“Secret” Questions: Not. Secret. At. All.

By Harry McCracken | Monday, July 20, 2009 at 7:10 pm

I still have Twitter’s document leak on my mind, and am therefore hypersensitive at the moment to the “forgot your password?” features that Web services offer and their potential for abuse by people who want to steal your information (or even your money). I just signed up for a Barnes & Noble account, which I’m bringing up here not because it’s a bad example but because it’s perfectly typical.

B&N asked me to choose a question that nobody else could answer:

[Screenshot: Barnes & Noble's prompt to choose a security question]

And then it gave me eight questions to choose from:

[Screenshot: Barnes & Noble's list of eight security questions]

I don’t see a single question here that nobody else on earth can answer. Some are the very definition of public information, like the names of parents and pets. Others are profoundly guessable, even by perfect strangers. (If you know what metropolitan area someone lives in, doesn’t that give you a gigantic head start in figuring out what his or her favorite team might be?)

As for me: Lots of people know what city I was born in, what my mother’s middle name is, and what sports team I root for. If you’ve got access to my Facebook profile you can make excellent stabs at figuring out my favorite author and movie. My favorite car is pretty obvious, too–it’s the one parked in my driveway, and I’ve mentioned it repeatedly on Twitter and in other online venues.

Oh, and my father doesn’t have a middle name and I don’t own any pets at the moment, so those questions are out.

When you think about it, there’s almost no such thing as information that’s A) known only to one person and B) virtually impossible for anyone else to guess. There are terrible implementations of secret-question security and less terrible implementations, but they’re all based on a fundamentally flawed idea.

It’s true that like many services, Barnes & Noble only asks you the security question after you’ve clicked on a link it sends you via e-mail. So an intruder would have to both have access to your e-mail and know or be able to guess the answer to your security question to get access to your account. In other words, the security question is an added level of protection, not a primary means of defense–but I still don’t like the Web-wide pretension that nobody knows my mother’s name except me.

Conclusions?

1) If Web sites insist on using secret questions–and I’m sure they’re not going anywhere–they should at least stop pretending there’s anything secret about them;

2) Letting us choose our own secret questions and answers is much better than forcing us to use one supplied by the company;

3) Providing bizarre made-up answers remains the best way to keep secret questions secret. Which is why I just decided that my favorite team is the Atascadero Wombats…
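One way a site could act on the points above, as an added example (not from this post or from Barnes & Noble's site): treat the answer as a second password rather than as knowledge nobody else has. It rejects answers that overlap the user's own profile or a constructed list of common answers, stores the answer salted and hashed, and asks the question only after the e-mailed reset link has been used, with a cap on guesses. The `RecoveryFlow` class, `COMMON_ANSWERS` list and profile fields are assumptions made here.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed sample of answers a stranger could guess for the B&N-style
# questions (favorite team, pet name, mother's middle name); a real list is longer.
COMMON_ANSWERS = {"red sox", "yankees", "max", "buddy", "marie", "ann"}

def normalize(answer):
    """Case-fold and collapse whitespace so 'Red  Sox' matches 'red sox'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def is_guessable(answer, profile):
    """True if the answer is public: too short, common, or overlapping the user's own profile."""
    norm = normalize(answer)
    if len(norm) < 4 or norm in COMMON_ANSWERS:
        return True
    return any(v and (v in norm or norm in v)
               for v in (normalize(str(x)) for x in profile.values()))

def hash_answer(answer, salt=b""):
    """Store the answer like a password: salted, slow hash, never plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)

def verify_answer(answer, salt, digest):
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)

class RecoveryFlow:
    """E-mail link first, then the question; wrong guesses burn the link."""
    MAX_GUESSES = 3
    def __init__(self, salt, digest):
        self.salt, self.digest = salt, digest
        self.tokens = {}  # reset token -> remaining guesses
    def send_reset_link(self):
        token = secrets.token_urlsafe(32)  # would be e-mailed to the account holder
        self.tokens[token] = self.MAX_GUESSES
        return token
    def answer_question(self, token, answer):
        if token not in self.tokens:  # no e-mail access: the question is never asked
            return False
        if verify_answer(answer, self.salt, self.digest):
            del self.tokens[token]  # single use
            return True
        self.tokens[token] -= 1
        if self.tokens[token] <= 0:
            del self.tokens[token]
        return False
```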

10 Comments For This Post

  1. Dave Barnes Says:

    Harry,

    You whiner.

    What is your favorite film?

    The answer will determine your place in the cosmos.

    Think before you answer.

    Saying The Big Lebowski would be the WRONG answer.

    ,dave

    P.S. Mine is Lawrence of Arabia.

  2. Harry McCracken Says:

    Me, whine? Actually, I didn’t even bring up the biggest problem with asking me what my favorite film is–it varies. On given days, I might tell you it’s Pinocchio, The Wrong Box, Real Life, or Willy Wonka and the Chocolate Factory…

    –Harry

  3. Harry (not McCracken) Says:

    I concur with Harry’s recommendation that the user be permitted to choose his/her own security question and answer. My personal choice would be: “Who is your favorite classical music composer?” Only a few people who know me well would know that answer.

  4. Dave Barnes Says:

    @Harry not,

    http://en.wikipedia.org/wiki/Arnold_Schoenberg

    ,dave

  5. Marc Says:

    I always have my own secondary word(s) I use no matter what the question is.
    Can be quite funny, when you’re on the phone and someone says “Can you confirm what your first school was called?” and you answer “yes, it’s yellowmustang123”

  6. Kip W Says:

    Nonsensical answers are the only way to wombat.

  7. Kip W Says:

    Toaster! I meant toaster.

    (Yeah, you have to keep your nonsense straight. How is that different from the rest of my life?)

  8. Peter Says:

    Just signed up at a site that asked me to write my own “secret question” and then give an answer to the question you just asked. That seems a little more secure but still…

  9. JDoors Says:

    I’ve been pleasantly surprised by forms that ask me to make up my own question. Excellent. Making up an answer kind of defeats the purpose — when you eventually DO need to identify yourself, there’s no way you’ll remember your answer.

    I prefer to make it a habit of changing the question a bit; not the name of your pet, for example, but a pet you had as a child. If you always use that altered answer you’re more likely to remember it when (and if) the time comes to use it. I may be able to discover any current answers you might use, but very few people would know not just the altered information, but also guess that’s what you used.

    Of course now you all know my trick, so I’m screwed …

  10. CogitoErgoCogitoSum Says:

    Check out my relevant post at WordPress.com

    My Banks Notion of Security
    […]I interrupted the teller on the phone. “Where the hell are you getting these questions?” I said. Apparently, these questions are randomly drawn from a pool of information that Chase collects on people.[…]
