Comment by cheschire
15 hours ago
But if an attacker gets your fake birthday and uses that to successfully reset credentials on another site that uses the same fake birthday?
At some point it becomes your birthday of record as far as the internet is concerned. Doesn’t matter what the actual record says.
The purpose of the fake birthday is not to protect random website credentials. It's to prevent someone with that data from walking into my bank and impersonating me. I started giving a fake birthday after being shocked by how little info some organizations needed to authenticate me.
“My voice is my passport. Verify me.”
No service should use date of birth for password resets.
If an attacker can do that, they could also do that with my real birthday had I used that. My birthday isn't a secret against anyone who wants to look hard enough. Therefore this method doesn't provide any kind of security against attackers gated only on knowing my registered birthday. I never claimed that it did.