
There are, indeed, stupid questions

Especially when it comes to those “security verification” questions on e-commerce and banking websites.

While the concept of security questions is easy to grasp, the questions themselves are deeply weird and unanswerable. According to goodsecurityquestions.com, a how-to site operated by a Web usability expert, the best ones have four qualities: The answers are simple, memorable, can’t be guessed easily, and don’t change over time. Many questions we’re all familiar with fail to match those specs. There are the ones that are too easy—I’m guaranteed to know my pet’s name, but it’s also elementary for a hacker to score that information. On the other side are the questions you can’t answer or won’t remember how you answered—your first-grade teacher’s last name, your favorite rock band.

Whereas it’s easy to think of lousy questions, it’s pretty much impossible to think of even one great one. Securitywise, though, a question is strong if it’s unique: If every financial institution asked for your pet’s name, phishers could focus all of their energy on sussing out that data. Gaffan says that RSA gives banks 150 questions to choose from, with the understanding that not every question will work for everyone. The problem isn’t a failure of imagination on the part of the question-conjurers. It’s the impossibility of coming up with a question that’s easy to answer but hard to guess. After throwing in the caveat that “there is no one perfect question,” the proprietor of Good Security Questions lists 16 that he considers the best. Almost all of them are terrible. What was your childhood nickname? Didn’t have one, sadly. What is the name of your favorite childhood friend? Do Legos count as a friend? What is your oldest sibling’s birthday month? I’m guessing it would take a hacker two tries to get to February.

Alas, it seems the whole Secret Question tool is just going to continue to be used. It’s easy to implement and it’s a lot cheaper for sites to use than most of the alternatives. Since it’s the sites deciding which security to use, guess what they’re going to select.


2 thoughts on “There are, indeed, stupid questions”

  1. If you really want your questions to be limited, have no spouse, children, or siblings. Plus the street I lived on and the phone number are still used by my family so I don’t want to use those as answers. How hard would it be to track those down?
    How about “Name your favorite Superhero? or Choose your favorite Star Trek movie or series.” That makes at least as much sense.

  2. I saw one site that asked you to write your own security question. That seems like a guaranteed way to get bad ones.

    On another site, the security question was something I remembered, but I didn’t remember the exact way I answered it. It was an address, and I didn’t remember if I put the number before or after the street. I also didn’t remember if I used # or not. There were other variations too, and in the end, I couldn’t get into the account at all because I could not figure out the particular variation of the answer that I had used when I set up the account. So I’d say another quality of a good security question is that the answer has only one way it can be expressed.
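The lockout described in the second comment comes from comparing answers character for character. The sketch below is an added example, not code from the post or from any site it mentions: it canonicalizes an answer before hashing so that spelling variants of the same address verify. The canonicalization policy, the scrypt parameters and the sample address are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata


def canonicalize(answer: str) -> str:
    """Reduce an answer to one canonical form (assumed policy, not from the post)."""
    # Fold Unicode compatibility forms and letter case.
    text = unicodedata.normalize("NFKC", answer).casefold()
    # Drop punctuation such as '#', ',' and '.', so "#4" and "4" compare equal.
    text = re.sub(r"[^\w\s]", " ", text)
    # Sort tokens so the house number may come before or after the street.
    # Trade-off: word order no longer adds guessing difficulty.
    # Abbreviations ("St" vs "Street") are NOT unified here.
    return " ".join(sorted(text.split()))


def _digest(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy secrets: store a salted, slow hash, never the text.
    return hashlib.scrypt(canonicalize(answer).encode("utf-8"),
                          salt=salt, n=2**14, r=8, p=1, dklen=32)


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store at account setup."""
    salt = os.urandom(16)
    return salt, _digest(answer, salt)


def verify(answer: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(_digest(answer, salt), stored)


if __name__ == "__main__":
    # Constructed sample address, not taken from the post.
    salt, stored = enroll("12 Elm Street #4")
    for attempt in ("elm street 12, 4", "12 ELM STREET 4", "14 Elm Street #4"):
        print(f"{attempt!r}: {verify(attempt, salt, stored)}")
```

Canonicalization removes accidental lockouts but does nothing for answers that are easy to guess or look up, which is the article's main complaint.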
