Ask Hackaday: Security Questions And Questionable Securities

Your first school. Your mother’s maiden name. Your favorite color. These are the questions we’re so used to answering when we’ve forgotten a password and need to get back into an account. They’re not a password, yet in many cases have just as much power. Despite this, they’re often based on incredibly insecure information.

Sarah Palin’s Yahoo account is perhaps the best example of this. In September 2008, a Google search netted a birthdate, ZIP code, and where the politician met her spouse. This was enough to reset the account’s password and gain full access to the emails inside.

While we’re not all public figures with our life stories splashed across news articles online, these sorts of questions aren’t exactly difficult to answer. Birthdays are celebrated across social media, and the average online quiz would net plenty of other answers. The problem is that these questions offer the same control over an account that a password does, but the answers are not guarded in the same way a password is.

For this reason, I have always used complete gibberish when filling in security questions. Whenever I did forget a password, I was generally lucky enough to solve the problem through a recovery e-mail. Recently, however, my good luck ran out. It was a Thursday evening, and I logged on to check my forex trading account. I realised I hadn’t updated my phone number, which had recently changed.

Upon clicking my way into the account settings, I quickly found that this detail could only be changed by a phone call. I grabbed my phone and dialed, answering the usual name and date of birth questions. I was all set to complete this simple administrative task! I was so excited.

“Thanks Lewin, I’ll just need you to answer your security question.”

“Oh no.”

“The question is… Chutney butler?”

“Yes. Yes it is. Uh…”

“…would you like to guess?”

Needless to say, I didn’t get it.

I was beginning to sweat at this point. To their credit, the call center staffer was particularly helpful, highlighting a number of ways to recover access to the account. Mostly involving a stack of identification documents and a visit to the nearest office. If anything, it was a little reassuring that my account details required such effort to change. Perhaps the cellular carriers of the world could learn a thing or two.

In the end, I realised that I could change my security question with my regular password, and then change the phone number with the new security question. All’s well that ends well.

How Do You Deal With Security Questions?

I want to continue taking a high-security approach to my security questions. But as this anecdote shows, you do occasionally need to use them. With that in mind, we’d love to hear your best practices for security questions on accounts that you care about.

Do you store your answers in a similar way to your passwords, using high entropy for the best security? When you are forced to use preselected questions, do you answer honestly or make up nonsensical answers (and how do you remember what you answered from one account to the next)? When given the option to choose your own questions, what is your simple trick that ensures it all makes sense to you at a later date?

We’d love to hear your best-practice solutions in the comments. While you ponder those questions, one mystery will remain, however — the answer to the question that nobody knows: Chutney butler?

42 thoughts on “Ask Hackaday: Security Questions And Questionable Securities”

  1. I usually get 1Password to generate a random string for me, paste that string into the answer and save it in the “Notes” portion of the 1Password entry. Something like: Username: , Password: , Notes: Mother’s Maiden Name: ef24rasdkcn88@#%vsad. First school: @#Rcvw%$Vsce^. Save everything and done. For those sites where the answers are pre-selected, I just pick one at random (and make sure what I pick is not what can be guessed googling me), take a screenshot of my answers and save it to 1password as well as an attachment.

  2. I used to use gibberish as an answer to security questions because I felt uneasy about answering them for multiple reasons, some of which you’ve pointed out.
    But then I made the mistake of tweeting about my practices.
    A day after I sent out the tweet, I realised that I had opened myself up to the following support call, which anyone could make:
    Evil person: “I forgot my pw and I only used gibberish as answers to your questions”
    Support guy: “No worries, I’ve got you”

  3. Store high entropy nonsense in LastPass along with the question that was asked.
    If a security question can be used to reset a password, then it must also be as strong as a strong password.
    That said, the comments text box in the LP dialog is probably not as secure as the password field, but it is the easiest place to do this.

  4. I usually let the question itself provide the answer as in I will put in a string of gibberish for the question and then have an algorithm in mind for decoding said gibberish into an answer. Answers to questions across multiple sites/institutions do not have the same cipher key but can be remembered as each key is related to the specific site/institution that the security question is from.

  5. Quite often, the available security questions are not only very, very insecure, but it is also fairly common for them to be things for which I have no answer. Favourite colour? Really? Might this change in one’s life? Or is it possible that I have no preference? Or I am colour blind? Mother’s maiden name? That’s gonna take a court order, and I may still not find out. But, if I use my own last name, it generally gets rejected, meaning that the significant portion of the population where the mother’s maiden name matches the father’s, or the mother’s maiden name is used for the child, no joy. Make up my own? Such that it is going to be memorable, the answer will most likely be discoverable.

    1. Yes, those questions are indeed frustrating. Even if you have a strong opinion on favourite colour, there aren’t all that many colours people can name. White, black, red, yellow, green, blue… Those six are going to cover a vast majority of answers. The maiden name is better on that front, though not all that great either, but indeed comes with strong assumptions about family (children are born to married couples) and culture (in marriage, the wife takes the husband’s name).

  6. Or, what I like to do is choose an answer to the question that’s not quite right. Example, for “name of first girlfriend?” I might choose my second girlfriend. “Name of first pet?” how about name of third pet, etc.

  7. I just bang on the keyboard and type in pure gibberish when asked a secondary question, in an attempt to render these secondary passwords completely unusable for anybody. Then I hope if I do somehow need to recover the account that I can use some other method.

  8. I keep my passwords in a Keepass encrypted password manager.
    In addition to that, I use the Notes field for each account in Keepass to maintain the list of questions and answers. I.e.:
    Q1: Street Lived on when you were 13
    A1: Nutella spread
    Q2: First pet Name
    A2: Volatile compounds

    I answer the questions wrong too.

  9. I use the same procedure I use for generating passwords: head -c 50 /dev/random | tr -dc 'a-zA-Z0-9'. Anything else opens up holes in the armor.

    Of course this means that I have to store them all. Sigh. But it’s better than using my dog’s (or any dog’s) name.

    And for the record, I have once been on the phone with an actual person, telling them that my high school was called “AKoZTXLhlSvZqwsY”. To their credit, they didn’t even ask.

    1. ‘And for the record, I have once been on the phone with an actual person, telling them that my high school was called “AKoZTXLhlSvZqwsY”. To their credit, they didn’t even ask.’

      I’m glad I’m not the only one that’s been through that. I use PWGEN, set to the default of eight digits, to generate my responses, so it’s much simpler when your first boyfriend or girlfriend is named: “5pMCoPeV”.
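To put numbers on the points made in comments 3, 5.1, 9 and 11 above, here is an added example (not code from the article or any commenter) that compares the entropy of a "favourite colour" answer with random generated answers, mimics the `tr -dc 'a-zA-Z0-9'` filter to show how many characters 50 random bytes actually leave, and checks a generated answer against a site's form rules. The six colour names and the 8-character pwgen default are taken from the comments; the 16-character default and the site rules are assumptions.

```python
import math
import secrets
import string

# The 62-character set that `tr -dc 'a-zA-Z0-9'` keeps.
ALNUM = string.ascii_letters + string.digits

# Constructed sample: the six colour names a commenter estimates cover most
# "favourite colour" answers. Treating them as equally likely is an upper bound.
COMMON_COLOURS = ["white", "black", "red", "yellow", "green", "blue"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in an answer drawn uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def tr_alnum(raw: bytes) -> str:
    """Mimic `tr -dc 'a-zA-Z0-9'`: drop every byte that is not an ASCII letter or digit."""
    return "".join(chr(b) for b in raw if chr(b) in ALNUM)


def expected_tr_length(n_bytes: int) -> float:
    """Average characters left after filtering n_bytes of /dev/random through tr_alnum.
    Each byte survives with probability 62/256, so 50 bytes give about 12 characters
    (roughly 72 bits), not 50 characters."""
    return n_bytes * len(ALNUM) / 256


def random_answer(length: int = 16, alphabet: str = ALNUM) -> str:
    """A fresh answer from the OS CSPRNG, meant to live in a password manager's notes."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fits_site_rules(answer: str, max_len: int, alnum_only: bool) -> bool:
    """Check a generated answer against the form's limits before submitting it."""
    if len(answer) > max_len:
        return False
    return all(c in ALNUM for c in answer) if alnum_only else True


def compare_answer_strength() -> dict:
    """Entropy, in bits, of the answer strategies discussed in the comments."""
    return {
        "favourite colour (6 common names)": entropy_bits(len(COMMON_COLOURS), 1),
        "pwgen default, 8 alphanumerics": entropy_bits(len(ALNUM), 8),
        "50 bytes of /dev/random through tr (~12 chars)": entropy_bits(len(ALNUM), round(expected_tr_length(50))),
        "random_answer(16)": entropy_bits(len(ALNUM), 16),
    }


if __name__ == "__main__":
    for strategy, bits in compare_answer_strength().items():
        print(f"{bits:6.1f} bits  {strategy}")
    question, answer = "Street lived on when you were 13", random_answer(16)
    print({"question": question, "answer": answer, "fits": fits_site_rules(answer, 32, True)})
```

Store the question text beside the answer, as the commenters do in their managers' notes, since a site may reword or replace the question it shows you.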

  10. The only time I had problems with my ISP passwords for e-mail is when AT&T made the mistake of allowing Yahoo to display their e-mail. Let’s just say it was resolved.

    I always thought that the one of the entries for Sarah Palin, was “I am a complete idiot in politics.” and the other was “I lie a lot more then any other politician”.. And you don’t want to know what John Cleese said about that idiot……

  11. I usually answer with a full sentence related to the question. I try to let the answer go on somewhat of a tangent to make it more secure. My answers are saved as secure notes in LastPass.
    I did have one security question (don’t remember where right now) that would only allow a single word answer with no punctuation.
    My solution to that?

    Holy$#!%ThisIs*%&#!^~Insecure

    They didn’t allow special characters either.

  12. i hate password systems. i wish we would go to longer passphrases with really high minimum password length requirements, down with draconian (and often quite stupid) password requirements, and do away with password recovery entirely. if i can choose a password i can actually remember, then perhaps i wouldn’t need to recover it. two factor is also rather annoying. when used for password recovery it makes sense but when you have to log into two things instead of just one every single time just to do something stupid, it’s just a pita which could be solved with ip range logging. and i can’t help but worry that when one account becomes compromised that it might give away the keys to the others.

  13. Give the same pseudo deterministically random answer for all of them.

    What’s your mother’s maiden name? maiden parrot pie
    What was your highschool’s mascot? highschool parrot pie
    What ..? .. parrot pie

  14. The names I used for high scores in arcade machines, unit conversions to drawn to ridicule decimal points, and mental associations.
    The last one seems the most secure, since you’d need access to my brain to understand the link between question and answer.
    Ex.
    Q: What cafe has terrible coffee, but great sweets?
    A: cream cheese, baby carrots, and tuna.

  15. much like a lot of others, gibberish, or completely wrong answers, saved to Keepass. but with a twist: I have my own domain, so I am making a new alias email address for every site, with some logic, like: asdf.hd@mydomain.com (hd would be the HaD). so the email+pass is unique, and if some site starts to spam (or gets hacked, and the email is stolen), I just delete the alias, and that’s it :)

  16. The worst offender I’ve seen is Citibank. They not only require one to pick the question from a list, but that list is only one item long. Like… Never had a pet? Tough luck, that’s the question you will answer in any case.

    I consider myself lucky that the security question fad has never really taken hold this side of the pond. Places that require extra security, like banks, use 2-factor authentication (mobile app, 2FA token, card with random numbers printed on…) and/or multiple channels (usually SMS or phone call to authenticate or authorize web activity).

  17. I go for odd combinations when asked to provide both the question and answer.
    For example (one I don’t use):
    What’s yellow and shaped like a banana?
    Donkey.

    I can remember that. And lots of others of a similar odd theme.
    I’m sure if someone of enough intelligence got a few of mine they’d be able to guess them as there would no doubt be a pattern.

    I hate the ones which ask for stuff people tend to put on facebook (not that I use facebook nor would disclose). So I also answer them randomly and yep sometimes this ends up with problems.

    Worst time I ever had with security questions was getting locked out of my Barclaycard account. They were asking me about transactions on my bill. But they were not making sense.
    For example they said “a purchase from an internet service provider”; they meant Amazon.
    And a few others like that. Idiocy. I failed the test.
    Rang back, got someone else with more sensible questions and got in.
    Cancelled the card on the same call.
