[personal profile] jack
Recently, someone was ranting again about how most "security questions" still suck.

Seriously, banks can spend millions sending out dongles to all their customers, and disabling "right click", but can't afford five minutes to brainstorm "are these questions ambiguous, insecure, and counter-productive"?

I've seen some reasonable guides for "how to do it right" online. But if you were doing it, how would you do it?

Would you have security questions at all? Is something else better?

If you did, what questions would you use?

What are the salient features? I'd say an ideal question would have: doesn't change (e.g. no "what is your favourite" if it might change over time); not ambiguous (e.g. don't have to guess the capitalisation); not easily googleable; not easily social-engineered; not personal or offensive[1]; not necessarily known by close relatives[2].

Other than making sure our mothers' maiden names[3] and first pets' names are at least 8 characters long and include both a number and a letter...

[1] This one didn't even occur to me until I saw how you can screw it up.
[2] This may be impossible, but you can at least try.
[3] For instance, it is an example of a question which works great with 20th century gender roles...

Date: 2013-11-01 02:08 pm (UTC)
From: [personal profile] sunflowerinrain
Not much idea of how to do it better, but those lists of questions are Wrong. At least people should be able to devise their own question, even if it makes the database more unwieldy.

I recoil in despair at "Favourite $anything" because I don't have a singular favourite in any category, so if those question/answers are enforced I put in the first word that occurs and then I have to write it down because it has no meaning for me (a lot of time is then wasted in re-setting passwords). Often a whole drop-down list of six questions contains no relevant choice because it was put together by someone totally unlike me.

Mother's maiden name is easily visible online for anyone born between 1915 and five years ago: daft choice for security. One's date of birth is also not secret. I once spent time in a financial call centre where the ID check consisted of name, address, date of birth... as if those data weren't publicly available for anyone who isn't hiding in a legally-dubious way!