The other day, I was attempting to sign up for some service or other using a form that demanded a ‘security question’ and answer. Insecurity question would be a better term, actually, particularly as this thing gave a choice of only three questions.
The ‘security question’ is used to help you retrieve or reset your password if (when) you forget it. It’s a bad idea all around, really, but if you have to do this, the least bad way is to allow the user to specify the question and the answer. When the user is trying to retrieve a forgotten password, you then display the ‘question’ string, and check to see whether what you get back is the ‘answer’ string.
If you think about it for about a millisecond, you’ll note that this is nothing but another password for the user’s account. Let’s say that my username is ‘tino’ and my password is ‘p455w0rd123’; the logic of the login is ‘This person knows that the password ‘p455w0rd123’ is associated with the username ‘tino’, so this must be Tino. He can do what he wants.’
There are conceptual weaknesses in this — primarily that most people use the same password (which they never change) for everything — but on the whole it works well enough.
The ‘security question’ allows for the same kind of user identification, but it does it in an intentionally broken way. The password ‘p455w0rd123’ is arbitrary; that is, it has nothing to do with anything except that it’s easier for a human to remember than is ‘f88a2e6abe98bbef81ddb3f86c410f93’.
The ‘security question’ is a password, but one that’s inherently and deliberately not arbitrary. The common canned questions ask for:
- Your mother’s maiden name
- The street you lived on as a child
- The name of your childhood pet
- Your favorite sports team
These are spectacularly bad. #1 can be defeated with a simple public records search; #2 and #3 are 100% vulnerable to anyone who knew you well as a child (or anyone who can ask questions of any of those people). #4 is particularly ridiculous, given that people trumpet their sports affiliations with hats, T-shirts, license-plate frames, etc., etc.; and in any case it’s extremely likely that your favorite sports team is one that plays in the city in which you live, or in the city where you grew up, or for your alma mater.
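To make both points concrete, here is an added example (not code from the original post or from any site it describes) that implements the ‘least bad’ design described earlier: the user supplies their own question, the site stores the question in the clear and the answer only as a salted scrypt hash, and the answer is normalized (case, whitespace, punctuation) rather than subjected to a minimum length. The same block then plays attacker against a constructed list of sports teams to show how few guesses a non-arbitrary ‘password’ costs. The user table, the team list and the usernames are assumptions made up for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Constructed, in-memory stand-in for a user table (an assumption of this example).
_users: dict = {}
_DUMMY_SALT = b"\x00" * 16   # used to keep timing uniform for unknown usernames


def normalize_answer(answer: str) -> str:
    """Canonicalize a human-typed answer so trivial variations compare equal:
    'Elm Street', ' elm  street.' and 'ELM STREET' all become 'elm street'.
    No minimum length is imposed: 'Smith', 'Fido' and 'Miami' are valid as-is."""
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", "", s)   # strip punctuation (O'Brien -> obrien)
    return " ".join(s.split())       # collapse leading/trailing/internal whitespace


def _hash(secret: str, salt: bytes) -> bytes:
    # Treat the answer exactly like a password: salted, slow hash, never stored in clear.
    # scrypt is in the standard library; n=2**14, r=8 uses 16 MiB of memory per call.
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(username: str, password: str, question: str, answer: str) -> None:
    """Store the user's own question string plus a hash of the normalized answer."""
    if not question.strip() or not normalize_answer(answer):
        raise ValueError("question and answer must be non-empty")
    pw_salt, ans_salt = os.urandom(16), os.urandom(16)
    _users[username] = {
        "question": question,
        "pw_salt": pw_salt,
        "pw_hash": _hash(password, pw_salt),
        "ans_salt": ans_salt,
        "ans_hash": _hash(normalize_answer(answer), ans_salt),
    }


def reset_question(username: str) -> str:
    """Reset step 1: echo the user's own question string back to them."""
    return _users[username]["question"]


def check_reset_answer(username: str, answer: str) -> bool:
    """Reset step 2: verify the answer the way a password would be verified."""
    u = _users.get(username)
    if u is None:
        _hash(normalize_answer(answer), _DUMMY_SALT)   # same cost as a real check
        return False
    return hmac.compare_digest(_hash(normalize_answer(answer), u["ans_salt"]),
                               u["ans_hash"])


def guesses_needed(username: str, candidates: list) -> Optional[int]:
    """Attacker's view: how many tries a candidate list costs before the
    reset check succeeds. Returns None if no candidate matches."""
    for n, guess in enumerate(candidates, start=1):
        if check_reset_answer(username, guess):
            return n
    return None


# Constructed demo data, not taken from the original post.
SPORTS_TEAMS = ["Bears", "Cubs", "White Sox", "Bulls", "Blackhawks", "Fire", "Sky", "Red Stars"]

if __name__ == "__main__":
    register("tino", "p455w0rd123", "What did I name my first car?", "Fido")
    print(reset_question("tino"))
    print(check_reset_answer("tino", "  fido "))                    # True
    print(check_reset_answer("tino", "Fido The Cockroach Slayer"))  # False

    register("fan", "correct horse battery staple", "Favorite sports team?", "White Sox")
    print(guesses_needed("fan", SPORTS_TEAMS))                      # 3
```

The verifier is sound (constant-time compare, slow salted hash, uniform cost for unknown users), and it still falls in three tries, because the secret behind it was chosen from a list anyone can write down. The practical consequence is that the rate limit and lockout on the reset endpoint have to be far stricter than on the login form, since the thing being guessed has a fraction of the entropy of even a poor password.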
Even some of the ‘good’ questions proposed at GoodSecurityQuestions.com are ridiculous. These, for instance, are all useless against anyone who knows you well enough:
- What was your childhood nickname?
- What is the name of your favorite childhood friend?
- What street did you live on in third grade?
- What school did you attend for sixth grade?
- What is the first name of the boy or girl that you first kissed?
- What was the last name of your third grade teacher?
- What was the name of your elementary / primary school?
- In what city or town was your first job?
Most of the rest of them are similarly bad, vulnerable to public-records searches or simple guessing. The whole thing is a bad idea, as has been scientifically proven.
But what did I find that was even more ridiculous? I found a security question system that insisted on a minimum length for your answer, confusing the minimum-length requirements for random passwords with the specific piece of information that’s required by ‘security’ questions. If you grew up on a street with a name less than six letters long, or if your mother’s maiden name was Smith, or if your childhood pet was Fido, or if you were born in Miami: you have to enter some longer variation (‘Elm Street’, ‘Mary Smith’, ‘Fido The Cockroach Slayer’, ‘Miami, Florida’) and then remember, whenever you later need to supply the answer, exactly how you padded it out.
I didn’t bother to complete the registration.



