Every time I'm confronted with these types of questions I just roll my eyes and add a 'Mother's maiden name' text entry to my password manager with a 16 digit random string.
I share worries I've seen expressed elsewhere that this opens up a social engineering attack vector where an imposter gets through to phone support and says "oh I just typed a bunch of gibberish for the answer and can't remember it." Wouldn't a false, long, maybe hyphenated, but plausible surname be better for this reason?
I also generate them with a password manager. FWIW, I always start with “it’s a long gibberish string” and no one has ever been satisfied with that. I’ve always had to recite it. Anecdotal I know.
Sure, but you're not spending all day running customer service "DoS attacks" against people's bank accounts. Even if "it's gibberish, and I forgot it, can't you please help me out" only works one time out of a thousand, do you really want to bet your bank balance on a weak link customer service rep who's just a tad too eager to help?
I think it’s all debatable. That human will always be a weak link. It just takes one representative to forget to ask or get convinced with “oh it’s my wife’s mother’s maiden name and my wife isn’t here and I’m in a real bind”.
But in exchange, my security answers are no longer compromisable online. I think overall it’s a positive trade off, but that’s just my hunch.
I agree, I think they’re a real problem. I think it’s possible to eliminate human error over the phone too. Perhaps design a system that doesn’t let the representative into your account until they type in the 2FA token your phone provides or something (I don’t really know, I’m far from a security expert).
I just wrote a mini Rust script (https://github.com/rtaycher/make_password) to spit out 5 random dictionary words for secure passwords I need to share. Everything else gets auto generated by KeePass; I should probably just figure out how to write a KeePass plugin.
1Password allows you to generate word based passwords instead of random strings. I do this because it’s much easier to type manually if I’m logging into a system where I can’t copy paste from 1P.
To protect against such attacks, I write some normal English before getting to the randomness, something along the lines of “This MUST be quoted exactly or it is wrong”. That’s ~40 characters “wasted” (they’ll normally have distressingly low character limits, but I find them to normally be at least 50 characters), but I’m optimistic about it offering reasonable protection against such an attack.
In practice, I’ve never actually had to quote such a string to anything but a machine, so it is mere optimism on my part.
Which makes it less secure. Customer support rep may find it reasonable to dismiss it as random characters and let the attacker bypass the check entirely.
If the attacker knows it looks like gibberish, they can try "Heh, whoops, I just put in random characters at the time. Can we try something else?"
I think a false, convincing, and unlikely answer is reasonable. "My childhood dog's name was Alexander Hamilton."
OT: Just wondering why so many people are using password managers. When you use a password manager you have one single point of attack and failure. I wouldn't like to give all my credentials to one single entity.
Unfortunately I haven't found a reasonable alternative.
I have to use HUNDREDS of passwords every few weeks. HUNDREDS! Some for work, some for personal. Occasionally a service gets broken into so I can't have all of them be the same password and I can't have a system where I add, say "FB" to the end of the password to denote a service as that makes it pretty vulnerable.
So I am forced to use a password manager. I hate it and I'm terrified it'll get broken into one day. But what alternative do I have? I enable 2 auth on everything that I can but those are a very, very small handful compared to all of the usernames and passwords I have to use.
How do you not use a password manager is my question.
Well, personally, prior to using a password manager, I had one user name (plus variations for when that user name was already taken) and something like three different passwords for all of my services.
The passwords weren't horrible, brute-forcing them would have taken a while, but if you have the same user name and password in many services, then it just takes for one of those services to get compromised to have many of your accounts be compromisable.
And generally speaking, unless you're a high-ranking target, it's far more likely for a service to get compromised than for someone to even bother attacking your device.
And yeah, sure, I could have just remembered more different passwords and user names, but I'm a human and that requires effort.
Now when using a password manager, I can easily choose different user names, e-mail addresses, passwords and far more complicated passwords as well. And all of that with basically no effort.
This also improves privacy, as with different user names it's much harder to link up my different accounts' postings. And I can now easily maintain multiple accounts for the same service, too, allowing me to spread out postings across those, so that you can't follow back my post history for all eternity to link up all kinds of information that I've posted over time.
That's why I don't use a cloud password manager. I use one that allows syncing my devices directly with my phone via wifi. Doesn't even touch a file hosting service like Dropbox.
Yes, that makes the physical devices a vulnerability, but the attacker would still need to guess or brute-force the master password to decrypt the vault. It's also a much less juicy target than a million customers of a cloud service.
And as someone else pointed out, using the same password everywhere is a non-starter. Nor is memorizing the passwords for more than a tiny fraction of the roughly 1000 entries in my password manager.
The password manager is typically on a machine you control. If your machine is owned, you've got issues regardless. A password manager provides a way to effectively utilize higher-entropy, per-account passwords. As with all security-related matters, it's a tradeoff. I expect many choose password managers for this reason.
In terms of physical control of the machine? In terms of what software is loaded on the machine? Would you elaborate on what you mean "typical password manager user" and "does not control"?
Also, why would you use internet banking for your primary bank account? It's just increasing your attack surface.
I only have internet banking enabled for my secondary account (which has 2FA), which never has more than £100 in it, and I only did that so I could xfer money to my p2p account.
I use diceware-type passphrases (a bunch of entirely random real words) for security questions for this reason. Bit weird to say "I was born in 'correct horse battery stapler'" but it doesn't seem to bother banking phone reps much.
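The two approaches discussed in this thread, a random string stored in the password manager as the "answer" and a diceware-style passphrase of random dictionary words, differ mainly in how much entropy each symbol carries and how easy the result is to read over the phone. The following Python is an added example written for this page; it is not code from any commenter, nor from the linked make_password repository. It draws every choice from the OS CSPRNG via `secrets` and computes the entropy of both kinds of answer, so you can see how many words are needed to match a 16-character random string. The embedded word list is a constructed stand-in for a real Diceware list (which has 7776 words); the function and variable names are this example's own.

```python
import math
import secrets
import string

# Constructed sample word list. A real Diceware list has 7776 (6^5) words;
# this 32-word list only keeps the example self-contained and runnable offline,
# and deliberately shows how little entropy a small list gives per word.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "blanket", "cactus",
    "dolphin", "ember", "falcon", "garden", "harbor", "island", "jacket",
    "kettle", "lantern", "meadow", "nickel", "orchid", "pepper", "quartz",
    "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yogurt",
    "zephyr", "copper", "maple", "silver",
]

# Alphabet for the "16 digit random string" style answer: 62 symbols.
ANSWER_ALPHABET = string.ascii_letters + string.digits


def random_answer(length=16, alphabet=ANSWER_ALPHABET):
    """Random string to store as a security-question answer.

    secrets.choice is unbiased (no modulo skew) and backed by the OS CSPRNG,
    unlike random.choice, which is seeded from a predictable generator.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_phrase(words=5, wordlist=SAMPLE_WORDLIST, sep=" "):
    """Diceware-style passphrase: each word chosen uniformly and independently.

    Independence is what makes the entropy calculation below valid; picking
    words "at random" by hand does not give this guarantee.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, symbols):
    """Entropy in bits of `symbols` independent uniform draws from `choices`."""
    return symbols * math.log2(choices)


def words_for_target(bits, wordlist_size):
    """Smallest number of words whose passphrase entropy reaches `bits`."""
    return math.ceil(bits / math.log2(wordlist_size))


def phrase_entropy(phrase, wordlist=SAMPLE_WORDLIST, sep=" "):
    """Entropy of a phrase *if* it was generated by diceware_phrase from `wordlist`.

    Raises ValueError for words outside the list, since a phrase someone made
    up (or one containing a name) has no such guaranteed entropy.
    """
    words = phrase.split(sep)
    if not all(w in wordlist for w in words):
        raise ValueError("phrase contains words outside the generating list")
    return entropy_bits(len(wordlist), len(words))


if __name__ == "__main__":
    print("random answer  :", random_answer())
    print("  entropy bits :", round(entropy_bits(len(ANSWER_ALPHABET), 16), 1))
    print("diceware phrase:", diceware_phrase())
    print("  entropy bits :", round(entropy_bits(len(SAMPLE_WORDLIST), 5), 1))
    print("words needed from a 7776-word list to reach 64 bits:",
          words_for_target(64, 7776))
```

With the 62-symbol alphabet, 16 characters carry about 95 bits; five words from a full 7776-word Diceware list carry about 65 bits, which is still far beyond what an attacker can guess through a rate-limited web form or a phone agent. The passphrase is the one you can actually read aloud, which is the trade the thread is weighing.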
I love just how pervasive the influence of xkcd is! I do the same as you by the way, and no one has ever called me on using something that is obviously not a name.
I go out of my way to come up with particularly ridiculous answers to these questions in cases where I know someone might eventually want me to answer them over the phone.
The next time I need to answer a secret question that might be used over the phone I'm going to write the answer in as:
"No thanks, that information is private and I'd rather not share it over the phone. I know, you're probably going to say that you can't help me without this information and you're doing this to help prevent identity theft but I stand by my choice to not partake in answering your question. Can I speak with a manager?"
I’ve toyed with the idea of replacing my signature with 8 random hex characters. Possibly selected spontaneously, different each time. Or writing “handwritten signatures are outmoded; use digital signatures that actually mean something” or similar.