Warning, I am about to rant.
For all that developers want us to take ownership of our password security, there is a very common part of the account-creation process that can make passwords even less secure. And that is the security question. You know, those questions you’re often asked to answer just in case you forget your password and need to reset it.
Security questions for passwords make me extremely grumpy, and here’s why: security questions are the WORST and LEAST SECURE way to deal with the problem of forgetting a password. Why do I say that? Read on.
When creating an account on a website, sometimes you will be asked not only to create a username and password, but also to answer one or more security questions. The answers you are asked to provide are often your mother’s maiden name, the first street you lived on, your childhood best friend, or something like that. Something easy for you to remember.
The idea is that if you forget your password, you can conveniently answer a couple of questions to prove your identity and reset the password to something new. The problem, however, is that the answers to these questions are often so easy to figure out that they completely invalidate any security provided by the password in the first place.
And if the idea of someone coming up with your answers to security questions seems far-fetched, think again. Someone following you through social media and Google searches can likely build up a decent profile of you and your personal history. Take the example of your mother’s maiden name. This is probably the most common security question around. And who could figure that out, right? Well, if you haven’t restricted access to your posts on Facebook (which you should), how hard is it for someone to search your friend list and figure out that your Uncle Harold’s last name IS THE SAME AS YOUR MOTHER’S MAIDEN NAME?!?
And if you don’t use Facebook, great, but you still get the point.
The solution to this problem is to treat each security question as another password. Use the same best practices for keeping them safe. That means no plain-language answers; use combinations of letters, numbers, symbols, and mixed case instead.
Your answers to security questions will (and should) be impossible to remember, which COMPLETELY DEFEATS the purpose of having them in the first place. And that is why they make me so grumpy.
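To put numbers on the argument above, here is an added example (my own code, not part of the original post) that generates a random answer the way the post recommends and compares its guess space with that of a real-life answer. The 10,000-surname list size and the five-candidate "social media profile" are constructed illustrative figures, and the generated answers are assumed to be stored in a password manager rather than remembered.

```python
import math
import secrets
import string

# The character set the post recommends: letters (both cases), digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def random_answer(length: int = 20) -> str:
    """Return a cryptographically random answer to store in a password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def space_bits(space_size: int) -> float:
    """Guess-space size, in bits, of an answer drawn uniformly from space_size candidates."""
    return math.log2(space_size)


def random_answer_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guess-space size, in bits, of a random answer of the given length."""
    return length * math.log2(len(alphabet))


def effective_bits(password_bits: float, reset_bits: float) -> float:
    """An account is only as strong as its weakest login path.

    If the reset flow accepts a security-question answer, the attacker
    picks the cheaper of guessing the password or guessing the answer.
    """
    return min(password_bits, reset_bits)


def compare_answers(password_bits: float = 60.0) -> dict:
    """Worked comparison with constructed, illustrative figures."""
    surname_list = 10_000      # constructed: a list of common surnames
    profiled_candidates = 5    # constructed: names left after browsing a friend list
    random_len = 20
    return {
        "maiden_name_unprofiled": effective_bits(password_bits, space_bits(surname_list)),
        "maiden_name_profiled": effective_bits(password_bits, space_bits(profiled_candidates)),
        "random_answer": effective_bits(password_bits, random_answer_bits(random_len)),
    }


if __name__ == "__main__":
    print("example random answer:", random_answer())
    for label, bits in compare_answers().items():
        print(f"{label:>24}: account effectively {bits:.1f} bits")
```

The "profiled" row is the post's point: once the answer space shrinks to a handful of names discovered on social media, the password's own strength no longer matters.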
The good news is that many developers have figured out that using security questions to verify identity for a password reset is a terrible practice. That’s why you’re more likely to be asked to click a link in an email now to verify your identity, rather than answer a question. However, there are still some institutions that hold onto this archaic practice, like banks. And since many banks have ATMs that run an operating system for which Microsoft stopped issuing security updates years ago, it’s not a big surprise.
Have fun, and be safe!
Rob Parker, aka the Grumpy Designer