
Man I hate those security questions with a passion. They are super weakly protected backdoors into your account.

Here's how I deal with sites that require them:

site: "What is your first teacher's name?"

me: "'Fx|<n8K@W8#[_,[ (1p)jqPC"

The answer is a password equivalent, so I just treat it like a password.




Doesn't work with United MileagePlus accounts, they only allow multiple choice answers!


Yep. I believe when I created my account, I picked ones that were definitely not real answers, i.e. "What's your favorite sport?" answer "lawn darts".


Even if you picked a fake answer, that doesn't stop someone from brute-forcing it, which is made very easy by the limited range of possible options.


Any social engineers reading this? :)


Just give the wrong answer and keep track in your password tracker. At least social engineers can't figure that out.


Contact their tech group and then contact their CEO and show them this article. :)


That's just appalling.


Someone pointed out that if you talk to a CS rep and try to say that, they'd just hear gibberish, meaning if someone tried to get at your stuff, they would just have to spout off gibberish and the CS rep would probably accept it.


If you can do this, it seems weird you would ever need to contact support for help. If you can keep the security answers safe, why can't you keep the original password safe in the same place?

Or is this for when the account is locked for some random reason?



