The scourge of security questions

An infuriating security question: "Your favourite shape"

Is there anything more annoying than those security questions you need to log in to certain websites? I cannot understand how they are supposed to make websites more secure.

I understand that passwords can be cracked and the security question is a safety net. But let’s face it. All the advice on passwords is that they are not to be real words. You should insert numerals, use mixed case, special characters; the works. If a password like that can be brute forced, a “security” answer made up of dictionary words, and based on known facts about your life, will be a piece of cake.

Facts like my mother’s maiden name, my hometown or my first primary school are not exactly secret. They can be easily answered by anyone with the slightest knowledge about me.

As far as I am concerned, it is the security equivalent of sticking a Magic Eye puzzle in your porch just in case someone manages to break down your door.

Worse still, a bad security question can lock you out of a website for good. I have seen a security question that was actually impossible for me to answer because it was asking about a life situation that simply did not apply to me. It was offensive as well as being shockingly unusable. I decided not to register for that particular website after all.

What am I supposed to do in that situation? Maybe I could just make an answer up. But how could I remember it? The only way is to write it down. Then it will only get lost in an obscure drawer, or maybe some criminal hacker’s pocket.

Then there are those questions on topics that you simply don’t care about. One certain website that I tried to log in to recently left me stumped. It’s the sort of website I might only log in to once every few years. So my answers to questions like these really could be anyone’s guess:

What was the surname of your favourite teacher?

I’m not sure I had a favourite teacher. Certainly, the person that immediately sprang to mind was not who I would call my ‘favourite’. And who was my favourite teacher five years ago might not be the person I remember fondly now. My favourite teacher back when I was still a school pupil is probably totally different to the person I consider the best one now. As it is, I have absolutely no idea how I answered this question.

What is your most memorable place, but not where you were born or live?

What on earth? What is a ‘memorable place’? Not only do I struggle to have any interest in such a question whatsoever, but I cannot even tell what sort of place it might be. Could it be Edinburgh? The local park? Behind the bike sheds? No idea.

What is your favourite musical instrument?

To play or to listen to? It depends on so many things. It could be piano, marimba, vibraphone, Omnichord… It could be anything, depending on my age or mood.

When I added in the fact that answers are case-sensitive, and that you don’t get repeat attempts at the same question, it soon became clear that I wasn’t going to get access to this website. There is no way for my password to be reset.

Apparently my only recourse is to use the electric telephone. But unless they subject me to a similar barrage of obscure questions, I don’t see what advantage this offers from a security perspective. I can picture it now.

“You are Duncan Stephen?”

“Yes! Yes I am!”

“And you have changed address?”

“Yup!”

“OK! No problem at all! On the basis of this phone call we will now send your new password through the post!”
