In order to print out a tax form, I’ve just had to go through some silly security question rigmarole with my online bank. The wish-it-was two-factor authentication is getting quite out of hand these days. They are really desperate to give the appearance of security. In addition to displaying a chosen/random image and “security phrase” – ostensibly to prevent phishing and enable me to recognise that I’m in the right place – they asked me to pick five security questions and answers. The usual tripe like what was my high school mascot, what is the name of my hometown newspaper, etc.
I briefly toyed with the idea of putting in weird answers (high school mascot? half a dog) but in the end went with mashing the keys to produce 10-12 characters of alphanumeric nonsense for each answer. Since they’re going to ask me these questions in future, I copied them and sent them to myself in an encrypted email.
The strange thing is that they do this instead of enforcing a well-chosen password. So it’s actually (if properly answered) nowhere near as secure as a 10-12 character randomised password.
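To put numbers on that last point, here is an added example (mine, not the author's) that compares the guessing entropy of a uniformly random alphanumeric answer against an answer drawn from a pool of plausible "real" answers, and generates random answers properly with `secrets` rather than by mashing keys (key-mashing is not uniform, so it yields fewer bits than the length suggests). The pool sizes passed to `question_answer_bits` are assumptions for illustration, not figures from the post.

```python
import math
import secrets
import string

# 62-symbol alphabet: a-z, A-Z, 0-9
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a string chosen uniformly from alphabet_size**length possibilities."""
    return length * math.log2(alphabet_size)


def question_answer_bits(candidate_count: int) -> float:
    """Entropy (bits) if a 'real' answer is effectively drawn from candidate_count plausible values.

    The candidate_count is an assumption: a high-school mascot or hometown
    newspaper is drawn from a small, guessable pool, not from 62**12 strings.
    """
    return math.log2(candidate_count)


def combined_bits(per_question_bits: float, questions: int) -> float:
    """Entropy if an attacker must answer all `questions` independently (best case for the user)."""
    return per_question_bits * questions


def random_answer(length: int = 12, alphabet: str = ALPHANUMERIC) -> str:
    """Generate a uniformly random answer using a CSPRNG (secrets), suitable for a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def comparison(random_length: int = 10, pool_size: int = 1000, questions: int = 5) -> dict:
    """Return the entropy figures side by side."""
    return {
        "random_alphanumeric_bits": entropy_bits(len(ALPHANUMERIC), random_length),
        "one_real_answer_bits": question_answer_bits(pool_size),
        "all_real_answers_bits": combined_bits(question_answer_bits(pool_size), questions),
    }


if __name__ == "__main__":
    for name, bits in comparison().items():
        print(f"{name}: {bits:.1f} bits")
    print("example generated answer:", random_answer())
```

Even if the bank demanded all five "real" answers at once, and the pools were as large as a thousand plausible values each, the total falls well short of a single 10-character random alphanumeric string; in practice only one question is asked, so the gap is far wider.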