Security questions?

I know next to nothing about computer security, so maybe there is something I'm missing here. What is the point of those security questions you have to choose on some services? I get that the idea is that the answer is something only I would know, but usually you can only pick a pre-made question and none of the answers are secrets.

My mother's maiden name is not a secret, neither is the town I grew up in, and if you know the town you can also just try out all the elementary schools in it. Of course you could always provide a fake answer, but then you have to remember that one as well, giving you now effectively a second password to remember. That defeats the entire point of a secret question.

Unless I'm missing something, how did this retardation spread this much? Every time I sign in on eBay they want me to pick three questions. Luckily I have been able to put it off by closing the browser window, but I have also seen sites that won't let you proceed unless you pick your questions. Is this some sort of cargo cult where other tech companies are doing it, so you have to do it as well?


Yes.

Lawyers. This shit was accepted pre-internet as a "we did all we could" for account security and there's decades of case law to make site owners feel safe.

this is all jew tricks. From babylons 'magick' book. They need your mother's name to curse you.

en.wikipedia.org/wiki/Sarah_Palin_email_hack

Interdasting.

The purpose of security questions is to effectively give you a secondary, offline password which you don't use for day-to-day logins, so it is less likely to be sniffed or stolen.
The questions are quite old (pre-Google and pre-Facebook) and based on the assumption that people didn't use to share the "secret answers".
Although on a properly designed site the secret answers should not be stored in clear text, but hashed like regular passwords (except maybe case insensitive), there are many popular closed and open-source portals which do not follow good security practices.
It is not recommended to actually answer the question, but give a long, unique, non-identifying secondary password as an answer, which will only be used to recover your main password.
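
Added example (not part of the thread): a Python sketch of what the post above describes on the server side, storing a salted, case-insensitive hash of the answer instead of clear text, plus generating a random non-identifying answer for a password manager. The function names, the PBKDF2 iteration count and the sample answers are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumed work factor for this example; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000


def normalize_answer(answer: str) -> bytes:
    """Fold case, Unicode form and whitespace so 'Smith ' and 'smith' match."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def _derive(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalized answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer),
                               salt, PBKDF2_ITERATIONS)


def hash_answer(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest): what the site stores instead of the answer."""
    salt = secrets.token_bytes(16)  # fresh salt per user and per question
    return salt, _derive(answer, salt)


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    return hmac.compare_digest(_derive(candidate, salt), digest)


def random_answer(nbytes: int = 24) -> str:
    """A long, unique, non-identifying answer to keep in a password manager."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample answers, not taken from the thread.
    salt, digest = hash_answer("Springfield  Elementary")
    print(verify_answer("springfield elementary", salt, digest))
    print(verify_answer("Shelbyville Elementary", salt, digest))
    print(random_answer())
```

Hashing only protects the stored answer if the site's database leaks; a truthful answer drawn from a short list of possibilities is still guessable through the recovery form itself, which is why the random answer matters.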

*less likely to be sniffed or stolen or forgotten

Why? You dummy


You're doing it wrong. You SHOULD provide a fake answer here. But it should be a 2nd password, as in "ImAMassiveFaggot" or something, a sentence you'd remember or an actual secondary password.
You're not. Security is difficult and there isn't a single good security method. Almost all good quality services have abandoned security questions anyway. This is why you register with email/phone number, and have stuff like andOTP/google authenticator.


Basically this.


Too many.
facebookcorewwwi.onion

Personally I use it as a secondary password and add it in the description of Keepass

I never understood why the fuck you weren't allowed to come up with your OWN security question and password. I mean, it would have made a lot more sense that way.


So that's why they did away with security questions and now ask for a (((phone number))).

Normalfags, like any other cancer.
I use an honest answer encrypted with a basic cypher.

Fabricate the answer to every question. When you're out drinking with someone you don't trust, let an answer to one auth question slip. You'll get an email saying someone tried to log into your account and answered "x." Then 6 months later they die of natural causes.

Wow, didn't know that. They really jewed him hard for that "hack".

No, that's because botnet.

Yes, I understand that. Giving a true answer is like hiding the spare key under the doormat. Giving a fake answer is like hiding the spare key in a locked vault, but now instead of one key you can lose you have two keys you can lose (the key to the door and the key to the vault), so you have effectively doubled the original problem because you have two passwords you can forget.

No, it's because a phone number is a sure way to identify a user as an individual person. It's also a good way to stop spammers because their activity is dirt cheap and buying a shit ton of phones to create gorillions of spam accounts doesn't bode well with it.

doesn't work on me since I don't have one

It's not expensive to buy a phone in the third world or just steal them and use those numbers.

Yeah, well. The point is it's supposed to be a last resort to recover your account should you ever forget or lose your password.

No, it's a thinly veiled excuse to erode privacy, sign users up for spam, and build profiles for and track users, while conveniently tying their real world info to their accounts. The spam crap is just them pretending it's for improving things for good PR. It also prevents you from having alts.
The worst part is you can't use just any phone number because the owner can lock you out of the account.

You don't have to answer truthfully.

Even if you could somehow buy those at $10 a pop that's still an order of magnitude greater expense than potential profit from using it.

You mean you can't spam, sockpuppet and ban evade as easily as you used to? O tragedy!

Make the answer something you'd only know. "Name of your father" can be anyone you'd think is a good father figure from a show you watch or something. After which you should add a set of characters or numbers you'd always be able to remember.
Or, you know, just invent a formula of your own for generating a set of numbers/chars when you combine the website name and your login username or email. It's not that difficult.

It's complete bullshit. In the worst case the site will grant someone access to your account if he gets the security question right. In the best case these security questions are used on top of some other stuff, but no matter how you slice it, it's not secure. For example some site may grant someone access to your account if he has your email, IP, and secret question, but "forgot your password". Another example is a site will lock you out because your IP address changed (another invalid practice), and then require your security question on top of your password. While in this case it doesn't break your security, it's a huge pain in the ass for no reason.

You're doing it wrong too. You're decreasing your password strength so that you can remember multiple passwords for a single account on a single website. The only proper way is to treat each security question as a separate password that gives access to your account, and store the passwords. Of course it's better to just not use such retarded sites in the first place. A more respectable web service that exists today is cock.li, which, while it requires JS, it only makes you use one password.
nope
yep, cryptographic authentication, and failing that (because you're using webshit): a single password
no. that's worse
no.

yeah, why am I not surprised that the security questions apologist goes off talking about password hashing after 3 seconds?

no it fucking isn't, doofus

bloody hell
time to change passwords again

...

Wow, nice argument. It is difficult. You can't make something that isn't flawed and that will satisfy everyone.
Requires user to remember it.
Yes

You don't need to buy any extra phones. Unless you're a retard who got carrier locked.

A prepaid SIM card costs significantly less than that.

Use a random password generator and save the random text in an encrypted file/drive
Ez

Also have your master key extensively long and never saved nor written anywhere
Memorize it