💾 Archived View for jacksonchen666.com › posts › 2023-07-11 › 19-38-58 › index.gmi captured on 2024-02-05 at 09:49:35. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-11-04)
-=-=-=-=-=-=-
2023-07-11 19:38:58Z
Security questions. They're the questions you get asked if you do something like forget your password (or lose it, if you're that kind of person) so you can recover your accounts.
Security-wise... it's like yelling at everyone what your password is.
OK that was an exaggeration. Unless you yell your answers to the security questions.
But the main problem with the security questions is you probably already shared your answers to the questions without realizing.
Let's say, a service asks a security question. The question is "Which town was your first school at?"
You answer the question truthfully. That's it. Right?
Nope. Later, you then casually share that information with someone else, seemingly unrelated to the security question. After sharing the information, they now have the answer. Is your account then in danger?
My (amateur) answer is: Maybe. If the person asked the question *because* they were trying to get into your account i.e. Malicious, they probably know what they're doing and you should probably reset your security questions. But if the person isn't malicious, well the thing is you still gave the answer.
The fundamental problem with security questions is the answers are not a secret. The answers *should* be a secret, but the question doesn't allow that. Or does it?
Well, you can just give a bogus answer to the question. If you get a security question like "Where did your get your first pet?", just put a completely bogus answer into the answer box. It's a security question, are they going to care it's inaccurate?
Well, they do care if you give the wrong answer upon validation. And if you forget your bogus answer... Too bad.
Personally, if I meet upon a security question and that's for some reason required, I'll just treat it as another password box, putting a randomly generated password in there.