
My mother's maiden name on exactly one website is "X729gD9naatotKORNKkuV0BwSm4A8GnL". On another it's "7RQCpeaG66ffxxgEoUKwvcSZfj6hEZ3Z".



That may work in cases of online password resets, but I believe it has been demonstrated that they are not great for social engineering reasons. A hacker can just say, "oh I just mashed the keyboard for that," or worse, the agent thinks it is an error or glitch and lets the hacker in.

I think best to use a real, but different last name on all your sites.


Do most websites have call centres where you can try to trick agents? Also, how gullible are call centre agents at financial institutions? If they're really giving out access to random people claiming to have forgotten the security answer, it's pretty clear-cut the bank should be on the hook for damages if money gets stolen. Nothing like the prospect of having to pay out damages for gullible call centre agents to motivate training agents to be smarter.


Additionally, many institutions guard against this by having systems that hide the security question from the customer service representative and only authenticate on a correct answer. If they are showing the "secret questions" to their entire customer service department, you don't even need to worry about outside attacks because your organization is ripe from the inside.


I speak from anecdotal experience here but have seen a bank account password reset using only the confirmation of address, name, DOB and bank card #.


The customer support rep once let me into my 2FA Bank of America account when I simply lost my phone. Just had to answer some questions you could find in a WHOIS query.

"Surely financial institutions are more secure" is only a pleasant thought.


In this case a long passphrase (a la xkcd: https://xkcd.com/936/) is probably the best choice. It still looks legitimate, while being more secure than any random real name.



