Are Your "Secret Questions" Too Easily Answered?

Discussion in 'privacy problems' started by snowdrift, May 19, 2009.

Thread Status:
Not open for further replies.
  1. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    Research finds that the answers to secret questions used to retrieve forgotten passwords are easily guessed.

    http://www.technologyreview.com/web/22662/page1/

    Now... try to guess mine...

    Q: What is your favorite sports team?
    A: $FW!si1q$dp3&2tD7MfRC
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    That's your password, right? :D Who'd have ever guessed.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    More like easily forgotten, lol. In my own opinion, the secret question idea is one of the worst ideas ever. For one thing, MOST websites give you a list of questions....please tell me someone out there is NOT using their mother's maiden name as a question, please? Just using the list alone is already a security failure on the users' part. Too many use simple, common answers. On the flip side of that, using your own question, well, it can be easily forgotten if you made up a pretty random question that normally you wouldn't even get asked. You'll never even see the question again unless you've forgotten your password *raises hand*, and, if you just for the life of you can't remember what you answered that day, you're screwed.

    P.S. I KNOW that's your password to something, lol :D
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The secret questions are an obvious security risk. Plus, in many cases your typed in answers are not even obfuscated! I recommend using a complex password to answer each secret question and storing it all in a password manager such as KeePass. If you need to answer a secret question (for example, if your computer is not recognized by a particular site), just cut and paste. Just make sure you don't forget the master password, and always keep several backup copies of your database.

    Although KeePass does not provide specific fields for secret questions, you can easily store the questions and answers in the Notes area. For example:

    Name of first pet: 4rFKI4Y2pffXlQMZx7nX
    Make of 1st car: 0HfAptLAcwUNlcRF9NmR
    City where met spouse: 601qQ7lK3ktPyYNKi7nu
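
    As an added illustration of the approach dantz describes above (this is not code from the original thread or from KeePass), the snippet below generates one cryptographically random answer per secret question with Python's `secrets` module, reports how many bits of entropy each answer carries, and renders the result in the same "Question: answer" layout as the post, ready to paste into a password manager's Notes field. The 20-character alphanumeric default is an assumption chosen so the answer survives sites that reject punctuation in secret-question fields; adjust it to whatever the site accepts.

```python
import math
import secrets
import string

# Assumed character set: letters and digits only, so the answer is accepted by
# sites that reject punctuation in secret-question fields.
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random answer of `length` characters drawn from `alphabet`."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy (bits) of a uniformly random string of `length` over `alphabet`.

    Each character contributes log2(|alphabet|) bits; 20 alphanumerics give
    about 119 bits, far beyond anything a guesser could enumerate.
    """
    return length * math.log2(len(set(alphabet)))


def build_notes(questions, length: int = 20) -> dict:
    """Map each secret question to its own fresh random answer (never reuse one)."""
    return {q: random_answer(length) for q in questions}


def format_notes(answers: dict) -> str:
    """Render the mapping as 'Question: answer' lines for a Notes field."""
    return "\n".join(f"{q}: {a}" for q, a in answers.items())


if __name__ == "__main__":
    # Constructed sample questions, in the style of the ones quoted in the thread.
    sample_questions = ["Name of first pet", "Make of 1st car", "City where met spouse"]
    notes = build_notes(sample_questions)
    print(format_notes(notes))
    print(f"each answer: {entropy_bits(20):.1f} bits of entropy")
```

    Because the answers are random, the only place they exist is the password manager entry (and its backups), which is exactly the trade-off beethoven raises later in the thread: the scheme is only as recoverable as the vault.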
     
  5. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    Like Dantz, I don't propose remembering the key phrase. I let RoboForm Pro do it for me. It generates the phrases for me and I attach them as notes to the particular site's log-in credentials.

    And, no, that isn't my password to anything. I generate such random ones new for every site. I have hundreds and they're all organized. I never repeat. I even make up my usernames so they differ from one site to the next.
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I was teasing on the password comment :) But, I too agree with Dantz and you.
     
  7. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    How likely is it that I have this type of secure answer stored safely when I have lost my password? Obviously it is not stored in my memory (as my mother's maiden name is), so if my password safe is corrupted and I don't have a backup, such a clever answer will not help me much either.
     
  8. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    I make up nonsensical answers to those questions (and nonsensical questions, too, when allowed) and store them into encrypted data stores for subsequent retrieval should they be needed. And I have backups, too. Some of which are also encrypted.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    I don't remember them myself, so I think they are fairly safe ... :)
    Mrk
     
  10. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    My point is though that you guys will most likely never have to use these "secret questions" as you have your strong passwords securely stored somewhere accessible (and with multiple backups).

    Unfortunately that is not the norm, and the "secret question" is meant to help those users who are not that well organised. It reminds me of the comment of a customer just a few days ago, when she had password problems on our website. She was trying to use the "password retrieval" function and failed to enter the new password and/or username correctly. Her response to my assistance with this was, and I quote:
    "If I want to buy something, I don't want to have to bother with logging on, passwords, etc!"
     
  11. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Well, what your customer says makes perfect sense. In order to buy something online, you don't technically need to have an account, so no username, password, logon or similar are required.
    The vendor usually requires the (potential) customer to create an account, so that it is easily possible to keep track of the habits of that user on the website.
    So, for once, the customer (maybe) knew what she was talking about.
     
  12. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    Yes, but you listen to Frank Zappa, so you are already miles ahead of most Americans.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Mine aren't that easily answered... Even I forgot a few already along the road of life... Yep, I know it would be better to write them down, and I always tell myself that I will, but I never do it. :D

    I already had to delete 2 e-mail accounts. o_O :eek: :oops:

    I know we're given the chance to add a secondary e-mail, and I often do, and it generally works, until I also forget the password or secret answer.

    Of course, I've learned it the hard way, and now I write the passwords down. :-*
     
  14. incursari

    incursari Registered Member

    Joined:
    May 16, 2004
    Posts:
    153
    Location:
    SG
    Now I can't remember the password of my resume that I put in a .rar. I don't know how to recover it :argh:
     
  15. demonon

    demonon Guest

    I too create passwords similar to yours. Even if they are answers to secret questions.
    I store them somewhere where no one can reach it on something that is unhackable: paper!

    That sure is one hell of a sports team...
     