Secret Security Questions Are a Joke

Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden's name,' concludes Rosen. Passwords have reached the end of their useful life adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"

Use the First Girlfriend question

[danbuter]

Jokes on them! I've never had a girlfriend!

Mother's maiden name

[AnalogDiehard]

I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.

I had to resort to adding layers of generations when my (now ex) wife attempted to open credit cards behind my back.

Re:Simple solution

[Qzukk]

I once had an account on a site that asked me to select three questions from a list of a couple dozen then answer them.

When I needed to recover my password, it asked me to select the same three questions from a list of a couple dozen then answer them again.

I never managed to recover my password.

Re:Simple solution

[Sqr(twg)]

Or go to passwordmaker.org [passwordmaker.org], and use the security question (all lower case and no punctuation) as URL and your own secret password. Set the character set to hex digits so that the answer is easy to read out over the phone.

Re:Simple solution

[uniquename72]

And as long as you always answer 42, or 416 what is the problem with that?

This is pretty much what I do. I have a password that changes based on the question, but isn't actually the answer to the question.