I just had to convert my online bank account to their new (2nd in a year) system, which now requires five security questions. As a single man who doesn't have a "favorite" anything, this proved to be a challenge. All questions were either regarding spouses, favorite somethings, or questions about descendants which I have no clue about.
I ended up just picking random questions and setting them all to the same answer, which has nothing to do with any of the questions - something that I can't even misspell if I tried. This is going to be my new strategy moving forward.
And don't even get me started on their silly username and password "security" rules.
"to circumvent security and break into (a network, computer, file, etc.), usually with malicious intent"
Just because they didn't impress you by finding a side channel timing attack for the password hashing algorithm used by Yahoo, doesn't make it any less of a hack.
Why spend millions investing in a network of computers to break encryption, when the key can be gained far more easily with a $20 tire wrench applied with sufficient force to the DBA's knee caps?
I do this, but it poses a problem for, as an example, banking, when they ask you the answer to your security question over the phone and you don't have access to your computer/password manager. Let's say you're one of those weird people without a laptop and your account is frozen while travelling overseas.
Having a cat named 1FD362BW9L6MBOWRD23SEF43 becomes a huge problem...
That's why I like 1Password. It's on my phone, so it's accessible, and I can do "words" instead of "characters".
So, I could very well have my mother's maiden name be "panda porpoise flutist sandpile", but I understand what you're saying. It may not be for everyone, but I work in the security sector and usually over-paranoid is better than ill-prepared.
Yes, this is the right way to go. Unfortunately it is limited to the tech savvy. Also, I know somebody who needed to contact a company by phone, and he needed to tell the rep his security answer. He had to read off his 20 random characters. Pretty lol.
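The approach the two posts above describe, random word-based answers generated per question so they can be read over the phone, as an added example that is not code from anyone in this thread. The wordlist is a constructed 32-word sample; a real generator would draw from a large list such as the EFF's 7776-word diceware list, and the entropy helper shows why the word form loses little against a 24-character random string.

```python
import math
import secrets

# Constructed sample wordlist (32 entries). Real use: a list of several thousand
# words, so each word contributes ~12.9 bits instead of 5.
WORDLIST = [
    "panda", "porpoise", "flutist", "sandpile", "anvil", "copper", "lantern",
    "meadow", "quartz", "saddle", "tundra", "velvet", "walnut", "zephyr",
    "bobbin", "cactus", "dormer", "ember", "falcon", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lumber", "marble", "nickel", "oyster",
    "pebble", "ribbon", "summit", "thistle",
]


def word_answer(n_words=4, wordlist=WORDLIST):
    """Random answer made of dictionary words; secrets gives CSPRNG choices."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_symbols, alphabet_size):
    """Bits of entropy in n_symbols independent picks from alphabet_size options."""
    return n_symbols * math.log2(alphabet_size)


def answers_for(questions, n_words=4):
    """One independent answer per question: the question text is irrelevant,
    and a leaked answer for one site says nothing about the others."""
    return {q: word_answer(n_words) for q in questions}


def normalise(answer):
    """Compare answers case- and whitespace-insensitively, so an answer read
    aloud to a rep and typed back still matches the stored value."""
    return " ".join(answer.lower().split())


def matches(stored, spoken):
    return normalise(stored) == normalise(spoken)
```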
Right? Like "what is your favorite food"... what do you mean what's my favorite food? What am I, five years old? Who the hell has a favorite food? I like pizza. I like wings. I like burgers. I like bbq ribs. Who has a single favorite food? "What street did you grow up on" like many people, we moved quite a few times when I was a kid. "What was your favorite vacation/What was your favorite concert/What is your favorite movie" change way too often for any long term kind of thing.
"What city did you meet your spouse in", "what was your first car" and "where were you born" are way too common of knowledge to work reliably. Security questions suck.
Principal.com asked me a question about which car I've owned, and gave me a list of cars with year, make, model, and trim level. I've owned at least a dozen cars, and can't remember them all, much less in that detail. Needless to say, I failed that one.
I have a similar story. I wanted to get a copy of my birth certificate sent to me. In order to do so, I had to answer some security questions, which were apparently drawn from public records.
E.g.: "what was the name of the person you bought your house from?"
Really? Not only was that transaction about 15 years earlier, but I never even met the people. They moved out of town long before their house sold. Who the fuck cares what their names were?!?! Nowadays all that stuff is done through real estate agents and title companies.
So, while filling out an online form, I'm supposed to go rummaging through 15 year old records to find the names? And what if I stored those papers offline for safekeeping (e.g. at a bank)? How long will the question on the screen remain active before it times out?
There has to be a better way of doing these things.
I ultimately ended up calling Principal. The person on the phone asked some silly questions too, but at least she let me pass on a couple. She then reset my account and sent a link to reset my password. That wouldn't be so easy with all sites, since they don't all have reachable humans.
I'm almost tempted to sign up just to see what that's about, but I'm sure I would just be torturing myself at this point. I've been going through a mortgage refi, and my bank was just the worst offender, but some of the other sites from which I needed to retrieve documents were almost as bad (I'm looking at you, Principal).