Good security questions are not as easy to make as you might think. Many of them are terrible. Asking for your mother’s maiden name or the last 4 digits of your social security number doesn’t help at all. If someone else is impersonating you it is easy for them to find this information.
A good security question should be something that
1) Bad guys don’t know (and can’t easily find out)
2) I know
The second issue sounds obvious, but it’s a very real issue. “What is your mother’s maiden name?” can be stymied by the complexities of modern life. I have at least 3 maiden names to pick from, due to the divorces and re-marriages of my parents. Some days I can’t remember which one I picked originally.
Emigrant Direct went above and beyond the call for failing on the second issue. Look at the security questions they have.
How many of these could you answer unambiguously, and be confident that the next time you went to log in, you would give the same answer? The only one I know for sure is my Grandmother’s first name. And that’s only because one grandmother wasn’t really part of my life and the other one is awesome. (By the way, happy 101st birthday Grandma!)
- What is my favorite sports team? It’s the Celtics! No, wait, it’s the Patriots. I honestly don’t have just one answer. And do I write it as “Celtics”, “Boston Celtics”, or “The Boston Celtics”? It’s a good thing I hate baseball!
- How about a childhood friend. Um.. .which one? A couple of you are reading this blog right now. Let’s see, I probably meant Chris W. No… maybe Andrew B? No? Michael W? I hope it’s not Michael, I’ve been spelling his name wrong for forty years. Did I use both names, or just a first name? This one is impossible!
- Who’s my favorite president? I don’t know. Clinton? Lincoln? LBJ? I read Theodore Roosevelt’s biography lately, he’s awfully incredible. Would I have used first names?
- Obviously I attended more than one school as a child.
They have five mandatory questions, and not one of them is a good question! All five of them allow for ambiguity. Going zero for five is something special. That takes effort!
Emigrant does redeem themselves a little. Besides the five mandatory questions shown, you can also make a set of questions yourself. (They then ask you any two of the combined set.) These are great. For example I used, “What’s my nickname for my college roommate?” I will never forget that as long as I live, and hardly anyone else on the planet knows it. I can ask a trivia question about The Who, one that’s hard to get even via Google. Or, how old was I when I _____? Or, what did I want to name my first child? Or, what was the first name of the kid who almost drowned me at camp in the 70s? All these questions are ones that I know the answer to instantly and anyone else would have a very hard time guessing. That makes for an ideal security question. (For most people you can also use the name of their first pet. That doesn’t work for me. “Muttrox” is kind of public…)
So Emigrant Direct, I award a D. You allow free-form questions, which is excellent. But your mandatory questions are so awful that I’ve had to get my password reset both times I needed to answer these questions.
OK, I snorted.
Also, I saw a bit of advice that suggested that the answer to every security question be something like:
“dumb security question j$H//_(n grandmother”
no joke I have thought about coming up with a business that dealt with just this issue. I think the entire concept of Q&A for sites is completely flawed. I’d like to see some sort of multi-factor authentication (http://aws.amazon.com/mfa/) that would have linked to it a single password. This password portion could be controlled/changed at the MFA’s site only, and you could even define a list of permitted IPs. Web applications could simply drop a function call into a web page, let the external app provide an OK/FAIL response, and continue from there. This would also get the individual websites out of the password management/resetting business. By the way, the fart post was still better.