
Could you give an example of how it is possible to take over an email account just by having an e-mail conversation with the owner?



I imagine he/she is referring to how most "security questions" use info that we typically don't hesitate to give out in casual conversation, even with total strangers.


Man I hate those security questions with a passion. They are super weakly protected backdoors into your account.

Here's how I deal with sites that require them:

site: "What is your first teacher's name?"

me: "'Fx|<n8K@W8#[_,[ (1p)jqPC"

The answer is a password equivalent, so I just treat it like a password.


Doesn't work with United MileagePlus accounts; they only allow multiple-choice answers!


Yep. I believe when I created my account, I picked ones that were definitely not real answers, i.e. "What's your favorite sport?" answer "lawn darts".


Even if you picked a fake answer, that doesn't stop someone from brute-forcing it, which is made very easy by the limited range of possible options.


Any social engineers reading this? :)


Just give the wrong answer and keep track in your password tracker. At least social engineers can't figure that out.


Contact their tech group and then contact their CEO and show them this article. :)


That's just appalling.


Someone pointed out that if you talk to a CS rep and try to say that off, they'd just hear gibberish, meaning if someone tried to get at your stuff, they would just have to spout off gibberish and the CS rep would probably accept it.


If you can do this, it seems weird you would ever need to contact support for help. If you can keep the security answers safe why can't you keep the original password safe in the same place?

Or is this for when the account is locked for some random reason?


To me, the scarier idea is how many of these answers are now online. Mother's maiden name and other family names can be gotten from wedding notices or obituaries. For a teenager, the first job / school / car / concert are probably all available on Facebook. Even without the Internet as a backup, I could probably answer the security questions for 2-4 of my childhood friends.


I think if I had a casual conversation and they started asking what my pet's name was, where I went to school, etc., I'd think it a bit odd. As an aside, I usually have to write down the answers I've given in a Word doc and look them up if I need to do that stuff, as I can't remember which memorable place it was and the like.


Really? I'm sure it would seem odd if someone just ran down the list of questions, but I suspect you could easily maneuver the conversation so that a casual acquaintance answers one or two of them.

"Hey, how are you?"

"Pretty good. We're thinking about getting a dog so I went to the shelter this morning."

"Oh really?"

"It's tough to find one that's a good match though."

"Definitely"

"You ever have a dog?"

"Nah, wife's allergic. Had a snake as a kid though...called him Mr. Slithers."


You could build a chat bot that does that.


me: Hi Mate, what is your email password?

email recipient: Pasword123

me: thanks.

JOB DONE :-)


Well, I was hoping for something at least a little bit more sophisticated.


Nah... it's brute force all the way down. Scammers aren't brilliant men in dashing suits who swindle bankers, they're assholes who prey on the weakest. The second you do something that doesn't mark you as weak in some way, they don't want you anyway. It's the human equivalent of scanning large IP blocks for basic security holes.





