Security questions are the dumbest thing the internet has ever invented


At one point in the evolution of the World Wide Web, somebody came up with this fantastic idea. This person must have thought that the problem of securing your online identity was just solved in a very elegant form: security questions, which only the person who owns the account is able to answer. But there's a problem. Even if security questions worked at one point in time (which I also doubt), they simply don't work anymore, so you might as well lose them. Luckily, most services already did that, and Facebook tried to innovate this feature with a "recognizing friends" alternative, but I somehow still manage to find them. And fail using them.

True story

A few years ago I had to set up the security questions with my online broker because of their new online privacy policy. Since financial services are a bit delicate, they are trying to provide as much security as possible. One of the questions I had to answer was "What is the last name of your favorite athlete". Since I wouldn't take risks, I did something silly with the answer, but forgot what that silly thing was. I tried to remember on a few occasions, but failed miserably every time. In the end, because of the recent Apple and Facebook stock exchange frenzy, I had to make a phone call to the States and reset my security questions. A waste of time and money.

Why u no work?

But why don't security questions work? Firstly, nobody's sure how they work with the specific service. Will somebody be able to reset my password by answering them right? Or will I be required to answer them after I log in to the system with my username and password? Or will they be used just in case I need to prove my identity on the telephone? Who knows… (and don't bother explaining)

Then the next problem happens. When I'm asked to answer security questions such as "Your first girlfriend's name", "Mother's maiden name", "Favorite holiday spot" or "Your pet's name", I can think of plenty of people who might know such things, and I don't know what these monsters could do with the answers (see above). Sure, these are mostly people I trust, but lately, quite a few answers to questions like this can be found elsewhere, e.g. on Facebook. How can I be sure my mother has the correct privacy settings? Or that my pet won't appear tagged on someone else's picture? Is that a risk I'm willing to take?

Time to drop

Bottom line: I tend to be creative or lie when I'm answering security questions, and I'm sure I'm not the only one who does it. Lies and creativity are easily forgotten, so I end up not knowing the right answer when the time comes. Face it, you cannot make a generic query that only I will be able to answer, and that's where the story ends. So please, stop using security questions, they don't work! Think of something else.

DISCLAIMER: Please note I'm not trying to persuade anybody to lower their security standards, but the fact is, people are emailing passwords to each other.

written 2.5.2012 21:05 CET on chronolog