You know those questions you have to answer when you get locked out of your account and need to reset your password, "what was your first-grade teacher's name", that kinda thing?
These questions should never be subjective. You think I can tell you what I thought my favorite movie was when I signed up for this account ten years ago? Who do you think I am, Roger Ebert? I couldn't tell you conclusively what my favorite movie is now. If I was forced, today, to answer that question to sign up for an account, I promise I won't remember what I said a couple years from now.
Also, for the love of god, don't make the answers case sensitive! I got locked out of an account recovery process for guessing purple, blue, and Purple. Luckily, it let me try again 30 minutes later. Turns out the answer was Blue. Why did past me decide this word deserved the proper noun treatment? I dunno, you'll have to ask them.
On the one hand, subjective questions can't be found with a background search to steal your account. On the other, nothing forces you to be honest with them; make a secure fake password. Should have picked blurple for your favorite color, more memorable. I don't get this problem as much, as I use password recipes so I can reverse engineer the password I used based on the service and some other factors that I shouldn't say here because DON'T SHARE YOUR PASSWORD, ME! I also use a designated memorable answer for these questions; whether it's true or false is moot, I pick the answer that I will remember best, not the movie I think is best. I mean moot in the American English way, not the British English way. English to American mistakes just come so easily.
(originally posted Aug 13 2025)
I use a password manager at home, so I rarely run into this problem on my own time. At work we have a million sites we have to log into very periodically, and we're not allowed to install browser extensions, and they tend to be sites with a lot of security theater. Usually when I have to do the account recovery, it's because I just haven't logged in to a particular site in a few months. A randomly generated password in Bitwarden + 2FA would be essentially unbreakable; all the password shuffle does is introduce a bunch of weak points for social engineering. It's very silly.
Also, I didn't know "moot" meant something different in US and UK English. Neat! They're so close in meaning I don't know if I'd ever pick it out on my own.
(originally posted Aug 13 2025)