The Problem With Security Questions


Ah, the security question. The bastion of internet safety, the protector of our identities, guardian against credit card theft. Or the baffler of addle-minded internet shopping junkies like me? My mother has no middle name. I have not had a nickname in 12 years. My first pet is debatable: do I count the cat I barely remember, or was it the fish that I do remember? Which did I choose that day? Sometimes I am left with questions that are nonsensical to my life. The first time one of the sites I use at work asked for my nickname, it took me twenty minutes to figure out what I might have told them when I set the account up three weeks prior. No, I didn’t write it down; doesn’t that defeat the purpose of a security question?

So here are my suggested security questions for the powers that be:

  • Apple or PC?
  • Han Solo or Indiana Jones?
  • Princess Leia or Seven-of-Nine?
  • Star Trek or Star Wars?
  • What is your handle on your MMORPG of choice?
  • Choose your ship: Serenity or Moya?
  • Wesley Crusher – yes or no?
  • Magic: The Gathering or AD&D?

These are things I can remember! Join with me in my crusade for questions that always have an answer, and always the right one for you.


9 thoughts on “The Problem With Security Questions”

  1. Thank you! I just had to answer THREE of these for an Important Financial Site & I was like “uh, I didn’t have a favorite teacher, I don’t know my grandmother’s name, I don’t have a favorite sport…geez, these questions suck!” Not to mention that a lot of “security” questions could be spoofed by a quick google check…ugh.

  2. My especial favorite that I’ve seen recently was “what was the name of your first grade teacher?”

    Are you kidding me? I suffer from so much information overload most days I can barely remember my own name let alone the name of some woman from an unspecified number of years ago.

  3. Allowing you to pick your own security questions would be an improvement. My guess is it wouldn’t be any less secure than the current way of doing things.

    For me, I’ve created a list of *wrong* answers to those kinds of questions. That way even people who know me couldn’t figure out the answer (much less some random criminal that’s been googling me). I’ve selected the answers such that I’ll remember them, and I use them consistently. If I get paranoid at some time in the future, I can change my answers.

    I’ve set up lists for my kids, too, so when the time comes that they have to answer what my middle name is (I don’t have one), or where they were born (easily figured out these days), or what their pet’s name was, they can provide a “secure” answer.

    1. Well, I agree that creating your own questions would probably be about as secure– but it *would* mean more work/code for the site, larger database to track, etc.

      I’ll have to ask my youngest sister (who is an MBA student) about this. It seems like an issue that would be limited more by management-side concerns than technical-side ones. I mean, I think most of us who are tech-minded would think the extra complexity was worth it, but I’m not so sure management would.

  4. Most of these nonsense security questions, which actually make things less secure, not more (because the answers are generally publicly available), are what Bruce Schneier refers to as “wish it was two factor” authentication. An ATM card is an example of actual two-factor authentication. In order to use it to get money, you need the card (a physical item) and a PIN (something you remember) at the same time.

    My wife and I do something similar to what Karl does. For certain common questions, we pick a favorite wrong answer out of literature. For example, for “what was the name of your first pet”, we might say “K-9”. We can remember it, and it is hard(er) to guess based on going through my trash.

  5. I like all your sample questions, except the Wesley Crusher one, which made me waffle. It’s a “No” to Wesley Crusher, but a big “Yes!” to Wil Wheaton, so I’m not sure I’d remember which way I swayed in my initial answer. 🙂

  6. I despise the security questions. I recently stared at a list of maybe 8 options and honestly couldn’t find a single one I had an answer to! I never had a pet; I actually didn’t go to first grade and don’t remember most of my elementary school teachers’ names; I have many nicknames; etc. I can usually get away with a couple, but this list was obviously made to be more obscure than most, so the trusty parent’s middle name was absent.

    I LOVE the idea of using fake answers, though. That, I could totally do!

  7. I never worried too much about security questions prior to my divorce. I used the honest and simple answers to the questions like “where were you born?” or a parent’s middle name as often as possible. Stealing my identity won’t yield enough to be worth it to most strangers. I do, sad to say, worry about my ex deciding to mess with my various email and social networking accounts. Looking at the average list of questions, anyone who knows me well should know the answers. I’ve gone the fake answer route and tied it up in a theme I won’t forget.

    The questions you suggest are wonderful, but I’d hope everyone knows I’d pick Star Trek over Star Wars and Indiana Jones over Han Solo. Too much of my identity is wrapped up in those answers. Serenity or Moya might be safer, at least for my worries, since Firefly and Farscape are both new to me in the last year, except I’d have a heck of a time choosing between a sweet little cargo ship and an amazing living ship with DRDs (if I ever get a Roomba, I’m mounting antenna on it).
