Security Questions. Are You Kidding!?

I recently signed up for a credit card. When I enrolled in their online account access, they required me to choose a security question. Not only did they give me some choice questions, they gave me example answers. These are just embarassing. This is supposed to PROTECT me? Not only is most of this stuff readily available on Facebook, if I were the kind of person who posted such things, but these are totally trivial things to guess.

Question Example Answer
In what city were you born?springfield
What is your father's middle name?joseph
What is your pet's namespot
What is your mother's middle name?mary
What is the middle name of your youngest sibling?james
What was your high school mascot?bear
In what city was your father born?middletown
What sports team to you love to see lose?bruins
What is the last name of your childhood best friend?woods
What is your favorite magazineeconomist

The other thing that is ridiculous is the answers they give. They are the most common, least difficult to guess answers you could imagine.

What is the point?

Some people mistakenly believe that they offer a secondary line of security. Here’s a set of possible reasons they use them:

How many things are wrong?

  • All these things can be guessed easily. Most common high school mascots are good guesses. It doesn’t matter if someone doesn’t know it. If you know, for example, that someone went to a town that only had 3 high schools you have a really good chance of getting anything related to them. If you knew they grew up in Hawaii, for example, there are only 52 secondary schools in that state. Your guess is hardly random.
  • Many of these things can be found easily online. Some mothers’ middle names from a google search: 1, 2 (would be fun to look up the user profiles and see what else we could find) in a quick google search. Need a high school (1, 2, 3), home town (1, 2, 3), or favorite magazine (1, 2, 3)? Check resumes / CVs online.
  • And let’s be clear: if they have your name and password, they can change your security question. And frequently they can read the answer to it after they log in as you.

In the advent of social media, broad and open sharing, and Google, security questions are just not appropriate.

What Do I Do?

I use random strings as my answers. I have a PasswordWallet that I use to generate random, strong passwords and store them. I don’t know most of my passwords. I have to look them up always. That’s mildly inconvenient to say the least. Sometimes I get on the phone with my bank and they ask “what is your mother’s maiden name?” and I say “hang on while I look that up” Ok, it’s XWAQJFF”.

The password wallet file has to be accessible everywhere, because if I can’t get to it, then I’m stuck. As a result, I have it:

If I can get to any of those things, I can get my passwords. In 6 years of living this way, I have never been totally stuck.