Your Security Sucks

I’ve grown beyond tired and frustrated with what counts for security questions in web sites lately. There are two huge problems and practically every site has one or both problems with those second chance questions they want you to answer. In order to demonstrate, I have two sets of allowed questions from two sites I actually use that I will paste below. The names will not be used, to protect the guilty.

Problem #1: The questions you are using as my secret token are in fact matters of public record. Here’s something for you web developers picking secret questions – if you know my age, you have basically a 50/50 chance of guessing the year I graduated high school. Also the town I was born in, my mother’s maiden name and many of these sorts of things don’t really stand up to life in a post-Google world. I’ve stopped talking about the town I was born in for exactly this reason. It’s ridiculous that it’s my responsibility to keep secret things that aren’t really secret because you are too lazy or incomptentent to think your password reclamation procedures through very well.

Problem #2: The questions you are using as a static fact are transitory and may be answered differently over time. An example of this was when I tried to reclaim a password from a site I knew I once used, and was faced with the question “What is the best book you ever read?” I tried 10 different ones that were plausible (less than 10, but with some alternate spellings) and I never hit it. My final analysis was that I didn’t care enough about the site to bother with it and I’ve never been back. My favorite sports figure, my favorite anything – these are not fixed points. If I come back in two years, will I remember this answer? If not then why are you asking me this? See point #1 for the laziness/incompetence issue breakdown.

Here is the hall of shame for “secret questions” from the last two sites that bugged me. I kid you not, I’m going to begin aborting the signup process when I see such things. If you can’t do this in a way that makes any sense, then perhaps you can’t be trusted with anything.

Site #1:

  • What is the last name of your favorite athlete? [Transitory]
  • What is the last name of your best friend from high school? [Known by all your high school friends]
  • What is the last name of the maid of honor at your wedding? [Known by everyone at your wedding]
  • What is your oldest child’s nickname? [Known by everyone that knows your child]
  • What is the last name of your favorite author? [Transitory]
  • What is your dream job? [Transitory]
  • What is your favorite charity? [Transitory]
  • What was the first name of your first girlfriend/boyfriend?
  • What school did you attend for sixth grade? [There was only one grade school in my town, so knowing where I lived at age 11 tells you this]
  • What is your spouse’s nickname?
  • What is the last name of your favorite historical figure? [Transitory]

Site #2

  • What was your favorite childhood pet’s name?
  • What was the name of your first school? [See above]
  • What is your all-time favorite past-time? [WTF]
  • What is your all-time favorite sports team? [Transitory]
  • What is your father’s middle name? [Public record, might even be commonly used]
  • What was your high school mascot? [Seriously? If you know I’m from Norton Kansas, game over]
  • Where did you first meet your spouse? [I’ve told this story to many people]
  • What was your best friend’s name when you were a child? [Web developers have only had one best friend across their entire childhoods?]
  • What was the name of your favorite food as a child? [You have got to be f’ing with me here]
  • In what town did you spend most of your youth? [Public record]
  • What was the name of your high school? [This again?]
  • What year did you graduate high school? [For gods sake, I’m 41. Do the math, bozo]