I have personally experienced a CS rep accepting “it’s just a bunch of random characters” as an answer. Combined with the fact that you just went on the record as using that scheme, your opsec just took a dramatic hit.
The first time I had a CS rep require me to recite my 64-character alphanumeric answer was what prompted me to switch my strategy. Now I generate a list of four arbitrary words for every answer to security questions... so much easier to answer.
It just goes to show that these questions are useless as a security barrier. Any institution still using them is doomed to have a social-engineering vulnerability.
I think I would refine that like this: among companies that train workers against social engineering, ones that pay workers peanuts are going to still be more susceptible than the others simply because of the don't-care factor.
Other than that, anyone is susceptible to social engineering, regardless of pay. Social engineering is crafted to suit demographics.
What's the absolute worst that could happen if you crack my free account on some cooking website?
Maybe you favorite a bunch of recipes with lima beans (which I hate). Instead, you discover that I was really into lentil dishes for a while, but have been more interested in dumplings this fall. Maybe this could be used in some sort of elaborate social engineering scheme that nets you more valuable information, but I'm not seeing how....
> What's the absolute worst that could happen if you crack my free account on some cooking website?
The worst that could happen is that you used the same password there as for your online banking, or important e-mail account and such.
If you didn't do that, then the impact is approximately zero.
Of course, that cooking site still wants you to use a sufficiently long password with at least one digit, capital and lower case letter, and special character ...
Okay, I set myself up for this by saying "absolute worst", but this strikes me as so unlikely that it's not really worth worrying about. After all, someone could make a new account using your name (+ some numbers) /right now/!
I disagree. I do the same for certain sites. I have a gmail that I use for weird sites that I most likely won't visit again or any time soon and answer the security questions much the same. If this account gets compromised I literally lose nothing other than making a new gmail and doing it again. This shows nothing about my bank or Facebook or actual gmail account security, as those I do take steps to protect.
Hopefully they're using unique usernames and not using the same username all over the Internet. Or, worse, a variation of their real name as a username.
In this case a password like “to be repeated exactly: <random string>” has the same properties and can be divulged without affecting opsec particularly.
(Un)fortunately, normal people don't think like programmers. That's why security questions exist, in the first place. Do you think they won't accept "It's to be repeated exactly, and then gschgschgsch. Ahh, youth. Those were the days."
If you think that's bad: I always enter a fake phone number. Once, a company turned out to use them as verification for phone support. I didn't know, and had forgotten, so gave my actual number. "Oh, it says something else here. Shall I just go ahead and remove that, then?". I wanted to cry.
Not that I condone this strategy, but what is the threat model where an impersonator knows to say, "It's to be repeated exactly, and then adso&#fjsou..."?
Well yeah, in this case that's the weakness. But before parent announced their strategy on this forum, what was the threat model? Hell, let's assume OP obfuscated the introductory part in their comment to avoid that leak.
If they're willing to brag about their passwords on the internet, I'd be willing to bet that family and friends have the same information.
Assuming that wasn't true, a customer service rep for the phone company could call the customer's bank and try to impersonate the customer, assuming it's used often (like the poster stated).
I'm always shocked by how small the fields for some of those inputs are though. How much space for entropy do you have left after including the notice about needing an exact match?
Well, hell, I got off with just saying "I don't remember it" and then following up with details of _recent_transactions_ not one time. This whole "personal question" scheme is useless.
I just reset my password for American Airlines. They ask me 3 (what I would consider public questions) about myself, then let me reset the pw in browser. No emails or any other authentication. I'm still blown away.
Use plausible sounding, but random answers.