g. make it show the first character of my password; I'll remember it then). As the answer I enter something like 50 random characters which I don't write down or remember or anything, since I should simply know the password or use my recovery e-mail.
The problem is that most sites won't let you set your own question. More about my idea on security questions: http://lucb1e.com/!65
Security questions are usually just used to decide whether to send you an email with a password reset link (or more annoyingly, a new password), aren't they? I've never seen a system where being able to answer the security question(s) is equivalent to knowing your password. Anyone who knows my mother's maiden name probably also knows my email address and could more easily spam me directly than using a website to send me password reset links.
Paypal's two-factor authentication, a hardware token in my case, has a screen to enter the security code but a link that says 'i dont have my token with me'. Clicking on that link prompts for the answers to two 'security questions'. Answer them correctly and you're in!
Gmail, at least as of two years ago, let you choose a new password after correctly answering the security question. I once tried to answer the security questions to all of my close friends' accounts. I then sent the ones I succeeded on (and was presented with a choose-your-new-password screen, which I then closed) an email suggesting that they change their security questions to something more secure.
I don't worry too much about someone trying to know the name of my first pet (I'm pretty sure anyone who knows what my answer would be to this question is dead). I do worry that there are a bunch of other organizations that I have told that information. If someone hacks one of those they can get access to my other accounts.
One of the worst sites I saw demanded that I select my security question from a list. Sweet gosh, I have absolutely no idea which of your brain-addled security choices I selected.
A long time ago I was unable to answer the security question for my AOL account. The account had been hacked and used for mass spamming. AOL would not close the account, or help me change the password (or stop the spamming) until I answered the question.
"...but the account is being used for malicious purposes." - me
"Sorry, sir but until you tell me what you named your first dog I cannot stop it." - AOL
I use pwdhash for all my primary web passwords, but I have a secondary password that I use as my response to all security questions. I think this is a decent solution, but some services (I believe Apple is one example) require multiple security questions and require the responses to all be distinct.
Ashamed to admit, but I used to "hack" my classmates' (girls) Hotmail accounts like that when I was young. I tried to recover their password, and if I didn't know the answer to their security question (I often did) I just asked... I was curious if they wrote something about me in their emails; they never did...
Depending on the jurisdiction, it's entirely possible that a statute of limitations makes this irrelevant (in a legal sense). Obviously you still don't want future employers etc. to find this post.
Go ahead... Hotmail, by the way, still lets you take over someone's account by only knowing the email address and the answer to the security question, which is often mother's maiden name, name of first pet, best childhood friend, etc... you can find that information freely from Facebook, for example. Or just ask :)
Forward all your "friends" one of those "50 Things You Didn't Know About Me: Fill In Your Answers and Forward!" question lists that includes the security questions you're targeting.
> You should submit this together with a security issue report to Facebook and Hotmail and whoever else uses security questions.
Google, too. I suggest you run through the recovery process yourself (on a dummy account, or your own) to see the kinds of questions asked. Questions like "when did you last access the account?" are easily answered, as is "name 5 regular contacts", and so on. I could (but would not) perform the recovery process for (and gain access to) acquaintances' accounts, given how simple the questions are.
The key is just knowing "enough" in aggregate to pass their bar.