It seems like many places are now setting up or making people use ‘security questions’. These are questions (and answers) that can be used to verify your identity in the event that your password is forgotten or you are otherwise locked out of your access. Sometimes they will be all electronic, sometimes they will be asked of you over the phone.

I actually don’t mind the idea of ‘security questions’ so much as the horribly stupid way they are implemented at most places. Here’s a short list of things that I have seen wrong with security question implementations:

  • Forcing you to choose from a standard list of questions people could easily find out: Usually these are things like “Your high school mascot” or “Your mother’s maiden name”. Do you think someone who wants to impersonate you and gain access won’t be able to google where you went to school? Or look up your mother’s maiden name?
  • Forcing you to choose from a standard list of questions people could easily guess about you: These are often things like “What is your favorite color?” If the person seeking your access knows you at all, they could quite possibly guess here and get it.
  • Additionally, if the questions are standardized, an attacker can try and fail on some account they don’t care about; then, since they know what the questions are, they can gather that info for targeting specific users later.

So, how can you do things better? Make the answers and questions something the end user selects. They don’t have to make sense to the questioner, just to you. Free form even allows you to just make both question and answer a random jumble (provided you can remember it or keep it stored safely). The idea is that it should be something only you can answer, and stock questions make it much easier for others to guess or find out your answers.
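As an added example (not code from the original post), here is what a recovery-question store built along these lines looks like: the user supplies both the question and the answer, and the handful of stock questions the post complains about are refused at enrolment. It goes one step beyond the post in that the answer is never kept in clear text; it is normalised (so spacing and case don't trip up the user) and stored as a salted PBKDF2 hash, and checking uses a constant-time comparison. The function names, the in-memory record type, the minimum answer length and the sample questions and answers are all assumptions made for the example.

```python
"""
Added example, not from the original post: a minimal account-recovery
question store where the *user* chooses the question text and the answer.
Goes beyond the post by hashing the answer rather than storing it.
Names, the record type and the sample values are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed list of stock questions the post describes as easy to look up
# or guess; an enrolment that uses one of them is rejected.
WEAK_STOCK_QUESTIONS = {
    "what is your mother's maiden name?",
    "what was your high school mascot?",
    "what is your favorite color?",
}

PBKDF2_ITERATIONS = 200_000  # work factor for the answer hash


@dataclass
class RecoveryQuestion:
    question: str   # free-form text chosen by the user, stored as-is
    salt: bytes     # per-record random salt
    digest: bytes   # PBKDF2-SHA256 of the normalised answer


def _normalise(text: str) -> str:
    # Collapse whitespace and fold case so "Random  Jumble" == "random jumble".
    return " ".join(text.split()).casefold()


def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", _normalise(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enrol(question: str, answer: str, min_answer_len: int = 8) -> RecoveryQuestion:
    """Record a user-chosen question/answer pair; refuse stock questions."""
    q = " ".join(question.split())
    if q.casefold() in WEAK_STOCK_QUESTIONS:
        raise ValueError("stock question rejected: choose something only you can answer")
    if len(_normalise(answer)) < min_answer_len:
        raise ValueError(f"answer too short: use at least {min_answer_len} characters")
    salt = os.urandom(16)
    return RecoveryQuestion(question=q, salt=salt, digest=_hash_answer(answer, salt))


def verify(record: RecoveryQuestion, candidate: str) -> bool:
    """Check a recovery attempt without leaking match length through timing."""
    return hmac.compare_digest(record.digest, _hash_answer(candidate, record.salt))


if __name__ == "__main__":
    # Constructed sample: a "random jumble" question and answer, as the post suggests.
    rec = enrol("Third word on the sticky note in my desk", "Random Jumble 7731")
    print(rec.question, verify(rec, "random   jumble 7731"))  # True
    print(verify(rec, "random jumble 7732"))                  # False
```

Because the question text is shown back to the user during recovery, it is stored in the clear; only the answer is hashed. Whatever front end calls `verify` should also rate-limit recovery attempts, since a free-form answer is still a secret an attacker can try to guess.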