The answer is yes, and the TL;DR is not to use them, use 2FA, and not share personal details online (which is hopefully all obvious advice)

cross-posted from: https://lemmy.world/post/12060980

  • WhoresonWells@lemmy.basedcount.com
    link
    fedilink
    English
    arrow-up
    9
    ·
    10 months ago

    Once, I made an account for something that let me write my own security question and answer. I thought that was much better than the usual options and wrote something that cryptically referenced a difficult problem I once worked on. The answer could possibly be found online, but only to someone who properly understood the question. Later, when I needed to authenticate myself again, I got my security question. The answer isn’t something you typically memorize, but I knew what the prompt meant and how to work it out so I did so.

    But I was too slow. Apparently you had to answer within one minute. It took me about ten so it locked me out. Tech support helpfully reset my password after merely verifying my phone number and SSN which are probably known to thousands.