fuck security questions!
in fact, fuck passwords too!!
truth is, the questions do serve a purpose… with naive users who don’t properly store their passwords, they let the lazy admins rest, unless those admins also want to go the extra step of theater like apple does. not to mention the millions the banks think they’re saving. all it takes to lose all those savings is one security breach, and SQs easily open a huge can of worms.
devs: just send a temporary password to the email. it’s still much more “secure” than those bullshit questions. and good enough for most cases.
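As an added example (not code from the post’s author), here is what “send a temporary password to the email” looks like when done carefully: the server keeps only a hash of the token plus an expiry and a used flag, so a leaked table yields nothing redeemable, the token is single use, and the comparison is constant time. The TTL, token size and in-memory store are assumptions standing in for a real database and policy.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical policy values, not taken from the post.
TOKEN_TTL_SECONDS = 15 * 60   # a temporary password is good for 15 minutes
TOKEN_BYTES = 24              # 192 bits of CSPRNG output per token

# Constructed in-memory store standing in for a database table,
# keyed by user id. Only the token's hash is kept, never the token.
_pending = {}


def _digest(token):
    """Hash the token so a leaked store does not yield usable credentials."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_temporary_password(user_id, now=None):
    """Mint a single-use temporary password for `user_id` and return it.

    The caller emails the returned string; it is never logged or stored in
    clear. Issuing a new one replaces any earlier pending token.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _pending[user_id] = {
        "digest": _digest(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_temporary_password(user_id, presented, now=None):
    """Return True exactly once, for the right token, inside its lifetime."""
    now = time.time() if now is None else now
    record = _pending.get(user_id)
    if record is None or record["used"] or now > record["expires"]:
        return False
    # Constant-time comparison of digests avoids a timing side channel.
    if not hmac.compare_digest(record["digest"], _digest(presented)):
        return False
    record["used"] = True          # single use: a replayed token is rejected
    return True


if __name__ == "__main__":
    t = issue_temporary_password("alice", now=1000.0)
    print("first redeem:", redeem_temporary_password("alice", t, now=1100.0))  # True
    print("replay:", redeem_temporary_password("alice", t, now=1200.0))        # False
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the default `time.time()` is what you want, and the temporary password should force a real password change on first login.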
probably the most secure solution: use some kind of single sign on (or all of ’em) and 2 step auth. by all means, do allow adding a backup password if someone wants it, with a warning “you’re on your own, don’t lose this, we can’t help you”. and since you’re doing-it-right™, why not toss in an ssh key too? it sure will get the word of mouth in any hacking community.
meanwhile, if you’re a worried user and need to give answers to keep your account super mega secure, get a password vault already and store the answers alongside your passwords, making each one equally impossible for anyone to guess and at least 16 characters long.
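An added example of the “treat the answer as a second password” habit above (this is not the author’s code): it generates vault-ready answers from the OS CSPRNG, checks them against the post’s 16-character minimum, and shows the guessing work in bits, so you can see why a real pet’s name fails and a random string does not. The alphabet, default length and policy check are assumptions.

```python
import math
import secrets
import string

# Hypothetical policy, following the post: at least 16 characters drawn from a
# large alphabet, generated by a CSPRNG rather than recalled from memory.
MIN_LENGTH = 16
ALPHABET = string.ascii_letters + string.digits


def random_answer(length=24, alphabet=ALPHABET):
    """Return a random 'answer' that is really just a second password."""
    if length < MIN_LENGTH:
        raise ValueError("answer shorter than policy minimum")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work, in bits, for a uniformly random string of this shape."""
    return length * math.log2(len(alphabet))


def meets_policy(answer, alphabet=ALPHABET):
    """Reject anything short or outside the alphabet (e.g. a real pet's name)."""
    return len(answer) >= MIN_LENGTH and all(c in alphabet for c in answer)


def fill_questions(questions):
    """Map each prompt to a fresh random answer, ready to paste into a vault entry."""
    return {q: random_answer() for q in questions}


if __name__ == "__main__":
    # Constructed sample prompts, typical of what sites ask.
    for question, answer in fill_questions(["first pet", "city of birth"]).items():
        print(f"{question!r}: {answer} ({entropy_bits(len(answer)):.0f} bits)")
```

Each answer is stored only in the vault next to the site’s password; the point is that nobody, including you, should be able to recall it from memory or look it up.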
you don’t need to take my word for it:
- We all know we should create secure passwords. But, for all the time we spend worrying about our passwords, there's a… (www.howtogeek.com)
- The notion of using robust, random passwords has become all but mainstream-by now anyone with an inkling of security… (www.wired.com)
- Problem 1: The answers aren't secrets. Stop asking stuff that the internet knows better than I do. The birthplace of my… (kristopolous.blogspot.pt)