← Back to context

Comment by cheschire

15 hours ago

But if an attacker gets your fake birthday and uses that to successfully reset credentials on another site that uses the same fake birthday?

At some point it becomes your birthday of record as far as the internet is concerned. Doesn’t matter what the actual record says.

The purpose of the fake birthday is not to protect random website credentials. It's to prevent someone with that data from walking into my bank and impersonating me. I started giving a fake birthday after being shocked by how little info some organizations needed to authenticate me.

If an attacker can do that, they could also do that with my real birthday had I used that. My birthday isn't a secret against anyone who wants to look hard enough. Therefore this method doesn't provide any kind of security against attackers gated only on knowing my registered birthday. I never claimed that it did.