
Topic: How to reset/disable secret security answer? (Read 1049 times)

legendary
Activity: 2674
Merit: 1082
Legendary Escrow Service - Tip Jar in Profile
OK, I'll disable it instantly. I was under the impression that this red text is only showing up because the normal use of such a question is to set up something you know and can remember, which might mean a hacker can guess what you used as the answer.

Disabling now... might be better to disable that function completely then.
legendary
Activity: 1652
Merit: 1127
Regarding the OP, it was changed recently, don't think it was ever mentioned, but it now has red text to the left, under the descriptive text for the Answer field.
"You have a secret question set. This is not recommended."

It goes away if there is no question set.

copper member
Activity: 1498
Merit: 1499
No, I don't escrow anymore.
-snip-
You are right, you really should not be using a security question

If used correctly it can work as a second password. A security question which has an answer that can easily be obtained by social engineering and/or research online is certainly worthless. Examples would be:
What is your mother's maiden name? -> answer: *mother's maiden name*
What is the name of your first pet? -> answer: *name of first pet*
etc.
A good use of the system would be to phrase a meaningless question and put another password as the answer, e.g.:
Want some coffee? -> answer: *WtQjXeWGHSYmJuFEDvzBa2V*

If you store the answer in a secure location you have a fallback login should you ever forget your usual password.

Old thread, I know, but I set up a security question the way you wrote. I entered a strong password as the answer. I thought it might be good to have a higher level of security, though now I wonder if that's the case at all.

Is the secret answer treated the same way as the password? I mean hashed and all? Or did I open a security hole now?

Besides that, I start to ask if I can raise security with it at all. I mean, if you have 2 passwords or one doesn't really make a difference when you can use both on their own.

As we learned from the last hack, theymos advised not to use the secret question any longer, as it indeed does not meet the same security features as the password.

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.
-snip-

In terms of "how to disable it" the answer was given to remove every symbol (including whitespaces, so make sure you delete everything) and save changes.
legendary
Activity: 2674
Merit: 1082
Legendary Escrow Service - Tip Jar in Profile
-snip-
You are right, you really should not be using a security question

If used correctly it can work as a second password. A security question which has an answer that can easily be obtained by social engineering and/or research online is certainly worthless. Examples would be:
What is your mother's maiden name? -> answer: *mother's maiden name*
What is the name of your first pet? -> answer: *name of first pet*
etc.
A good use of the system would be to phrase a meaningless question and put another password as the answer, e.g.:
Want some coffee? -> answer: *WtQjXeWGHSYmJuFEDvzBa2V*

If you store the answer in a secure location you have a fallback login should you ever forget your usual password.

Old thread, I know, but I set up a security question the way you wrote. I entered a strong password as the answer. I thought it might be good to have a higher level of security, though now I wonder if that's the case at all.

Is the secret answer treated the same way as the password? I mean hashed and all? Or did I open a security hole now?

Besides that, I start to ask if I can raise security with it at all. I mean, if you have 2 passwords or one doesn't really make a difference when you can use both on their own.
member
Activity: 114
Merit: 10
PMs blocked, send answers to main.
-snip-
Instead just use an email, security questions aren't really needed if you use a strong email.

As we have seen recently with the GMX related hacks, your email might not be as strong as you think it is. The security of your email depends on a 3rd party. They might do a poor job. Especially if you are not even paying them for their services, they might be lacking the motivation and means to thoroughly protect their servers and customers. Google seems to be different in that regard though.
full member
Activity: 215
Merit: 100
-snip-
You are right, you really should not be using a security question

If used correctly it can work as a second password. A security question which has an answer that can easily be obtained by social engineering and/or research online is certainly worthless. Examples would be:
What is your mother's maiden name? -> answer: *mother's maiden name*
What is the name of your first pet? -> answer: *name of first pet*
etc.
A good use of the system would be to phrase a meaningless question and put another password as the answer, e.g.:
Want some coffee? -> answer: *WtQjXeWGHSYmJuFEDvzBa2V*

If you store the answer in a secure location you have a fallback login should you ever forget your usual password.

Instead just use an email, security questions aren't really needed if you use a strong email.
member
Activity: 114
Merit: 10
PMs blocked, send answers to main.
-snip-
You are right, you really should not be using a security question

If used correctly it can work as a second password. A security question which has an answer that can easily be obtained by social engineering and/or research online is certainly worthless. Examples would be:
What is your mother's maiden name? -> answer: *mother's maiden name*
What is the name of your first pet? -> answer: *name of first pet*
etc.
A good use of the system would be to phrase a meaningless question and put another password as the answer, e.g.:
Want some coffee? -> answer: *WtQjXeWGHSYmJuFEDvzBa2V*

If you store the answer in a secure location you have a fallback login should you ever forget your usual password.
administrator
Activity: 5166
Merit: 12850
Yes, just keep it blank. Make sure that the secret question area isn't full of whitespace characters. (Spaces don't count, but some other whitespace/invisible characters do.)
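The two points raised in this thread, a secret answer stored as a basic hash and a "blank" field that still contains invisible characters, can be handled together on the server side. The sketch below is an added example, not the forum software's code; the function names and scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Added illustration: names and cost parameters are assumptions, not forum code.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def visible_text(value: str) -> str:
    """Drop whitespace, control and format code points (e.g. U+200B, U+FEFF)."""
    return "".join(
        ch for ch in value
        if not ch.isspace() and unicodedata.category(ch)[0] not in ("C", "Z")
    )


def is_blank(value: str) -> bool:
    """True when nothing a user could see remains in the field."""
    return visible_text(value) == ""


def store_secret_answer(question: str, answer: str):
    """Return (salt, digest) to store, or None when the feature is disabled."""
    if is_blank(question) or is_blank(answer):
        return None  # nothing stored, so recovery by secret answer is off
    salt = os.urandom(16)  # per-account salt
    # Memory-hard KDF: the answer is a login credential, like the password.
    digest = hashlib.scrypt(answer.encode("utf-8"), salt=salt, **SCRYPT)
    return salt, digest


def verify_secret_answer(record, candidate: str) -> bool:
    """Check a submitted answer; a disabled question never matches."""
    if record is None or is_blank(candidate):
        return False  # blank input cannot unlock an account
    salt, digest = record
    attempt = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, **SCRYPT)
    return hmac.compare_digest(attempt, digest)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values, reusing the example answer from the thread.
    rec = store_secret_answer("Want some coffee?", "WtQjXeWGHSYmJuFEDvzBa2V")
    print(verify_secret_answer(rec, "WtQjXeWGHSYmJuFEDvzBa2V"))
    print(store_secret_answer(" \u200b\u00a0", "\u200b"))
```
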
sr. member
Activity: 280
Merit: 250
Just delete it. Make sure nothing is there in either the security question or the security answer. Then enter your password and click Change Profile.

You are right, you really should not be using a security question

Thanks!

Can I get confirmation from the staff that this actually works though, because I don't want to do it and then someone just enters with it left blank and can get access.
copper member
Activity: 2870
Merit: 2298
Just delete it. Make sure nothing is there in either the security question or the security answer. Then enter your password and click Change Profile.

You are right, you really should not be using a security question
hero member
Activity: 602
Merit: 500
Once you have set it you can only change it again and not reset. Well, at least it used to be like that when I was a moderator on an SMF gaming forum.
sr. member
Activity: 392
Merit: 250
To change it, just put a new question and answer in your profile. Enter your password and hit Change Profile.
That's how you can change it. Profile - Account Related Settings - Secret Question:
sr. member
Activity: 280
Merit: 250
Is it even possible to reset the security question here or am I just missing something? I searched the forums via Google and can't find anyone mentioning resetting the question. Any staff have any input?
sr. member
Activity: 280
Merit: 250
I've set the security question on my account and I've read it's not recommended, even though no one would possibly guess it. How can I reset/disable it?