Your Security Sucks

I’ve grown beyond tired and frustrated with what counts for security questions in web sites lately. There are two huge problems and practically every site has one or both problems with those second chance questions they want you to answer. In order to demonstrate, I have two sets of allowed questions from two sites I actually use that I will paste below. The names will not be used, to protect the guilty.

Problem #1: The questions you are using as my secret token are in fact matters of public record. Here’s something for you web developers picking secret questions – if you know my age, you have basically a 50/50 chance of guessing the year I graduated high school. Also the town I was born in, my mother’s maiden name and many of these sorts of things don’t really stand up to life in a post-Google world. I’ve stopped talking about the town I was born in for exactly this reason. It’s ridiculous that it’s my responsibility to keep secret things that aren’t really secret because you are too lazy or incomptentent to think your password reclamation procedures through very well.

Problem #2: The questions you are using as a static fact are transitory and may be answered differently over time. An example of this was when I tried to reclaim a password from a site I knew I once used, and was faced with the question “What is the best book you ever read?” I tried 10 different ones that were plausible (less than 10, but with some alternate spellings) and I never hit it. My final analysis was that I didn’t care enough about the site to bother with it and I’ve never been back. My favorite sports figure, my favorite anything – these are not fixed points. If I come back in two years, will I remember this answer? If not then why are you asking me this? See point #1 for the laziness/incompetence issue breakdown.

Here is the hall of shame for “secret questions” from the last two sites that bugged me. I kid you not, I’m going to begin aborting the signup process when I see such things. If you can’t do this in a way that makes any sense, then perhaps you can’t be trusted with anything.

Site #1:

  • What is the last name of your favorite athlete? [Transitory]
  • What is the last name of your best friend from high school? [Known by all your high school friends]
  • What is the last name of the maid of honor at your wedding? [Known by everyone at your wedding]
  • What is your oldest child’s nickname? [Known by everyone that knows your child]
  • What is the last name of your favorite author? [Transitory]
  • What is your dream job? [Transitory]
  • What is your favorite charity? [Transitory]
  • What was the first name of your first girlfriend/boyfriend?
  • What school did you attend for sixth grade? [There was only one grade school in my town, so knowing where I lived at age 11 tells you this]
  • What is your spouse’s nickname?
  • What is the last name of your favorite historical figure? [Transitory]

Site #2

  • What was your favorite childhood pet’s name?
  • What was the name of your first school? [See above]
  • What is your all-time favorite past-time? [WTF]
  • What is your all-time favorite sports team? [Transitory]
  • What is your father’s middle name? [Public record, might even be commonly used]
  • What was your high school mascot? [Seriously? If you know I’m from Norton Kansas, game over]
  • Where did you first meet your spouse? [I’ve told this story to many people]
  • What was your best friend’s name when you were a child? [Web developers have only had one best friend across their entire childhoods?]
  • What was the name of your favorite food as a child? [You have got to be f’ing with me here]
  • In what town did you spend most of your youth? [Public record]
  • What was the name of your high school? [This again?]
  • What year did you graduate high school? [For gods sake, I’m 41. Do the math, bozo]

3 Replies to “Your Security Sucks”

  1. Thank you! I have been on about that for years — ever since a phone phisher called me about a “problem with my bank account.” My general practice now, actually borrowed from a Lore Sjoberg joke (http://www.wired.com/culture/lifestyle/commentary/alttext/2008/02/alttext_0220), is to just use those questions as “secondary password” fields and provide the same nonsensical answer to all of them.

    Worse than companies that have no concept of security, however, are those that have no concept of what to do when they have a breach. This week mhttp://blogs.zdnet.com/gadgetreviews/?p=897), and TWICE now I’ve gotten a notice from Monster only AFTER the 11:00 o’clock news called them out on it. Infuriating when you think how much useful social engineering ammo is on a typical resume.

  2. Do what I do: lie! Why people think they have to answer right? If answer something that only you know… your nephew’s name for all questions or your favorite show, whatever. I doubt someone will guess that. I mean… the idea of those questions are just to check if you is you. They all could be “Write down something that only you know.”

    Q: What is the last name of your best friend from high school?
    A: Star Trek

    Q: What is your dream job?
    A: Star Trek

    Q: What is your spouse’s nickname?
    A: Star Trek

    Q: What year did you graduate high school?
    A: Star Trek

Comments are closed.