Comments on: Inane security questions

By: Dave

Dave — Fri, 14 Mar 2008 13:47:49 +0000

Nationwide’s online banking has the same thing — 5 extra “security questions” including my favorite colour (and it is supposed to be mixed alpha and numeric characters).

Is it any surprise people end up writing their credentials down?

By: Barry Rueger

Barry Rueger — Wed, 27 Feb 2008 18:42:23 +0000

My bank in Canada launched the same madness. For most questions I had no easy answer. See:
http://www.community-media.com/wordpress/?p=516

Subsequent to that I have realized that if the secondary security question (which appears maybe once in twenty or thirty log ins) baffles me, I need only go back to the initial log in page and refresh it. Voila! I log in without the second question.

By: Clive Robinson

Clive Robinson — Wed, 20 Feb 2008 20:31:08 +0000

Richard,

The problem you highlight is exactly why passwords are a bad idea.

It does not mater a jot if you can not remember the password or the answer to a check question, the problem and its cause are the same. That is you are denied access to a service due to the common problem of a less than perfect memory…

The solution to the problem is unfortunatly quite unpalatable, in that access should be by something you are in terms of an inveriant physical property.

This is usualy equated by the uninitiated with some biometric, however there are as you know significant problems with all biometrics not least that they all can change with time or be lost (a retina scan is of little use if you develop chateracts for instance).

Finding a real solution to the problem might be “the better mouse trap” that will give you fame (but not fortune).

By: Sebastien Lahtinen

Sebastien Lahtinen — Wed, 20 Feb 2008 20:16:32 +0000

This is a real problem with the inability of designers to understand the lack of security.. General questions like favourite colour are not uncommon.

I guess in today’s world friends or heroes can be handles or online names so could contain numeric and non alphabet characters.. What is more worrying is when you can’t opt out of having silly security questions

By: Richard Clayton

Richard Clayton — Wed, 20 Feb 2008 17:16:29 +0000

It’s clear, from the comments here and elsewhere that some people think these are wonderful questions.

Perhaps the reason that I don’t is that I lived in three different parts of the UK (and for two years in the US) when I was growing up, so that my childhood is split into four rather distinct sections — and so there are four possible answers to some of the questions (plus I have two grandfathers). Hence they are rubbish questions for me because if I’ve forgotten my password then I’ve certainly forgotten which grandfather (or which part of my childhood) I answered these questions with.

Clearly it’s desirable that someone else cannot answer the questions and steal my account (and thereby get to fill in details for a Pensions Regulator questionnaire — shock horror) but equally the questions should have some chance of being answered consistently by me!

By: Andy

Andy — Wed, 20 Feb 2008 17:06:10 +0000

Even if an attacker bought all the appropriate databases and collected every single detail about you, childhood information in all likelihood, will be unavailable. Also, childhood information, is so old that it is very difficult for an attacker to obtain. This is where I see the value in using childhood-based data.

By: DF

DF — Tue, 19 Feb 2008 16:19:15 +0000

I wonder — Because no one enforces the truthfulness of the answers, why not answer all the questions with the same answer? But an answer you can remember that’s suitably long. After all, it ’s just another password.

By: Dustin J. Mitchell

Dustin J. Mitchell — Tue, 19 Feb 2008 01:11:19 +0000

My bank made me set up a similar set of questions. The web form used type=”password” for all of the responses. They were also all matters of public record (mother’s maiden name, birthplace, etc.). Lke you, I assumed they were just text matches and inserted respectably cryptic passwords. On my next call to the bank, to my surprise I was asked for my mother’s birthplace. I found myself reading out a password which was consequently no longer useable anywhere else.

You can be sure they got an earful from me. The bank has top-notch customer service and apparently listened to me and all othe other complainants, as it has since mended its ways.

By: Richard Clayton

Richard Clayton — Tue, 19 Feb 2008 01:01:20 +0000

My objection to the questions is that childhood isn’t a single short period. So whilst you are 12 then maybe you will be able to give an answer that will remain constant when you forget your password a few weeks later. Is it reasonable to expect pension trustees (who only have to submit these returns every couple of years) to remember which phase of their childhood (5? 10? 17 and a half?) they were thinking of when they named a friend or hero? It’s a bit like being asked for your dog’s name… at 12 that’s a sensible question, at 62 there will be a number of possible responses.

I also linked to Bruce Schneier’s comments on these sorts of security questions — they’re spot on as well!

By: djm

djm — Mon, 18 Feb 2008 23:55:33 +0000

With the exception of the “main childhood phone number”, it is not at all clear to me why these questions are “clearly unsuitable”? Memories of childhood and family are among the most enduring and are often the last thing to go in cases of dementia.