Online security and passwords

I'm doing a security audit; updating passwords for logins etc. Some sites (incl. banks) have 'security' questions; you let them know answers to questions such as, your fave band, where you were born, etc. The idea being that if you forget your password, you can reset it, if you know the answer(s) to your security question(s). What's the point of having a secure password (randomly generated long string of characters) if hackers can gain access to your account by answering your 'security' questions?

 

Do I need to also use randomised strings for the answers to my security questions?


You should never give genuine answers to those questions. The most secure way is to have unique passwords and security question answers for each website that you can remember. Some people use an algorithm based on the website name for this, but if someone manages to work out your algorithm then you are scuppered. Second best is using random passwords and answers but store them in a secure and good password manager like Keepass or Lastpass. Again, if someone gains your password vault password then you are scuppered. Sadly through years of trying to make things secure we've managed to make things hard for us to remember but easy for a computer to crack...

 

To add to the security questions though, the only way to reset a password should be via an email request to the account named on the system, so even if a hacker did know your security questions they'd also have to compromise your email too to be able to do anything with it, and that's where the difficulty begins and why it's used. If they allow you to change your password or email without this extra step then I wouldn't use them as my bank.

 

This sums it up perfectly:

https://xkcd.com/936/


Some people just write them down in secure places. After all how likely is it someone breaks into your house and ransacks it to find your online account passwords?


Get a program called Keepass. Works on Windows, Linux and Android.

 

You create a database and it will generate secure random passwords for you for sites, and even enter them automatically. You can also store extra text with the entries so you can store made up strings for the questions - just list the questions given and the made up answers.

 

 

The whole database is encrypted so you need a single VERY good password - perhaps using something like Diceware and change that sort of regularly - but you only have a single password to remember.

 

My Keepass database lives in an encrypted folder on my cloud storage so I can get it anywhere in the world if I need it.

 

https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

 

---------- Post added 31-03-2017 at 17:28 ----------

 

 

Without looking I bet that's a horsey stapling battery....?


Thanks.

 

Already have a password manager (using 1Password on Mac and iOS, and also Android). I generally have 2 categories of password. 1. passwords I need to remember. 2. passwords I don't need to remember (these are randomised strings of 20 to 30 characters).

 

Also, the horse stapling battery correct thing, is not great advice. Password crackers will try strings of dictionary words and strings of 4 dictionary words, I imagine, are not safe.

 

I'm mostly just concerned about 'security questions': whether to use randomly generated strings for those, or whether, as part of the process of account recovery, the institution would need to send some activation code to your physical address etc. Otherwise, any old joe could recover your account.

 

---------- Post added 31-03-2017 at 18:57 ----------

 

This is a good article on the subject:

 

http://lifehacker.com/four-methods-to-create-a-secure-password-youll-actually-1601854240

 

Also:

 

http://boingboing.net/2014/02/25/choosing-a-secure-password.html

 

(which discusses why the xkcd horse battery staple thing, isn't as good as you may think)

 

---------- Post added 31-03-2017 at 19:02 ----------

 

> To add to the security questions though, the only way to reset a password should be via an email request to the account named on the system, so even if a hacker did know your security questions they'd also have to compromise your email too to be able to do anything with it, and that's where the difficulty begins and why it's used. If they allow you to change your password or email without this extra step then I wouldn't use them as my bank.

 

This goes some way to relieving my concerns. So long as the email address you use is itself secure.

 

Kinda begs the question, how easy is it for someone to recover your email address?

Edited by Waldo

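To make the Diceware suggestion and the "four dictionary words" debate above concrete, here is an added example (not code from any of the posts) that generates Diceware-style passphrases and random security-question answers with a CSPRNG, and works out how many bits of entropy each choice gives. The eight-word list is a constructed stand-in; the 7776-word figure is the real EFF/Diceware list size, and 2048 is the 11-bits-per-word list xkcd 936 assumes. The guessing rate is an assumed illustrative number.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware-style wordlist; a real EFF/Diceware list
# has 7776 words (five dice rolls), which is what the entropy figures assume.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "anchor", "copper", "falcon", "granite"]
DICEWARE_SIZE = 7776   # 6**5, the EFF long wordlist
XKCD_SIZE = 2048       # xkcd 936 assumes 11 bits per word, i.e. a 2048-word list


def passphrase(wordlist, n_words, rng=secrets):
    """Pick n_words uniformly and independently with a CSPRNG (secrets.choice)."""
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


def random_answer(length=20, alphabet=string.ascii_letters + string.digits, rng=secrets):
    """Random string to store in a password manager as the 'answer' to a security question."""
    return "".join(rng.choice(alphabet) for _ in range(length))


def entropy_bits(choices, n):
    """Entropy of n independent uniform picks from `choices` options: n * log2(choices)."""
    return n * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected guesses to hit a uniformly random secret is half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate against a fast hash, for illustration only
    for label, choices, n in [("xkcd, 4 words", XKCD_SIZE, 4),
                              ("Diceware, 4 words", DICEWARE_SIZE, 4),
                              ("Diceware, 6 words", DICEWARE_SIZE, 6),
                              ("20 random alphanumerics", 62, 20)]:
        bits = entropy_bits(choices, n)
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{label:26s} {bits:6.1f} bits  ~{days:.3g} days at {rate:.0e}/s")
    print("passphrase:", passphrase(SAMPLE_WORDLIST, 4))
    print("answer    :", random_answer())
```

The strength comes entirely from the uniform random choice, not from the words themselves, so a four-word phrase is only as strong as the list it was drawn from.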

I just have 3 passwords, all different strengths....

 

the lowest strength I use for things that don't really matter,

 

the middle things like game logins etc...

 

the strongest I use for things like online banking etc...

 

If one is compromised, I just have to change anything using that 1 password....

> If one is compromised, I just have to change anything using that 1 password....

 

I imagine the problem is, when one is compromised, you may not realise it for a number of years...

 

I found a few of my accounts had been compromised using the following site:

 

https://haveibeenpwned.com

> To add to the security questions though, the only way to reset a password should be via an email request to the account named on the system, so even if a hacker did know your security questions they'd also have to compromise your email too to be able to do anything with it, and that's where the difficulty begins and why it's used. If they allow you to change your password or email without this extra step then I wouldn't use them as my bank.

Do you use your credit card online? Verified by Visa and Mastercard SecureCode only require your date of birth in addition to the details on your credit card to reset your password!

 

A more thorough examination of how bad they are can be found in this PDF: Verified by Visa and MasterCard SecureCode: How Not to Design Authentication.

> I imagine the problem is, when one is compromised, you may not realise it for a number of years...
>
> I found a few of my accounts had been compromised using the following site:
>
> https://haveibeenpwned.com

 

Already know about that site - checked up and it's telling me sites I have been 'pwnd' on - but back in 2012, and I have already changed the password(s) for said sites...

 

so I question the accuracy... (all it does is search if your username or email was in the list of 'hacked' accounts from said sites... it doesn't know if you have already changed the password for those sites or not)

> You should never give genuine answers to those questions....

 

Why not???

> Why not???

Because the answers to the questions they ask are usually fairly easy to find out.


I always thought Keepass was the best one but a couple of sites are recommending Lastpass 4.0 (which has a free and a paid for version) as the best one out there.

 

http://uk.pcmag.com/password-managers-products/39332/guide/the-best-free-password-managers-of-2017

 

http://www.techradar.com/news/software/applications/the-best-password-manager-1325845

 

http://lifehacker.com/5944969/which-password-manager-is-the-most-secure
