Rant Alert – The Problem with Security Questions

You are Warned

Mel the Rooster is Mean.

Websites have this ridiculous idea that making you provide answers to “security questions” actually provides security. Well, guess what? It doesn’t. Studies have amply demonstrated that most security question answers can be quickly guessed or found via information readily available via Google.

There’s another problem with them. Most of them are insanely stupid, vague or incapable of actually being answered in a way I’ll remember.

I have run across security “answers” that are case-sensitive and character-sensitive.

Potato chips
Potato Chips
potato chips
potato chips.

Are all different answers. How the hell am I supposed to remember if I put in punctuation? Or where I might have used upper and lower case? It’s not a password, where I get why I’m expected to remember upper and lower case as well as special characters.
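A defender-side fix for the exact problem above, as an added example that is not code from the original post: normalize the answer (case, punctuation, whitespace, Unicode form) before hashing it, and then store and compare it the way a password is stored, so all four “potato chips” variants verify against the same record. The function names and the PBKDF2 parameters are my assumptions, not anything the post describes.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Collapse the variation the post complains about so that
# "Potato Chips" and "potato chips." compare equal.
def normalize_answer(answer: str) -> str:
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation
    return " ".join(text.split())          # collapse whitespace

# Store the answer like a password: random salt plus a slow, salted hash.
# PBKDF2-HMAC-SHA256 from the standard library is assumed here for portability.
def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 200_000
    )
    return salt, digest

# Constant-time comparison of the candidate's hash against the stored one.
def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    salt, stored = hash_answer("Potato chips")   # answer set at enrollment
    for attempt in ["Potato Chips", "potato chips", "potato chips.", "  POTATO  CHIPS!  "]:
        print(repr(attempt), verify_answer(attempt, salt, stored))
```

Normalizing removes a little entropy, but the answers are low-entropy to begin with; the gain is that the legitimate user can actually reproduce them.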

And those family-related questions?

I don’t know where my parents met. My mother refuses to talk about much of her past. My father almost never does. Plus, they disagree on a LOT of their past history. I’ve also heard conflicting information about birth cities. I DON’T FUCKING KNOW!!!

Here are some more questions:
Who was my favorite teacher? Well, actually, I can think of several. A year later, when someone insists on me answering that question, will I remember which favorite teacher I picked? No. I guarantee, out of the sea of security questions I’ve been forced to answer, I won’t remember what I told corporation X.

Who was my least favorite teacher? OH MY GOD. I have stricken them from my memory. Besides, least favorite teacher when? In elementary school? High School? College? Graduate School? Least favorite in what context? What if I answer that question and then later I remember a teacher I hated more? Fast forward one year. My brain is full of information that I use in my daily living. I have a vague recollection of being forced to provide such an answer but I remember even more the teacher I hated more. Which one did I say? Do I even remember the name of the second least favorite teacher? Plus, now the right answer is a LIE.

Then there’s this multi-answer scenario. I am not making this up.
1. What was your first car?

OK. I can answer that.

2. Of all the cars you have owned, which was your least favorite?

My least favorite was my first car. It was a piece of junk.

Your answers cannot be the same.

Great. So do I make up an answer? And if I do, how do I remember my made-up answer?

Then there are questions like these:

What was your favorite job?

What?? Number one, I haven’t yet had my favorite job. I have had jobs that paid the bills and that I didn’t hate. But for each and every job, I always wanted to be doing something else, like being at home living off my lottery winnings. Plus, there’s no job that I loved everything about. I’ve had jobs where I loved my co-workers but hated the work. Or hated my boss. Or jobs where I liked doing X and despised Y. I can’t answer a question like that, and if I just get frustrated and pick one, it won’t be a “true” answer and two years later I won’t remember what I put.

I have literally been on the phone with people being asked security answers I gave 5 years ago and I have NO idea what answer I gave. I cannot remember the PRECISE phrase, or whether I used my mother’s middle name or just her middle initial or none at all.

Security questions are stupid and they don’t even work.

Thank you for allowing me to get that off my chest. I feel better now.


4 Responses to “Rant Alert – The Problem with Security Questions”

  1. Lorelie says:

    My favorite was one website that insisted I *must* answer where my mother was born. But when I said “New York City” it told me “Answer too common.” Fuck off, that’s where she was born!

  2. Oh, Lorelie! That’s priceless. How are we supposed to keep track of where we had to make up shit?

  3. T.K. Marnell says:

    Having security questions is better than letting any old kid just hit the “Reset Password” button to an account without any safeguards whatsoever. Then all they would need to do is get access to your primary email account to click the confirmation links, and then have a blast getting into your bank accounts, credit cards, other emails, etc. (I didn’t come up with this on theory, either; I learned it by example. A disgruntled ex of a girl I knew had some laughs locking her out of social networking sites and paying her bills with her checking account “for her” to cause a panic.)

    The problem isn’t the concept of security questions, but the common stock of the questions asked. My SO gets really riled up about it too, when he sees a drop-down list of really insecure “security” questions like “What year did you graduate from high school?” or “What was the name of your best man at your wedding?” Ideally, people would not be asked to enter where they were born, which basically everyone who sees their Facebook profiles knows, but would be prompted to craft their own security questions. Unfortunately, most users would either ignore it or fuss about the work involved.

    • The obverse of easy “security” questions is ones that are more obscure. But that means they’re not going to be easy for the user to recall either. Particularly when that user undoubtedly has 20 other websites with a similar scheme. Security questions are not secure. As Bruce Schneier says, authenticate the transaction, not the user. That’s better security, but it’s more expensive. Until banks and the like are actually penalized for their poor security, they have no incentive to implement security that’s known to work.