I signed up for an airline rewards account, and encountered something I had noticed before. I could not guarantee that I would be able to reliably respond to any of the offered security questions.
For example:
What is your favorite pizza topping?
I dunno. I’d probably say green peppers and onions, but my wife likes neither, so we generally get mushroom. And depending on the pizza, I might like sausage, veggie, or just plain cheese…
I had similar difficulty with all of the suggested questions.
Once questions get beyond Mother’s maiden surname, or name of first pet, or such, I have a hard time coming up with an answer I will reliably provide.
Even the name of my grade school. Would I answer Jones? Peter Jones? Or Peter A Jones?
Or favorite car. 69-72 Cutlass, but will I provide the year? Just Cutlass? …
How do you deal with “security” questions like this, without simply choosing obvious things anyone remotely familiar with you would know? Are most people able to remember their responses and repeat them accurately?
For things like car and high school, I get tripped up sometimes, for those same reasons. Most fact type questions, I just try to answer exactly the same on every site, even if it’s not the answer. So if the question is ‘what city…’, I’ll just use the same city for everything, or close to it. However, lately I’ve seen ones that I don’t even know the answer to, things like ‘Paternal grandmother’s middle name’ or ‘Who sat next to you in 3rd grade?’. Sorry, I don’t know those and if they’re the only ones I’m offered, it likely means I’ll have to call in when I eventually get myself locked out of the account.
I have some stock answers to security questions I use if I can’t make my own custom question and I decided on some rules early on that I stick to like no abbreviations, no punctuation and no capital letters.
Agreed. It’s bad enough that the idea of "your favorite _____ " is somewhat silly to me. Favorite color? Really? It’s just a color, and I’m not a pre-teen girl trying to match everything in purple. Or worse, I used to try to use the color Red because I knew I’d consistently remember it. Except a lot of the safety questions now say that 3 characters for an answer is too short. That’s so stupid. Don’t tell me to pick a favorite, and then not allow an answer.
My pet peeves of safety answers in no particular order…
Not allowing my valid answer. i.e. ‘Red’ not being allowed because it’s too short of an answer.
Ambiguous questions. ‘Favorite’ type questions allow a lot of ambiguity. Also things like “Childhood best friend first name.” Well I was a kid, depending upon how old I was, I had different best friends.
Questions that could correctly be singular or plural. i.e. School Mascot. (Indian or Indians? Tiger or Tigers?)
Vague Questions. Similar to Ambiguous questions I suppose; but the ones where a specific answer isn’t defined by the question. This is touched upon by Stickler but things like “Street where you grew up?” Is the answer 123 Main St., Main? Main Street? or some other variation.
My favorites are the one where I supply the question and answer. Or where I provide a phrase that will remind me what my password is.
They are frequently ambiguous, but I ran into something a few years ago I could not have foreseen: I had no answers at all for the options I was given. I remember that the first question was “What is your favorite sports team?” I do not follow team sports (national or college) at all and have never done so. The rest of the questions also had NO answers that wouldn’t be totally made up on the spot. I can’t remember all the options, but I was supposed to pick two of them.
I need to do something like this. For “what was your first car?” I never remember if I answered “VW”, “Volkswagen”, “Bug”, “Beetle”, etc. I used mother’s maiden name once and it turns out I wasn’t certain of the correct spelling.
I get up on First ___ sometimes; for example was my first car my parents’ car that I got to drive on a somewhat regular basis or the first one that I bought & what mood was I in when I filled this question out 5 or 10 years ago; pedantic or glib?
Also the ones with no logical answer, like Middle name of your oldest nephew. I don’t have any nephews, so [del]do[/del] did I put “I don’t have one” or “none” or “doesn’t exist”?
Have you ever heard you make the answer to every security question either “Fuck you” or “I can’t tell you that”. Makes for some fun calls when customer service asks you your security question answers.
They should let the end user create their own security question as well as its answer. I can damn well create security questions that I would absolutely positively answer the same way 35 years from now, but no one else is going to come up with the answer to.
But no, they hardly ever let us create our own questions. They’d rather ask horrible questions like these that either don’t have answers or don’t have obvious single answers:
For a long time I answered all security questions with the exact same answer, completely ignoring what the question was:
What street was your house on when you were growing up?
answer: I hate security questions*
… but then eventually I ran into sites that had additional requirements (“You can’t use the same answer you used in a previous question”) (“Your answer must contain at least six words”) (“Answer must be numerical”)
Hate them, hate them, hate them.
Oh, yeah! Thanks! That was one of the questions for which I had no answer. I think the question was, “What is your oldest sibling’s middle name?” Of course, many people don’t HAVE any siblings, but I’ve got three. Unfortunately, none of them (including me) have middle names.
I hate those things. I always go digging for the rare unambiguous/applicable question, like “what’s your mother’s first name.” You know, the ones any stranger could google for.
At least once I just picked random questions and filled in them all with something like “fuck this shit”.
I had to change my security settings on GMail this week, and Google told me that security questions were no longer considered a Best Practice.
I’ve hated them for all the reasons listed upthread, but what about the folly of having a question that is only aimed at one person in a couple? My wife and I have joint accounts on several sites. Questions like, “Where did you meet your spouse?” apply to both of us. However, “Who was your best friend in high school?” throws us for a loop. Do they mean her best friend or mine?
I’ll be glad to see security questions flushed for something more secure.
I run into this all the time. Name of your favorite teacher? Name of your first pet? Etc.
And the ambiguity. Street name of your childhood home? Which one? Do I include the “SW” part? The “st”/“ave” part? Do I spell those out? Use capitals? Etc. No one with any brains would for one second pick that as a question.
These are ridiculous and horrible.
We had a major problem a few years ago when Mrs. FtG mistyped an answer to one of the questions. Got locked out of the account, couldn’t answer the security question. Had to call someone, a lot of nonsense followed. The person on the phone realized the mistake but couldn’t explicitly tell us the answer so there was some hinting and such.
It’s all security theater.
Worse, despite the NIST two years ago declaring two-factoring authentication to be easily beaten, more and more companies are insisting on it. That’s some fine security work there, Lou.
Whatever I’m in the mood for. Which might be a legitimate answer to a “security question” (assuming it allows me an answer that long), but only if you remember the precise wording and spelling. Because “security question answers” are teeth-grittingly literal.
It was a Malibu. Or was it a Chevelle? It was both, and I can’t remember which one I chose.
More than a few sites I have to access have a limited “multitude”, and most of them had the same huge fault: they don’t have a definitive answer.
“Works for me” is not a meaningful defense of a fundamentally defective security tool.
I treat security questions as just an additional backup password and use my password safe to generate a unique pronounceable password for them, then enter the security question and password in the safe.
It’s slightly tedious, but it’s much better than the other two options, which are
Reducing security by providing a way into my account without my password that is easy to find out. The street I grew up on or my teachers’ names are not hard to discover.
Something I’m not going to remember anyway, because tastes change. My favorite movie/song/pizza topping isn’t going to be the same in five years.
I went with pronounceable because occasionally you have to say them over the phone, and at one point I did have to spell out something like HWiwfnjwekhfus72 to a very confused front-line support person who probably thought we had a really weird dog growing up.
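An added example, not part of the original post or any password manager's code: one way to generate a separate pronounceable random answer for each security question before storing the question and answer in a password safe. The alphabet, word counts and function names are assumptions chosen for illustration.

```python
import secrets

# Assumed alphabet: letters that are hard to confuse when read over the phone.
CONSONANTS = "bdfghjklmnprstvz"  # 16 choices
VOWELS = "aeiou"                 # 5 choices

def pronounceable_word(syllables=3):
    """Build one word from consonant+vowel syllables using the OS CSPRNG."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(syllables)
    )

def generate_answer(words=4, syllables=3):
    """Lowercase, no punctuation, no abbreviations: nothing to misremember."""
    return " ".join(pronounceable_word(syllables) for _ in range(words))

def entropy_bits(words=4, syllables=3):
    """Each syllable is one of 16 * 5 = 80 equally likely choices."""
    combinations = (len(CONSONANTS) * len(VOWELS)) ** (words * syllables)
    return combinations.bit_length() - 1  # floor(log2(combinations))

def answers_for(questions, words=4, syllables=3):
    """Map each question to its own random answer, never reusing one."""
    vault = {}
    for question in questions:
        answer = generate_answer(words, syllables)
        while answer in vault.values():  # sites may reject repeated answers
            answer = generate_answer(words, syllables)
        vault[question] = answer
    return vault

if __name__ == "__main__":
    sample = ["Favorite pizza topping?", "First car?"]  # constructed sample
    for question, answer in answers_for(sample).items():
        print(f"{question} -> {answer}")
    print("entropy (bits):", entropy_bits())
```

With the defaults each answer is four six-letter words, which also clears the minimum-length rules mentioned earlier in the thread.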
What’s real sweet is that we have some shared accounts for support sites and vendors at work, so if the person that set up the account didn’t document their answers, we’re kind of screwed. I think one answer was George Washington-- for Favorite Teacher. Fortunately it was documented or we would have had a heck of a time retrieving our license keys since the person that set up the account is long gone.
I don’t even know my mother’s maiden surname. It’s ambiguous. She was born to a young couple who may or may not have been married, so I’m not sure if her birth certificate has her mother’s maiden name or her father’s name as her surname. When she was eight, her mother showed up with a new husband, and they told her it was a secret that this man wasn’t her father, so her school records showed his name as her surname. When she eventually married my father, that man’s name was listed as her last name, even though she’d never been adopted and, I believe, never went through any formal process to change her name. So, for me, the question has at least one and more accurately two types of ambiguity.
Besides, that’s not a very secure piece of personal information. You know all those ads for family tree software, and all the DNA testing ads? Most of their intended customers would be able to dig up this piece of information for a random stranger.
Somebody on another message board recommended using the same answer for every question:
Q: Favorite pizza topping? A: Waffles
Q: First car? A: Waffles
Q: Mother’s maiden name? A: Waffles
Q: Favorite teacher? A: Waffles