Brokerage login now requiring I answer these questions. Not a single one of these has a single answer I’d actually remember. They all have problems: it’s unclear what would actually count, there are multiple possible answers to choose from, they’re not things people would remember, or they just don’t apply to most people.

  • Krudler@lemmy.world · 23 days ago

    pick the first three, then always punch in your own version of “none1” “none2” “none3” as the answers. This isn’t rocket surgery.

    • dingus@lemmy.world · 22 days ago

      Haven’t you ever had places randomize the question order when you have to answer them later?

      • Krudler@lemmy.world · 22 days ago

        Do you not get the basics of this? You’re not asked to pick from all the questions when you answer the security questions in an authentication scenario… lmao

        • dingus@lemmy.world · 22 days ago

          Do you not understand what I’m saying?

          Let’s say it asks you to pick from multiple questions.

          1. X
          2. Y
          3. Z
          4. A
          5. B
          6. C

          You choose questions Y, B, and C. You answer them as none1, none2, and none3.

          When you need to answer a security question, it randomly gives you question Y. But question Y is not numbered. How do you remember that the answer to question Y is none1 and not none2 or none3?

  • PunnyName@lemmy.world · 23 days ago

    Doesn’t need to be real answers. Can just use combo nonsense like correcthorsebatterystaple or whatever.

    But yeah, lots of other people are fucked.

  • Nikko882@lemmy.world · 23 days ago

    Most of these read like ads. Most of the rest read like information found in an advertising profile (the kind of info that ad companies purchase). Only a couple read like actual things people care about.

  • Kairos@lemmy.today · 23 days ago

    Just make the answers diceware passwords and store them in your password manager.

      • IHawkMike@lemmy.world · 23 days ago

        It’s unlikely since it uses the field ID and not the text, so it wouldn’t know which question went with which answer.

        It’s so rarely needed to actually use these anyway, that it’s a non-issue IMO. You should never opt to use security questions as they are terrible from a security standpoint. This is just for when they are required by stupid websites.

    • fulg@lemmy.world · 23 days ago

      This is the right answer. I never answer those, you add new entries in your password manager in the notes for the main site.

      If you answer truthfully to any one of those “security questions”, your account is at risk.

        • fulg@lemmy.world · 22 days ago

          TIL about hidden options in Bitwarden, thanks!

          I of course already use the password generator to make up the random string, and often you can’t use special characters there since they expect real words as answers.
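The "generate a random answer and keep it in the password manager" approach from this subthread, as an added worked example that is not part of any comment above. It generates a diceware-style answer from a CSPRNG (letters only, because, as noted above, many forms reject special characters), reports how much guessing entropy that buys, and keeps answers keyed on the normalized question text rather than on its position, which is what makes the randomized question order raised earlier in the thread a non-issue. The 32-word list and the `SecurityAnswerVault` class are constructed for this example; a real diceware list has 7776 words, and the vault stands in for the notes field of a password-manager entry.

```python
import math
import re
import secrets

# Constructed 32-word list so the arithmetic below is exact (5 bits per word).
# A real diceware list has 7776 words (about 12.9 bits per word).
WORDLIST = [
    "acorn", "badge", "cider", "dune", "ember", "fjord", "gable", "harp",
    "ivory", "jolt", "kelp", "lumen", "maple", "nudge", "orbit", "plume",
    "quill", "raven", "sable", "tulip", "umber", "vigil", "wharf", "xenon",
    "yodel", "zephyr", "amber", "bison", "cobalt", "delta", "elm", "fable",
]


def generate_answer(words=4, wordlist=WORDLIST, separator=""):
    """Diceware-style answer chosen with the OS CSPRNG (secrets, not random).

    The separator defaults to nothing because many enrolment forms reject
    spaces and punctuation: they expect something that looks like a word.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(words, wordlist_size):
    """Guessing entropy, in bits, of an answer made of `words` uniform picks."""
    return words * math.log2(wordlist_size)


def normalize(question):
    """Key answers by the question's text, not its slot in the enrolment list,
    so the lookup still works however the site reorders or re-cases them."""
    return re.sub(r"[^a-z0-9]+", " ", question.lower()).strip()


class SecurityAnswerVault:
    """Stand-in for the notes field of a password-manager entry (constructed)."""

    def __init__(self):
        self._answers = {}

    def enroll(self, question, answer=None):
        """Store (and, if none is given, generate) the answer for a question."""
        if answer is None:
            answer = generate_answer()
        self._answers[normalize(question)] = answer
        return answer

    def lookup(self, question):
        """Return the stored answer, or None if this question was never enrolled."""
        return self._answers.get(normalize(question))


def has_only_letters(answer):
    """True when the answer would pass a 'letters only' form validator."""
    return answer.isalpha()


if __name__ == "__main__":
    vault = SecurityAnswerVault()
    question = "What was the first stock you ever bought?"
    answer = vault.enroll(question)
    print(f"{question!r} -> {answer} ({entropy_bits(4, len(WORDLIST)):.1f} bits)")
    # The site later shows the same question lower-cased and without the '?'
    print(vault.lookup("what was the first stock you ever bought") == answer)
    print(f"4 real diceware words: {entropy_bits(4, 7776):.1f} bits")
```

Four words from a full diceware list give about 51.7 bits, far beyond anything an attacker could infer from a data-broker profile; the toy list here gives only 20 bits and exists so the example runs offline.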

  • The Hobbyist@lemmy.zip · 23 days ago

    The best insight I remember reading about questions as MFA, is to consider the answer as a password. If you use a password manager, don’t feel forced to use actually true answers. The answer doesn’t have to be true, you just need to know it. Use a password manager and invent answers which you store. This is so much more secure than relying on the truth.

    Edit: others mention the same thing.

  • Ech@lemmy.ca · 23 days ago

    Why would you answer the actual question anyway? That just means if someone knows the actual answer, they can get into your account. The question shouldn’t matter. It should be treated as a secondary/tertiary/etc password.

  • andyburke@fedia.io · 23 days ago

    use a local password manager

    you can usually log these questions and your answers in there.

    make sure your answer has nothing to do with the content of the question.

  • Piatro@programming.dev · 23 days ago

    So-called “security questions” like these are prohibited under various standards (there’s a NIST one that I can’t remember exactly, and OWASP ASVS) because they’ve always been really terrible at verifying it’s actually you answering them, and not just someone who happens to know the answer. Mother’s maiden name being the notorious example.

  • jordanlund@lemmy.world · 23 days ago

    “What’s the first app you installed on your smart phone?”

    How many of these accounts can now be compromised by answering X/Twitter/Facebook/Instagram/WhatsApp?

  • partial_accumen@lemmy.world · 23 days ago

    One method to approach this is to use a simple personal algorithm to create answers here. As in, you could put any security question in front of someone that uses this method, even questions never seen, and the personal algorithm would produce an answer only the user would know. Here are a couple of algorithms I made up to show an example for this post.

    Input security question (the first from OP’s list): What was the first stock you ever bought?

    • Algorithm number one answer: eight - Algorithm: How many words in the security question?
    • Algorithm number two answer: sold - Algorithm: Ignore all words except the verb, in this case “bought”. Whatever the verb is, the answer is always the opposite verb.

    This way you don’t necessarily have to write down your security question answers. Most certainly never write down your personal algorithm. Using this method it is trivially easy for you (and only you) to produce an answer from any security question given to you and equally easy for you to reproduce the answer when you need it in the future.

  • HubertManne@piefed.social · 22 days ago

    I always called them insecurity questions. I’m almost sure it’s easier for someone or something with a dossier on me to answer any of them than me.