-snip-
You are right, you really should not be using a security question
If used correctly it can work as a second password. A security question whose answer can easily be obtained by social engineering and/or research online is certainly worthless. Examples would be:
What is your mother's maiden name? -> answer: *mother's maiden name*
What is the name of your first pet? -> answer: *name of first pet*
etc.
A good use of the system would be to phrase a meaningless question and put another password as the answer, e.g.:
Want some coffee? -> answer: *WtQjXeWGHSYmJuFEDvzBa2V*
If you store the answer in a secure location you have a fallback login should you ever forget your usual password.
Old thread, I know, but I set up a security question the way you wrote. I entered a strong password as the answer. I thought it might be good to have a higher level of security, though now I wonder if that's the case at all.
Is the secret answer treated the same way as the password? I mean hashed and all? Or did I open a security hole now?
Besides that, I am starting to ask whether I can raise security with it at all. I mean, whether you have two passwords or one doesn't really make a difference when either can be used on its own.
As we learned from the last hack, theymos advised not to use the secret question any longer, as it indeed does not meet the same security features as the password.
On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings
As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.
-snip-
As for how to disable it, the answer given was to remove every character (including whitespace, so make sure you delete everything) and save the changes.
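The difference the thread turns on is how the secret answer is stored: a "basic" hash (one fast, unsalted pass) versus the slow, salted scheme a password gets. The following is an added illustration, not the forum's code, and the parameters (PBKDF2 with SHA-256, 600,000 iterations, 16-byte salts, the hypothetical `legacy_hash` shape) are assumptions chosen for the example. It shows why a basic hash lets one precomputed table cover every user who picked the same answer, while the salted KDF makes each stored answer unique and expensive to guess, which is what the question "is the secret answer hashed like the password?" is really asking.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed parameters for this example (not the forum's real settings).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise a natural-language answer so 'Fluffy ' and 'fluffy' compare equal.

    Note: normalisation also shrinks the space of distinct answers, which is one
    more reason a dictionary word is a poor answer regardless of the hash used."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def legacy_hash(answer: str) -> str:
    """Hypothetical 'basic' storage: one fast, unsalted SHA-1 pass.

    Every user with the same answer ends up with the same digest, so a single
    precomputed table of common answers matches all of them at once."""
    return hashlib.sha1(normalize_answer(answer).encode("utf-8")).hexdigest()


def store_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Password-grade storage: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    Returns a self-describing string so the parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
    )
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_digest_across_users(answer: str) -> bool:
    """True when two users with the same answer get identical stored values (legacy scheme)."""
    return legacy_hash(answer) == legacy_hash(answer)


def distinct_digest_across_users(answer: str) -> bool:
    """True when two users with the same answer get different stored values (salted scheme)."""
    return store_answer(answer) != store_answer(answer)


if __name__ == "__main__":
    # Constructed sample: a dictionary-style answer and a random-string answer.
    for sample in ("Fluffy", "WtQjXeWGHSYmJuFEDvzBa2V"):
        print(sample, "legacy:", legacy_hash(sample))
        record = store_answer(sample)
        print(sample, "pbkdf2:", record)
        print("  verifies:", verify_answer(sample, record))
```

The salted record is only as strong as the answer itself: a pet's name remains guessable under any KDF, just more slowly, whereas a random string like the one in the first post is safe under either scheme only if it was never exposed, which is exactly why the advice after the dump was to disable the question rather than keep relying on it.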