Yet another website requires that I fill in answers to “security questions”. Terrible security practice. Most of them are public information about me, and that ignores the point that giving true answers to every site that wants to set up the same “security question” is basically the same as using the same password on every site. “Trust us…”

My solution is:

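#!/usr/bin/env python3

import base64

# Read 12 random bytes (96 bits) from the kernel's random device.
with open('/dev/random', 'rb') as f:
    d = f.read(12)

# Base64 with 'A' and 'B' standing in for '+' and '/', so the answer is purely alphanumeric.
print(base64.b64encode(d, altchars=b'AB').decode('ascii'))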


Eugene Crosser June 28, 2013 10:18

I think they are simply mimicking the banks’ practice (which is admittedly as bad).

Your solution is neat, but lacks the part where the answer is stowed into some sort of crypto device (seahorse etc.).

Michael K Johnson June 28, 2013 10:20

+Eugene Crosser that’s an exercise left to the reader…

Cristian Gafton June 28, 2013 12:44

I am always torn about these security questions. Sometimes they do have a question no one else asked - and that is when my alarm bell goes off - do I tell them/publish any more details about me?

That’s when additional questions like how do they store the answers, are they encrypted, etc. make the decision to be truthful hard.

So, just like you, I lie my ass off. And then store the question/answer challenge in a crypto lock.
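The storage step discussed in the comments, as an added example that is not part of the original post or its replies: one independent random answer per question, saved to the desktop keyring that Seahorse browses. Assumptions: the libsecret `secret-tool` CLI is installed, the site and questions are constructed samples, the function names are hypothetical, and Python's `secrets` module stands in for reading `/dev/random` directly.

```python
import base64
import secrets
import shutil
import subprocess

def random_answer(nbytes=12):
    """Same scheme as the post: random bytes, base64 with '+' and '/' mapped to 'A' and 'B'."""
    return base64.b64encode(secrets.token_bytes(nbytes), altchars=b"AB").decode("ascii")

def answers_for(site, questions):
    """One independent random answer per question, so nothing is shared across sites."""
    return {(site, q): random_answer() for q in questions}

def store(site, question, answer):
    """Save one answer in the desktop keyring; secret-tool reads the secret from stdin."""
    subprocess.run(
        ["secret-tool", "store", "--label", "Security answer: " + site,
         "site", site, "question", question],
        input=answer.encode("ascii"), check=True)

if __name__ == "__main__":
    # Constructed sample input: a made-up site and two typical questions.
    site = "shop.example"
    questions = ["Mother's maiden name?", "First pet's name?"]
    have_keyring = shutil.which("secret-tool") is not None
    for (s, q), a in answers_for(site, questions).items():
        if have_keyring:
            store(s, q, a)
            print("stored:", q)
        else:
            # No keyring CLI found: show the answer so it can be saved by hand.
            print(q, "->", a)
```

A stored answer can be read back with `secret-tool lookup site shop.example question "First pet's name?"`.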


Imported from Google+ — content and formatting may not be reliable