Why my mother’s maiden name is nonsense

54 points by mintone, about 9 years ago

20 comments

tzs, about 9 years ago
For sites that let you make up both the question and the answer, Bruce Schneier has suggested having some fun with it [1] to make your conversations with support more amusing. Examples:

Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.

A: Go forth, and kill. Zardoz has spoken.

Q: What the hell is your fucking problem, sir?

A: This is completely inappropriate and I'd like to speak to your supervisor.

Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.

A: It's a good thing they're recording this call, because I'm going to have to report you.

While you don't have as much flexibility when you do not get to write the question, I'm sure there are still plenty of amusing answers you could pick.

[1] https://www.schneier.com/blog/archives/2010/04/fun_with_secret.html

tnash, about 9 years ago
Here's what I do: random long strings as answers for each question, and save them with the credentials in KeePass. That way I keep track of each one, and they can't be used against me.

ComputerGuru, about 9 years ago
I blogged about this last year; the sad reality is that the security of these "security questions" is *more* important than that of your password since they can be used to reset both your password for this site and everywhere else (as well as gain access to your bank, obtain credit cards in your ID, and more).

We need to obscure these in the database. You can't risk losing your ID entirely just because some random site didn't bother securing these details and fixated solely on "best practices" for password storage in the DB.

https://neosmart.net/blog/2015/never-store-answers-to-security-questions-in-plain-text/

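Added example, not part of ComputerGuru's comment or the linked post: one way to keep security-question answers out of the database in plain text is to normalize them and store only a salted, slow hash, as is done for passwords. The function names, the normalization policy and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Assumed work factor for this sketch; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000


def normalize_answer(answer: str) -> bytes:
    """Canonicalize an answer so that 'A  B C ' and 'a b c' verify the same.

    Assumed policy: Unicode NFKC, case-folding, collapsed whitespace.
    Punctuation such as hyphens is kept, so it must be typed consistently.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only these two values are stored per answer."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored answer
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    # Constructed sample value, echoing the nonsense-string approach in the thread.
    salt, stored = hash_answer("Z3xYFrd9")
    print(verify_answer(" z3xyfrd9 ", salt, stored))  # same answer, different spacing/case
    print(verify_answer("Smith", salt, stored))       # wrong answer
```

Hashing protects only the stored copy: a real maiden name is still low-entropy and guessable, and a hashed answer can no longer be read back by a phone representative.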
cballard, about 9 years ago
This question is also misogynist. My mother does not have a "maiden name" she has a "last name", which has always been the same. It's not the 1950s, women don't have to subjugate themselves to their husband's name anymore.

Oh, and gay people exist. Get with the times.

notahacker, about 9 years ago
Other security questions are often even worse. "What high school did you attend?", for example, is something many friends and acquaintances will know and most others can trivially obtain via LinkedIn or Facebook. "Where were you born?" and "What is the first school you attended?" can be reasonably reliably guessed from the high school as well.

thowawy3116, about 9 years ago
It's helpful to know that on most services the maiden name can be thought of as a second password. Only on some credit-related services does the answer actually matter, it seems.

And then there are those of us who have hyphenated surnames, where the maiden name is there for all to see. I wish my name weren't hyphenated, but I'm stuck with it. It's always silly when someone asks for maiden name: I've already given it to you...

Hyphenated names are also longer, making it a perpetual challenge to fit my name on forms. On standardized tests I was always penalized a minute or more as I spent time scratching in all of the letters of my name. Then there are the fields where the hyphen is not allowed, so I have to enter something that is not my legal name, or even worse are the services that accept the hyphenated name but then transparently change it for storage on the backend. This can make verification fun since there's no telling whether the hyphen was removed, replaced with a space, or some other character entirely. Better hope that you don't have a limited number of attempts to access something. It doesn't fit on credit cards either, making the name field of web payment forms a best guess (I usually put my full name regardless of what is actually on my card).

Future parents out there: consider expressing your family pride or sense of nonconformity in a different way. Hyphenated names are a nice gesture, but they're totally impractical in a world where data entry matters. I'm only thankful that I don't also have a Unicode character in my name...

stordoff, about 9 years ago
> I’ve decided to leave the website link out in the interest of discouraging abuse of the tool.

I appreciate the sentiment, but I suspect this would be a more powerful demo if people actually found their own mother's maiden name. Anyone wanting to abuse it could find it trivially anyway (Google for "type your details below so we can start tracing your family", and you only get a single result).

I do wonder how complete the site's records are. I can find most of my family, but it doesn't seem to think I exist.

Edit: seems to be a weird search issue - given name + family name + year of birth returns multiple people who aren't me (with different given names / years of birth), but given name + middle name + family name + year of birth finds my details. Personally not too worried about it, as I use a random name in place of my mother's maiden name for banks etc., and have recommended to family that they do the same.

emodendroket, about 9 years ago
One of the most frustrating things is that many banks and other financial services seem to have the most antiquated security practices (nothing above twenty characters and no special characters, for instance). It should be the other way around and yet here we are.

That said, I've mostly seen these used as an in-addition question when you want to do something like reset your password. Who's out there using these security questions as the primary mode of authentication?

kazinator, about 9 years ago
> *Inevitably, I quite consistently can’t remember the word for each service – a fact that surprised this particular rep, “How do you forget your Mother’s maiden name?”.*

The rep is *looking* at the string that you gave them as your maiden's name (so that he or she can compare that with whatever you utter), and what's on the screen is obviously not anyone's maiden's name, being "nonsense", and all.

These jobs don't always go to the brightest bulbs in the chandelier, do they.

Gee, how on God's green Earth could anyone forget that your mother's maiden name is Z3xYFrd9.

It's rude too, implying that the customer is incredibly forgetful; in a customer service role, we should refrain from making such a comment even if the string does look like a viable maiden name.

Even some harmless, utterly non-sarcastic comment about anything could be taken the wrong way or take a surprising direction.

"Nice tattoo, where did you get that done?"

"It's a birthmark, which made me the target of bullying throughout elementary school."

Oops!

jakub_g, about 9 years ago
Talking about password recovery: Google has an interesting attitude. I recently lost the password to a dev account on Gmail I created a few weeks earlier, so I had to reset the password.

I went through a process in which they asked questions "when more or less was account created", "when did you last log in successfully", "what last password do you remember", "what google services did you use with this account" etc. which, mixed with some other data they possess (I believe), like IP addresses, made me successfully recover the account without any "maiden name" questions.

mhurron, about 9 years ago
This really is a retelling of the advice 'Your passwords should not be something that could be guessed by knowing just a little bit about you.'

AstroJetson, about 9 years ago
This isn't news, I've done this for decades. I have a fake family that I use for Mom, pet's name, father's birthplace, etc. But unlike the OP, I only have one fake family to track.

It's not hard to do, just pretend you are an undercover KGB agent. Alternate plan is to just rotate family by one, so Dad moves to Mom, Mom moves to older sibling, etc and the pet rolls to the top (Dad).

xlayn, about 9 years ago
I had a related issue with this kind of security measures:

I can't remember them after... is your favorite book "ABC" or "A B C"? first car Nissan Fairlady or 350Z?

So what I do is that you take the question, put it on an email with the key, put the key into a password generator [0] that creates the answer with a Master key just you know.

[0] Password generator pro, FOSS, grab it on FDroid

Nadya, about 9 years ago
Worse is that these answers are stored often in plaintext because they aren't the user's "password". I'd argue having them *at all* puts one at greater risk of being hacked.

What I'll never understand is why I can answer these questions with 64-128 characters (typically) but my password is limited to 16-32 characters.

makecheck, about 9 years ago
I’m not sure which is worse, that so many sites require “security” questions (emphasis on quotation marks) or that the questions are frequently paired with asinine password restrictions that prevent the construction of a strong-enough password in the first place.

amyjess, about 9 years ago
It's particularly dangerous for people who actually use their mother's maiden names.

Some people were born to unknown fathers, and some people deliberately changed their names to their mothers' maiden names later in life.

m3andros, about 9 years ago
The site in question is: http://www.genesreunited.co.uk/discover/index?stage=1

Chefkoochooloo, about 9 years ago
I thought this to be really interesting. I found this article making good points and it is incredible that the maiden name is more important than the password itself. Seems backwards in my opinion.

chei0aiV, about 9 years ago
Just use a diceware password for both those questions and answers, like you do for your actual passwords.

gonyea, about 9 years ago
Personally, I wouldn't give up the name Mrs. Nonsense.