
Matt Wilcox

Web Development

Notes Sep 23rd 2014

The insecurity of security questions

Most security questions are at best obstructive, at worst terribly insecure.

How many websites have you used where as part of making an account you must set some 'Security Questions', either as a form of additional security over a password, or to be used as part of a password reset procedure?

They are almost always horrendously implemented, in such a poor way as to become obstructive, and at worst security problems in themselves.

Bad Security Questions

Ones that don't apply

Needless to say, if the question doesn't apply then it's not answerable. "First Car" is useless if I don't drive. Good websites won't force me to answer a question that doesn't apply. Bad ones just expect it to apply, and I have to make garbage up to carry on. No one remembers garbage answers.

Ones that are unanswerable

"Name of first pet". Sounds easy, but if your stupid data rules force a 4 letter answer, then I can't answer that question, because the actual answer isn't one you'll let me have.

Ones that are subjective and changeable

"Your least favourite car"; yep, well, this could change. Assuming I had a least favourite car. Maybe I didn't, and maybe the one I bought after setting the account up was a real heap of crap and I can't remember what car was the worst at the time I made the account.

Common questions

Anything that's a "common" question across other such services. If one account is breached and that answer is exposed, all your accounts that use the same question are breached too. "Favourite Colour" will be the same no matter where I'm asked the question.

Easy to Google questions

Mother's Maiden Name; yeah, that's the same everywhere, it's a common question, and it's usually pretty easy to find out. This isn't a secure question.

What websites should do

Don't offer a pre-set group of questions to answer; no matter how varied the selection, they're likely to be forgettable or inapplicable much of the time. Allow the user to write the questions, as well as the answers. Don't enforce any limits or filters on what a 'valid answer' might be.

You could even ditch the concept altogether and instead give the user one half of a key-pair, tell them to write it down in a secure place, and on future log-ins check what they present against the half you kept. It's a different option, but likely to be less miserable to use than badly done security questions.

What users can do

Assuming you're dealing with one of these crappy scenarios: use a password manager such as 1Password, and don't answer the questions truthfully. Make some stuff up every time, and store those made-up answers in the password manager. Don't re-use the made-up answers on other websites. Sure, you won't be able to remember the answers, but they'll at least be secure.