On Fri, May 29, 2015 at 1:42 AM, Joe Abley <jabley@hopcount.ca> wrote:
> That's what I should do. Instead, I pull down the list of candidate questions and think to myself...
> - I don't have a favourite colour
My favorite color is Red, but the answer is rejected because it's less than 6 characters long; it turns out your favorite color can be Yellow, Orange, or Purple, but not Blue, Green, Gray, or Pink.
> and around this point, I start to think - I am going to look for amusing cats on youtube
After finding one, now you have a favorite pet.

I suggest generating a random string for secret answer questions, just as if it were another password. Write down the answers; stick them in a lockbox. Some websites will prompt for the answers during normal login later, as if answering personal questions were some legitimate way to confirm a login from an "untrusted" computer. In that case, save a copy as secure notes in the password vault, or put the answers in a .txt file encrypted using GPG.

It is a bit bogus: the whole notion of asking, for authentication purposes and in a format where the response can easily be entered automatically, the sort of questions about you whose answers could easily be looked up in public records, or that distant acquaintances and former schoolmates would know. There is an improvement in use cases where the traditional response is just to accept the request and e-mail a new temporary password. In cases where "the answer" is used as if it were a second factor, that's fairly obnoxious and generates a false sense of security in the process. In cases where it can be used to reset the password directly, or to call in over the phone and reset a password or change the account, the strength of the password is weakened to the strength of the weakest security answer.
> Joe

--
-JH
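The "treat the answer like a password" advice above, as an added example that is not part of the thread: it generates a random answer per question with the `secrets` module, checks it against a constructed site policy (minimum length six, letters and digits only), and estimates how much a human-chosen answer drags the account down to the strength of its weakest security answer. The question names, the guessable answer pools and the policy are constructed assumptions for the example.

```python
"""Random "security question" answers, handled like passwords.

Added example, not from the thread: draw one random answer per question,
check it against a constructed answer policy, and estimate how far the
weakest answer pulls down the effective strength of the account.
"""
import math
import secrets
import string

# Constructed policy: the thread mentions a site rejecting colour names shorter
# than six characters; the letters+digits alphabet is an assumption.
MIN_LEN = 6
ALPHABET = string.ascii_letters + string.digits

# Constructed candidate pools modelling answers a stranger could guess or look
# up. Deliberately small; matching is case-insensitive.
GUESSABLE_POOLS = {
    "favorite color": ["Red", "Blue", "Green", "Yellow",
                       "Orange", "Purple", "Gray", "Pink"],
    "first pet": ["Max", "Bella", "Charlie", "Lucy", "Buddy", "Daisy",
                  "Rocky", "Molly", "Jack", "Sadie", "Toby", "Maggie",
                  "Bear", "Lola", "Duke", "Sophie"],
}


def random_answer(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw an answer uniformly from alphabet^length, like a generated password."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def policy_compliant(answer: str, min_len: int = MIN_LEN,
                     alphabet: str = ALPHABET) -> bool:
    """True if the (constructed) site policy would accept the answer."""
    return len(answer) >= min_len and all(c in alphabet for c in answer)


def answer_bits(question: str, answer: str, alphabet: str = ALPHABET) -> float:
    """Estimate guess-resistance in bits.

    An answer found in the question's guessable pool is worth log2(pool size):
    the attacker only has to try the pool. Anything else is assumed to have
    been drawn uniformly from the alphabet, i.e. length * log2(|alphabet|).
    """
    pool = GUESSABLE_POOLS.get(question, [])
    if answer.casefold() in (p.casefold() for p in pool):
        return math.log2(len(pool))
    return len(answer) * math.log2(len(alphabet))


def effective_strength(password_bits: float, answers: dict) -> float:
    """Account strength when the answers alone can reset the password: the minimum."""
    return min([password_bits] + [answer_bits(q, a) for q, a in answers.items()])


def generate_answer_set(questions, length: int = 24) -> dict:
    """One fresh random answer per question, each checked against the policy."""
    answers = {}
    for q in questions:
        a = random_answer(length)
        if not policy_compliant(a):
            raise ValueError(f"generated answer for {q!r} violates the policy")
        answers[q] = a
    return answers


if __name__ == "__main__":
    human = {"favorite color": "Red", "first pet": "Max"}
    generated = generate_answer_set(human)
    print("human-chosen answers:", round(effective_strength(80.0, human), 1), "bits")
    print("generated answers   :", round(effective_strength(80.0, generated), 1), "bits")
    for q, a in generated.items():
        print(f"  {q}: {a}")
```

With an 80-bit password, the two human-chosen answers cap the account at 3 bits (eight colours to try); the generated ones leave the password as the limiting factor, which is the point of the "weakest security answer" remark. Store the generated answers the same way you store the password: in the vault's secure notes or a GPG-encrypted file.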