I recently signed up for a credit card. When I enrolled in their online account access, they required me to choose a security question. Not only did they give me some choice questions, they gave me example answers. These are just embarrassing. This is supposed to PROTECT me? Not only is most of this stuff readily available on Facebook, if I were the kind of person who posted such things, but these are totally trivial things to guess.
| Question | Example Answer |
|---|---|
| In what city were you born? | springfield |
| What is your father's middle name? | joseph |
| What is your pet's name? | spot |
| What is your mother's middle name? | mary |
| What is the middle name of your youngest sibling? | james |
| What was your high school mascot? | bear |
| In what city was your father born? | middletown |
| What sports team do you love to see lose? | bruins |
| What is the last name of your childhood best friend? | woods |
| What is your favorite magazine? | economist |
The other thing that is ridiculous is the answers they give. They are the most common, least difficult to guess answers you could imagine.
What is the point?
Some people mistakenly believe that they offer a secondary line of security. Here’s a set of possible reasons they use them:
- Because only you will know the answer [ Nationwide Insurance (USA) | State Farm Insurance (USA) ]
- It’s a line of defense if someone steals your password [ oDesk ]
- To grant you access if you forget your password [ The Hartford ]
- “If someone has your user name and password, they likely won’t know the answer to your security question.” (Are you kidding!?) [ Vanguard ]
How many things are wrong?
- All these things can be guessed easily. Most common high school mascots are good guesses. It doesn’t matter if someone doesn’t know it. If you know, for example, that someone went to a town that only had 3 high schools you have a really good chance of getting anything related to them. If you knew they grew up in Hawaii, for example, there are only 52 secondary schools in that state. Your guess is hardly random.
- Many of these things can be found easily online. Some mothers’ middle names from a quick Google search: 1, 2 (it would be fun to look up the user profiles and see what else we could find). Need a high school (1, 2, 3), home town (1, 2, 3), or favorite magazine (1, 2, 3)? Check resumes / CVs online.
- And let’s be clear: if they have your name and password, they can change your security question. And frequently they can read the answer to it after they log in as you.
With the advent of social media, broad and open sharing, and Google, security questions are simply not appropriate.
What Do I Do?
I use random strings as my answers. I have a PasswordWallet that I use to generate random, strong passwords and store them. I don’t know most of my passwords; I always have to look them up. That’s mildly inconvenient, to say the least. Sometimes I get on the phone with my bank and they ask “What is your mother’s maiden name?” and I say “Hang on while I look that up. OK, it’s XWAQJFF.”
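To put numbers on the argument above, here is an added example (not from the original post or any product it mentions) that generates a wallet-style random answer with a CSPRNG and compares its entropy with the small answer spaces the post describes: 3 high schools in a town, 52 secondary schools in Hawaii, and the issuer's own list of ten example answers. The candidate list and scenario names are constructed for illustration.

```python
import math
import secrets
import string

# Constructed sample: the issuer's suggested answers, which an attacker would try first.
COMMON_ANSWERS = [
    "springfield", "joseph", "spot", "mary", "james",
    "bear", "middletown", "bruins", "woods", "economist",
]


def entropy_bits(candidate_count: int) -> float:
    """Bits of entropy when an attacker can enumerate candidate_count equally likely answers."""
    if candidate_count < 1:
        raise ValueError("need at least one candidate")
    return math.log2(candidate_count)


def random_answer(length: int = 7, alphabet: str = string.ascii_uppercase) -> str:
    """Generate a meaningless answer the way a password wallet would (e.g. 'XWAQJFF')."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length: int = 7, alphabet: str = string.ascii_uppercase) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def is_guessable(answer: str, common: list[str] = COMMON_ANSWERS) -> bool:
    """True if the answer (case-insensitive) is on the list of obvious guesses."""
    return answer.strip().lower() in {c.lower() for c in common}


def compare_scenarios() -> dict[str, float]:
    """Entropy, in bits, of each answer space discussed in the post versus a random answer."""
    return {
        "town with 3 high schools": entropy_bits(3),
        "52 Hawaii secondary schools": entropy_bits(52),
        "issuer's 10 example answers": entropy_bits(len(COMMON_ANSWERS)),
        "7 random uppercase letters": random_answer_bits(7),
    }


if __name__ == "__main__":
    for scenario, bits in compare_scenarios().items():
        print(f"{scenario:30s} {bits:5.1f} bits (~{2 ** bits / 2:.0f} expected guesses)")
    print("sample wallet answer:", random_answer())
```

The random answer comes out around 33 bits against under 6 bits for even the larger real-world answer space, which is the whole difference between a secret and a trivia question.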
The password wallet file has to be accessible everywhere, because if I can’t get to it, then I’m stuck. As a result, I have it:
- on my iPhone
- on my iPad
- on Dropbox
- on my laptop
- on my desktop
- on a web page that is encrypted
If I can get to any of those things, I can get my passwords. In 6 years of living this way, I have never been totally stuck.