Brokerage login now requiring I answer these questions. Not a single one of these has a single answer I’d actually remember. They all have problems regarding what would actually count or multiple possible answers to choose from, or these are not things people would remember or they just don’t apply to most people.
For security questions I usually put a random long 10 word passphrase. LPT for you guys
Yeah, don’t answer truthfully. My favorite food has been a waterslide for ages.
Now if you would just provide me with your other account information…
Born on January first 1900. Undefined gender.
Got him! Send in the seals.
First partner is fine. First foreign country isnt terrible. The rest range from pretty bad to “what human thought this was a good security question”
Yeah but first boyfriend/girlfriend drives me crazy because then I’m going back through my various early relationships trying to figure out who counts as a “girlfriend”. I’d say Sherry was the first but she always said we were never really together. Well now you’re a security question answer so you can’t deny it anymore Sherry.
The best insight I remember reading about questions as MFA, is to consider the answer as a password. If you use a password manager, don’t feel forced to use actually true answers. The answer doesn’t have to be true, you just need to know it. Use a password manager and invent answers which you store. This is so much more secure than relying on the truth.
Edit: others mention the same thing.
Yeah I use a 10 word passphrase for these
Ahh yes, my favorite account on “x”. OqY4LO%&1Xv&e9YbRczM^nc3tD*f$4um3
Just make the answers diceware passwords and store them in your password manager.
This is the right answer. I never answer those, you add new entries in your password manager in the notes for the main site.
If you answer truthfully to any one of those “security questions”, your account is at risk.
Don’t add as notes, add as a new hidden option in bitwarden. Use the password maker to generate a string of crap
I just make an extra entry in KeePass with a suffix and different icon. I treat the answer just like an additional password and put the question as username or in the notes.
Holy shit, that’s so smart. Now to see if Bitwarden can auto-fill them
It’s unlikely since it uses the field ID and not the text, so it wouldn’t know which question went with which answer.
It’s so rarely needed to actually use these anyway, that it’s a non-issue IMO. You should never opt to use security questions as they are terrible from a security standpoint. This is just for when they are required by stupid websites.
I’m waiting for the day I need phone support and have to tell them 512 random characters over the phone 😆
I always called them insecurity questions. Im almost sure its easier for someone or thing with a dossier on me to answer any of them than me.
One method to approach this is to use a simple personal algorithmically to create answers here. As in, you could put any security question in front of someone that uses this method, even those questions never seen, and the personal algorithm would produce an answer only the user would know. Here are a couple algorithms I made up to show an example for this post.
Input security question (the first from OP’s list): What was the first stock you ever bought?
- Algorithm number one answer: eight - Algorithm: How many words in the security question?
- Algorithm number two answer: sold - Algorithm: Ignore all words except the verb, in this case “bought”. Whatever the verb is, the answer is always the opposite verb.
This way you don’t necessarily have to write down your security question answers. Most certainly never write down your personal algorithm. Using this method it is trivially easy for you (and only you) to produce an answer from any security question given to you and equally easy for you to reproduce the answer when you need it in the future.
So-called “security questions” like these are prohibited under various standards (there’s a NIST one that I can’t remember exactly, and OWASP ASVS) because they’ve always been really terrible at verifying it’s actually you answering them, and not just someone who happens to know the answer. Mother’s maiden name being the notorious example.
Also many of them have extremely likely answers.
“What’s the first app you installed on your smart phone?”
How many of these accounts can now be compromised by answering X/Twitter/Facebook/Instagram/What’sApp?
Joke’s on you, no one will ever know that the first app I ever installed is TCPMP on a Windows Mobile smartphone to play ogg vorbis audio from the SD card!
Most of these read like ads. Most of the rest read like information found in an advertising profile (the kind of info that ad companies purchase). Only a couple read like actual things people care about.
Doesn’t need to be real answers. Can just use combo nonsense like correcthorsebatterystaple or whatever.
But yeah, lots of other people are fucked.
Wrong community. Extremely infuriating.
Choose questions, write them down, place the Q’s & A’s in the notes of your password app. Use paper to smoke them mara-ju-anas.
use a local password manager
you can usually log these questions and your answers in there.
make sure your answer has nothing to do with the content of the question.
Why would you answer the actual question anyway? That just means if someone knows the actual answer, they can get into your account. The question shouldn’t matter. It should be treated as a secondary/tertiary/etc password.
“What’s your mother’s maiden name?”
“c@#Wz6Ani5$!Z8L5$1$DJybIWaq^BwZw”
“She’s French.”
