Inane security questions

I am the trustee of a small pensions scheme, which means that every few years I have to fill in a form for The Pensions Regulator. This year the form-filling is required to be done online.

In order to register for the online system I need to supply an email address and a password (“at least 8 characters long and contain at least 1 numeric or non-alphabetic character”). So far so good.

If I forget this password, I will be required to answer two security questions, which I get to choose from a little shortlist. They’ve eschewed “mother’s maiden name”, but the system designer seems to have copied them from Bebo or Disney’s Mickey Mouse Club:

  • Name of your favourite entertainer?
  • Your main childhood phone number?
  • Your favourite place to visit as a child?
  • Name of your favourite teacher?
  • Your grandfather’s occupation?
  • Your best childhood friend?
  • Name your childhood hero?

Since most pension fund trustees, the people who have to provide good answers to these questions, will be in their 50s and 60s, these questions are quite clearly unsuitable.

I’ve gone with the last two… each of which turns out to be different from the password, but the answers, weirdly enough, are also at least 8 characters long and contain at least one numeric or non-alphabetic character!

10 thoughts on “Inane security questions”

  1. With the exception of the “main childhood phone number”, it is not at all clear to me why these questions are “clearly unsuitable”? Memories of childhood and family are among the most enduring and are often the last thing to go in cases of dementia.

  2. My objection to the questions is that childhood isn’t a single short period. So whilst you are 12 then maybe you will be able to give an answer that will remain constant when you forget your password a few weeks later. Is it reasonable to expect pension trustees (who only have to submit these returns every couple of years) to remember which phase of their childhood (5? 10? 17 and a half?) they were thinking of when they named a friend or hero? It’s a bit like being asked for your dog’s name… at 12 that’s a sensible question, at 62 there will be a number of possible responses.

    I also linked to Bruce Schneier’s comments on these sorts of security questions — they’re spot on as well!

  3. My bank made me set up a similar set of questions. The web form used type="password" for all of the responses. They were also all matters of public record (mother’s maiden name, birthplace, etc.). Like you, I assumed they were just text matches and inserted respectably cryptic passwords. On my next call to the bank, to my surprise I was asked for my mother’s birthplace. I found myself reading out a password which was consequently no longer useable anywhere else.

    You can be sure they got an earful from me. The bank has top-notch customer service and apparently listened to me and all the other complainants, as it has since mended its ways.

  4. I wonder — Because no one enforces the truthfulness of the answers, why not answer all the questions with the same answer? But an answer you can remember that’s suitably long. After all, it’s just another password.
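Comment 3 (answers stored so that a call-centre agent could ask for them back) and comment 4 (an answer is just another password) point at the same design rule: a recovery answer should be handled exactly like a password. The following is an added illustration, not code from the original post or from any of the systems mentioned. It applies the complexity rule the post quotes from the Pensions Regulator form to the answers too, stores each answer only as a salted PBKDF2 digest so nothing can be read out over the phone, and verifies in constant time. The normalisation step (NFKC, case-folding, whitespace collapsing) is an assumption of this example, added so that minor retyping differences do not lock the trustee out; the sample answers are constructed.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Policy quoted in the post: at least 8 characters and at least one
# numeric or non-alphabetic character. Applied to recovery answers as well,
# on the "it's just another password" principle from comment 4.
def policy_ok(secret: str) -> bool:
    return len(secret) >= 8 and any(not ch.isalpha() for ch in secret)


def normalise(answer: str) -> str:
    """Assumed normalisation (not from the post): compatibility-normalise,
    case-fold and collapse runs of whitespace, so "Grandad  Smith 1" and
    " grandad smith 1 " are treated as the same answer."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\s+", " ", folded).strip()


# Work factor for PBKDF2-HMAC-SHA256; chosen for this example only.
ITERATIONS = 600_000


def _digest(answer: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), salt, iterations
    )


def enrol(question: str, answer: str) -> dict:
    """Store a recovery answer the way a password would be stored: the
    record holds a per-answer random salt and a slow hash, never the
    plaintext, so no agent can later ask the customer to read it out."""
    if not policy_ok(answer):
        raise ValueError("answer does not meet the password policy")
    salt = os.urandom(16)
    return {
        "question": question,
        "salt": salt,
        "iterations": ITERATIONS,
        "digest": _digest(answer, salt, ITERATIONS),
    }


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate's digest with the stored one."""
    attempt = _digest(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(attempt, record["digest"])


def enrol_all(questions: list, answer: str) -> list:
    """Comment 4's approach: one memorable, policy-conforming answer used for
    every question. Each record still gets its own salt, so the stored
    digests differ and one leaked record does not reveal the others."""
    return [enrol(q, answer) for q in questions]


if __name__ == "__main__":
    # Constructed sample: the two questions the post's author picked.
    chosen = ["Name your childhood hero?", "Your best childhood friend?"]
    records = enrol_all(chosen, "Grandad Smith 1")      # constructed answer
    print([verify(r, "  grandad   SMITH 1 ") for r in records])  # [True, True]
    print(verify(records[0], "Grandad Smith 2"))         # False
```

The records contain `question`, `salt`, `iterations` and `digest` only; a support workflow that needs the customer to prove knowledge of the answer must call `verify`, which is the property comment 3's bank was missing.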

  5. Even if an attacker bought all the appropriate databases and collected every single detail about you, childhood information, in all likelihood, will be unavailable. Also, childhood information is so old that it is very difficult for an attacker to obtain. This is where I see the value in using childhood-based data.

  6. It’s clear, from the comments here and elsewhere that some people think these are wonderful questions.

    Perhaps the reason that I don’t is that I lived in three different parts of the UK (and for two years in the US) when I was growing up, so that my childhood is split into four rather distinct sections — and so there are four possible answers to some of the questions (plus I have two grandfathers). Hence they are rubbish questions for me because if I’ve forgotten my password then I’ve certainly forgotten which grandfather (or which part of my childhood) I answered these questions with.

    Clearly it’s desirable that someone else cannot answer the questions and steal my account (and thereby get to fill in details for a Pensions Regulator questionnaire — shock horror) but equally the questions should have some chance of being answered consistently by me!

  7. This is a real problem with the inability of designers to understand the lack of security. General questions like favourite colour are not uncommon.

    I guess in today’s world friends or heroes can be handles or online names so could contain numeric and non-alphabetic characters. What is more worrying is when you can’t opt out of having silly security questions.

  8. Richard,

    The problem you highlight is exactly why passwords are a bad idea.

    It does not matter a jot if you cannot remember the password or the answer to a check question, the problem and its cause are the same. That is you are denied access to a service due to the common problem of a less than perfect memory…

    The solution to the problem is unfortunately quite unpalatable, in that access should be by something you are in terms of an invariant physical property.

    This is usually equated by the uninitiated with some biometric, however there are as you know significant problems with all biometrics not least that they all can change with time or be lost (a retina scan is of little use if you develop cataracts for instance).

    Finding a real solution to the problem might be “the better mouse trap” that will give you fame (but not fortune).

  9. My bank in Canada launched the same madness. For most questions I had no easy answer. See:

    Subsequent to that I have realized that if the secondary security question (which appears maybe once in twenty or thirty log ins) baffles me, I need only go back to the initial log in page and refresh it. Voila! I log in without the second question.

  10. Nationwide’s online banking has the same thing — 5 extra “security questions” including my favorite colour (and it is supposed to be mixed alpha and numeric characters).

    Is it any surprise people end up writing their credentials down?
