11

When a website asks me to enter security questions in addition to a password what is best practice on my part? This often happens with banks and other institutions but I see it less with other websites.

Should I choose the most obscure questions that are difficult to guess? Or should I just enter a gibberish password and save that in addition to my regular password?

dgn
Fernando
    In that case the security question becomes your password, so you should follow the same rules you follow when generating passwords. –  Dec 21 '14 at 05:41
  • 2
    Try to avoid questions whose answers are easy to find on social media etc. I know this is a no-brainer, but worth mentioning I guess. – Jeroen Dec 21 '14 at 06:08
  • Nowadays, [information gathering](https://github.com/laramies/theHarvester) is so easy. Everyone shares their most important information on social media. If the question is so simple and not changeable, you can give a different answer. For example, question: Where were you born? Answer: 1900. – dgn Dec 21 '14 at 12:09
  • Those are good points, but are there any best practices? e.g. just always use a new password for each security question? Or will some institutions not allow that? – Fernando Dec 21 '14 at 18:36

1 Answer

11

The best practice by far is to choose any of the questions but enter random text as the answers.

As others have said in the comments, it is far too easy to discover the answers to most of the well-used questions now.

Of course, this requires you to carefully keep track of the answers and be able to get hold of them when required.

Generally I use KeePass as a password store and this supports additional Q&A security as well as the "enter n characters from a password" type of entries. It is well tried and trusted and has 3rd-party versions for pretty well all platforms including mobile ones.

Julian Knight
    +1. The only potential drawback of this is that you might sound a bit odd if you need to authenticate yourself on any phone call with the service. `Q: What's your first pet's name? A: xyX777&kjNoPo033h.a` – SilverlightFox Dec 22 '14 at 11:16
  • 5
    :) It does confuse the heck out of call centre handlers if you ever need to use them over the phone! I generally choose a word; after all, they aren't passwords so they don't need to be totally random. Q: "What's your favorite pet?" A: "New York". – Julian Knight Dec 22 '14 at 11:44
  • 2
    You don't have to choose random letters, just the "wrong" answer: Q: mother's maiden name A: Rumpshaker – Jim B Dec 22 '14 at 16:09
  • 1
    Perhaps your answer doesn't have to be really random, but it does have to be secure, i.e. not guessable, not repeated for different online accounts, and resistant to whatever attacks the service is vulnerable to. Given the sloppy way security is often implemented, that might even include a way for an attacker to try all English words or common phrases. Sigh. What a bother. Now we have multiple "password-equivalents" to manage per account. – nealmcb May 20 '19 at 00:13
  • Thanks @nealmcb. They don't really need to be "secure" in the same way as a password and they very often won't be stored in as secure a way anyway (though they should be really). If you are prompted for the full answer each time (rather than a few letters), they only need to be, as you say, different from other sites and different from reality. – Julian Knight May 23 '19 at 06:07
  • 1
    A diceware-like answer (with words that are easy to spell) is the way to make phone call authentication less tedious. It doesn't eliminate the awkwardness but it does make the other person's job easier. – Future Security May 25 '19 at 14:47
  • Though it can be fun with a really complex one too! For you, not for the operator. Perhaps they shouldn't be asking for dumb security questions anyway ;) n1 letters out of a word is more secure in all cases I think. – Julian Knight May 25 '19 at 21:19
  • Why do you say they don't need to be secure? Depending on how they're implemented and used, they do, and the user typically doesn't know. – nealmcb May 27 '19 at 02:33
  • I didn't say that, I said "in the same way". A password on its own has to have the highest level of security. A set of security questions should have reasonable security but what is important is that it shouldn't be possible for all of them to be accessed easily. – Julian Knight May 27 '19 at 14:51
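The advice in the answer and comments above (random answers, diceware-style words that are easy to say over the phone, and never reusing an answer across sites) as an added example, not code from the original post; the word list is a constructed stand-in for a real diceware list, and the vault structure is an assumed shape for what you would keep in your password manager.

```python
import math
import secrets

# Constructed sample word list (32 entries) for the example; a real diceware
# list has 7776 short, easy-to-spell words. Assumption: you substitute one.
WORDS = ["apple", "brick", "candle", "delta", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lemon", "meadow", "nickel",
         "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
         "velvet", "walnut", "yellow", "zephyr", "anchor", "basket", "cobalt",
         "dragon", "engine", "forest", "glacier"]

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from a pool of `pool_size`.
    4 words from a 7776-word list ~ 51.7 bits; 20 chars from 62 symbols ~ 119 bits."""
    return length * math.log2(pool_size)


def word_answer(n_words: int = 4, words=WORDS) -> str:
    """Diceware-style answer: unrelated to the real question, readable aloud."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def char_answer(n_chars: int = 20) -> str:
    """Random-character answer for sites where you will never say it by phone."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n_chars))


def answers_for_site(questions, n_words: int = 4) -> dict:
    """One fresh answer per question; the result goes into the password manager."""
    return {q: word_answer(n_words) for q in questions}


def reused_answers(vault: dict) -> set:
    """Flag answers that appear under more than one site in a vault shaped as
    {site: {question: answer}} (assumed layout), i.e. the reuse the comments warn against."""
    first_site, duplicates = {}, set()
    for site, qa in vault.items():
        for answer in qa.values():
            if answer in first_site and first_site[answer] != site:
                duplicates.add(answer)
            first_site.setdefault(answer, site)
    return duplicates
```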