Are Your "Secret Questions" Too Easily Answered?

Research finds that the answers to secret questions used to retrieve forgotten passwords are easily guessed.

http://www.technologyreview.com/web/22662/page1/

Now... try to guess mine...

Q: What is your favorite sports team?
A: $FW!si1q$dp3&2tD7MfRC

 

More like easily forgotten, lol. In my own opinion, the secret question idea is one of the worst ideas ever. For one thing, MOST websites give you a list of questions....please tell me someone out there is NOT using their mothers maiden name as a question, please? Just using the list alone is already a security failure on the users' part. Too many use simple, common answers. On the flip side of that, using your own question, well, it can be easily forgotten if you made up a pretty random question that normally you wouldn't even get asked. You'll never even see the question again unless you've forgotten your password *raises hand*, and, if you just for the life of you can't remember what you answered that day, you're screwed.

P.s, I KNOW that's your password to something, lol

 

The secret questions are an obvious security risk. Plus, in many cases your typed in answers are not even obfuscated! I recommend using a complex password to answer each secret question and storing it all in a password manager such as KeePass. If you need to answer a secret question (for example, if your computer is not recognized by a particular site), just cut and paste. Just make sure you don't forget the master password, and always keep several backup copies of your database.

Although KeePass does not provide specific fields for secret questions, you can easily store the questions and answers in the Notes area. For example:

Name of first pet: 4rFKI4Y2pffXlQMZx7nX
Make of 1st car: 0HfAptLAcwUNlcRF9NmR
City where met spouse: 601qQ7lK3ktPyYNKi7nu

 

Like Dantz, I don't propose remembering the key phrase. I let RoboForm Pro do it for me. It generates the phrases for me and I attach them as notes to the particular site's log-in credentials.

And, no, that isn't my password to anything. I generate such random ones new for every site. I have hundreds and they're all organized. I never repeat. I even make up my usernames so they differ from one site to the next.

 

I was teasing on the password comment But, I too agree with Dantz and you.

 

How likely is that I have this type of secure answer stored safely when I have lost my password. Obviously it is not stored in my memory (as my mother's maiden name), so if my password safe is corrupted and I don't have a backup, such a clever answer will not help me much either.

 

I make up nonsensical answers to those questions (and nonsensical questions, too, when allowed) and store them into encrypted data stores for subsequent retrieval should they be needed. And I have backups, too. Some of which are also encrypted.

 

I don't remember them myself, so I think they are fairly safe ...
Mrk

 

My point is though that you guys will most likely never have to use these "secret questions" as you have your strong passwords securely stored somewhere accessible (and with multiple backups).

Unfortunately that is not the norm and the "secret question" is meant to help those users who are not that well organised. It reminds me of the comment of a customer just a few days ago, when she had password problems on our website. She was trying to use the "password retrieval function and failed to enter the new password and or username correctly. Her response to my assistance with this was and I quote
": if I want to buy something, I don't want to have to bother with logging on, passwords, etc!"

 

Well, what your customer says makes perfect sense. In order to buy something online, you don't technically need to have an account, so no username, password, logon or similar are required.
The vendor usually requires the (potential) customer to create an account, so that it is easily possible to keep track of the habits of that user on the website.
So, for once, the customer (maybe) knew what she was talking about.

 

Yes, but you listen to Frank Zappa, so you are already miles ahead of most Americans.

 

Mine aren't that easily answered... Even I forgot a few already along the road of life... Yep, I know it would be better to write them down, and I always tell myself that I will, but I never do it.

I already had to delete 2 e-mail accounts.

I know its given the chance to us to write a secondary e-mail, and I often do, and it generally works, until I also forget the password or secret answer.

Of course, I've learn it the hard way, and know I write the passwords down.

 

Now I cant remember the password of my resume that I .rar. I don't know how to recover it

 

I too create passwords similar to yours. Even if they are answers to secret questions.
I store them somewhere where no one can reach it on something that is unhackable: paper!

That sure is one hell of a sports team...