March 8, 2010

Stupid security questions

It was bad enough in phone-banking days when banks and credit card companies asked for one's mother's maiden name as a so-called security measure, but why re-embrace such easily-guessed queries nowadays -- where a simple genealogical search can find most people's family members in an instant, and Facebook is likely to reveal many of the other "secrets" the online gatekeepers are relying upon?

The BBC has an article today on yet another study demonstrating this obvious security hole, the focus in this case on webmail:

A study has shown how easy it is to guess the answer to common questions, such as someone's mother's maiden name.

It found attackers will be able to break into 1 in 80 accounts if they get three chances to guess answers. . .

In the case of many e-mail providers, they can be used to overwrite an existing password without knowing what it is. . .

One study by researchers from Microsoft and Carnegie Mellon looked at how easy it was for friends and family members to guess answers to security questions. They found that 17% of the answers could be guessed by those who knew a target.

A good strong password should be all you need. The problem is in providing a convenient backdoor for those who forget their passwords. What ticks me off is that this backdoor has been so generally adopted, and with no opt-out option. So instead of having to store one strong password (securely, mind you -- using the absolutely free Password Safe, and keeping encrypted backups), I effectively have to manage four: one for each inane "secret" -- first pet, favorite teacher, school mascot -- each of which is necessarily a long, random string of letters (and numbers and characters, where accepted).
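The workaround described above, treating each "secret" as a secondary password, as an added example that is not part of the original post and not Password Safe's own code. It generates a random answer per question restricted to the characters a form accepts, and converts the article's 1-in-80 figure into the equivalent number of bits so the two can be compared; the question prompts are constructed samples.

```python
import math
import secrets
import string

# Character classes an answer field might accept; many forms reject
# punctuation, so letters and digits are the default.
CHARSETS = {
    "alnum": string.ascii_letters + string.digits,
    "alpha": string.ascii_letters,
    "full": string.ascii_letters + string.digits + string.punctuation,
}


def random_answer(length: int = 20, charset: str = "alnum") -> str:
    """Return a uniformly random answer of `length` characters."""
    if length < 1:
        raise ValueError("length must be positive")
    alphabet = CHARSETS[charset]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, charset: str = "alnum") -> float:
    """Entropy of a uniformly random answer: length * log2(alphabet size)."""
    return length * math.log2(len(CHARSETS[charset]))


def guess_success(bits: float, guesses: int = 3) -> float:
    """Odds that `guesses` tries hit an answer drawn from a 2**bits space."""
    return min(1.0, guesses / 2.0 ** bits)


def effective_bits(success: float, guesses: int = 3) -> float:
    """Inverse of guess_success: how much entropy a given break-in rate implies."""
    return math.log2(guesses / success)


def answers_for(questions, length: int = 20, charset: str = "alnum") -> dict:
    """One independent random answer per prompt, to be stored in the password safe."""
    return {q: random_answer(length, charset) for q in questions}


if __name__ == "__main__":
    prompts = ["first pet", "favorite teacher", "school mascot"]  # constructed
    for q, a in answers_for(prompts).items():
        print(f"{q!r}: {a}")
    # 1 in 80 accounts broken with three guesses is worth under 8 bits;
    # 20 random alphanumeric characters are worth about 119 bits.
    print(f"guessable answer: {effective_bits(1 / 80):.1f} bits")
    print(f"random answer:    {entropy_bits(20):.1f} bits")
```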

Posted by David on March 8, 2010 10:52 AM
