Discussion:
[Link Posting] Don't Give Away Historic Details About Yourself
Rich
2018-04-10 23:15:57 UTC
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################

<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Social media sites are littered with seemingly innocuous little quizzes,
games and surveys urging people to reminisce about specific topics, such
as "What was your first job," or "What was your first car?" The problem
with participating in these informal surveys is that in doing so you may
be inadvertently giving away the answers to "secret questions" that can
be used to unlock access to a host of your online identities and
accounts.
I'm willing to bet that a good percentage of regular readers here would
never respond - honestly or otherwise - to such questionnaires (except
perhaps to chide others for responding). But I thought it was worth
mentioning because certain social networks - particularly Facebook -
seem positively overrun with these data-harvesting schemes. What's more,
I'm constantly asking friends and family members to stop participating
in these quizzes and to stop urging their contacts to do the same.
On the surface, these simple questions may be little more than an
attempt at online engagement by otherwise well-meaning companies and
individuals. Nevertheless, your answers to these questions may live in
perpetuity online, giving identity thieves and scammers ample ammunition
to start gaining backdoor access to your various online accounts.
...
Batchman
2018-04-10 23:46:37 UTC
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Once again, thanks! Your contributions are much appreciated.
Rich
2018-04-11 01:08:39 UTC
Post by Batchman
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Once again, thanks! Your contributions are much appreciated.
You are welcome.
Richard Kettlewell
2018-04-11 07:22:03 UTC
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Social media sites are littered with seemingly innocuous little quizzes,
games and surveys urging people to reminisce about specific topics, such
as "What was your first job," or "What was your first car?" The problem
with participating in these informal surveys is that in doing so you may
be inadvertently giving away the answers to "secret questions" that can
be used to unlock access to a host of your online identities and
accounts.
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
--
https://www.greenend.org.uk/rjk/
Rich
2018-04-11 10:25:45 UTC
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Social media sites are littered with seemingly innocuous little
quizzes, games and surveys urging people to reminisce about
specific topics, such as "What was your first job," or "What was
your first car?" The problem with participating in these informal
surveys is that in doing so you may be inadvertently giving away
the answers to "secret questions" that can be used to unlock
access to a host of your online identities and accounts.
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
You'd be surprised at how high a percentage of internet users do answer
such questions accurately.

The Sarah Palin Yahoo email break-in of almost ten years ago is said to
have happened because someone made use of other public info available
elsewhere to answer Yahoo's "password recovery questions" and reset the
password on the account.

https://en.wikipedia.org/wiki/Sarah_Palin_email_hack

And she was someone who should have had people around her to tell her
"don't do that".
Jerry Peters
2018-04-11 20:21:07 UTC
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Social media sites are littered with seemingly innocuous little quizzes,
games and surveys urging people to reminisce about specific topics, such
as "What was your first job," or "What was your first car?" The problem
with participating in these informal surveys is that in doing so you may
be inadvertently giving away the answers to "secret questions" that can
be used to unlock access to a host of your online identities and
accounts.
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
I use Keepassx to track passwords & put the secret questions & answers
in the comments for each entry. Of course it also makes it more
difficult to *forget* my password.
Rich
2018-04-11 21:10:07 UTC
Post by Jerry Peters
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Social media sites are littered with seemingly innocuous little quizzes,
games and surveys urging people to reminisce about specific topics, such
as "What was your first job," or "What was your first car?" The problem
with participating in these informal surveys is that in doing so you may
be inadvertently giving away the answers to "secret questions" that can
be used to unlock access to a host of your online identities and
accounts.
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
I use Keepassx to track passwords & put the secret questions & answers
in the comments for each entry. Of course it also makes it more
difficult to *forget* my password.
I also do the same, and yes, because of the password manager (Password
Gorilla in my case) I don't even need the "recovery questions" to be
present, because I don't forget my password (I also don't /remember/ it
either....).

So for those of us using password managers, it would be nice to have an
option "disable insecure recovery questions".
Richard Kettlewell
2018-04-12 10:30:48 UTC
Post by Rich
Post by Jerry Peters
Post by Richard Kettlewell
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
I use Keepassx to track passwords & put the secret questions & answers
in the comments for each entry. Of course it also makes it more
difficult to *forget* my password.
I also do the same, and yes, because of the password manager (Password
Gorilla in my case) I don't even need the "recovery questions" to be
present, because I don't forget my password (I also don't /remember/ it
either....).
So for those of us using password managers, it would be nice to have an
option "disable insecure recovery questions".
They’re passwords by another name. I pick a random string and secure it
in the same way as I do any other password.
--
https://www.greenend.org.uk/rjk/
Rich
2018-04-12 11:35:11 UTC
Post by Rich
Post by Jerry Peters
Only if you answer the ‘secret questions’ accurately, which is a
daft thing to do. Your first job and car are not secrets.
I use Keepassx to track passwords & put the secret questions &
answers in the comments for each entry. Of course it also makes it
more difficult to *forget* my password.
I also do the same, and yes, because of the password manager
(Password Gorilla in my case) I don't even need the "recovery
questions" to be present, because I don't forget my password (I also
don't /remember/ it either....).
So for those of us using password managers, it would be nice to have
an option "disable insecure recovery questions".
They’re passwords by another name. I pick a random string and secure
it in the same way as I do any other password.
As do I, but I'm also now hearing that for many (most?) of the
underpaid, temporary, boiler room operators that make up the telephone
call handling department, that if you call, and they ask you "what was
the name of your first pet" and you reply "I don't remember, it was
some random string of gibberish characters" that more often than not
the cust. service rep. will respond: "That's right, welcome Mr. Trump,
thank you for banking with bigocorp bank, what can I do for you today"
and you are "in".

Which means someone wanting to impersonate you can get "in" via the
same means if they suspect your 'recovery questions' are "random
strings of characters".
Jerry Peters
2018-04-12 20:17:39 UTC
Post by Rich
Post by Rich
Post by Jerry Peters
Only if you answer the ‘secret questions’ accurately, which is a
daft thing to do. Your first job and car are not secrets.
I use Keepassx to track passwords & put the secret questions &
answers in the comments for each entry. Of course it also makes it
more difficult to *forget* my password.
I also do the same, and yes, because of the password manager
(Password Gorilla in my case) I don't even need the "recovery
questions" to be present, because I don't forget my password (I also
don't /remember/ it either....).
So for those of us using password managers, it would be nice to have
an option "disable insecure recovery questions".
They’re passwords by another name. I pick a random string and secure
it in the same way as I do any other password.
As do I, but I'm also now hearing that for many (most?) of the
underpaid, temporary, boiler room operators that make up the telephone
call handling department, that if you call, and they ask you "what was
the name of your first pet" and you reply "I don't remember, it was
some random string of gibberish characters" that more often than not
the cust. service rep. will respond: "That's right, welcome Mr. Trump,
thank you for banking with bigocorp bank, what can I do for you today"
and you are "in".
Which means someone wanting to impersonate you can get "in" via the
same means if they suspect your 'recovery questions' are "random
strings of characters".
Why bother with random strings? Just use a word that has absolutely no
relation to the question; even someone who has some information about
you, say from fakebook or another info harvesting source hasn't any
way to guess what the random answer is.
Rich
2018-04-12 21:06:12 UTC
Post by Jerry Peters
Post by Rich
Post by Rich
Post by Jerry Peters
Only if you answer the ‘secret questions’ accurately, which is a
daft thing to do. Your first job and car are not secrets.
I use Keepassx to track passwords & put the secret questions &
answers in the comments for each entry. Of course it also makes it
more difficult to *forget* my password.
I also do the same, and yes, because of the password manager
(Password Gorilla in my case) I don't even need the "recovery
questions" to be present, because I don't forget my password (I also
don't /remember/ it either....).
So for those of us using password managers, it would be nice to have
an option "disable insecure recovery questions".
They’re passwords by another name. I pick a random string and secure
it in the same way as I do any other password.
As do I, but I'm also now hearing that for many (most?) of the
underpaid, temporary, boiler room operators that make up the telephone
call handling department, that if you call, and they ask you "what was
the name of your first pet" and you reply "I don't remember, it was
some random string of gibberish characters" that more often than not
the cust. service rep. will respond: "That's right, welcome Mr. Trump,
thank you for banking with bigocorp bank, what can I do for you today"
and you are "in".
Which means someone wanting to impersonate you can get "in" via the
same means if they suspect your 'recovery questions' are "random
strings of characters".
Why bother with random strings?
Because my password generator has a handy "generate random string"
function already available. And I didn't consider the "low paid phone
tech" workaround fully.
Post by Jerry Peters
Just use a word that has absolutely no relation to the question; even
someone who has some information about you, say from fakebook or
another info harvesting source hasn't any way to guess what the
random answer is.
Yes, that's the workaround to avoid the "low paid, uncaring, phone
tech" angle.
Jerry Peters
2018-04-13 20:03:45 UTC
Post by Rich
Post by Jerry Peters
Post by Rich
Post by Rich
Post by Jerry Peters
Only if you answer the ‘secret questions’ accurately, which is a
daft thing to do. Your first job and car are not secrets.
I use Keepassx to track passwords & put the secret questions &
answers in the comments for each entry. Of course it also makes it
more difficult to *forget* my password.
I also do the same, and yes, because of the password manager
(Password Gorilla in my case) I don't even need the "recovery
questions" to be present, because I don't forget my password (I also
don't /remember/ it either....).
So for those of us using password managers, it would be nice to have
an option "disable insecure recovery questions".
They’re passwords by another name. I pick a random string and secure
it in the same way as I do any other password.
As do I, but I'm also now hearing that for many (most?) of the
underpaid, temporary, boiler room operators that make up the telephone
call handling department, that if you call, and they ask you "what was
the name of your first pet" and you reply "I don't remember, it was
some random string of gibberish characters" that more often than not
the cust. service rep. will respond: "That's right, welcome Mr. Trump,
thank you for banking with bigocorp bank, what can I do for you today"
and you are "in".
Which means someone wanting to impersonate you can get "in" via the
same means if they suspect your 'recovery questions' are "random
strings of characters".
Why bother with random strings?
Because my password generator has a handy "generate random string"
function already available. And I didn't consider the "low paid phone
tech" workaround fully.
So does mine, but it's just quicker to pick some random word that has
no relation to the question & enter it.
Post by Rich
Post by Jerry Peters
Just use a word that has absolutely no relation to the question; even
someone who has some information about you, say from fakebook or
another info harvesting source hasn't any way to guess what the
random answer is.
Yes, that's the workaround to avoid the "low paid, uncaring, phone
tech" angle.
Richard Kettlewell
2018-04-12 22:50:34 UTC
Post by Jerry Peters
Post by Rich
Post by Rich
So for those of us using password managers, it would be nice to have
an option "disable insecure recovery questions".
They’re passwords by another name. I pick a random string and secure
it in the same way as I do any other password.
As do I, but I'm also now hearing that for many (most?) of the
underpaid, temporary, boiler room operators that make up the telephone
call handling department, that if you call, and they ask you "what was
the name of your first pet" and you reply "I don't remember, it was
some random string of gibberish characters" that more often than not
the cust. service rep. will respond: "That's right, welcome Mr. Trump,
thank you for banking with bigocorp bank, what can I do for you today"
and you are "in".
Which means someone wanting to impersonate you can get "in" via the
same means if they suspect your 'recovery questions' are "random
strings of characters".
If that’s possible then someone hasn’t followed through the obvious
consequence of “they are passwords by another name”, which is that they
must be secured in the same way as any other password, rather than
stored in plain and compared by eye in a call center.
Post by Jerry Peters
Why bother with random strings? Just use a word that has absolutely no
relation to the question; even someone who has some information about
you, say from fakebook or another info harvesting source hasn't any
way to guess what the random answer is.
Why would I choose to be the weak point in the system?
--
https://www.greenend.org.uk/rjk/
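As an added illustration of "passwords by another name" (example code, not from any poster in this thread): a verifier that keeps only a salted PBKDF2 hash of the normalised answer, so there is no plaintext for anyone in a call centre to compare by eye, alongside the kind of random-answer generator a password manager offers. The normalisation rule (case-fold, drop punctuation, collapse whitespace) and the PBKDF2 parameters are assumptions, not anything the thread specifies.

```python
"""Recovery-question answers handled like passwords.

Added example: the normalisation policy and PBKDF2-HMAC-SHA256 with
600k iterations are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import secrets
import string
import unicodedata
from typing import Optional


def generate_random_answer(length: int = 20) -> str:
    """Random alphanumeric answer, the sort a password manager would
    generate and keep in the entry's notes, as the posters describe."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def normalise(answer: str) -> str:
    """Canonicalise so 'Fluffy ' and 'fluffy' verify as the same answer.

    Assumed policy: Unicode NFKC, case-fold, keep only letters, digits and
    spaces, collapse runs of whitespace.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> dict:
    """Return the only record the server stores: salt, cost, and digest.
    The answer itself is never written down server-side."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations,
            "hash": digest.hex()}


def verify_answer(candidate: str, record: dict) -> bool:
    """Recompute under the stored salt and compare in constant time.
    A rep can only feed the caller's words in; they cannot eyeball a match."""
    digest = hashlib.pbkdf2_hmac("sha256",
                                 normalise(candidate).encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: an answer set with a random string rather than a
    # guessable "first pet" name, then verified with sloppy input.
    answer = generate_random_answer()
    stored = hash_answer(answer)
    print("stored record:", stored)          # no plaintext anywhere in it
    print("correct answer verifies:", verify_answer(answer + "  ", stored))
    print("guessable pet name fails:", verify_answer("Fluffy", stored))
```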
Paul Sture
2018-04-13 02:24:12 UTC
Post by Richard Kettlewell
Post by Rich
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
Your full CV is an absolute gold mine of personal information.

You should be very selective about handing out the full version.
--
"Intrum" is a word that sounds like Latin, but has no meaning in that
language. "Justitia" is the name of the lady of justice in Roman
mythology.
Richard Kettlewell
2018-04-13 07:53:13 UTC
Post by Paul Sture
Post by Richard Kettlewell
Post by Rich
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
Your full CV is an absolute gold mine of personal information.
You should be very selective about handing out the full version.
I’m not sure what your point is. My first job is known (if they care to
remember) to friends, relatives, former colleagues, various bits of the
state, customers and partners of that employer, my current employer,
people who are good at using Google, and more besides. Treating it as a
secret would be absurd.
--
https://www.greenend.org.uk/rjk/
Rich
2018-04-13 13:00:02 UTC
Post by Paul Sture
Post by Rich
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Only if you answer the ‘secret questions’ accurately, which is a
daft thing to do. Your first job and car are not secrets.
Your full CV is an absolute gold mine of personal information.
You should be very selective about handing out the full version.
I’m not sure what your point is. My first job is known (if they care
to remember) to friends, relatives, former colleagues, various bits
of the state, customers and partners of that employer, my current
employer, people who are good at using Google, and more besides.
Yep..
Treating it as a secret would be absurd.
Exactly. Yet, far too many of the "password recovery questions" used
by too many websites include "what was your first job" as one of the
possible questions one can answer.

They also include such gems as "name of city where you were born" and
"name of first pet", etc. Not one of which should be considered secret
in any way. But the websites that use these questions treat them as
secret identifiers of the identity of a human at a computer.
Paul Sture
2018-04-14 23:35:46 UTC
Post by Richard Kettlewell
Post by Paul Sture
Post by Richard Kettlewell
Post by Rich
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
Your full CV is an absolute gold mine of personal information.
You should be very selective about handing out the full version.
I’m not sure what your point is. My first job is known (if they care to
remember) to friends, relatives, former colleagues, various bits of the
state, customers and partners of that employer, my current employer,
people who are good at using Google, and more besides. Treating it as a
secret would be absurd.
I was actually thinking of the personal bits such as National Insurance
number, date of birth and other tidbits which will exist on what was once
a hand written form.

In my early career I noticed that job application forms had industry
specific sections, criminal record for the warehouse industry for
example, and it was very easy to get into the habit of including such
stuff by force of habit. Other industries aren't interested in this or
they'd ask for it, so don't include such stuff, "just because you always
have done".

Going back 20-30 years, I would happily supply my passport number on an
initial job application form, if for no other reason than to let the
reader know that I already had that angle covered (You'd be surprised
how many folks don't realise that to get a foreign work visa you need
your current passport to be valid to cover at least the length of the
proposed stay, plus say 3 months). That's the sort of detail I won't
supply until later in a job application process nowadays.
--
"Normal IMAP" isn't a thing. :) There's just a cluster of largely
similar implementations including Dovecot & Cyrus and a diffuse flock of
weird other things like GMail and Exchange that are only vaguely related
to IMAP. -- Bill Cole - MailMate mailing list
Richard Kettlewell
2018-04-15 08:01:59 UTC
Post by Paul Sture
Post by Richard Kettlewell
Post by Paul Sture
Post by Richard Kettlewell
Post by Rich
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
Only if you answer the ‘secret questions’ accurately, which is a daft
thing to do. Your first job and car are not secrets.
Your full CV is an absolute gold mine of personal information.
You should be very selective about handing out the full version.
I’m not sure what your point is. My first job is known (if they care to
remember) to friends, relatives, former colleagues, various bits of the
state, customers and partners of that employer, my current employer,
people who are good at using Google, and more besides. Treating it as a
secret would be absurd.
I was actually thinking of the personal bits such as National
Insurance number, date of birth and other tidbits which will exist on
what was once a hand written form.
My date of birth isn’t a secret; again, lots of people know it or can
fairly easily find out. At least one financial institution asks me for
it as part of my login credentials (although that’s not the most bizarre
login scheme I’ve encountered).

My NI number is indeed not on my CV and gets exchanged with HR when they
need it, along with bank details and the like. (Not that I’ve changed
employer for a long time.)
Post by Paul Sture
In my early career I noticed that job application forms had industry
specific sections, criminal record for the warehouse industry for
example, and it was very easy to get into the habit of including such
stuff by force of habit. Other industries aren't interested in this or
they'd ask for it, so don't include such stuff, "just because you always
have done".
Agreed.
--
https://www.greenend.org.uk/rjk/
Nomen Nescio
2018-04-22 03:01:13 UTC
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://krebsonsecurity.com/2018/04/dont-give-away-historic-details
-about-yourself/>
<snip>

Fake Contact Information Generator
https://names.igopaygo.com/people/fake-person