Your Security Sucks
Posted on January 30, 2009
Filed Under computers | 3 Comments
I’ve grown beyond tired and frustrated with what counts for security questions in web sites lately. There are two huge problems and practically every site has one or both problems with those second chance questions they want you to answer. In order to demonstrate, I have two sets of allowed questions from two sites I actually use that I will paste below. The names will not be used, to protect the guilty.
Problem #1: The questions you are using as my secret token are in fact matters of public record. Here’s something for you web developers picking secret questions – if you know my age, you have basically a 50/50 chance of guessing the year I graduated high school. Also the town I was born in, my mother’s maiden name and many of these sorts of things don’t really stand up to life in a post-Google world. I’ve stopped talking about the town I was born in for exactly this reason. It’s ridiculous that it’s my responsibility to keep secret things that aren’t really secret because you are too lazy or incompetent to think your password reclamation procedures through very well.
Problem #2: The questions you are using as a static fact are transitory and may be answered differently over time. An example of this was when I tried to reclaim a password from a site I knew I once used, and was faced with the question “What is the best book you ever read?” I tried 10 different answers that were plausible (fewer than 10 distinct books, but with some alternate spellings) and I never hit it. My final analysis was that I didn’t care enough about the site to bother with it and I’ve never been back. My favorite sports figure, my favorite anything – these are not fixed points. If I come back in two years, will I remember this answer? If not, then why are you asking me this? See point #1 for the laziness/incompetence issue breakdown.
Here is the hall of shame for “secret questions” from the last two sites that bugged me. I kid you not, I’m going to begin aborting the signup process when I see such things. If you can’t do this in a way that makes any sense, then perhaps you can’t be trusted with anything.
Site #1:
- What is the last name of your favorite athlete? [Transitory]
- What is the last name of your best friend from high school? [Known by all your high school friends]
- What is the last name of the maid of honor at your wedding? [Known by everyone at your wedding]
- What is your oldest child’s nickname? [Known by everyone that knows your child]
- What is the last name of your favorite author? [Transitory]
- What is your dream job? [Transitory]
- What is your favorite charity? [Transitory]
- What was the first name of your first girlfriend/boyfriend?
- What school did you attend for sixth grade? [There was only one grade school in my town, so knowing where I lived at age 11 tells you this]
- What is your spouse’s nickname?
- What is the last name of your favorite historical figure? [Transitory]
Site #2:
- What was your favorite childhood pet’s name?
- What was the name of your first school? [See above]
- What is your all-time favorite past-time? [WTF]
- What is your all-time favorite sports team? [Transitory]
- What is your father’s middle name? [Public record, might even be commonly used]
- What was your high school mascot? [Seriously? If you know I'm from Norton Kansas, game over]
- Where did you first meet your spouse? [I've told this story to many people]
- What was your best friend’s name when you were a child? [Web developers have only had one best friend across their entire childhoods?]
- What was the name of your favorite food as a child? [You have got to be f'ing with me here]
- In what town did you spend most of your youth? [Public record]
- What was the name of your high school? [This again?]
- What year did you graduate high school? [For God's sake, I'm 41. Do the math, bozo]
Comments
3 Responses to “Your Security Sucks”
- This has been brewing in me for a long time. I have had these security questions in Google Docs for months now. Today was just the day I was grumpy enough to let it out.
- +1, Dave. I agree. I just lie, horribly, on all of them (to the point where the answer doesn't even make sense, or is random), and then put my answers into my password safe. I'm hosed if I lose that thing, but it's safer than their system, and my passphrase for the pw safe is...long.
- What snapped me was that I'm just sick of having to be coy about my hometown. It's just plain ridiculous. The point about non-static answers came out of a discussion last week with Garrick and J. Wynia on here.
- All genealogy buffs who fill out those shared family tree sites? Their mother's maiden names are all googlable. All people who knew you as a kid, particularly in a small town, can answer all the questions about names of schools. There was only one where I went to 6th grade.
- Yeah, your non-static answer thing is a particularly good point. I haven't had the issue in a long while, since I've been doing the "lie" thing for years and years, but that's totally true. Guess what, security folks? My favorite movie CHANGES. Often just based on my mood!
- At the bare minimum, there's no reason nowadays that they shouldn't at least let you create your own questions/challenge phrases. I mean, are they trying to save 250 bytes in a db table or something? *sigh*
- I have a similar scheme to you and when given the opportunity to use my own questions, I put in "Why?" which reinforces to me that I'm using my own scheme.
- LOL...about a year ago, I started using "Melon?", which is just a personal in-joke. Same reasoning, though. But the idea of telling my future self a joke through a "forgotten password" challenge in a year or two just tickles my funny bone. (Note to Lee: no, I don't use the other half of the joke as the answer, so stop trying to steal my identity! *grin*)
- I updated this post with commentary on most of the individual questions, just to highlight the range of stupidity across them. This is just two sites. If you took all day to make a survey across very common, widely used sites you'd see this over and over, egregious in so many ways.
Thank you! I have been on about that for years — ever since a phone phisher called me about a “problem with my bank account.” My general practice now, actually borrowed from a Lore Sjoberg joke (http://www.wired.com/culture/lifestyle/commentary/alttext/2008/02/alttext_0220), is to just use those questions as “secondary password” fields and provide the same nonsensical answer to all of them.
Worse than companies that have no concept of security, however, are those that have no concept of what to do when they have a breach. This week mhttp://blogs.zdnet.com/gadgetreviews/?p=897), and TWICE now I’ve gotten a notice from Monster only AFTER the 11:00 o’clock news called them out on it. Infuriating when you think how much useful social engineering ammo is on a typical resume.
The elementary school name is usually a public record. My elementary school has changed names since I attended, so it’s no longer a dead giveaway.
Do what I do: lie! Why do people think they have to answer correctly? Just answer with something that only you know… your nephew’s name for all questions, or your favorite show, whatever. I doubt someone will guess that. I mean… the idea of those questions is just to check that you are you. They all could be “Write down something that only you know.”
Q: What is the last name of your best friend from high school?
A: Star Trek
Q: What is your dream job?
A: Star Trek
Q: What is your spouse’s nickname?
A: Star Trek
Q: What year did you graduate high school?
A: Star Trek