Wednesday, August 18, 2010

Truly secure security questions

Organizations from financial services companies to e-commerce web sites have implemented "security questions" in the log on process. The idea is that, in addition to a username and password, your answering these questions correctly, helps authenticate you to a system.

The idea is good: Provide an answer to a question that only you could know is the correct answer.

But many of the questions are weak, either because they're answerable from publicly available information (mother's maiden name; what if that is her name?), or there's a special format to entering them (case-sensitivity is often a problem).

In addition, security questions seem to be bundled by particular vendors, so a user might get the same questions from organization to organization. This could be an advantage for the user, but also for the cracker, acting like single sign-on. For opinion-based or favorites questions, there's a memorability problem: How did I answer this question last time? Did I answer it the same way on all the sites I've chosen it on? The answers to questions of "favorites" change over time. What's your favorite color? This is a question that, if answered incorrectly, can have dire consequences.

Which leads to a classic workaround: Choose the most outlandish question in the list and answer it with a passphrase. Have to answer multiple security questions? Answer them all with the same passphrase. This subverts the purpose of the questions, but makes it easier for the user as she crosses the hurdles to making an investment, making a purchase, or getting lab results from her health care provider.

And so, I offer some of the most ridiculous *real* security questions, followed by some that some friends brainstormed during a rant about this so-called security mechanism.

Garry Scoville writes regularly about security questions and related topics at He's an authority on what makes a less weak question (asserting all the time that there are no good security questions). His list of examples is excellent.

Real, ridiculous security questions
Among the real security questions used in real systems are some of these gems, which I've borrowed from

What is the name of the High School you graduated from? (What if you didn't graduate?)
What is your pet's name? (What if you don't have pets?)
How many bones have you broken? (In my own body or someone else's?)
On which wrist do you wear your watch? (The third one)
What is the color of your eyes? (Seriously? It says that on my driver's license)
What is your favorite teacher's nickname? (Mine for her? Or hers for her?)
What is the name of your hometown? (You think I might have moved once in my life?)
What is the color of your father’s eyes? (He has eyes?)
What is the color of your mother’s eyes? (The ones in the front of her head or the back?)
What is your favorite color? (Blue! No - green! Ahhhhh!)
What was your hair color as a child? (Either black or white because that's what color the photos are.)
What is your work address? (I work at home. Hmmm.)
What is the street name your work or office is located on? (Why don't I just tell the hacker what room the PC is in?)
What is your address, phone number? (And, by the way, the list of passwords is stored in the top right drawer.)

Questions I wish they'd ask

What was your first boyfriend's favorite car brand?
What color was your first grade teacher's house?
How long did your first pet live?
When will global warming end?
Why did your girlfriend say that about your mother?
Why am I soft in the middle?
How can you live in the city?
How dare you?
What is the point of these questions?

What's your favorite security question?