The Banality of the Security Question
I don’t normally consider “slice of life” content for this blog, because it’s supposed to be about fun and interesting stuff. Life is consistently both much of the time, but not in a way that I would expect yon reader of an obscure blog about video games to enjoy reading about.
However, I had an experience today with a security question and answer that I initially enjoyed. Soon afterward, I was shocked and dismayed.
I found myself unable to log into a website, having forgotten my username (and my password, though I was not as sure of that). Said website did not let me recover my username online – the feature existed, but it asked me to call a toll-free number instead.
Being a dutiful customer, I obliged. I had the following exchange when I got to a representative.
Me: I seem to have misplaced my username. Could you help me recover it?
Rep: Sure thing. We just have to verify against your security question. Let me look it up.
Rep: “What is the *mumble*”
Me: Sorry, could you repeat that?
Rep: “What is the favorite haunt of the most respectable brother?”
What the hell kind of question is that? I probably got it from a novel or something. “Most respectable brother” is a hint – that implies there are multiple, so it was probably the Amber series (which appropriately begins with Nine Princes in Amber). So, then, it was a matter of which was most respectable. That’s probably Eric, from a governmental perspective, which meant…
Me: Uh, “Amber”?
Rep: I’m sorry, that’s not what I have here. Let’s verify something else.
Damn! Okay, so “most respectable” was probably Benedict, who avoided involvement in politics. When Corwin finally tracked him down, he mentioned that he had been in…
Me: Ah, I just thought of it. It’s “Avalon”. [the question was actually different, but less specific in context]
Rep: That’s it!
We continued on our merry way, and my newly-relearned account was set up with its new password. As the conversation ended,
Rep: By the way, you have a great security question.
Don’t I, though?
This was, unfortunately, the end of Act III of my little tragedy.
When I logged into my account, I was faced with the reason I couldn’t look up my username online: they had changed their security question policy.
So now I was faced with a dozen or so options, all of them the same bland stuff:
- What is your [extended family member]’s middle/maiden name?
- What was the name of your first pet?
- What street did you grow up on?
- Where did you go for [elementary/junior/high] school?
The worst part was that I had to pick several. By the time I had narrowed the list down to the questions whose answers weren’t blindingly obvious from just about any social networking site, alumni information one could find by googling, and so on, I had picked the best questions available. They were still awful.
The worst part is, they had found the perfect solution for me. I now recall (since I have a little more context) gleefully picking a question that was so obscure that only I (or perhaps immediate family, if they did some research) could answer. In fact, it was difficult enough that I couldn’t on the first attempt, because it constrained the subject matter to a specific interpretation. And the company changed it (possibly because people had picked expletive-filled questions so that representatives would have to say them).
However, from my point of view, the point of a security question is security. I’m a weird guy (if you can’t tell from the site), so I could answer a question like this on-the-fly. But, more importantly, nobody else could.
And it’s not like only I could create a question like this. A more sociable person might ask a question about where they met a good friend. A Lord of the Rings buff could ask who survived a victorious single combat with a Balrog (hint: not actually Gandalf, since he didn’t survive). A statistician might ask “What is the simplest explanation for the answer to the Monty Hall problem?” (Assuming they could reliably come up with “You have more information.”). My siblings could probably ask “What is your grandmother’s favorite expression?” (to which there are multiple colorful, correct, and secure responses).
Asking what your first pet’s name is may be a good question – from the perspective that most people (in the US) probably have an answer. But it’s not secure, since there is a heavy skew towards certain names (Bowser, Spot, Fluffykins McGee). And asking which high school you went to is just asking for some Facebook stalking. Even googling might get you that information.
We’ve seen this system, as implemented elsewhere, fail multiple times – most notably when Sarah Palin’s home email address was hijacked because the answer to her secret question was public knowledge.
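The two previous paragraphs make an argument that can be put in numbers: a question whose answers are heavily skewed toward a few favourites gives an attacker who simply tries the popular answers first a good chance of success, and no lockout policy can rescue it. The following is an added example (my own code, not anything from the site in the post); the “first pet” answer frequencies and the uniform stand-in for a self-written question are constructed, illustrative distributions, not survey data. A publicly known answer, as in the hijacking mentioned above, is just the degenerate case where the attacker’s first guess has probability close to 1.

```python
"""Added example: measuring how well a security question resists guessing.

Model (the one the post argues informally): the attacker gets `attempts`
tries before lockout and submits candidate answers in order of popularity.
All answer distributions below are CONSTRUCTED for illustration.
"""
from math import log2


def _sorted_probs(dist):
    """Answer probabilities in descending order, after a sanity check."""
    probs = sorted(dist.values(), reverse=True)
    if abs(sum(probs) - 1.0) > 1e-6:
        raise ValueError("distribution must sum to 1")
    return probs


def min_entropy_bits(dist):
    """Min-entropy: -log2 of the single most likely answer.

    This, rather than Shannon entropy, bounds a guessing attacker's
    first-try success, so it is the figure that matters here.
    """
    return -log2(_sorted_probs(dist)[0])


def attacker_success(dist, attempts):
    """Probability the attacker is right within `attempts` popularity-ordered
    guesses."""
    return sum(_sorted_probs(dist)[:attempts])


def guesses_to_reach(dist, target):
    """How many popularity-ordered guesses the attacker needs before their
    cumulative success probability reaches `target` (None if unreachable)."""
    total = 0.0
    for i, p in enumerate(_sorted_probs(dist), start=1):
        total += p
        if total >= target:
            return i
    return None


def safe_attempt_budget(dist, max_success):
    """Largest number of attempts a site can allow before lockout while keeping
    the attacker's success probability at or below `max_success`.
    Zero means even one free guess is too many for this question."""
    total = 0.0
    allowed = 0
    for p in _sorted_probs(dist):
        if total + p > max_success:
            break
        total += p
        allowed += 1
    return allowed


# Constructed "first pet" distribution: a few very common names plus a long
# tail of 695 names at 0.1% each (0.305 + 0.695 = 1.0). Not real data.
FIRST_PET = {"Max": 0.06, "Bella": 0.05, "Charlie": 0.045, "Lucy": 0.04,
             "Buddy": 0.035, "Daisy": 0.03, "Spot": 0.025, "Fluffy": 0.02}
FIRST_PET.update({f"other-{i}": 0.001 for i in range(695)})

# Constructed stand-in for a self-written question whose answers the attacker
# has no way to rank: uniform over 2**16 equally likely answers (assumption).
OBSCURE = {f"answer-{i}": 1 / 2 ** 16 for i in range(2 ** 16)}


if __name__ == "__main__":
    for name, dist in (("first pet", FIRST_PET), ("self-written", OBSCURE)):
        print(f"{name}: min-entropy {min_entropy_bits(dist):.1f} bits, "
              f"P(success in 3 tries) = {attacker_success(dist, 3):.2e}, "
              f"attempts allowed at 1% risk = {safe_attempt_budget(dist, 0.01)}")
```

The telling number is `safe_attempt_budget`: for the skewed distribution it is 0 at a 1% risk ceiling, because the single most popular answer alone exceeds the budget, while the uniform stand-in tolerates hundreds of attempts before lockout at the same risk.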
So my request to anyone making an authentication system that includes security questions – let me write my own. Please? I have so much fun with it. It’s like writing trivia tailored to myself.
sonic.penguin Said,
June 2, 2012 @ 4:29 pm
Been there, hate the questions they ask for that kind of stuff now, but hey, niahak.org isn't that obscure 😛