I hate these questions. Except for some questions, like "Mother's Maiden Name", there are a lot of them where I won't answer _exactly_ the same way every time you ask me... Where did I go to college? There are three conceptually equivalent answers (abbreviation with periods, abbreviation without periods, full name) that I might be inclined to respond with. Even something as simple as the name of a dog or a make of car often has multiple answers.
Put even more simply: what good is having the best password security on earth if having a 'secret word' that's not subject to the same strict security requirements will still open up an account. I always find it horribly ironic when you're told over and over again, "don't use easy to guess things like birthdays, child or pet names, or your mother's maiden name as a password because it's easy to guess" only to have the next question be, "What is your mother's maiden name?"

The whole concept has always been silly; glad to read a well-reasoned argument against it. But honestly, why should we even need such an argument?
I think Secret Questions are even worse than described in the post. It creates a situation where one hacked web site can reveal critical personal information, such as mom's maiden name, that can be used across a range of sites and offline ID theft vectors.

I also deeply resent random ecommerce sites asking for personal information like the name of my dog or high school. My answer is always a random variation of "none of your damn business." This has caused me some problems when I do need to reset my password, but contacting support resolves it.
A seemingly good question I ran into was "Enter the last 5 digits of your driver's license." I always have my driver's license with me, which sounds good. The problem is NJ driver's license numbers are actually an encoding of your data. The last 5 digits are your birth month and year (MMYY) plus a digit that maps to your sex (0 or 1 for a female, 5 or 6 for a male). My Facebook profile contains the answer to the security question.
Are there _any_ positives for security questions?? Well, I suppose secret questions are good for preventing brute force account recovery. You can't expect to beat security questions in a timely way with an automated attack. You would usually have to rely on manual search or social engineering, as pointed out by the article. But the real question is, why even allow account recovery via a publicly accessible web form in the first place?

So, I definitely agree with the article, there has to be a change. You sure can beat security questions (at least in their current state), but it's probably _much_ harder to get around something like email or SMS verification.

Chase.com and cardmemberservices.com are good examples of SMS/email account verification done right, which I've used with great success, but both of these sites already had my personal phone number, so SMS verification just makes sense for them.

I suppose SMS verification is probably the closest thing we've got to real user verification at the moment, am I silly to consider this the ideal venue for account recovery?

The big issue, then, is it's definitely harder to get a user's phone number than to get their mother's maiden name, but skipping all that extra input and having a simple account recovery email should do the trick, shouldn't it? Most of the time you're already collecting user emails.

Well, the biggest issue with email is that an email account can also be compromised. Perhaps getting big email companies like Gmail to remove security questions from their apps in lieu of SMS verification is the next step, while everyone else just relies on email-based account recovery (unless SMS is an option). If email security was more rock-solid, then email verification is all we need, right?
I'm working for a client right now that's requiring us to collect no less than three "shared secrets" from users who are signing up to buy a product. I can't imagine they'd have less than a 90% drop-off at that point in the sale process.

Oh, they're also requiring that we encrypt the answers in the database. With encryption keys stored on the same server. But that's a separate (and arguably sillier) issue.
I also do not understand the usefulness of "secret" questions ... mostly the correct answer would be far too easy, so everyone with access to my website, Twitter or Facebook pages would be able to answer it (or trick it out of me or someone who knows me).

So now there are a lot of accounts with some very strange answers to their secret questions - answers so far out that I would have to write them down along with the complex password... which makes them completely redundant.
I recall being asked by PayPal what the last four digits of the last credit (debit?) card I used was, when I needed my password.

Problem was that the card had been ditched months ago, so there was no way I was going to remember that. I eventually remembered the password, but I wonder how I would have gained access to my account otherwise.

Some people are too creative with password "security" for their own good.
Bad implementations of a feature do not make the feature bad as well. If you as a site owner allow for example a password reset based on just answering the secret question, guess what: bad implementation. If you don't inform the users what the secret question can be used for, guess what: bad implementation. If your users choose to use a question that has an answer that can be found easily, it's the same as having a user use for password the word 'password'. I can go on and on about how you can get something like this wrong.

Let's say that my computer gets keylogged and the attacker gets the account/password of site X and my email info as well. Now the attacker wants to take over both of the accounts. Let's see how things will go if no secret question is involved: At best site X for a password change will require an e-mail confirmation, probably by just providing the old password the attacker will be able to change it. On top of that the site that hosts my e-mail can't be linked to something else, because of that I guess by simply providing my old password the attacker will get over my e-mail too.

HOWEVER if the sites require a secret question/answer verification the attacker won't be able to take over my accounts. And I am able to change both the password and get full control of the accounts.

Secret question/answer feature should be treated as a MASTER password. You have your casual password which allows you to identify yourself to the system etc but if you want to change some critical information of the account you will have to provide your master password.

If both the site and the user make good use of the feature there is nothing wrong with it.
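An added example (not code from any commenter or site named here) of the server-side handling several comments ask for: it folds the spelling variants the first commenter describes, stores answers as salted slow hashes rather than reversibly encrypted plaintext (the "keys on the same server" problem), and treats the answer as one additional factor that only works together with an out-of-band e-mail token and a lockout, as the "master password" comment proposes. The e-mail token delivery, the 200,000 PBKDF2 iterations and the five-failure lockout are assumptions for this example; none of this raises the entropy of a low-entropy answer like a maiden name.

```python
import hashlib
import hmac
import os
import re
import unicodedata

ITERATIONS = 200_000  # PBKDF2 work factor; a value assumed for this example


def normalize(answer: str) -> str:
    """Fold spelling variants ("U.C.L.A.", "UCLA ", "ucla") to one canonical
    form so a correct answer is not rejected over punctuation or case."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def hash_answer(answer: str, salt: bytes = b""):
    """Store a salted slow hash of the normalized answer, never the answer
    itself: reversibly encrypted answers with the key on the same host are
    no better than plaintext once that host is compromised."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class RecoveryAttempt:
    """Recovery succeeds only with BOTH the question answer and the one-time
    token sent to the registered e-mail, and locks after a few failures, so
    the answer alone never resets the account."""
    MAX_FAILURES = 5

    def __init__(self, salt: bytes, digest: bytes, email_token: str):
        self.salt, self.digest = salt, digest
        self.email_token = email_token  # assumed already delivered out of band
        self.failures = 0

    def submit(self, answer: str, token: str) -> str:
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        # Check both factors unconditionally so timing does not reveal which one failed.
        answer_ok = verify_answer(answer, self.salt, self.digest)
        token_ok = hmac.compare_digest(token.encode(), self.email_token.encode())
        if answer_ok and token_ok:
            return "ok"
        self.failures += 1
        return "denied"
```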
I fully agree with the article and I am also one of the people that give bogus (but consistent) answers to these questions. So for example for 'what is your first pet' I fill in something like 'the last unicorn' or another phrase that has never left my brain.

The article also reminds me of another anecdote. Many years ago in the last millennium I checked out this German teenage forum (bravo.de) because well, I was a German teenager. Anyway, on that forum you could not only give the answer to the security question. They even allowed you to specify the question you want.

That feature amused me a lot and I checked out other people's self-made security questions. Being a teenager forum in the later 90s this is what happened. A very substantial number of forum users had the security question 'what is my favorite Backstreet Boy' or a variation thereof. And, well, pretty much everybody loved Nick Carter. Nobody liked the others. In just one hour I was able to log on to many, many accounts just with the phrase 'Nick'.
I agree with the point that secret questions suck, but the entire idea that any sort of second password is high-security is flawed. Daily WTF did a great write-up (http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx) on how real two-factor authentication requires two distinct forms - one based on what you know, and one based on what you have. Historically the "what you have" has been one of those RSA tokens but now Google is doing some two-factor using phones and it's easy to do this using text messaging as well (as someone mentioned). With this availability of cheap RSA devices and cell phones, I see no reason why institutions such as banks - where I really care about the security of my data - can't implement the same measures that Blizzard does for World of Warcraft.
I use 1Password to generate a 50-character random "answer" for these nonsense security questions. Then I store the question and the answer in a note tied to the 1Password record.

If they really wanted to get clever, 1Password should offer an option to perform this task automatically when you're filling out a registration form.
I have a 'Secure Note' in my OS X Keychain which contains answers to every Secret Question. The answers are 12 digit random passwords (generated by Keychain) containing letters, numbers, and symbols.
Facebook is quite clever about this. To verify your identity under some circumstances, Facebook shows you pictures of your friends and asks you to identify them. It is up to you to figure out the best way to authenticate your users.