
Not just easier, but actually more safe. The person on the phone isn't usually aware of your security "paranoia" and is being evaluated on how many customers he/she has been able to help.

As such, most helpdesk employees will accept the answer "Oh I forgot, I do remember I put some random characters in there"... and your random password ends up not helping you after all.



As noted in another comment, the attack on this of "oh I forgot, it's random characters" requires the attacker to know you do this. So if you do this, don't go disclosing it on public websites.


>requires the attacker to know you do this

Nah, "well, it kinda looks like random characters" is information a support rep will give you.

Welcome to social engineering and info escalation.


If the support rep is just giving away enough info to figure this out, there is nothing you can do to protect yourself against the company's policies.


Yes, which is why social engineering is going to get a whole lot worse before it gets better.


As another commenter mentioned, a help desk rep once gave the clue "it's really weird" over the phone, which would easily indicate to an attacker to try the mash-the-keyboard line.

The random character thing isn't great for this use, it seems, as a result.


If support reps give enough information away over the phone to let someone guess a security question, there is nothing you can do to protect yourself from them.

