You answer them honestly?
Somehow, that doesn't seem like an apple-specific/related problem.
dontPanic1105125dYou're not using a password manager in 2020? That's pretty cringe Bro. You know there's [place for a password manager ad, call me at 800-psswd-mngr]
For AppleID security questions? I just rolled my face on the keys for the answers and stored it all in my keepass, like everything else.
gw3n7925dI also have a special relationship with "security" questions. I usually try adding another layer of security by making up a long answer on the spot and adding some unusual characters to add even more entropy :D I'm still reluctant to use the pw manager, as it's an outsourced single point of failure that I could lose control over. So I am constantly trying to come up with a better system for generating and remembering these things in my head. Safest place on earth but unfortunately not super reliable :) Especially as associations may change over time.
Security questions don't make any sense at all. Honestly, who came up with the idea to create passwords that can be reset by anyone who paid attention on the first date? Many of the questions are publicly available information.
Have some system that's unknown to anyone else and easy for you to answer by basing the answer off the question itself.
Example system: Count the number of vowels. Look for the first vowel, and turn it into a color. Find the last noun in the sentence. Rearrange to answer the question.
Another example system: start with "qxy", concat the first letter, the last letter of the second word, the length of the longest word, the first letter of the third word, the first punctuation mark, and the number of words.
Question: Which elementary school did you attend?
Answer #1: Indigo school number 14.
Answer #2: qxyWy10s?6
It sounds difficult to remember, but if it's your only system and you use it every time, it will quickly become automatic.
Don't get me wrong, it's security through obscurity, but that's totally okay for something like this.
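The second example system above, written out as code so the rule can be checked against the worked answer in the post (an added illustration, not code from the commenter; the word-splitting and punctuation handling are my assumptions about the informal rule):

```python
import re

PREFIX = "qxy"  # fixed prefix from the commenter's example system


def derive_answer(question: str) -> str:
    """Apply the "qxy" rule set from the post to a security question.

    Rule order, as listed in the post: prefix, first letter of the
    question, last letter of the second word, length of the longest
    word, first letter of the third word, first punctuation mark,
    number of words. Assumed: words are runs of letters/digits/apostrophes
    and the first longest word wins ties.
    """
    words = re.findall(r"[A-Za-z0-9']+", question)
    if len(words) < 3:
        raise ValueError("the rule needs at least three words")
    punct = re.search(r"[^\w\s']", question)  # first non-word character
    longest = max(len(w) for w in words)
    return "".join([
        PREFIX,
        question.lstrip()[0],
        words[1][-1],
        str(longest),
        words[2][0],
        punct.group(0) if punct else "",
        str(len(words)),
    ])


def rewording_changes_answer(original: str, reworded: str) -> bool:
    """True if a site rewording the question would invalidate the stored
    answer: the failure mode raised later in the thread."""
    return derive_answer(original) != derive_answer(reworded)


if __name__ == "__main__":
    for q in ("Which elementary school did you attend?",
              "What town did you grow up in?"):
        print(q, "->", derive_answer(q))
    # A reworded question (constructed sample) breaks the derived answer.
    print(rewording_changes_answer("Which elementary school did you attend?",
                                   "Name of your elementary school?"))
```

Because the rule is a pure function of the question text, anyone who learns the rule can regenerate every answer, which is the point the replies below make.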
Security through obscurity even here is no good either. Apple for instance lets their apple care people ask you the security questions through the phone.
I know that because I was young and needed the money.
So, now you are talking with an Apple Care moron who actually failed in life and needed a minimum wage job where he isn't fired and you tell him to type in "xahjdk2z" for the city where your parents met.
You get flustered, he doesn't understand it. You explain the system. And a few hours later a coach listens to the call for quality assurance reasons. He has all your information and because you sound like an attractive girl, he wants to check you out. But he has your system, so he has all security questions ever. And your email address.
That was one scenario that comes to mind. But keep in mind: security questions are often stored in a hash, and employees can just see the answers. I think working out a cipher like that is not too hard.
Never share the system. Ever.
It's possible to deduce if you have more than one sample and some time on your hands, but that's pretty unlikely. There's also the problem of companies changing the question's wording, but that's also pretty rare.
Genius: "What town did you grow up in?"
Me: ".... qxyWn...4d...7"
Genius: "But quaxy 47 isn't a city!"
Me: "You're right! but so is my answer 😁 Check!"
Genius: "How do you spell that? I left my ears in the toaster."
Me: "haha, right you are. q x y ..." smile and nod. smile and nod.
If they refuse to listen, there's always a manager. Idiots abound, after all.
Also: if someone with access to even a little bit of personal information wants to creep, they're going to creep. There isn't much you can do, privacy-conscious or not.
A few issues. First, yeah, they often can see all your answers at once. And second, we are running into the core problem of security through obscurity.
1. You might have made up a good system that is not obvious. But that doesn't mean others will make a good system as well. And you have recommended this approach to others. You cannot share your system, as it would defeat your system.
2. Since there is a violation of a security principle already, why not violate it again and tell someone? Maybe because you're in a relationship, and you're indisposed, and someone is in the hospital and the server is on fire and there is finally, after years, a new episode of Futurama on the telly. I mean, something will make you tell it. There is no effective way of going back and changing everything.
And last complaint: It is a hell of a lot different if someone who creeps on you can log in as you or just sees your public profile.
You can't exactly use GPG on security questions. There is no cryptographically secure solution -- and if there is, I want to know about it.
* Answering truthfully is dangerous because the answers are guessable / determinable.
* Answering everything with the same answer is dangerous for obvious reasons.
* Using answers unrelated to the questions that are unique per site/company is dangerous because you are likely to forget them. And remember, you're likely being asked the security question(s) because you just forgot your password.
* Keeping them in a password manager won't work because sometimes you won't have access to it, and the questions are intended for recovery anyway. If you have your password manager, password recovery is already moot.
The type of system I described is the best approach I've found to a flawed system. If it isn't good enough, what would you suggest instead?
This is my system.
Your points are perfectly valid. I think the best approach is not using security questions. If not using is not possible, then answer them with a secure long generated password which I add to my password manager to be able to satisfy the company's need for random checks.
As you said, the password manager approach does not make forgetting any less likely, since you would lose your password together with your security questions, but that was never the goal. The goal was to inject some sort of security into this obnoxious practice and actually render it moot wherever it cannot be deactivated.