I'm forced to use Windows 7 at work. I run Linux in virtualbox to get round this limitation. It keeps corporate IT departments happy because they can enforce patching policies and audit software.
Same here. Our network is heavy on MS Active Directory authorization, so really the only way to run Linux at all is to host it on a Windows/Virtualbox VM.
Last time I ran into problems with web filters at work, it was because they had blocked a lot of security-related things on the grounds that they could potentially be useful to hackers. For example, the websites for most popular fuzzers were blocked.
When I'm purely in a dev mode, I do. But often, I'd like to be able to jump into online games with my friends on the same PC, and the games I like to play simply work better on Windows. It's nice to have the same or equivalent tools available on Windows for when I'm already there, so I don't need to switch back to my other boot or fiddle around with a virtual machine.
Very much a hobbyist dev machine, and I primarily write video games and related tools on this machine. Some of my emulator projects are cross-platform, so I need to be able to test on Windows for those anyway; it's kind of a general purpose workhorse.
The computer I use for my day job is exclusively Linux, as I have no need for Windows software or online games there. (I'm guilty of playing Minecraft during my lunch break, but that fortunately runs quite pleasantly under Linux.)
Office, more specifically Excel. I know Linux has alternatives, but they are not as good, and everyone else I am working with is using/sending Excel.
I excitedly installed the new CrossOver Linux because of their Office 2017 support on my Manjaro machine at home, and yeah, I guess it "works", but the experience was slow, painful, and I wouldn't call it stable.
Beyond that, I find I am constantly having to put work into my Linux machine to get things to run. YES, it's a million times better than it used to be AND I WANT to run Linux, but it's always more work.
Windows has better support for touch screens, pens, and dictation, all of which I rely on. I use WSL to be productive, and have a separate Linux PC (with touch screen) too.
Because you want to run real software, too! There's nothing like the Adobe Creative Suite, Microsoft Office, plus great backup utilities, media playing and management, etc. If you're targeting Linux, run it in a VM so if you screw something up, your host OS stays intact.
What's your point? All interpreted languages have to be compiled anyway, you have to create an AST, convert it to bytecode, and then interpret it or JIT it.
The initial claims made about Jean Charles de Menezes included that he ran, he jumped the barrier, he did not buy a ticket, he was wearing a thick jacket. In reality he walked, bought a ticket, used the barrier normally and was wearing a t-shirt. This is visible on the cctv footage.
Yes, but the part I'm specifically talking about was how he got up from the seat on the tube when confronted in a way the officer in question thought was aggressive, but that in reality is something you often see on the tube. There's no doubt there was lots of bullshit coming from the police over it too, but that he stood up was one of the few claims the jury in the inquest agree was proven, and it stands out because the testimony relating to it as far as I remember made the officer seem genuinely to not realize why someone might get up that way, which is quite unlike their other excuses in that it exposes ignorance compared to the other attempts to describe things in a way that could have actually contributed to giving them an excuse.
The author is doing video editing work. The point of the 5k screen is to have a 4k video displayed at 1:1 pixel and controls displayed alongside it. I.e. the author may be part of that small subset of people that actually want 5k in order to do their job.
I'm not sure that was the main factor in their decline. I think it was more that they were internally divided over what direction the party should take. The members that wanted the full-fat fash street violence left for the EDL. The remnants weren't able to effectively compete with UKIP's money and ground game at elections.
FF has for me crashed more times in the last week than in the previous year. - Multiple installs on different Linux systems. The last crash was with a clean profile.
And then there's the disappearing dev tools - that's fun.
EDIT:
I hope that there is something weird with my systems. But I fear that the rush to push this out might have been a little hasty.
EDIT EDIT
Apart from the crashes the new FF has been nice. I've been able to largely stop using chromium for dev work - so not all is bad.
You can go to "about:crashes" to get some more information about reported crashes. If you open a crash report and click the "Bugzilla" tab, you can find out if a bug is on file for that specific stack trace.
I have been using Firefox for several months, using Windows 10, and several GNU/Linux distributions, different hardware, etc., and have never experienced a crash.
It's definitely something weird to do with your systems, meaning it's a real bug that you are experiencing, and I am not.
So please share crash reports, and file bug reports. Different hardware/software quirks may reveal bugs in Firefox/Linux/drivers/window managers/anything. By submitting a bug report for Firefox, you may be able to help find a video driver bug, etc.
But many of the electric car owners live in the cities. Here they can drive in the bus lanes and don't pay the road tolls. This makes an electric car an excellent commuter choice.
The more modern theory is that walrus tusk (which was extremely valuable until elephant ivory became available) prices crashed meaning the ships had little reason to travel to Greenland for trade.
I think that this coincided with the Black death which truly devastated the Norwegian population.
> My typical answer for a security question is something like "39arsrc uyrsrsaulsr8832r" and that's saved in a password manager
The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh I just mash the keyboard for those" is probably going to get an attacker access to your account.
> The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh I just mash the keyboard for those" is probably going to get an attacker access to your account
I used to do this and then lost my password file. Fast forward to a call with AT&T. I told them I forgot my secret answers. They offered that it was "a super weird answer," which let me use the "mashed keyboard" line and got in. TL;DR I think this system is less safe than just making up cars, cities, et cetera.
Yeah, I always use a handful of random words. That way, it's something pronounceable over the phone.
Still, I expect "oh, it's a random word not related to the question" would clear phone screen human layer of verification a good percentage of the time.
I can confirm that "I'm not going to be able to tell you the secret answer" was accepted by Blizzard when they locked my account and made me apply to have it unlocked.
I'm still bitter about that. I put garbage in the answer to the secret question because I planned not to forget my password. I didn't forget my password, but Blizzard nevertheless locked me out of my account, for the crime of using a payment card that was listed on my account, but wasn't listed as my "preferred" payment option.
Yes, you should just make up a fake personal profile, and base your answers on that. True answers and human-bypassable answers are all bad, whereas fake answers open you up to a world full of entropy.
One solution would be to randomly generate security answers with human readable words. Diceware does this. You can use a dice, or you can use an open source tool like this one:
It's also built into 1Password. And before that, I just used what I think was literally a one- or two-line Perl script that just grabbed four words from /var/dict. Why yes, my mother's maiden name was indeed pathetic xylophone tootsie wasp, how did you know?
The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.
These are supposed to be the very last line of defense for security, including if you lose your password manager. As an exaggerated analogy, imagine that being unable to answer these questions meant your house, car, and life savings are taken from you. That is how important these answers are, except you're "only" losing one online account at a time.
Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere. The reason behind why security questions exist is a good one, but they don't offer enough security when used as intended (memorable, non-random data). The problem is there is currently no better alternative, short of requiring you to tie your legal identity to every account, and having to show up in person with photo ID to regain control of an account you've lost access to.
Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.
Hum... I'd say that the entire point of security question is that incompetent people can appease non-technical bosses by claiming that they follow best practices.
Where they stand at the security line is irrelevant, because their mere existence in a place is already a symptom of a deep level of incompetence and an almost sure prediction of a compromised system. Besides, security is usually chain-like (compromise one node and it's broken), not army-like (compromise one node and you'll have to fight the next).
Besides, most people do not have a favorite color, do not remember the name of their 3rd grade teacher, and have severe doubts about what counts as their "first" pet. Yes, they are intended to solve a real problem, but nothing about them survives any amount of questioning.
The problem is that anything which you remember that well is likely to be discoverable by other people. For instance, if someone's mother is dead there's a good chance that her obituary will be online and list the names of her children and her maiden name. Likewise, you could find the name of a person's elementary school via looking at their posts on Facebook in many cases - or if not their posts, then their siblings or their friends. So these kinds of questions are hardly a great proof of identity if it can be found online with a bit of searching.
That might have been the theory of security questions early on. But by now I'm sure I've filled out security questions dozens of times. Whatever the intent, from my perspective as a user, they're in the "speed bump" category of security.
For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.
> For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.
This is a great idea. Not only can the police verify that a given photo ID matches the person in front of them, they can also verify that the ID is valid and unaltered by verifying that the details on the ID match the details in the DMV's database, eliminating fake IDs from being an issue. This wouldn't be 100% perfect -- maybe a really determined ID thief could get the DMV to issue them an ID in someone else's name -- but it would dramatically increase the risk and makes ID theft much harder to scale.
A federal effort to standardize an identity verification service across federal and local offices nationwide would be helpful. The service should be available to any entity (not only banks or financial entities) who wishes to verify the identity of a counterparty. The process and fee should be standardized nationwide, with the fee being break-even and paid by the entity requesting the verification.
Post offices are a good candidate to offer such a service, but would need some work to set up (unlike police agencies, I presume post offices don't have access to DMV databases).
The idea sounds nice in theory, but the only reason any administration would implement this would be to remove anonymity from the internet. Your ability to recover accounts would just be a side effect of the system designed to allow the government to track everything you do.
> This wouldn't be 100% perfect -- maybe a really determined ID thief could get the DMV to issue them an ID in someone else's name
This is much more common than you might think. I believe in Illinois there was some sort of ongoing problem with people at the DMV selling licenses to truckers who didn't actually pass their tests[0]. I'm sure any criminal with a wad of cash could get them to make a fake ID.
This is true, but I think there's an important distinction.
Driving a truck is generally legal. Stealing somebody's life savings generally isn't.
This matters because once an underqualified truck driver is on the road, they're going to be hard to distinguish from a normal truck driver. You have to issue a lot of licenses before the pattern of fake licenses becomes obvious enough to trigger an investigation.
Granting fake licenses for serious theft, though, is another matter. Every single one of those will trigger a police investigation. It's much higher risk, meaning it'd be very hard to sustain an ongoing business in fake licenses for theft.
> The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.
With a password manager such as Lastpass or 1Password you only need one very strong password you as human can remember. The passwords it manages don't need to be human-rememberable. They can have as high entropy as allowed.
> Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.
2FA of the strong password plus physical OTP (like YubiKey) with one backup key is more than sufficient. Sure, it's not 3 letter agency proof. They can easily break into your house and steal your backup key temporarily, whilst recording you typing in your password, or catching you on the go. But against most criminals (a much more common vector for the general public) this is going to work just fine.
> These are supposed to be the very last line of defense for security, including if you lose your password manager.
Security questions aren't for security, they're against it. They're a tradeoff between security and usability, in the direction of usability. Assuming you answer security questions truthfully, they weaken the security of your account. It's like having multi-factor authentication, but instead of requiring all the factors, they just require any one of them. That's not necessarily a bad thing, as long as it doesn't weaken the security so much that it's easy to break.
> Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere.
And here's the problem. Many/most sites that use security questions have a dropdown list of acceptable questions and don't let you enter your own. Often the only thing you can do to avoid making your account easily compromised is to make up answers to some of the questions.
The downside, is, of course, the usual downside with security tradeoffs that favor the security side of the equation: you may be completely unable to access your account again if you screw this up. And that's also not necessarily a bad thing, if you believe compromise to be a really bad outcome. I think it might be ok to do this for, say, a bank or brokerage account. If you manage to fully and truly lock yourself out online, likely you'll still be able to prove who you are and gain access through some means like visiting a physical branch and showing them your ID. A hassle, to be sure, but if it means that much to you, it might be worth it.
In the end, social engineering is still the biggest problem: other posters in this thread have claimed that they've gotten past the security questions by saying things like "oh, I just mashed the keyboard, that's why my answer is gibberish", or something like that. So there's no way to win, unless perhaps you invent plausible (but incorrect) answers to the questions. "Mother's maiden name? Well, it's actually Jones but I'm going to put in Smith." I imagine a talented social engineer might still be able to get past that, but at some point you just have to acknowledge you've done the best you can.
I do exactly this. About 4-5 characters in the support person interrupts me with "yeah, whatever".
The entire security question situation makes me incredibly pessimistic that we will ever get good security. The idea of security questions is so mind numbingly stupid to me yet it's widely used. One would have thought that after the Sarah Palin hack years ago everyone would have realised that but it seems like nobody did. The support agent didn't see my security question and go "oh that's clever". That's despite him being a person who deals with these all day they should realise the overwhelming stupidity.
In a sane world companies who tell their users to use special characters etc. in their passwords and rotate them but then encourage them to mess it all up by storing information from their Facebook page as a replacement for the password should have to pay massive fines. Yet hardly anybody is even seeing a problem with this.
This situation to me is so demotivating because it makes me think that whatever security mechanism we come up with well meaning people will undermine it.
Four to five characters is probably enough for their threat model though?
The only way I can think of that somebody could steal only the first few characters of your security answer is by looking over your shoulder at a very unfortunate time. That seems unlikely, and most of the questions they use are predictable from the first few characters when answered genuinely anyway (surnames, car names, streets and towns).
It's not about what you say, it's about what an attacker can get away with saying. And they can almost certainly get away with "I just mash the keyboard."
Ah, I see what you mean. Perhaps instead of grabbing a handful of characters from /dev/urandom, you generate a passphrase (a few random dictionary words)?
Been doing this for several years and prefer this method. I also try to reduce the number of times I use a particular security question. However, I don't think the problem comes from what questions you use or what answers you provide. It becomes like others have pointed out, a problem of what a hacker can get away with answering when asked by a phone representative. Although, I do think this approach provides a little more security than just answering the "what city were you born in" question with the correct answer on every site.
I would definitely be wary of using the same answer in multiple places. Even more so than with passwords. These stupid answers clearly get stored unhashed (how else would they be verified via phone?). So if the system gets compromised the attacker now has your security question response for multiple targets.
Other than being pronounceable I see the exact same requirements for security questions as for passwords. If anything they need to be stronger.
I like the appeal (and the book) but I recall, when researching diceware, reading that this is a terrible idea in practice since the entropy is lowered dramatically by using natural language that's already in the public record. Even if they can't put every printed phrase into a lookup table, the probability of certain words following others wrecks the entropy.
Indeed, but for the attack discussed here (someone calls support and pretends they're you) you don't need that much entropy, as you can't test different phrases quickly.
You just need a larger number of random words to reach the same entropy as random passwords. It's not like your random password is made up from secret alphabets!
You seem to be misunderstanding how diceware works. You randomly generate numbers by throwing dice. Every five rolls indexes exactly one "diceware" word. So even if an attacker knew we were using diceware, each word contains
log2(6^5) = log2(7776) ≈ 12.9 bits
of entropy. If you want 128 bits of entropy in your security question field, then just randomly generate 10 diceware words. This is comparable to choosing 20 random printable ascii characters or so.
Since we pick the words by literally throwing dice, English grammar has nothing to do with it.
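The Diceware procedure described in this comment (and suggested earlier in the thread as a way to get pronounceable, phone-friendly security answers), as an added worked example that is not code from any commenter. Each word is selected by independent fair dice rolls, so its entropy is log2(wordlist size) regardless of English grammar. The real Diceware list has 6^5 = 7776 entries indexed by five rolls; the 36-entry list below is a constructed stand-in so the example runs offline, and the functions are generic over any power-of-six list size.

```python
"""Diceware-style passphrase generation (added example, not from the thread).

Each word is picked by independent fair dice rolls from the OS CSPRNG, so
entropy per word is log2(len(wordlist)) no matter how English works.
"""
import math
import secrets

# Constructed stand-in list: 36 entries indexed by two rolls (1-1 .. 6-6).
# The real Diceware list has 6**5 == 7776 entries indexed by five rolls.
WORDLIST = [
    "apple", "brick", "cloud", "delta", "ember", "flint",
    "grain", "hinge", "ivory", "jolly", "kneel", "lemon",
    "maple", "noble", "olive", "pearl", "quilt", "river",
    "slate", "thorn", "ultra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dusty",
    "eagle", "fable", "gecko", "hazel", "igloo", "jumbo",
]


def dice_per_word(wordlist_size: int) -> int:
    """Rolls needed to index the list; the size must be an exact power of 6."""
    n = round(math.log(wordlist_size, 6))
    if 6 ** n != wordlist_size:
        raise ValueError("wordlist size must be an exact power of 6")
    return n


def roll_dice(n: int) -> tuple:
    """n fair d6 rolls; secrets.randbelow is unbiased (no modulo bias, CSPRNG-backed)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def dice_to_index(rolls) -> int:
    """Read rolls (each 1..6) as a base-6 number: (1,1,1,1,1) -> 0, (6,6,6,6,6) -> 7775."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("each roll must be 1..6")
        index = index * 6 + (r - 1)
    return index


def bits_per_word(wordlist_size: int) -> float:
    """Entropy contributed by one uniformly chosen word."""
    return math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose total entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(wordlist_size))


def passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Generate n_words words; take the first output, never pick a 'nicer' one."""
    n_dice = dice_per_word(len(wordlist))
    return " ".join(wordlist[dice_to_index(roll_dice(n_dice))] for _ in range(n_words))


if __name__ == "__main__":
    print(passphrase(6))            # from the 36-entry stand-in: about 31 bits
    print(words_needed(128, 7776))  # 10 words of the real list, about 129 bits
```

Usage note: run it once and keep whatever comes out. Regenerating until a phrase "looks good" reintroduces a human choice, which is the bias a later comment in this thread warns about.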
Median novel has some 65k words. Take all (consecutive) quotes of 2 to 24 words, and you have some 1.5m phrases. Take the top 666k books (apparently about 130m titles have been published in total, about 5m in the Amazon Kindle store), and you're at about 1e12 phrases, or 40 bits of entropy, or worse than a password with 7 random letters/digits/symbols.
You could probably improve on it considerably by selecting fewer books, and only taking quotes starting at some punctuation mark.
For a naturally throttled attack like here (on the phone) that's fine, but for an offline attack (where the attacker has access to the password hash) that can be cracked within days.
Necronomicon quote? Nice. This has me thinking about what I can do to make my security answers to security questions untethered from PII. A book quote is a really good idea.
I'm guessing that having every book loaded into a password cracking database, subdivided and indexed by each leading phrase word, is still computationally infeasible for non-government actors.
If I walk into a library, pick a floor, aisle, shelf, book, and page at random (just walk, don't think about it), and use a phrase that is a minimum of 12 words long -- is that more random than what I presume happened here, where someone knew that their target liked that style of poetry and was able to concentrate their search on that genre? ( a "crib" in Bletchley Park terms)
The comments about English grammar are correct - classes of words (nouns, verbs, adverbs, etc) do fall in certain positional order and frequency analysis becomes important. A brute-force attacker would have to work through four types of passwords - the commonly used passwords like "12345" and "letmein", language-based phrases (like my not-great idea), language-based phrases with letter substitution (leet-speak, etc), and then truly random letter sequences.
What's happening is that people collect endless phrases and alter them with a ton of standard manipulation schemes, compute the corresponding private and public keys & addresses for all the variations, create a lookup table for the addresses and private keys, and as soon as they see a known keypair in use then they use the corresponding private key to swipe the funds.
See my comment above - unless I'm mistaken, taking all 2 to 24 word quotes from the most popular 1 million novels gives you about 40 bits of entropy (less than a password of length 7), and can easily be stored on one hard drive. In other words, feasible even for some script kiddie in mom's basement.
No need to have every book loaded, only the top 50000~ read by people who would use that method of passphrase generation should work fine (and be feasible for almost everyone). Cryptonomicon would probably be in that list.
Nope. If a phrase from literature is “memorable”, it’s guessable.
The logic of passwords is simple, once you realize that all humans are terrible random number generators.
When you allow any part of your password to be chosen by a human, i.e. yourself, you have to assume that the human-chosen part is known to an attacker. The solution is to generate passwords with enough random bits to satisfy current demands. And by “generate” I of course mean to allow a real number generator (either a computer, or dice, or anything really random; i.e. something a casino would accept) to choose the password for you. Without any restrictions except a desire to minimize length, you get the classic unmemorable 0vT2GVlncZ4pZ0Ps-style passwords. If you add the restriction “must be a sequence of English words”, you get xkcd-style “correct horse battery staple” passwords. Both are fine, since they contain enough randomness not generated by a human.
But if you yourself choose, either old-style “Tr0ub4dor&3” or passphrase “now is the time for all good men”-style, you have utterly lost, since nothing has been randomly chosen, and “What one man can invent, another can discover.”.
Note: this also applies if you run a password generator and choose a generated one that you like. Since you have introduced choice, you have tainted the process, and your password now follows an unknown number of intuitive rules (for instance, there was a story here on HN some time ago about how people prefer the letters in their own name over other letters of the alphabet), and these rules can be exploited by an attacker.
> this also applies if you run a password generator and choose a generated one that you like.
I'm sure there's some math that could be applied here to determine how much a user selecting from one of n generated passwords. Human intuition in cases like this can often be wrong as human psychology hasn't evolved to solve problems like this, so please correct me if I'm wrong, but mine tells me that a user choosing a password from whole cloth has much less entropy when the user is taken into account than a user choosing a password from a small set of those generated with high entropy.
While the latter is less than leaving it up to be chosen purely at random, I think it's much closer to pure random than it is to the one that's created by the human. It's likely not your intent, but your note comes across as not acknowledging this. Am I reading it wrong? Or are my intuitions wrong? If one were to choose between (a) human generated or (b) human chosen from a set of non-human generated, how much stronger do you think (b) is than (a), and how much weaker is (b) compared to (c) randomly chosen from non-human generated?
That’s easy to calculate. If you generate, say 4 passwords of 32 bits of randomness each, and you pick one of them, you must assume that the 32-bit password you chose has 30 bits of randomness, since your choice between 4 options has 2 bits of information in it.
Detecting the randomness of a user-generated password is like detecting randomness in general; it can’t be done¹. Is a number like 392872956 random, or is it derived by using some obscure but guessable procedure? You can’t know just by looking at the number. Even if a user thinks they are choosing randomly, subconscious biases are very powerful. The same principle applies to word and character based passwords, so the only safe course is to assume that anything chosen by a user directly is not random at all.
Sure. So is there nothing to my intuition above? If you were to have users choose between (a) and (b) above, is (b) generally safer than (a)? Much safer? Only marginally so? When using a password manager that presents 10 passwords, should I always choose the first one to remove my choice from the equation? Are those few bits I've removed that important, given that the entire set is random?
I'm not trying to catch you out here. I'm trying to see how far my intuition works in this case and how to read you note in the context of the rest of what you've said.
A user-chosen password has exactly 0 bits of guaranteed randomness. A randomly generated password has X bits of randomness, and a list of Y passwords of X bits each, where the user is allowed to choose exactly one of the passwords, has exactly X−(log2(Y)) bits.
So, to answer your questions: Your intuition is correct – since user-chosen passwords do not contain any guaranteed randomness, generated passwords are better. How much better depends on the values of X and Y in the formula above. The value of X can only strictly speaking be said to depend on the generating algorithm for the passwords, and not any specific value like length or presence of special characters, etc. Yes, I try to always force myself to choose the first one of generated passwords if many are available. The importance of doing that, i.e. preserving those bits, depends on the size of X; a large value of X might stand to lose log2(Y) bits without any real downside.
The default pwgen(1) password algorithm appears to generate a display of 8 columns by 20 lines of passwords, each 8 characters long, like so:
All the characters in each password are lower case letters a through z, except one, which is always a digit, and one other, which is an upper case character, A through Z.
These assumptions give us all the information we need to calculate the actual number of guaranteed random bits in a password chosen from this output. There are 7 letters in a password, each a-z, which gives 26⁷ combinations. Then one of the 7 characters is made upper case, which multiplies the number of possible passwords by 7. Then a random digit (0-9) is inserted in a random place (1-8), which multiplies it again with 10 and 8, respectively. The resulting number is
26⁷×7×10×8 = 4497813698560
Now, 4497813698560 possible passwords is equal to log2(4497813698560) bits; i.e. 42.03236104393261 bits.
The number of password choices is 8×20; i.e. 160 different passwords. Our formula above thus gives us
log2(26⁷×7×10×8)−log2(8×20) = 34.71043294904525 bits of randomness if the default options for pwgen(1) are used, and one of the displayed passwords is chosen by a user.
Now, whether 34.7 bits or 42 bits is to be considered high or low is not my area of expertise, and I am given to understand that this changes rapidly over time as computing technology advances.
You’re right. Looking at the source code (https://github.com/tytso/pwgen/blob/master/pw_phonemes.c#L59), the algorithm seems to be rather complicated, so I can’t say what the exact number of bits is. But we could certainly calculate an upper bound:
7 letters a-z which are either upper or lower case, plus an unknown digit at an unknown location, gives:
(26+26)⁷×10×8 = 82245736202240 possible passwords, giving log2(82245736202240) = 46.225006121875005 bits. Subtracting the bits for the 8×20 choices of passwords gives
log2((26+26)⁷×10×8)−log2(8×20) = 38.90307802698764 bits as an upper bound of the security of a password chosen by a user from the default output of pwgen(1). This is a bit more than the 34.7 bits I first thought it was, but not much more. And this is an upper bound; since I can see that the source code does not choose each character completely randomly and does, as you say, seem to prefer lower case letters, the correct number of bits is guaranteed to be lower than 38.9.
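The entropy bookkeeping worked out across the last several comments (the X − log2(Y) rule for a password picked from Y generated candidates, the two models of the default pwgen(1) display, and the earlier "quote a novel" estimate of roughly 40 bits), as an added example that is not code from any commenter. It reproduces the thread's own arithmetic so the figures can be checked, and generalises the pwgen calculation to any candidate-grid size. The pwgen figures are models of its default 8×20 display as described above, not a reading of pwgen's source; the literature estimate keeps the thread's assumed 65k words per book, 2..24-word spans and 666k books, and ignores edge effects at the ends of books.

```python
"""Entropy bookkeeping for generated-then-chosen passwords (added example,
not from the thread). All figures are models built from the assumptions
stated in the comments above, not measurements of any real tool.
"""
import math


def chosen_from_generated_bits(x_bits: float, y_choices: int) -> float:
    """Guaranteed entropy when a human picks one of y_choices X-bit random candidates.

    The pick itself can carry up to log2(y_choices) bits of human bias, so
    that much must be written off.
    """
    if y_choices < 1:
        raise ValueError("need at least one candidate")
    return x_bits - math.log2(y_choices)


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


PWGEN_DISPLAY = 8 * 20  # the default display discussed above: 160 candidates


def pwgen_lower_model_bits(display: int = PWGEN_DISPLAY) -> float:
    """Model 1 from the thread: 7 lowercase letters, exactly one uppercased,
    one digit at one of 8 positions (26^7 * 7 * 10 * 8 = 4497813698560)."""
    space = 26 ** 7 * 7 * 10 * 8
    return chosen_from_generated_bits(math.log2(space), display)


def pwgen_upper_bound_bits(display: int = PWGEN_DISPLAY) -> float:
    """Model 2 (upper bound): 7 letters of either case plus a digit at one of
    8 positions (52^7 * 10 * 8 = 82245736202240). The real generator is
    phoneme-based and less uniform, so the true figure is lower."""
    space = 52 ** 7 * 10 * 8
    return chosen_from_generated_bits(math.log2(space), display)


def literature_phrase_bits(words_per_book: int = 65_000, min_len: int = 2,
                           max_len: int = 24, n_books: int = 666_000) -> float:
    """Entropy of a consecutive min_len..max_len word span from one of n_books novels.

    Each start position yields (max_len - min_len + 1) spans; edge effects
    are ignored. This is an upper bound: famous lines, common phrases and
    grammar make real quotes far more guessable than uniform selection.
    """
    spans_per_book = words_per_book * (max_len - min_len + 1)
    return math.log2(spans_per_book * n_books)


if __name__ == "__main__":
    print(f"pick 1 of 4 x 32-bit:        {chosen_from_generated_bits(32, 4):.1f} bits")
    print(f"pwgen default, model 1:      {pwgen_lower_model_bits():.1f} bits")
    print(f"pwgen default, upper bound:  {pwgen_upper_bound_bits():.1f} bits")
    print(f"novel quote (2..24 words):   {literature_phrase_bits():.1f} bits")
    print(f"7 random [A-Za-z0-9] chars:  {random_password_bits(62, 7):.1f} bits")
```

The comparison at the end makes the earlier point concrete: a 7-character password drawn uniformly from letters and digits already beats the optimistic 40-bit estimate for a literary quote, and a candidate picked from a 160-entry pwgen grid loses a little over 7 bits to the chooser's taste.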
I have no idea who is downvoting you; this is perfectly correct. In fact, one of the (minor) plot points in the quoted book is a cyphertext getting broken because the person generating one time pad keys looks at the letters!
Most likely from a "helpful" CS agent offering up the hint above. "It's really weird" or "I've never seen that one before" or just an odd chuckle. Anything an attacker could use to gain an advantage will be used to compromise you eventually.
But the attacker kind of has to know the answer is gibberish from the bat, otherwise they'd either guess or pretend to not remember a real answer, which is noticeably different from saying something like "oh, that's 30 random characters but I don't have the note with me right now".
Here is how it would go... attacker gives a real answer, support says no that isn't it. Attacker goes, "oh, sometimes I give fake answers for the question... is it a really long string of characters?"
Or they could go through a few things like that, always giving the excuse that they give false answers until they stumble on the right one.
One trick is to use pronounceable passwords as answers to security questions, like a sequence of words (“Mother’s maiden name?” “correct horse battery staple”) or arbitrary syllables that make it sound as if you’re having a mini-stroke (“Where were you born?” “prisencolinensinainciusol, oll raigth”).
I try to leave them unset where I can (probably doesn't help over the phone; I'm thinking more of online accounts), such as on eBay which keeps prompting me to set security questions but going back to the homepage lets me avoid doing so.
For sites that force you to set them (and where I care - otherwise they just get random nonsense), and for my bank, I have a set of plausible but false answers I use. Not bulletproof of course, but definitely not googleable and avoids the "I just set it to something random" attack.