1. 34

  2. 19

    The best way to combat this is to not answer the questions for password reset at all. Use a password manager, and when a company asks something like “what was the name of your favorite teacher” give an answer like “zod the destroyer 7899” and never mention or tell anyone about this. Even if someone knows your favorite teacher, it won’t help them.

    1. 3

      I generate all the answers with my password manager too - and don’t re-use them between systems. It’s a bit of a pain to generate them but they’re not often asked for and I don’t want to have to inform my mother her maiden name is part of a data breach.

      1. 3

        Unfortunately you do need to be a bit careful with this. It’s possible (however dumb) that these answers are stored in plaintext and then presented to the user either as-is (multiple choice) or partially obscured (complete this name).

        If an attacker is trying to get through the reset process and is confronted with “What’s your mother’s maiden name? a) Jones, b) Smith or c) F32djsb/.$%” they might have better than 1-in-3 odds :-)
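The thread's two points above (generate random answers from a password manager; don't let the site keep them in plaintext where they can be shown back as a multiple-choice option) as an added example, not code from any of the posts: a client-side generator plus a server-side store that keeps only a salt and a scrypt hash of the normalized answer. The word list and all function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed word list standing in for a password manager's generator;
# a real manager would draw from a much larger list.
WORDS = ("zod", "destroyer", "teapot", "glacier", "violet", "saxophone",
         "lantern", "orbit", "copper", "meadow")


def generate_answer(n_words=3, n_digits=4):
    """Produce a throwaway answer such as 'zod destroyer orbit 7899'."""
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    digits = "".join(secrets.choice("0123456789") for _ in range(n_digits))
    return " ".join(words + [digits])


def normalize(answer):
    """Fold case and whitespace so 'Zod  the Destroyer' matches on re-entry."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer, salt=None):
    """Return only what the server should keep: a salt and a scrypt hash.
    The plaintext never lands in the record, so it can't be shown back."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return {"salt": salt, "hash": digest}


def verify_answer(record, candidate):
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.scrypt(normalize(candidate).encode("utf-8"),
                            salt=record["salt"], n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    answer = generate_answer()
    record = store_answer(answer)
    print(answer, verify_answer(record, answer.upper()))
```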

        1. 2

          I’m partial to being born somewhere like: Earth Sol System Orion Minor Galactic Arm Milky Way Galaxy

          And my favorite pet sometimes has ended up being something like: Leeloominai ekatariba tchai ekbat de sebat

          And favorite colors being Steve.

          I just plug all that crap into my password manager so that all my random “copy something from an open webpage” answers don’t go away.

          1. 1

            I do this (except the answers are randomly generated) and it turns out it mostly doesn’t matter. I’ve had to call services that use them and talk to customer service representatives. They’ve asked me the questions, along with other identifying information, and I told them that I didn’t know the answer. All I said was that it was probably random junk. They just ignored it and continued to deal with my problem.

            What’s even more interesting is that the rep on the phone would admonish me for forgetting the answer, telling me that they ask these things for my own security. It didn’t seem to register, even after I mentioned it, that it obviously doesn’t since I just bypassed them.

            1. 1

              A number of sites now do “identity verification” through (I believe) the credit agencies, where they’ll ask you questions about previous addresses based on the records those agencies have, not based on answers you provided yourself at any point.

              1. 2

                Yeah but that costs money and it still doesn’t fix the problem because your previous addresses can be known by the attacker.

                1. 2

                  Right, my point was that it’s not enough to use fake answers to security questions, because the real answers (at least regarding previous addresses) are still useful to attackers against these identity verification systems.

                2. 1

                  Not that you nor I can do anything about it here and now, but that practice should be heavily discouraged. The whole point of security questions is to answer stuff only I know. Which also makes 90% of the currently available choices (“Mother’s maiden name”, “First pet”, etc.) really poor choices. Allow me to make my own question and answer, and it should improve handily for some people, whereas people who fall back to the default questions are no worse off.

              2. 10

                Related to this, I know someone who got fired because of innocent activity on LinkedIn.

                I don’t remember his exact dates, but he put something like “June 2009 – November 2010” on LinkedIn and “June 2009 – February 2011” on his CV. He started a new job and got caught in “the lie”, but it wasn’t. His last day of work was in November, but his severance period continued for three months.

                He did nothing wrong; but he was fired anyway, because his new company didn’t want to be stuck with someone who’d lost a job in the past.

                It’s an evil world where workers have no power and surveillance of us by employerfolk is ubiquitous and easy. Unless you get into the 0.1% who becomes a YouTube celebrity or a bestselling author, you shouldn’t want any public reputation; it can only hurt you. I realize that there’s some apparent hypocrisy in me, of all people, saying this; but hear it from someone who’s suffered.

                1. 13

                  I almost lost a job offer because of something like that. I worked for a university group that didn’t really have a “home”. For a while my paycheck came from the associated research foundation, later it came from the University itself. My team/boss/work never changed. I put it as one job on a resume and was called out on it. I had to get a former boss to take a call on vacation to sort it out.

                  Glad I didn’t take that job. When a company gives you a peek into how they do things: believe them.

                  1. 6

                    I’m curious about your opinion of _why? He took the approach of being public, without sharing any details. His success ultimately led to a deanonymization, reversing everything.

                    I guess the question is: how do you actively participate in conferences, and other valuable learning opportunities without building a public reputation? And, of course is there a way to go back to that? Seems highly unlikely.

                    1. 5

                      I couldn’t tell you to the month when I started/stopped most of my past jobs. Some of them I couldn’t even tell you the year.

                      1. 4

                        I am in this situation right now. I have a number of months of severance, and am still on the payroll, so that I have some time to pack up and leave before I’m fully terminated and my visa invalidated.

                        Had no idea this could be used against me, so thanks!

                        1. 8

                          Best way to play this is to keep your story, whatever it is, consistent. The thing to remember about HR Mooks is that they can’t tell who’s lying and who’s not, and they assume most people are lying (because, well, a lot of people lie). So, your best bet, if you’re on severance or “gardening leave” is to consistently treat the severance as time you were employed.

                          1. 1

                            Definitely agree there, HR stuff can really be eye opening when you realise they’re there for the company rather than the human. I’m not sure how the wording/employment contracts for severance in the US work, but in the UK if you are placed on gardening leave, you are still employed and not able to start at a new place of employment. Which can be great or very stressful depending on your circumstances!

                      2. 2

                        Security questions are silly and should definitely not be relied upon.

                        My only malicious hacking event was accessing someone’s account after receiving their username and password. When they changed their password, I still wanted to access their things. I got access to their email by answering a secret question to access their email, which was something like “what’s your favourite sports team”. I’m from the other side of the world, but Wikipedia had a list of teams for their country and I just tried a few of them until one worked.

                        1. 8

                          “What was the first felony you committed” was not one of the choices for security questions.