Website login security questions/ hints

Jonathan

24 May, 2012 10:16 PM

Regarding websites that ask you to choose one or more security questions/ hints and provide answers. Is it more secure to use 1Password's password generator and enter a long random string (which I record in that site's login notes section in 1Password) than to provide genuine answers such as a pet's name?

  1. Support Staff 2 Posted by Khad Young on 24 May, 2012 10:48 PM

    Hi Jonathan,

    Thanks for taking the time to contact us. It is absolutely more secure to use generated "passwords" as answers to security questions. The strongest passwords will make no difference if all an attacker has to do is know the name of your dog. :)

    You don't have to tell the truth. You just need to know what you tell to whom. 1Password is great for keeping track of that sort of thing (just like with passwords).

    My dog's name is nv}[cnwl1eBtSvWY!KGOtDLEe8~j:0#8}HLLzuwpJgEq1FrJz.

    Well, at least that's what I'm telling you.

    If we can be of further assistance, please let us know. We are always here to help!


    Khad Young
    Forum Choreographer, AgileBits
    http://agilebits.com/support

  2. 3 Posted by Jonathan on 24 May, 2012 11:00 PM

    I totally agree with you about not having to tell the "truth" ;) I guess I have to take care using a random string for a security question in cases where I might have to say it over the phone or similar. I mean if the operator on the phone for whatever company/ service asks for my security answer and I simply say it is random and they accept that, then obviously that company's security is faulty. In the other instance they might not be happy about listening to a long random string.

    Anyway I thank you for your help!

  3. Support Staff 4 Posted by Khad Young on 24 May, 2012 11:03 PM

    So far I've not come across an instance where I needed to read such a string to anyone over the phone, but the built-in password generator does include a "pronounceable" option if you think it will come in handy. We also have some great tips on creating a strong, memorable master password (or any password/security question) if it helps:

    http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/

    Let me know if you need anything else.

    Cheers,


    Khad Young
    Forum Choreographer, AgileBits
    http://agilebits.com/support
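
An added example, not part of the original thread and not 1Password's own generator: a Python sketch of the two kinds of answer discussed above, a fully random string to paste and a pronounceable one to read aloud, with the entropy each provides. The syllable alphabet and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Pool for an answer that is only ever pasted from a password manager.
FULL_POOL = string.ascii_letters + string.digits + string.punctuation

# Constructed consonant/vowel sets for speakable syllables (an assumption,
# not the alphabet used by any particular password manager).
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aeiou"
SYLLABLE_CHOICES = len(CONSONANTS) * len(VOWELS)


def random_answer(length=32):
    """Random security answer drawn from the full printable pool."""
    return "".join(secrets.choice(FULL_POOL) for _ in range(length))


def pronounceable_answer(syllables=8, group=2):
    """Consonant+vowel syllables, hyphenated so they can be read aloud."""
    parts = [secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
             for _ in range(syllables)]
    words = ["".join(parts[i:i + group]) for i in range(0, syllables, group)]
    return "-".join(words)


def random_answer_bits(length=32):
    """Entropy in bits of random_answer(length)."""
    return length * math.log2(len(FULL_POOL))


def pronounceable_bits(syllables=8):
    """Entropy in bits of pronounceable_answer(syllables)."""
    return syllables * math.log2(SYLLABLE_CHOICES)


def syllables_for_bits(target_bits):
    """Smallest syllable count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(SYLLABLE_CHOICES))


if __name__ == "__main__":
    print(random_answer(), f"{random_answer_bits():.1f} bits")
    print(pronounceable_answer(), f"{pronounceable_bits():.1f} bits")
    n = syllables_for_bits(64)
    print(pronounceable_answer(n), f"{pronounceable_bits(n):.1f} bits")
```

Either form is still recorded in the login's notes, as in the original question; the pronounceable form trades entropy per character for something that can be spoken, so it needs more characters for the same strength.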

  4. 5 Posted by Jonathan on 24 May, 2012 11:06 PM

    Khad,

    Thanks for the link. I've actually used it before to create my master password ;)

    Btw is there any reason why my questions are marked as private? I don't mind if others can read this as it might answer someone else's question.

  5. Support Staff 6 Posted by Khad Young on 24 May, 2012 11:09 PM

    Funny you mention that. We actually just switched all discussions to be private by default earlier today. Since there are a number of private matters where people forget to check the box to indicate such, and we also request Diagnostics Reports for certain issues, we're trying this out to see how it goes. So far so good, but I am happy to make this discussion public. In fact, I just did.

    Thanks for letting us share your great question with other 1Password users. :)


    Khad Young
    Forum Choreographer, AgileBits
    http://agilebits.com/support

  6. 7 Posted by rich on 26 May, 2012 11:19 AM

    I would just like to see you be able to enter the question and corresponding answer to the 3 or so security questions we are asked all within one login and 1Password would be clever enough to see which question has been asked and auto fill with correct answer. To have 4 logins or so for one bank is laborious. Is this going to be possible soon?

    Also if you have a memorable word and the site asks random characters, 1Password should know this word and enter the 2nd or 7th character?

    All other functions are great.

  7. 8 Posted by Stu Helm on 26 May, 2012 12:38 PM

    Hi Rich,

    We're certainly looking into ways to handle security questions within a Login item. The problem is that 1Password doesn't actually know, and in most cases can't know, what question you're being asked at any given session; all we see is the website code, not the actual content.

    "Also if you have a memorable word and the site asks random characters, 1Password should know this word and enter the 2nd or 7th character?"

    In a similar light, these types of password prompts are close to impossible for 1Password to deal with. Again, we don't know which characters are being requested at any one time, and even worse, there's actually no common standard for how these requests are coded.

    That doesn't mean we're giving up, but we have to be honest about the technical challenges. There's also a very valid question raised as to if random character requests are actually more secure, the consensus is that they're not and in some cases they can actually be less secure depending on how the 'backend' is implemented.


    Stu Helm
    Agile Crusader
    AgileBits

    http://support.agilebits.com
    http://twitter.com/1Password

  8. 9 Posted by Rodney Berling on 26 May, 2012 01:21 PM

    Thanks Stu for getting back, and I can understand the technical difficulties...let's hope for something in the future.

    I have one final question. On some websites after logging in, the option to save the site as a login does not appear in a browser bar in Safari like all other sites.

    Also some other sites autofill perfectly from the iPhone but not from the desktop...?

    Many thanks

    Rich

  9. 10 Posted by Jonathan on 26 May, 2012 02:23 PM

    Hi Stu,

    Can you please elaborate on your comment below,

    "there's also a very valid question raised as to if random character requests are actually more secure, the consensus is that they're not and in some cases they can actually be less secure depending on how the 'backend' is implemented."

    This is not related to my question about random generated strings for security answers/ hints, right?

  10. Support Staff 11 Posted by Khad Young on 26 May, 2012 05:10 PM

    Jonathan, no. It is not related. :)

    Rodney, some sites do different things to prevent 1Password from automatically saving a Login item. In these cases you can save a Login manually like this:

    1. Navigate to the web page in question using your web browser of choice.
    2. Enter your username, password, and any other required fields if applicable (security code, PIN, etc), but DO NOT submit the form.
    3. Click the 1Password button in your browser's toolbar, and select the "+" button in the upper right hand corner.
    4. Change the title and make any notes (if desired).
    5. Click the Save button in the upper right hand corner.

    That can even help for many sites which are asking for answers to security questions. Give it a try.

    Enjoy your weekend!


    Khad Young
    Forum Choreographer, AgileBits
    http://agilebits.com/support

  11. System closed this discussion on 07 Jul, 2012 05:10 PM.