logoalt Hacker News

cheschiretoday at 9:04 AM2 repliesview on HN

But if an attacker gets your fake birthday and uses that to successfully reset credentials on another site that uses the same fake birthday?

At some point it becomes your birthday of record as far as the internet is concerned. Doesn’t matter what the actual record says.


Replies

rlpbtoday at 10:35 AM

If an attacker can do that, they could also do that with my real birthday had I used that. My birthday isn't a secret against anyone who wants to look hard enough. Therefore this method doesn't provide any kind of security against attackers gated only on knowing my registered birthday. I never claimed that it did.

dannywtoday at 10:00 AM

No service should use date of birth for password resets.