Comments on: Password Recovery Questions Make Online Accounts Vulnerable

By: La opción de recuperar el password por preguntas secretas hace las cuentas más vulnerables

Sat, 01 Aug 2009 22:05:07 +0000

[...] Vía: Ghacks [...]

By: Roman ShaRP

Roman ShaRP — Sat, 04 Jul 2009 19:26:57 +0000

I always choose custom questions and put in them things that nobody else can know.

By: Tobey

Tobey — Sat, 04 Jul 2009 09:10:47 +0000

True indeed. This leads me to an idea to use the same string for the answer as for password itself and of course, for the worst case, have the password backed up in KeePass/alternative. Will start implementing that as of now since forced question-answer measures are a serious vulnerability, all the more if you’re not offered a more “safe” question. IMHO asking for mother’s maiden name is one of the stupidest options, literally anyone can find out, possibly even using the Net/social networks.

Thanks for the tips

By: Dave

Dave — Thu, 02 Jul 2009 12:28:19 +0000

If you have a password manager that you are storing answers to recovery questions in, wouldn’t you already have the forgotten password in the manager as well?

Regardless, one of my greatest pet peeves about password recovery questions is the use of subjective questions. “What’s your favorite movie” will probably be different 3 years from now when I forget my password and need to recover it. They should be more concrete like “What city was your father born in?” That will never change.

So anyway, I *love* the idea of putting an answer completely unrelated to the question. That’s brilliant. Thanks for the suggestion.

By: Greg

Greg — Thu, 02 Jul 2009 10:13:41 +0000

Yeah, to be honest a lot of the questions are things like

“what’s your mother’s maiden name?”
“what’s your first pet’s name?”
“in what town was your high school?”

This is all stuff that people close to me would know, particularly family members and as you can pick your friends, not your family…. I would trust my family the least out of anyone!

By: Transcontinental

Transcontinental — Thu, 02 Jul 2009 09:00:51 +0000

The last password recovery question I encountered was the name of my pet : I admit I never had a pet named: $WSo,)EEI4KMy_#YUS\wUba-Bd9+a62(
Poor cat!

By: xdmv

xdmv — Thu, 02 Jul 2009 04:16:14 +0000

A useful tip is think that you are ANOTHER person. Then the answer would be honest, but not for YOU… ;-)

By: DanTe

DanTe — Thu, 02 Jul 2009 02:31:36 +0000

The answer to all my password recovery question is: sakljg;aghjk’sl;ksfhgait
q4\=q3i5

I keep all my passwords in one master encrypted spreadsheet stored on a detached Ironkey USB drive.

By: John

John — Thu, 02 Jul 2009 01:00:21 +0000

About time someone saw sense on this matter. Banks are even worse than websites. These days I lose my temper when they ask for my mother’s maiden name as a security marker – half the financial institutions on this planet (and their staff) must have that info by now – as a security device it gets 1/10.

But – as a more sensible bank employee assured me – the answer doesn’t of course need to be literally correct. You can say your mother’s name was Chewbacca just as long as you remember that.

But that still doesn’t, of course, address the issue that a large proportion of the security problem originates from WITHIN banks and financial institutions where – I am MOST reliably informed – the standards of internal security are often laughable.

By: cmpm

cmpm — Wed, 01 Jul 2009 21:39:18 +0000

I have an answer that has nothing to do with the security question.
It’s not likely any one could figure out the answer to any question,
when the answer is totally unrelated to the question or any question.
But I also try not to confuse myself as well, :)