GoFuckYourself.com - Adult Webmaster Forum


rowan 10-03-2009 12:41 AM

Security questions are actually mostly INSECURE
 
You know those security questions you use to reset your password? Many sites use canned questions like "your pet's name" or "your mother's maiden name" ... if a cracker has access to your email they can probably access other things, how difficult do you think it would be for them to find out that info? Probably not hard at all.

The best way is for the site to allow you to specify the QUESTION as well as the ANSWER, since it allows you to obfuscate it. If your wife named Joan Jill Doe has a mole you could choose something like "mole middle"... and the answer is "jill" (the middle name of someone with a mole). To someone who doesn't know your wife personally the question will make no sense.

Thoughts?

Stacks Banned for Life 10-03-2009 01:14 AM

Quote:

Originally Posted by rowan (Post 16385087)
You know those security questions you use to reset your password? Many sites use canned questions like "your pet's name" or "your mother's maiden name" ... if a cracker has access to your email they can probably access other things, how difficult do you think it would be for them to find out that info? Probably not hard at all.

The best way is for the site to allow you to specify the QUESTION as well as the ANSWER, since it allows you to obfuscate it. If your wife named Joan Jill Doe has a mole you could choose something like "mole middle"... and the answer is "jill" (the middle name of someone with a mole). To someone who doesn't know your wife personally the question will make no sense.

Thoughts?

I disagree wholeheartedly. Security questions and even passwords for that matter should be easy to guess. :2 cents:

d-null 10-03-2009 01:33 AM

http://i33.tinypic.com/72zy9z.jpg

Libertine 10-03-2009 09:20 AM

The real problem is that those security questions tend to open up your accounts to social engineering and inside attacks.

When you're targeting random people, they're useless, but when you're targeting a specific person (e.g. a celeb, someone you want to scam, etc), they make it lots easier.

For example, let's say you're trying to get the PayPal account of a specific person. You know their email address, have tried to get the password, and have found out what the security question for that email address is.

You can give the person a call and come up with a story like "I'm doing genealogical research at the moment, and it seems you might be related to historical figure X. Your mother's maiden name was XYZ, right?". The answer will often be "No, it was XXX", giving you the answer you needed.

Or, if it's someone you actually know, it's even easier. You wouldn't tell people you know your passwords, but you would tell them random, seemingly unimportant trivia if those came up in conversation.

woj 10-03-2009 10:06 AM

yea, I agree many of them are terrible... I've seen ones like "what year did you graduate from high school?" "How many kids do you have?" "what high school did you go to?"

You could very easily bruteforce these...

Iron Fist 10-03-2009 10:27 AM

I actually hate sites that force me to answer these questions...as most of my passwords are like...

b78T5jsn12vdi9dww2

force brute that bitches.

rowan 10-03-2009 10:44 AM

Quote:

Originally Posted by sharphead (Post 16386561)
I actually hate sites that force me to answer these questions...as most of my passwords are like...

b78T5jsn12vdi9dww2

force brute that bitches.

You're thinking of a password reminder (which is probably better since it can also be obfuscated, although that won't help people who use "coffee"), I'm talking about a password reset function... answer the question right and you're emailed a new password.

EthnicLover 10-03-2009 10:46 AM

Quote:

Originally Posted by d-null (Post 16385162)

:1orglaugh

Going Rogue!

Mutt 10-03-2009 11:05 AM

I dunno - I use the 'mother's maiden name' one and 'your first phone number' or 'name of public school' - you could ransack my house, never mind my computer, and not find any of those answers.

