1

When we set up security questions, assuming we answer fairly, we give out to the site our secrets, facts from our past. I wonder if the following is considered:

  • we are encouraged to use a different password for every account, but our mothers have only one maiden name, we've had a limited number of pets, etc. Inevitably the answers are going to repeat on many accounts.
  • we've seen many data breaches from many places, including the largest internet companies. Can the security answers become public this way? We can update passwords, but our secrets remain the same, except in case of a breach they are no longer secret. Consequences of releasing security answers might be much more serious than that of leaking a password.
  • are the companies and websites actually allowed to store such private information? Are there legal limitations?

I found the following questions on SE:

The answers range from "security questions are bad" to "they are bad but we have nothing better". Do we really have nothing better in 2020?

What are the present recommendations for the website creators?

What are the best recommendations for the users? Lie? Provide random strings as answers?

user1079505
  • 113
  • 5

3 Answers3

5

You should absolutely lie!

Security questions are only looking for a match, answers needn't even be in context to the question (usually). Not only should you lie you should lie differently everywhere.

Favorite Food:  A Red Bicycle

Of course this puts the onus on you to keep track of your lies.

Two Factor Authentication (2FA) should be used if possible/practical.

An aside on lying:

My wife was working as a librarian and was dealing with children signing up for a summer reading activity. The sign up asked for Birthday as an age determinant. My wife told the children not to put down their actual birthday, just their actual year. The children were slightly aghast at an adult telling them to lie, but it was the parents that occasionally became irate at the suggestion that their child should ever lie.

user10216038
  • 7,552
  • 2
  • 16
  • 19
  • 1
    Lying feels wrong, doesn't it? Any preference between "A Red Bicycle" and "Y1\_cvD[j|"? Both are impossible to remember, if I use a different lie on each site. – user1079505 Aug 15 '20 at 17:33
  • I always use this as an occasion to see whether the sites accepts random gibberish as "maiden name" et.al. and surprisingly I was always able to to so, even more than 30 characters. It's stored alongside the real password in my manager of course. – Marcel Aug 15 '20 at 19:41
  • @user1079505 - I generally use words in case I need to deal with someone over the phone. I'm old, back in my day we used phones for talking! – user10216038 Aug 15 '20 at 21:06
  • 1
    This. If you use a password manager, I suggest that you don't know any passwords, or security answers without your manager. When you are allowed to pick your username, then make your username something you won't remember either. Note, I've seen at least one website where when typing in security answers, casing does not matter which means the complexity is greatly reduced. I recommend mixing in numbers and characters when possible for security answers to reduce the chance of brute force cracks, in case the site doesn't limit the number of tries. – TTT Sep 24 '20 at 14:30
3

Regarding threats, of course they do. If you use the actual answer to the question, an adversary posing as you can learn one of the two:

  • The information that was protected by the password that was reset, or answering the question required.
  • Information about you if the answer to the question was just guessed.

Here are three alternatives, two factor authentication, push notification, or text messaging an OTP code, are considered the modern-day alternatives to security questions. But just like any new tech security methodology that comes up, older generations have a hard time catching up to or may never use such new technology. Thus, the reason why banks and e-mail clients/providers still give the choice to use security questions, rather than the 3 new technologies I stated in the beginning. Security questions in 2020 are not geared for the technology-oriented generation of people.

Amol Soneji
  • 346
  • 1
  • 5
2

I'd say that it depends on how the security answer is stored. Reading this Microsoft answer it appears that within Active Directory at least, security questions are stored as hashes in much the same way as passwords.

D0gfather
  • 71
  • 4