Or just the fact that I never put in a proper answer for those and get asked them so infrequently I need to have text file with my answers of "FooBar1234abcdâ or whatever bit of silliness I picked as I never remember what all strangeness I would have done to a regular answer.
Bruce Schneier wrote about this ten years ago:
https://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html
For accounts that are not vital and that donât have any sensitive contents (ie: banking or personal info) I donât really care much about the security questions, plus the passwords for those are different than for my sensitive accounts, which is different from my email pass as well. For the sensitive accounts i usually answer the security questions with semi-unrelated things, if the question is what street did you grow up in i answer with my hometown.
Can I just point out that itâs very disturbing that Google was able to do this study? It strongly implies that when they save security questions, they donât salt and hash them like they (almost certainly) do with passwords. Saving the plain-text answers to security questions is an incredible security hazard.
I suppose that they could have a thing where when the security question arrives from the user, it salts and hashes it for their account management database but also sends the plain-text security question to another database used for this study, and disassociated each security question from the user-name. That would be better, but still not great.
Once upon a time when I worked on a non-Google e-mail system, security questions and their responses (actual answer and last 10 attempted responses) were visible to account support people, as was the password and the last two or three historical passwords. That was a long time ago, so maybe things are different now, but at the time they were vital to untangle things like hostile takeovers of accounts.
Alternatively they bruteforced them. (:
I use algorithmical answers to passwords and these âsecretâ security questions. This way I only need to remember a couple of formulas and I have unique passwords and security questions for every site.
This isnât perfectly secure of course: if I was targeted by a human (instead of a computer) who was able to get a couple of my passwords, they would probably be able to reverse engineer the algorithm I used, which would then probably allow them to access some of my other services. But my assumption is that if a human targets you personally, then even the most secure methods involving passwords are void.
My pet peeve about security questions (the ones you canât write yourself) is how much they assume about your life. Not everyone has pets; not everyone wants to remember the name of their first romantic partner.
I find these types of security questions to be particularly annoying for business accounts. If we have an online account with a office supply company or courier or whatever sometimes weâre forced to use these kinds of personal identifier questions for password security. The problem comes when someone is absent or there is turnover; no one can remember the motherâs maiden name of someone who hasnât worked at the company in six months or the favourite food of someone who is sick on the day when an order has to happen.
Mothers maiden name and city of birth arenât exactly immune from a little online search.
The security question is supposed to be a password thatâs validated by a human, not a hashing algorithm. Youâre not expected to remember the case or other technicalities, just to demonstrate knowledge of the correct answer. It doesnât matter if you wrote âLincoln High Schoolâ initially, âlincoln highâ should be a valid answer.
Admittedly, thatâs not how secret questions are always used, sometimes theyâre evaluated in the exact same way as your actual password. So then you just have two passwords, and one of them is pretty easy to guess.
I had an âoh, duhâ moment recently when someone pointed out that those silly games where you figure out your porn star name (First pet, motherâs maiden name) totally give this stuff away.
More times than I can count â and several times recently â Iâve been trying to head off some imminent crisis, and needed to log in to something-or-other and needed to get someone elsesâs password to do so â and then found out the password is a shared password everyone knows, usually âthe same one we use for everythingâ, or written down in an easy-to-find place. And naturally, such passwords are generally very weak. Itâs a recurring experience that every rule I can think of about password handling is routinely violated â and that every business and every household Iâve encountered since computer networking became commonplace depends on this. More than once, Iâve needed a password and had no access to my password vault, and found myself thinking, âIf Iâd actually followed the rules, Iâd be totally screwed right now.â
In fact, another episode of this came up as I was typing that last paragraph.
Iâd go so far as to suggest that with rare exceptions, if a password is strong, unique, never shared, and stored securely, itâs probably not a password that really has any importance.
Given that itâs a routine experience that peopleâs personal and employed lives depend upon ignoring or bypassing rules about passwords, why even bother pointing out that security questions are insecure?
I especially hate the subjective questions - favourite pet, favourite food, best friend in grade school, etc. Really? How is one a)supposed to choose, and b)be able to remember?
I had my high school on a set of accounts long ago as one of the answers and I had not capitalized for one account and had capitalized for the second. I kept using the wrong one and getting sent back to the beginning of the verification. On another secret question I could not remember how I had spelled the answer to a particular question but it was handled by humans ⌠so no worries⌠No: âCould you tell us the 5th letter of your secret question?â fortunately it was a human who could understand reality and got the computer to serve up another verification.
Yes yes yes! It drives me nuts that I have to choose from a specific list of security questions that may or may not fit my life. Usually they do not, and as a result, I wind up picking the most guessable ones.
It seems to me that a better system would be to require the user to enter a challenge question AND a challenge answer. That of course would have the weakness of allowing stupid questions (âwhat is two plus two?â), but at least it would allow secure ones as well.
I do the same, entering these made-up answers in 1Password alongside passwords etc. My dadâs middle name is different on every site I use, and always more unusual than âJohnâ (which is not his middle name, incidentally). I expect that given enough breakins into enough sites, my truly personal information would be exposed over time, so itâs better not to use it in the first place.
People think your answers to these questions have to be literally true? Or even conceivably true? Not just âsomething youâll rememberâ? (e.g., âFavorite color: 23 skidoo!â, âMotherâs maiden name: Nabiscoâ)
Yeah, okay. Who am I to judge?
That kind of thing is how Sarah Palinâs Yahoo email was hacked, wasnât it?
