
/tech/ - Technology



 No.950288>>950381 >>950431 >>950479 >>950482 >>950518 >>950539 >>950903 >>950970 >>951087 >>951088

I know next to nothing about computer security, so maybe there is something I'm missing here. What is the point of those security questions you have to choose on some services? I get that the idea is that the answer is something only I would know, but usually you can only pick a pre-made question and none of the answers are secrets.

My mother's maiden name is not a secret, neither is the town I grew up in, and if you know the town you can also just try out all the elementary schools in it. Of course you could always provide a fake answer, but then you have to remember that one as well, giving you now effectively a second password to remember. That defeats the entire point of a secret question.

Unless I'm missing something, how did this retardation spread this much? Every time I sign in on eBay they want me to pick three questions. Luckily I have been able to put it off by closing the browser window, but I have also seen sites that won't let you proceed unless you pick your questions. Is this some sort of cargo cult where other tech companies are doing it, so you have to do it as well?

 No.950293

Yes.


 No.950299

Lawyers. This shit was accepted pre-internet as a "we did all we could" for account security and there's decades of case law to make site owners feel safe.


 No.950301>>950422

this is all jew tricks. From babylons 'magick' book. They need your mother's name to curse you.


 No.950381>>950518 >>950575

>>950288 (OP)

https://en.wikipedia.org/wiki/Sarah_Palin_email_hack

>The Sarah Palin email hack occurred on September 16, 2008, during the 2008 United States presidential election campaign when the Yahoo! personal email account of vice presidential candidate Sarah Palin was subjected to unauthorized access. The hacker, David Kernell, had obtained access to Palin's account by looking up biographical details such as her high school and birthdate and using Yahoo!'s account recovery for forgotten passwords. Kernell then posted several pages of Palin's email on 4chan's /b/ board. Kernell, who at the time of the offense was a 20-year-old college student, was the son of longtime Democratic state representative Mike Kernell of Memphis.


 No.950422

>>950301

Interdasting.


 No.950431>>950432 >>950479 >>950970

>>950288 (OP)

The purpose of a security question is to effectively give you a secondary, offline password which you don't use for day-to-day logins, so it is less likely to be sniffed or stolen.

The questions are quite old (pre-Google and pre-Facebook) and based on the assumption that people didn't use to share the "secret answers".

Although on a properly designed site the secret answers should not be stored in clear text, but hashed like regular passwords (except maybe case insensitive), there are many popular closed and open-source portals which do not follow good security practices.

It is not recommended to actually answer the question, but give a long, unique, non-identifying secondary password as an answer, which will only be used to recover your main password.
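
The storage scheme described in post No.950431 above, as an added example that is not part of the original thread: answers are normalized so matching is case-insensitive, then salted and hashed like passwords, and the user side generates a random answer instead of a real one. The function names, the PBKDF2 iteration count and the sample answers are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional, Tuple

# Assumed work factor for this sketch; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000


def normalize_answer(answer: str) -> str:
    """Fold case and collapse whitespace so 'Main  Street' matches 'main street'."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored, never the answer."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh per-answer salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)


def random_answer(nbytes: int = 24) -> str:
    """User side: a long, unique, non-identifying answer to keep in a password manager.

    Still far beyond guessing range after the server-side case folding.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample answers, for illustration only.
    salt, stored = hash_answer("  Springfield Elementary ")
    print(verify_answer("springfield   ELEMENTARY", salt, stored))
    print(verify_answer("Shelbyville Elementary", salt, stored))
    print(random_answer())
```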


 No.950432

>>950431

*less likely to be sniffed or stolen or forgotten


 No.950450>>950470 >>950995

>he sincerely answers the "secret" questions

Why? You dummy


 No.950470>>950479 >>950995

>>950450

> Please choose a security question

> 1) How many GB of CP is on my computer?

> 2) Name of my favorite onion site?


 No.950479>>950590 >>950810 >>950970

>>950288 (OP)

>My mother's maiden name is not a secret, neither is the town I grew up in, and if you know the town you can also just try out all the elementary schools in it.

You're doing it wrong. You SHOULD provide a fake answer here. But it should be a 2nd password, as in "ImAMassiveFaggot" or something, a sentence you'd remember or an actual secondary password.

>Unless I'm missing something

You're not. Security is difficult and there isn't a single good security method. Almost all good quality services have abandoned security questions anyway. This is why you register with email/phone number, and have stuff like andOTP/google authenticator.

>>950431

Basically this.

>>950470

>How many GB of CP is on my computer?

Too many.

>Name of my favorite onion site?

facebookcorewwwi.onion


 No.950482

>>950288 (OP)

Personally I use it as a secondary password and add it in the description of Keepass


 No.950518

I never understood why the fuck you weren't allowed to come up with your OWN security question and password. I mean, it would have made a lot more sense that way.

>>950288 (OP)

>not just using security questions as backup passwords (a la PUK in SIM cards)

>>950381

So that's why they did away with security questions and now ask for a (((phone number))).


 No.950539

>>950288 (OP)

>how did this retardation spread this much

Normalfags, like any other cancer.

I use an honest answer encrypted with a basic cypher.


 No.950543

Fabricate the answer to every question. When you're out drinking with someone you don't trust, let an answer to one auth question slip. You'll get an email saying someone tried to log into your account and answered "x." Then 6 months later they die of natural causes.


 No.950575

>>950381

>Kernell died on February 1 or 2, 2018, at the age of 30, from complications related to progressive MS.

Wow, didn't know that. They really jewed him hard for that "hack".


 No.950590>>950831

>>950479

>This is why you register with [phone number]

No, that's because botnet.


 No.950810>>950902 >>950960

>>950479

>You're doing it wrong. You SHOULD provide a fake answer here. But it should be a 2nd password, as in "ImAMassiveFaggot" or something, a sentence you'd remember or an actual secondary password.

Yes, I understand that. Giving a true answer is like hiding the spare key under the doormat. Giving a fake answer is like hiding the spare key in a locked vault, but now instead of one key you can lose you have two keys you can lose (the key to the door and the key to the vault), so you have effectively doubled the original problem because you have two passwords you can forget.


 No.950831>>950878 >>950896 >>950902 >>950970 >>951067

>>950590

No, it's because a phone number is a sure way to identify a user as an individual person. It's also a good way to stop spammers because their activity is dirt cheap and buying a shit ton of phones to create gorillions of spam accounts doesn't bode well with it.


 No.950878

>>950831

>a phone number is a sure way to identify a user

doesn't work on me since I don't have one


 No.950896>>950953

>>950831

It's not expensive to buy a phone in the third world or just steal them and use those numbers.


 No.950902>>950955

>>950810

Yeah, well. The point is it's supposed to be a last resort to recover your account should you ever forget or lose your password.

>>950831

>No, it's because a phone number is a sure way to identify a user as an individual person

No, it's a thinly veiled excuse to erode privacy, sign users up for spam, and build profiles for and track users, while conveniently tying their real world info to their accounts. The spam crap is just them pretending it's for improving things for good PR. It also prevents you from having alts.

The worst part is you can't use just any phone number because the owner can lock you out of the account.


 No.950903

>>950288 (OP)

You don't have to answer truthfully.

>What is your mother's maiden name?

<none_of_your_business_69


 No.950953>>951068

>>950896

Even if you could somehow buy those at $10 a pop that's still an order of magnitude greater expense than potential profit from using it.


 No.950955>>951056

>>950902

You mean you can't spam, sockpuppet and ban evade as easily as you used to? O tragedy!


 No.950960

>>950810

>have two keys you can lose

Make the answer something you'd only know. "Name of your father" can be anyone you'd think is a good father figure from a show you watch or something. After which you should add a set of characters or numbers you'd always be able to remember.

Or, you know, just invent a formula of your own for generating a set of numbers/chars when you combine the website name and your login username or email. It's not that difficult.


 No.950970>>951063

>>950288 (OP)

It's complete bullshit. In the worst case the site will grant someone access to your account if he gets the security question right. In the best case these security questions are used on top of some other stuff, but no matter how you slice it, it's not secure. For example some site may grant someone access to your account if he has your email, IP, and secret question, but "forgot your password". Another example is a site will lock you out because your IP address changed (another invalid practice), and then require your security question on top of your password. While in this case it doesn't break your security, it's a huge pain in the ass for no reason.

>>950479

>You're doing it wrong. You SHOULD provide a fake answer here. But it should be a 2nd password, as in "ImAMassiveFaggot" or something, a sentence you'd remember or an actual secondary password.

You're doing it wrong too. You're decreasing your password strength so that you can remember multiple passwords for a single account on a single website. The only proper way is to treat each security question as a separate password that gives access to your account, and store the passwords. Of course it's better to just not use such retarded sites in the first place. A more respectable web service that exists today is cock.li, which, while it requires JS, it only makes you use one password.

>Security is difficult

nope

>and there isn't a single good security method.

yep, cryptographic authentication, and failing that (because you're using webshit): a single password

>This is why you register with email/phone number

no. that's worse

>and have stuff like andOTP/google authenticator.

no.

>>950431

yeah, why am I not surprised that the security questions apologist goes off talking about password hashing after 3 seconds?

>>950831

>a phone number is a sure way to identify a user as an individual person

no it fucking isn't, doofus


 No.950995

>>950470

>>950450

bloody hell

time to change passwords again


 No.951056

>>950955

>You mean you can't spam, sockpuppet and ban evade as easily as you used to?

<can't have multiple accounts for keeping normal and degenerate stuff separate

<can't just use throwaway or pseudonymous accounts without giving away your info (country+area code) and exposing yourself to spam (e.g. spam texts)

<can't sign up for multiple accounts in a game to level characters up simultaneously (useful for additional inventory slots and crafting shit in MMOs)

But what would a narrow-minded dimwit like you know.


 No.951063

>>950970

>Security is difficult

>nope

Wow, nice argument. It is difficult. You can't make something that isn't flawed and that will satisfy everyone.

>a single password

Requires user to remember it.

>no

>no

Yes


 No.951067

>>950831

>buying shit ton of phones

You don't need to buy any extra phones. Unless you're a retard who got carrier locked.


 No.951068

>>950953

A prepaid SIM card costs significantly less than that.


 No.951087>>951088

>>950288 (OP)

Use a random password generator and save the random text in an encrypted file/drive

Ez


 No.951088

>>951087

>>950288 (OP)

Also have your master key extensively long and never saved nor written anywhere

Memorize it



