In my old days, when needing to set up unique passwords, I'd use high ASCII characters
absolute zero wrote: ↑Sun May 24, 2020 10:26 am
This is why I disable security questions whenever possible. When they are required, I use a complex random string of characters.
FIREchief wrote: ↑Sun May 24, 2020 12:38 am
Isn't this just reinforcement for why you should never use "real" answers for security questions? For internet forums, retail sites, etc? Sure. Financial accounts? Not so much.... Once you get to the point of sending a password reset to email, you're on very thin ice. I think we're close to the day where we can choose to require a phone call with voice recognition and perhaps other authentication to reset a forgotten password. I look forward to that day.
oldfort wrote: ↑Sun May 24, 2020 12:12 am
You can make recovery via email, but in Vanguard's view, email may be less secure than SMS. For 99% of the population, the recovery to your email is via SMS. You can make recovery via snail mail. This works great for credit card companies, but you have to tolerate being without access to your account for a week or two. This wouldn't bother me, but may be unacceptable for some customers. You can use printed recovery codes, but the people who forget their passwords are the same people who won't remember where they put their recovery codes. The ideal solution would be some form of biometrics.
There have been a couple times where I’m asked to verify by phone, which makes things somewhat interesting.
Agent: Can you verify your identity by providing the name of your childhood best friend?
Me: Sure, my childhood best friend was Pk4x19gTf99Jmb.
Try telling the CS rep those!
(I don't think they are recognized by systems anymore, but it certainly helped prevent some brute force attacks since hackers never included those in their character sets.)