You'll definitely want to memorize the password to the backup service that has the last copy of your password vault after a disaster. :P
> Writing your passwords down on paper is actually less crazy than it sounds
I agree that physical security can be incredibly useful against a lot of modern threats... but we can do better. I wish there was a dedicated password-keeper device format of:
* A small keyboard and screen
* The data encrypted at rest by one master password
* Only permits upload/download of the encrypted file over USB. With some companion software, you just plug it into your computer, computer copies the encrypted file to somewhere on disk that gets regularly backed up, then disconnects and beeps to tell you it's done.
* Sturdy enough that any "Evil Maid" attack needs to be done by a professional rather than a conniving roommate or jilted partner.
> You'll definitely want to memorize the password to the backup service that has the last copy of your password vault after a disaster. :P
Why? Write it down. Perhaps leave multiple paper copies around with some trusted people, like your lawyer and a safe deposit box at your bank.
Your proposed device seems a bit complicated. You can get pretty far with a piece of paper and this protocol:
Construct your password from two parts. (1) random gibberish you write down on paper, (2) a 'correct horse battery staple'-style part that you memorise.
Btw, have you looked into Yubikeys? They are better than password storage, because they can store your private keys and do signing with them. The key never leaves the device. (They can also store passwords, I think.)
> Why? Write it down. Perhaps leave multiple paper copies around with some trusted people, like your lawyer and a safe deposit box at your bank.
Those people would then effectively have access to your nearly-current desktop/laptop data from anywhere, especially since they would have to know who you are which greatly simplifies guessing your username/email.
> You can get pretty far with a piece of paper
Password Papers (A) never get backed up, meaning they'll be locked out of basically everything if the house burns down and (B) I've already tried getting relatives using them to adopt exactly such a fixed+variable combo scheme.
> Those people would then effectively have access to your nearly-current desktop/laptop data from anywhere, especially since they would have to know who you are which greatly simplifies guessing your username/email.
For secret answers like this I have Bitwarden generate a set of words that I put in. The words are actual English words, so the 'random gibberish' moniker wouldn't be correct.
But at least the answer doesn't match the question.
I've also learned to store the question, as some websites make you select the question before providing the answer. And my answers don't allude to what the original question was.
> I've also learned to store the question, as some websites make you select the question before providing the answer. And my answers don't allude to what the original question was.
I usually pick the first or default question. But yeah, that order might change.
Passwords in this style (passphrases) are also much easier to transcribe to devices that don't have or support password managers, or when sharing a password verbally or in writing.
I usually just ask my password generator to generate another random password for the secret question's answer.
Not great when you're on the phone with United Airlines and the person who's trying to help you get un-stranded asks what your favorite ice cream flavor is.
United has the absolute stupidest secret questions.