
The first time I had a CS rep require me to recite my 64-character alphanumeric answer was what prompted me to switch my strategy. Now I generate a list of four arbitrary words for every answer to security questions... so much easier to answer.
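One way to generate that kind of answer in a way that holds up, as an added example (this is not the commenter's code): pick the words with a cryptographically secure generator rather than `random`, and size the word list so the answer carries real entropy. The word list below is a constructed 32-entry sample used only so the block runs offline; a real one (for example a diceware list of 7776 words) gives roughly 13 bits per word instead of 5. The answer is meant to be stored in a password manager next to the login, not memorised.

```python
import math
import secrets

# Constructed sample word list for the demo (32 entries = 5 bits per word).
# Assumption: a real deployment substitutes a large published list.
WORDS = [
    "apple", "anchor", "basket", "candle", "copper", "dolphin", "ember", "falcon",
    "garden", "hammer", "island", "jacket", "kettle", "lantern", "marble", "needle",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella", "velvet",
    "walnut", "yarrow", "zebra", "acorn", "bridge", "cactus", "donkey", "engine",
]


def random_answer(words, n=4, sep=" "):
    """Return n words drawn uniformly and independently with a CSPRNG.

    secrets.choice is used instead of random.choice so the answer is not
    predictable from a seed; duplicates in the list would skew the draw,
    so they are rejected up front.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(n))


def answer_entropy_bits(list_size, n):
    """Bits of entropy in an n-word answer drawn from list_size words.

    A fixed answer such as "School" for every site is list_size == 1,
    which yields 0 bits once the scheme itself is known.
    """
    return n * math.log2(list_size)


def is_valid_answer(answer, words, n=4, sep=" "):
    """Check that an answer has the expected shape (useful when reading it
    back from a password manager or a CS rep over the phone)."""
    parts = answer.split(sep)
    return len(parts) == n and all(p in words for p in parts)


if __name__ == "__main__":
    answer = random_answer(WORDS)
    print("answer:", answer)
    print("sample-list entropy:", answer_entropy_bits(len(WORDS), 4), "bits")
    print("diceware-size entropy:", round(answer_entropy_bits(7776, 4), 1), "bits")
    print("fixed-word scheme entropy:", answer_entropy_bits(1, 4), "bits")
```

Four words from a 7776-word list are about 52 bits, which is far beyond anything a support desk will brute-force by voice; four words from the toy list above are only 20 bits, which is why the list size matters more than the word count.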


What's the name of the first school you went to?

"School"

What's the name of your first pet?

"Pet"

---

I use this scheme when I need to come up with these types of answers for a service that I don't deem as super critical or risky...


That’s twice in this thread that someone has revealed pretty potent details of their personal security.


It just goes to show that these questions are useless as a security barrier. Any institution still using them is doomed to have a social-engineering vulnerability.


Any company employing low cost workers is vulnerable to social engineering and bribery.


I think I would refine that like this: among companies that train workers against social engineering, ones that pay workers peanuts are going to still be more susceptible than the others simply because of the don't-care factor.

Other than that, anyone is susceptible to social engineering, regardless of pay. Social engineering is crafted to suit demographics.


What's the absolute worst that could happen if you crack my free account on some cooking website?

Maybe you favorite a bunch of recipes with lima beans (which I hate). Instead, you discover that I was really into lentil dishes for a while, but have been more interested in dumplings this fall. Maybe this could be used in some sort of elaborate social engineering scheme that nets you more valuable information, but I'm not seeing how....


> What's the absolute worst that could happen if you crack my free account on some cooking website?

The worst that could happen is that you used the same password there as for your online banking, or important e-mail account and such.

If you didn't do that, then the impact is approximately zero.

Of course, that cooking site still wants you to use a sufficiently long password with at least one digit, capital and lower case letter, and special character ...


Wherever you can publish text or media (e.g., on a cooking site), speech crimes can be committed under your account.

Fancy a prison term in one of the more enlightened European jurisdictions, or Canada?


Okay, I set myself up for this by saying "absolute worst", but this strikes me as so unlikely that it's not really worth worrying about. After all, someone could make a new account using your name (+ some numbers) /right now/!


I disagree. I do the same for certain sites. I have a gmail that I use for weird sites that I most likely won't visit again or any time soon and answer the security questions much the same. If this account gets compromised I literally lose nothing other than having to make a new gmail and do it again. This shows nothing about my bank or Facebook or actual gmail account security, as those I do take steps to protect.


Hopefully they're using unique usernames and not using the same username all over the Internet. Or, worse, a variation of their real name as a username.


That's amazing! I've got the same security answers on my luggage!



