Forty Useless yet Creepy Security Questions
Inspired by the passionate critiques I read at Authentical, here’s mine. Today, a horrific experience establishing an online account with a State of California website. Although creating a new account is almost an automatic activity at this point, I had to try 5 times to create both a username (which had to have letters and a number, and be between 8 and 12 characters) and a password (which had to have letters both capital and lowercase and a number, etc.) that would work. I’m not sure how that ended up being hard for me, but it did.
But the hysterical part was the security questions. This site required me to set up answers to four security questions. My use case for the security questions is for those situations where I can’t remember which particular configuration of password I used and I need to get a reminder or reset it. Isn’t that everyone‘s case? So we need the reminders to be unambiguous. Fact-y type things like the standby Mother’s Maiden Name, or first pet’s name, etc. are pretty common. Obviously, if they are unambiguous, they can be broken. Somewhere someone can find out your first pet’s name. It won’t change. It’s objective.
These questions are much more personal and I suppose thus are less easily divined by an intruder. But the answers are far from immutable. I had absolutely no confidence I could come up with four questions that I would answer the same way 100% of the time. Even if I could fake out my future password-forgetting self by agreeing with him that I would say the Rolling Stones are my favorite band despite regardless of any wavering in my fandom, I couldn’t successfully negotiate the dialog. What was my dream job as a kid? Well, at one point it was stuntman, then actor, then writer, and I think even director (let’s leave the armchair shrink out of this for now, shall we?). If I put stuntman now, what will I remember when I forget my password?
The Four Questions
Taking those sets of questions away from the context of the registration process, I find them quite creepy, evoking some intimacy that doesn’t exist between me and the government website, or those Facebook memes cum virii where your friends exhort you to answer a random set of personal questions and then get other people to do the same.
Note: there are some wonderful satirical examples of bad security questions on Twitter under #BankSecurityQuestionsIdLikeToSee.