Why Security Questions Aren’t So Secure
Forgot Your Password? No Problem, Just Answer These Security Questions to Reset it…
One of my biggest gripes with the digital age is the use of ‘security questions’ to obtain account information when you’ve forgotten a password or allowed one to expire. Security questions seem to come in 2 different formats: there are ones that ask for factual information like, ‘What was the street number of the house you grew up in?’, and there are ones that are based on a preference like, ‘What is your favorite food?’. Regardless of which format they use, they’re all security hazards, and here’s why…
Problem #1: The questions are all the same
Recently I was online and wanted to post a comment to a blog, but the site required me to sign up and create a username/password. During the creation they asked me to give initial answers to some security questions. As I was answering them, I realized that I’ve answered these questions before on other sites, and what if (paranoia sets in) this is actually a phishing site that was set up just to farm the answers to security questions and then use those to gain access to people’s accounts? Every site asks you the same or similar questions! There are at least a dozen websites or accounts out there that know what my mother’s maiden name is, my favorite food, and the color of my first car. The reality is that since sites all ask similar questions, you find yourself basically giving out the same answers to everyone. This information can all be bundled up as the foundation for a horrible experience in identity theft.
Problem #2: Fact-based questions are inherently insecure
What was the color of your first car? Red? Blue? I bet you’re not the only person in the world who knows the answer to that question. How about the name of your first pet? My first pet was a turtle named turt-turt, and that’s hardly Top Secret information. Fact-based questions are… well… fact-based. The answers can be either deduced or, in some cases, googled. I grew up on a road called Silver Avenue, and there’s public census data that can be used to find that information, so how does it really qualify as a ‘security’ question?
Problem #3: Preference-based questions are a nightmare
Most of my friends could guess what my favorite food is, or what my favorite animal or dream car is. I however don’t think most of my friends should have access to my online accounts – so why use information they know?
Not only are security questions not secure, they’re also a pain in the rear
What happens when your favorite food is pizza but then one day you discover sushi and it becomes your new favorite food? What if there’s a 6- or 7-year gap after that happens and you’re stuck trying to answer your favorite food security question and can’t figure out why it won’t take sushi? It’s happened to me more than once. Favorites and preferences change over time, and if you don’t remember which one you used, you could find yourself unable to access your accounts.
Depending on the site, they’re also sometimes case-sensitive. I don’t always remember if I capitalized Baltimore as the city I grew up in 4 years ago when I signed up for that online account with whoever.
So What Do You Do Now?
Here are a couple of rules I use for security questions to help alleviate some of these issues:
- Use an alternative authentication method if a site allows you to, such as dual-factor authentication or resetting your password via email.
- Always pick the weirdest questions to answer, and try to use one that’s unique and that other sites don’t ask.
- Either capitalize the first letter of your answer always, or never, but don’t mix the two.
- Never forget that everyone knows your mother’s maiden name.
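The case-sensitivity problem described above (and the reason for the capitalization rule in this list) is really a site-side design flaw: the answer should be normalized before it is hashed and compared, the same way you would treat a password. The following is an added example, not code from the original post or from any particular site; the function names, the 4-character minimum for an acceptable answer, and the PBKDF2 parameters are this example’s own choices.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed example: store security-question answers so that "Baltimore",
# "baltimore " and "BALTIMORE" all verify, while the plain-text answer is
# never kept. Names, minimum length and KDF cost are this example's choices.

MIN_NORMALIZED_LENGTH = 4       # rejects one-word guesses like "red" or "blue"
PBKDF2_ITERATIONS = 600_000     # slow hashing so leaked digests resist guessing


def normalize_answer(answer: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation such as hyphens/commas
    return " ".join(text.split())          # trim and collapse internal whitespace


def answer_is_acceptable(answer: str) -> bool:
    """Reject answers that are too short to be anything but a guessable fact."""
    return len(normalize_answer(answer)) >= MIN_NORMALIZED_LENGTH


def hash_answer(answer: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest) for the normalized answer; a fresh salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


if __name__ == "__main__":
    stored_salt, stored_digest = hash_answer("Baltimore")
    print(verify_answer("  baltimore", stored_salt, stored_digest))  # True
    print(verify_answer("Philadelphia", stored_salt, stored_digest))  # False
```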