I share David Weinberger’s irritation with dumb security questions, albeit for slightly different reasons. My irritation stems from the fact that they are often culturally insensitive, require brilliant memories, and assume that favorites don’t change. Maybe I’m not normal, but I have no foggy clue who my 1st grade teacher is, I couldn’t name a single sports team, and my favorite movie changes depending on who I’m talking to let alone how I’m feeling that day. (Today, I think that The Matrix will do.) David gripes about the fact that people’s favorite tastes are quite common; my problem is that we know damn well that people are dreadful at this, but that it works quite nicely as a way of marking identity on online dating sites. Which reminds me. Why are security questions the same as the information that you put on your public MySpace page? Dumb dumb dumb.
So you know that people write down their dumb answers and then lose them and then they’re screwed. I’ve decided to approach this from a different angle. I’ve instituted a consistent tactic for answering stupid security questions. It’s an algorithmic approach. The basic structure is:
[Snarky Bad Attitude Phrase] + [Core Noun Phrase] + [Unique Word]
Although these are not my actual phrases, let’s map them for example:
- Snarky Bad Attitude Phrase = StupidQuestion
- Unique Word = Booyah
Thus, when I’m asked the following question: What is your favorite sports team?
My answer would be: StupidQuestion SportsTeam Booyah
And when they ask: What was the first car you owned?
I’d respond: StupidQuestion Car Booyah
It’s easy to remember a snarky bad attitude phrase and a unique word that you use consistently. And then to make sure you’re answering the right question (cuz they do have scripts that check that you’re not answering all questions the same way), you just have to be able to pick out the noun phrase each time.
Of course, the fact that I have to do this just pisses me off to no end. And I still can’t figure out why they can’t ask me to write my own question, store that in cleartext, encrypt my answer, and then offer me back my cleartext question rather than a stupid list of 8 questions that boggle my mind and remind me of how heterogeneous the world is. I realize that it’s the difference between a byte and a string, but when we’re talking about security, is that really a big deal? Grumble grumble grumble.
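The scheme the last paragraph asks for, as an added example that is not code from this blog or from any bank or product mentioned in the comments: the site keeps each user's own question in cleartext, stores only a salted PBKDF2 hash of the normalized answer, and shows the cleartext question back at reset time. It also folds in the kind of enrollment checks a reset system can apply (a minimum answer length, no two questions sharing an answer, and a rejection of answers that are simply a word lifted from the question). `SecretQuestionStore`, `enroll`, `verify`, the policy constants and the sample questions and answers are all assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets

MIN_ANSWER_LEN = 8          # policy value chosen for this example
PBKDF2_ITERATIONS = 100_000  # work factor chosen for this example


def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so 'The  Matrix' and 'the matrix' match."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 of the normalized answer; draws a fresh salt if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def answer_policy_problems(pairs) -> list:
    """Return policy violations for a list of (question, answer) pairs; an empty list means OK."""
    problems = []
    seen = set()
    for question, answer in pairs:
        norm = normalize(answer)
        if len(norm) < MIN_ANSWER_LEN:
            problems.append(f"answer to {question!r} is shorter than {MIN_ANSWER_LEN} characters")
        if norm in seen:
            problems.append(f"answer to {question!r} repeats the answer to another question")
        # Reject answers that are just a word of the question ("favorite color?" -> "Color").
        if norm in re.findall(r"\w+", normalize(question)):
            problems.append(f"answer to {question!r} is a word taken from the question")
        seen.add(norm)
    return problems


class SecretQuestionStore:
    """Hypothetical reset-question store: cleartext questions, hashed answers."""

    def __init__(self):
        self._records = {}  # user -> list of {"question", "salt", "digest"}

    def enroll(self, user: str, pairs) -> list:
        """Store the user's own questions; returns policy problems (empty list on success)."""
        problems = answer_policy_problems(pairs)
        if problems:
            return problems
        self._records[user] = []
        for question, answer in pairs:
            salt, digest = hash_answer(answer)
            self._records[user].append({"question": question, "salt": salt, "digest": digest})
        return []

    def questions_for(self, user: str) -> list:
        """The cleartext questions the site can show back at reset time."""
        return [r["question"] for r in self._records.get(user, [])]

    def verify(self, user: str, question: str, answer: str) -> bool:
        """Constant-time comparison against the stored hash; unknown user or question fails closed."""
        for record in self._records.get(user, []):
            if record["question"] == question:
                _, digest = hash_answer(answer, record["salt"])
                return hmac.compare_digest(digest, record["digest"])
        return False


if __name__ == "__main__":
    store = SecretQuestionStore()
    # Constructed sample enrollment using the post's own answer scheme.
    print(store.enroll("danah", [
        ("What is your favorite sports team?", "StupidQuestion SportsTeam Booyah"),
        ("What was the first car you owned?", "StupidQuestion Car Booyah"),
    ]))
    print(store.verify("danah", "What is your favorite sports team?", "stupidquestion sportsteam booyah"))
```

Normalizing before hashing is what makes the "same answer in a slightly different form" case succeed without keeping the answer in cleartext; the hash is what keeps the Q&A table from being a cheaper target than the password table it sits next to.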
I’m totally with you and David on this. First, because of the extra management layer I have to supply to track the stupid question, and my unrelated (similar algorithm to yours) answer. But beyond that, it’s just bad security. If I forget/lose my password, then fsck me, I accept that. The security question only lowers the barriers of entry for others into my account, like banks asking mother’s maiden name (which, thankfully, has been going away).
If anyone wants to hack into my accounts, my Mother’s Maiden Name, my first pet, my favourite teacher and my place of birth are usually “ohfuckoff”.
Which was embarrassing the time I had to phone my credit union…
Great idea. As far as preferences go for answering questions about my “favourites”, I agree that they aren’t static (which is why I have a hard time with personality type indicator tests too). My preferences are complicated/determined by context. Favourite colour for what? A bedroom wall? A winter coat? And who is the coat for? me? my niece? Until now I’ve settled with a set list called “these are a few of my favourite things” but now I can switch to “StupidQuestion BrownCoat Oooweee”. Security questions will become an entertainment. Thanks 😉
I generally use the same password for low-security needs sites, so if it’s one of those, my secret hint is usually “the usual” which is good enough. For other kinds of things, I have a stock set of keyed responses. For instance but not for real, anything about color is “pink”, anything about schools is “East High Warriors”, anything about family names is “Joe”… and so on.
Well, in Europe, maiden names are known, people don’t have favorite sports teams, and webmasters know that the people who want to hurt you know your first-grade teacher’s name better than you do, because it’s your *parents* trying to hack into your account — so I’ve always seen personalized questions as an option.
The most common among my friends? “What is your favorite beer?” (Now that I think of it, *that* would be culturally offensive in a country where the only brand is Budweiser Camel P., and drinking alcohol is a cardinal sin.) Best part? You can even remember it when you are drunk (Bad, bad idea to change your password when drunk.)
The Royal Bank (RBC Centura) lets you create your own security questions.
This leads to a side thought that Canadian banking websites are far more flexible and useful than US ones. Bank of America seems to be catching up. And e-banks, of course. But I think having national banks meant they already had the computer infrastructure; it was just a matter of letting customers use it instead of tellers.
My bank had a list of about 10 of these and I had to pick 3. I was unable to answer 3, so I made up answers in order to get into the system and then sent them a semi-friendly message about how I was not able to answer 3 of their questions. They then upped the number of questions until I was able to find 3 that I could answer. Of course, those 3 are also all public domain knowledge if you access my family history. So the point was entirely defeated. But at least I didn’t have to resort to such tactics.
In defense of my bank, they say that this is a direct result of federal legislation that requires such “two factor” (note: not really two-factor) authentication.
This has bothered me for a long time. I hate insecure security.
Not wanting to lower the barrier with socially reverse engineerable “security question” answers, for years now I have responded to every “security question” with “decline security question obsknt983rcmaonhbokoesuritiueo3oeukaxntoxbj98oeoimnt” (or other keys as I randomly strike). I do not store my answers. My attitude is that my password should be the hard part and stay that way.
One time I did have to verify my identity on the phone, though, and the guy asked me my “security question” answer. I said, “Um, probably decline security password followed by some obscenely long string of characters.” He said, “Yeah… that’s it. So, let me also ask you your address,” etc.
Of course some day some organisation will let you by orally without you naming my random string of characters or having to answer any other questions, at which time I’ll be fscked. Hopefully said org will still send a notice to my email/snail mail previously on file telling me that my account got pwned and if it wasn’t me I should speak up.
Of course this password stuff is utterly untenable going into the future where normal masses will have to interact with thousands of systems. Honestly, those of us discussing this today are on the leading edge of these developments. Now I don’t want any government-issued ID card, but how are we going to keep freedom paramount while obtaining actual security?
danah, your snarky bad attitude phrases are much politer than mine. Then again, I use them for systems I hardly ever interact with, then store them in plain text on my hard drive 😎
Which is exactly what most people will end up doing. I only do it for systems I don’t really care about (which seem to be the exact ones that make me change passwords every five minutes), but as Christian says this is just the thin end of the wedge. Of course, we could all have private GPG keys that only need one password for multiple accounts, but I’ve yet to see any online service providers embrace that concept.
I keep my passwords in a well backed up database, and when I have to choose a security question, I include it in the notes section of the database, and choose another randomly generated password for the answer. There is a reason I keep multiple backups of this file.
The comedian Eugene Mirman does a bit on this. For sites that allow you to pick your own question, his is always, “What are you wearing right now?”
His answer is always, “I don’t think that’s an appropriate question.” It’s most fun when the same question is used for call centers.
If you have a good password manager, for example Roboform or KeePass, you can just generate a new random key phrase for those answers. I long for the day when I can reduce the number of passwords to maintain by using a single sign-on such as OpenID.
I do security for a financial institution, which of course will remain nameless.
I get older folks who have not only forgotten the answers but swear fervently that they wouldn’t have submitted the questions that they were asked.
My concern of course is that obvious answers defeat the purpose of the questions so I suggest they use the same answer for the random questions that they select.
Then I tell them that I pick the name of my first grade teacher; since I am over 50, most people wouldn’t be able to find the answer, and anyway she married that farmboy and broke my heart. “I’ll never forget her though…”
This normally elicits a chuckle … until the guy said “you know, these days that age difference wouldn’t have stopped her.” Ouch.
Most surefire, easy-to-remember solution: the last word of the question is your answer.
What is my favorite color? Color.
In what city were you born? Born.
Works every time and has saved me time and frustration.
As for security…
But you could just as easily use the third word of the question as your answer, etc, etc.
Having just implemented a password-reset system using this sort of question/answer model, I can give you a very simple reason why most sites don’t allow users to pick their own questions: just as most answers are “weak” from a security POV, most questions people pick for themselves are similarly weak, and do little to protect an account. By forcing people to think a bit more, the actual outcome tends to be that both the question and answer field are filled with drivel, making it far too easy for potential attackers to access the account.
Personally, I think that simple Q&A systems are a pretty poor security measure, anyway. Anything sufficiently memorable for you is probably also discoverable to someone else, unless it’s so sensitive that the Q&A database becomes just as appealing a target for phishing and cracking attempts as the data it’s supposed to protect.
In our company we’ve been using a password reset system from scriptlogic – desktop authority password self service for some months or so.
Initially we turned on the ability for users to specify their own questions in addition to the included ones from our helpdesk team, but we got rid of such questions because of their security weakness.
Now we use a set of several “strong questions” limiting the answers to things like minimum answer length or preventing users from specifying the same answer for different questions.
Every time we change password requirements and password management settings, it recognizes user profiles which are not compliant with the new requirements.
Such users are required to change and update their question-and-answer profile to stay compliant with the new settings.
I use random strings for the questions and use KeePass to store them.
It is more of a pain, but more secure.
Q. What is the city you were born in?
A. ;N=##qm?9>}SMjYEk[|`YYQqs1U]L`uu,^}$|*2″o%pP>|pa/eKo$<n&v/&<"
I use GRC.com to generate the passwords, or KeePass. Really, I like to use something different like GRC in case KeePass could be hacked (“unlikely”), but that is what I do.
https://www.grc.com/passwords.htm
@Mark I, It must be really fun to call your bank! Can you sense the sound of disgust on the phone when you have to spew out that many alphanumeric characters to validate your credentials?
I know these are old, but I just stumbled across this post when writing my own rant about security questions. Good stuff here.
@Nick
Net result: people write the stuff down on paper.
@Lennon
The nature of questions is they limit the possible domain of answers and will therefore *always* be easier to crack than a good password. They also tend to be a lot easier to socially hack.
Those password reset systems, btw, simply become a much easier way to break into an account. At that point your strong password is meaningless, just as Christian pointed out above.
@Mark
My bank just implemented a new (harder) set of questions. Their page specifically says not to use “special” characters. Nice.