Secret questions

[toorsdenote]

I just set up an an account on the website for one of our utilities, so I had my password program generate a nice strong password for the site.

Then it asked me to answer one of the following "secret questions," which can be used to reset my password if I forget it.

I hate these things. Half of them ask for things like your hometown and your mother's maiden name, either of which could be easily gleaned from my Facebook account.

Here are the questions this site asked. It made me curious: how many of them can you answer ABOUT ME? I feel like there are a lot of people out there who could answer some of these questions correctly.

• Where is your favorite vacation spot?
• What is the name of your first pet?
• What is the last name of your best friend?
• What is the title of your favorite book?
• What is the name of your first school?
• What is your favorite food?

Comments

[http://users.livejournal.com/_tove/]

An obvious possible answer to question 3 is "Carlson."

[toorsdenote.livejournal.com]

Yeah, I was just thinking about that. I wonder what percentage of people, when asked who their best friend is, would list their spouse, sibling, cousin, etc. etc.?

[gwillen.livejournal.com]

If you care about the account, do what I do: generate random passwords for the security question answers. (I half-assume that's what you did.)

[toorsdenote.livejournal.com]

Funnily enough, it didn't occur to me to generate a random password. I did give a fake answer and save it in KeePassX, though. :-) I suppose I'm worried that I'd have no access if somehow I didn't have access to KeePassX, and I have more confidence I'll remember my fake answer than a random password.

[gwillen.livejournal.com]

Well, presumably if you don't have access to KeePassX you won't be able to get in anyway, because you won't know your password. There are KeePass compatible apps for both iphone and android; you should probably copy your database onto your phone and install one. :-)

[chrisamaphone]

i can't answer any of these without just guessing, but now i'm imagining going on an okcupid date with someone and "casually" asking them all these questions, just to see if they catch on.

[jcreed.livejournal.com]

HELLO INTERNET FRIEND WHAT IS YOUR FAVORITE FOUR DIGIT NUMBER

FASCINATING

NO IT IS NORMAL TO TAKE NOTES ON DATES WHERE I AM FROM

[mary tillinghast leneis (from livejournal.com)]

You owe me a new keyboard, I just snarfed on mine.

[(Anonymous)]

I could take a good stab at four of them. But I could probably also forge your signature and abduct your child. Be very afraid.
P.S. I'm your mum.

[toorsdenote.livejournal.com]

Well, I could forge YOUR signature and abduct YOUR child too! So there!

[mary tillinghast leneis (from livejournal.com)]

Abduct me? Or yourself? Yeah, I can forge Mum's signature. Not so good at yours, Marj, and I know there are several questions here where I would just be guessing.

Charles says there have been internet studies showing that these questions are horribly broken and are by far the easiest way to hack into an account. As a result, he has "pretend" answers for all the questions they could possibly ask. Unfortunately, he can't remember his pretend answers, so he often locks himself out of things. That and the fact that he can't remember how to spell his mother's actual maiden name.

I tend to do something similar - I don't list my ACTUAL last school attended, or my ACTUAL first pet. I list *a* school attended and *a* pet, which is still insecure.

I had to phone the bank to reset my credentials recently (because I unexpectedly logged in from work, and it wasn't the IP address they were used to, so they flagged me as possibly-hacked... not sure whether I appreciate the overzealousness or if I just find it irritating). When she asked me for a memorable date, she was taken aback that the date wasn't within my lifetime. What's the point of having a memorable date if you can probably guess two, maybe three digits of the year?

[meshach.livejournal.com]

I've heard of people answering a similar question, but not actually the same one.

For example give the first name when it asks for the last. Or the state if it asks for a city.

[mary tillinghast leneis (from livejournal.com)]

Ooh, that's a good idea. For added security, you could have a default prefix/suffix that you always include in the questions. So if it asks for city of birth, if you not only put a state but put "5$.Montana" it would be a bit more secure...