security questions

1pwuser31547
1pwuser31547
Community Member

Does anyone have any guidance/ best practice recommendations about rotating security questions for accounts?

I know routine/periodic changes to login passwords are no longer recommended. Besides, since servers store these as hashes, if your password is strong enough its hash would be resistant to precomputation.

However, I would think that most types of security questions, by their nature of having to be read by humans, can't be stored encrypted.
So in the event of a server breach, these passwords could potentially be exposed as plaintext.
I really hate them: terrible for security, but unfortunately many sites require them for online access.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • danco
    danco
    Volunteer Moderator

    Since the answers do not need to be true, you could use separate answers for each site, and save your answers in the notes section of your 1PW entry.

  • XIII
    XIII
    Community Member

    Indeed. I (often) use randomly generated "memorisable passwords" of a few words as answers to the questions.

    I store them as custom fields of type password, so they are even hidden in 1Password by default.
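
    The approach XIII describes above, worked through as an added example (this is not code from the original thread or from 1Password): a small Python generator that produces an independent random multi-word answer for each security question of a site, using the CSPRNG-backed `secrets` module, and reports how much entropy each answer carries. The word list and the site/question names are constructed for the example; a real tool would use a published list such as the EFF large wordlist (7776 words, about 12.9 bits per word) rather than the 32-word toy list here.

```python
import math
import secrets

# Constructed toy word list for this example only (32 words = 5 bits/word).
# A real generator would load a published list such as the EFF large wordlist.
WORDLIST = [
    "apple", "brick", "cloud", "delta", "ember", "flint", "grape", "harbor",
    "ivory", "jungle", "kettle", "lemon", "marble", "nickel", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "anchor", "basil", "cobalt", "dune", "falcon", "garnet",
]


def entropy_bits(n_words, wordlist_size):
    """Entropy of an answer made of n_words independent uniform picks."""
    return n_words * math.log2(wordlist_size)


def generate_answer(n_words=4, wordlist=WORDLIST, separator=" "):
    """Random passphrase-style answer.

    secrets.choice draws from the OS CSPRNG, unlike random.choice.
    Output is lower-case letters and single spaces only, so it survives the
    case-folding and whitespace trimming many sites apply to answers.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def make_answers(site, questions, n_words=4, max_len=None, attempts=100):
    """One independent random answer per question for one site.

    Returns {question: answer}. max_len models a site's answer-length cap:
    the generator retries until an answer fits, and fails loudly rather than
    silently truncating (a truncated answer would not match on login).
    """
    answers = {}
    for question in questions:
        for _ in range(attempts):
            answer = generate_answer(n_words)
            if max_len is None or len(answer) <= max_len:
                break
        else:
            raise ValueError(
                f"{site}: no {n_words}-word answer fits in {max_len} chars; "
                "use fewer words"
            )
        answers[question] = answer
    return answers


if __name__ == "__main__":
    # Constructed site and questions for the demonstration.
    site = "example-bank"
    questions = ["mother's maiden name", "first pet", "city of birth"]
    for q, a in make_answers(site, questions, n_words=4, max_len=40).items():
        print(f"{site} | {q}: {a}")
    print(f"each answer: {entropy_bits(4, len(WORDLIST)):.1f} bits "
          f"(toy list); with a 7776-word list: "
          f"{entropy_bits(4, 7776):.1f} bits")
```

    Each question gets its own independent draw, so a rep or a breach exposing one site's answers reveals nothing about another site's, which is the point of danco's "separate answers for each site". The generated string then goes into the password-type custom field of the site's 1Password item, as XIII describes.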

  • That is what I do as well. :) As for rotating them... I would likely only consider doing that if the site reported a breach.

    Ben

  • 1pwuser31547
    1pwuser31547
    Community Member

    I appreciate the responses.
    I also do store them as random/unique passwords in custom fields and copy/paste them into the sites.
    I wish I could autofill them, but there doesn't seem to be an easy way to do that...

    Thanks again

  • AGAlumB
    AGAlumB
    1Password Alumni
  • 1pwuser31547
    1pwuser31547
    Community Member

    Thanks.

    By the way, what is your personal opinion on periodic changing of answers to security questions, since they may not be routinely stored hashed or encrypted like login passwords?

    I'm thinking about Yahoo: their breach revealed that they were storing answers to security questions unencrypted (so I've read).

    I spoke to a representative at a major financial firm. They could see my answers to security questions: scary.
    While other financial sites seem to have security question usage more automated rather than human read.

    Hopefully these security questions aren't being used for account recovery.

  • I don't think it would be a terrible idea to rotate the answers to security questions after any interactions with customer service. As you say, at some (many?) companies, these questions & answers are visible to customer service reps.

    Ben

This discussion has been closed.