Ask HN: Why do sites still ask me to do security questions?
It's 2024, and there are still sites today asking for security questions when registering as a new user?
Because their "security checklist" had an item inserted 18.5 years ago that says: "must have security questions" and so to pass their security audit (i.e., check the boxes on the checklist) they have to request security questions.
The best way to answer "security questions" is below:
sort --random-sort --random-source=/dev/urandom /usr/dict/words | head -5 | tr $'\n' " " ; echo
Adjust the head -5 to adjust how many words are output. Then your answer to "what was the name of the first street you lived on" could be:
crunched shirt wins ambushed titter
You gain an answer that has no relation to the question, as well as an answer that is easy to recite over the phone to a person (should the need arise).
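As an added example (not from the thread), the same idea as the one-liner above in Python: it draws words with the CSPRNG-backed secrets module from a constructed in-script wordlist (an assumed stand-in for a system dictionary such as /usr/share/dict/words) and reports how many bits of entropy the resulting answer carries, which is the property that makes it a better secret than a real street name.

```python
import math
import secrets

# Constructed stand-in for a system dictionary (assumption: in practice
# call load_words() on a real one-word-per-line file instead).
WORDLIST = [
    "crunched", "shirt", "wins", "ambushed", "titter", "harbor", "velvet",
    "lantern", "pepper", "orbit", "meadow", "quartz", "saddle", "thunder",
    "walrus", "cobalt", "fiddle", "glacier", "hammock", "ivory", "jigsaw",
    "kestrel", "lumber", "marble", "nectar", "oyster", "puzzle", "radish",
    "sprocket", "tundra", "umbrella", "voyage", "whisker", "yonder", "zephyr",
]


def load_words(path="/usr/share/dict/words"):
    """Read a one-word-per-line dictionary, keeping only plain alphabetic words."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return sorted({w.strip().lower() for w in fh if w.strip().isalpha()})


def random_answer(words, count=5):
    """Join `count` words chosen uniformly with a CSPRNG (with replacement;
    the sort -R | head one-liner draws without replacement, which gives
    marginally less entropy but the same practical effect)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(words, count=5):
    """Entropy of a uniformly drawn `count`-word answer: count * log2(len(words))."""
    return count * math.log2(len(words))


if __name__ == "__main__":
    answer = random_answer(WORDLIST)
    print(answer)
    print(f"{entropy_bits(WORDLIST):.1f} bits from a {len(WORDLIST)}-word list")
```

With a real dictionary of roughly 100,000 words, five words give about 83 bits, far beyond anything a "what was your first street" answer could offer.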
I second this. I have about as many (5) strings including colors, numbers, and shapes. I always select whichever string is most "opposite" of the expected answer (i.e., your best friend from childhood: 78). I've run into some who are set up with criteria to keep the answers in line with the question... not sure what logic goes into some of these "well-intended" security implementations.
They may as well just have had you create 2 different passwords - the Q&A was never good security in theory as it deals with a bad actor needing only to know a select few pieces of PII to bypass a user's legitimate password in the worst cases.
> the Q&A was never good security in theory
The 'security questions' were never about 'security' (at least not directly). As you say, they simply created a "backdoor".
They were always about: "automated forgotten password recovery".
As in, the companies did not want to employ telephone workers to handle the inevitable "I forgot my password, can you let me back in" calls [1]. They were only ever meant to allow for "reset password" via 100% automated means. That's why the questions are often so much of a sort of "ok, anyone who knows X, or does a little research on X, can figure out that answer" type. They were just that way because that also (hopefully) meant the "I forgot my password" users would not also forget their "recovery question" answer.
[1] Or, much more likely, bean counters realized that the call center size (and expense) could be reduced by 87.4% if we (bigco X) implemented a way to automate handling all those "I forgot my password" callers.
Why do we still have dumb password requirements? Why do we have SMS based 2FA? Why aren't we all using passkeys?
Security changes take forever. Old school sys admin and IT security types don't really like to keep up with web changes. And users don't know any better. And grandma is probably less likely to mess up a security question than figure out what to do when she upgrades her phone and loses all her 2FA.
Haven’t seen that for years.
Bots signing up is a solved issue and I didn't get the memo?
The bad guys get better faster than the good guys do.
Technology is the antecedent of security.
Password cracking has gotten better as crackers steal password lists. They might not have the security questions. In an AT&T breach, someone stole one of my accounts and changed the security questions and cell phone number, so now I can't access it. They also got to my Twitter account and posted content that got it banned.