On Tue, 04 Mar 2014 00:55:45 +1100, Chris Angelico wrote:

> But it's an attack vector that MUST be considered, which is why I never
> tell the truth in any "secret question / secret answer" boxes. Why some
> sites think "mother's maiden name" is at all safe is beyond my
> comprehension. And that's not counting the ones that I can't answer
> because I can't find the "NaN" key on my keyboard, like "Surname of
> first girlfriend". *twiddle thumbs*

If you lie to these secret questions -- and I strongly recommend that you do -- you should record the answers somewhere so you can retrieve them later, long after you've forgotten whether the name of your first pet was Obama bin Bush or Tarzan the King of the Desert. Trust me on this, you will need them.

The missus has a Yahoo account, and being paranoid even by my standards for keeping her web presence completely separate from her real life, she invented fake answers to the secret questions like Your Birthday. (As you should. It is my opinion that lying to big faceless corporations is not a sin, but a duty. They are not on your side, and the more they know about you the more they will abuse the knowledge.)

So fast forward a few months, and the Yahoos at Yahoo put through another bloody round of bloody so-called improvements that break everything in sight, including people's passwords. So She Who Must Be Obeyed resets her password, except now it's *permanently broken* -- no matter how many times she resets her password, Yahoo will let her log in *once* then the next time claim the password is invalid.

And then a week or two ago, Yahoo added another piece of broken security theatre, and ask you to answer one of those secret questions before they'll reset your password. So now SWMBO is locked out of her account because she can't remember what she used.

Mind you, Yahoo is rapidly going from Worse to Even Worse, so it was only a matter of time before she would have dumped them for good. Still, it's annoying -- it's like having your identity stolen by a hermit on some mountain top who doesn't do anything with it, except prevent you from using it.

--
Steven D'Aprano
http://import-that.dreamwidth.org/