Why can't I make up my own security questions (and answers, of course)?

Seems to me that almost every time I have to answer somebody’s security questions, no unambiguous answer applies (or the question is flawed because there are only a few possible answers). As an example of ambiguity, I can’t choose the one that asks “What street did you grow up on?” either because I lived in seven houses between the age of 3 and 13, or because I grew up on 98th street, which might be spelled the way I just did or spelled out in words (with or without a hyphen) or I might spell out “street” or abbreviate (or capitalize it) or omit it altogether. My grade school, likewise, could be named in a variety of ways, all equally plausible.

But if they let me invent my own question, I could come up with some that are both unambiguous and impossible to guess. I’d choose, say, “what is Arthur’s middle name?” There is only one Arthur I know (and I know him well–he was my best friend growing up) and I know how he spelled his middle name. “What was grandma’s name for you?” likewise. “What was the number of the bus that took you to middle school?” “What was your sixth-grade teacher’s first name?” “Which country was your paternal grandfather born in?” “Which bridge did your dad like to walk to on Saturday?”–I have dozens of questions, and so do you, that I can spell only one way, but which anyone else couldn’t possibly get on fewer than 20 tries.

So why am I stuck with the same standard security questions on every website? Is it a failure of imagination on the IT people’s part? Is there some technical problem in letting people make up their own questions? is it because most people would make up questions that are too easy to guess?

Someone suggested to me that that last question is probably it. "Ya let people make up their own questions and they’ll make up questions that are easy to remember but easier to guess. How many Beatles were there? Who was President before Trump? Like that.

So what I’d do is give people a choice: Use our dumbass questions, OR make up your own (and warn them that it’s easy to guess “Four” and “Obama” to those questions, so come up with something more personal to you.)

How come they do not provide this option?

They ask the questions they do so that you have easy access to their answers. They don’t care if you lived on twenty-seven streets as long as you think of Main St. when asked the question. If you don’t want to answer the question truthfully you can give a memorable lie, like Pennsylvania Avenue. Or Blue. Blue works as a perfect answer for any possible question. (It is not an answer I ever use, of course.)

The point is that the answers for the questions sit in an accessible database at their end. Letting you make up your own questions mean they have to store your questions along with your answers, a nuisance at best. They have enough problems with people forgetting the answers to straightforward stock questions without them forgetting their own made-up questions as well.

The flaw with imaginary answers is that you probably won’t remember them after a couple of years, rendering them useless. One friend suggested that I use "FUCK YOU’ and “DROP DEAD” and “GO TO HELL” as my all-purpose answers but that’s the same problem all over again, I won’t remember which one I used for “What was your childhood street?” and which one for “What was the name of your first pet?”

And why do I care if they hold onto “What was Arthur’s middle name?” securely? They can publish it for all I care–the whole idea is no one but me knows who Arthur is.

My answers to all of those questions was “they sure as fuck are” which is the appropriate answer to the question “Are security questions annoying as all fuck?”

Problem is, at some point I hit a website that asked me three questions and would NOT let the three answers be the same, which ruined my strategy.

I have a few sites that allow me to set my own questions. You have to make sure your spouse or other emergency person knows your idiosyncratic questions and answers.

You can always set your own non sequitur answers to the set questions. For example:

  • What year did you get married?
  • Richmond, Virginia

One of my clients is a company that provides identity management tools for websites, and my understanding is that security questions are gradually being phased out as an identification tool, for a couple of reasons.

One is that they’re a hassle to manage, on the service provider’s side, mostly because a large number of users can’t remember what they provided as answers to their security question (which they had often done years ago) – when a user can’t remember the answer to a security question, it typically forces a password and/or username reset, which is a non-zero cost for the provider, and also can be a frustrating user experience (which can lead to lost users/lost revenue).

The other is that the information that’s commonly used in security questions (mother’s maiden name, favorite band, etc.) is often something that hackers can suss out via social engineering – those fun “quizzes” on Facebook that ask about your first job, the name of your first pet, etc., are sometimes a way to farm possible answers to common security questions.

Well, yes. That’s the source of frustration–the answers are impossible to remember after a number of years for most questions, given that you’ve got to punctuate them, spell them, capitalize them, perfectly precisely. Questions like “What’s your favorite food?” are changeable, especially if you’re going back a few years. but even if the answer is instantly clear, and always has been, you’ve got to remember if you spelled it "mac’n’cheese’ or “Macaroni and Cheese” or any number of variants on that. If not, you’re as out of luck as if you’d forgotten the dish entirely.

It may be asking too much to let people design their own questions and answers, though, because it takes a certain amount of playful intelligence to devise questions that have unambiguous but memorable answers.

Those Facebook quizzes crack me up. It’s been obvious for years that they are designed to capture security information, but people seem to love them because “At last! Here’s a question I know the answer to!! And I can share my idiotic memories that mean nothing to anyone but me with the entire world, thus demonstrating how brilliant I am!!” I’ll bet if you asked “What is your social security number” or “what is the number on the lower left-hand corner of your checks?” you’d get a few takers.

I wish.

I’m trying to do something on line, and i messed up the password, so i asked them to reset it, and THAT’S when they asked the stupid security questions. Where was i born? Well, i know where i was born, but did i capitalize it? Did i spell it out? Did i include the state?

Anyway, now i need to wait until Monday and call someone. Yes, I’m frustrated. And yes, it will cost them money.

What gets me is that this problem, endemic to the whole concept of security questions as they’re universally designed, first popped up 20 or 30 years ago. They’ve certainly been pissing me off for decades. Intelligent folks like you and me have been pointing out the flaws, yet the system just keeps chugging on. If I did my job this poorly, I would have been fired and the job done well by someone who knew what he was doing literally decades ago. (That btw was why I put this Great Debates originally–I’d really like to hear from people in IT who’d be able to defend the security set-up. Oh, well, we can piss and moan about it, too.)

Well, no. The problem here, again, is that you’d need to remember what you wrote years after you wrote it. AND you’d have to remember that you wrote “Richmond, Virginia”–did you use that comma or not? Did you abbreviate “Virginia” as “VA”? Did you just write “Richmond”? Or just “Virginia”? What are the odds against your even remembering that you didn’t write another non-sequitur answer?

There are some questions where the answers never change and they are easy for me to know:
-Where did you meet your spouse
-what color was your first car

For the rest I have a couple of set answers to certain kinds of questions:
-any pet question gets the name of my all time favorite cat

-if there are stupid name questions and few other options (like your 2nd grade teacher’s name … that was almost 60 yrs ago, ffs!) I also use that cat name.

-if it’s a “Where …” type question that I don’t have a real, single, and obvious answer to, I use the name of my favorite place in the world, a place that is my heart’s home though not my real home.

I know someone who just uses the last word in whatever the question is for the answer.

Fortunately these days these stupid security things seem to have dropped the case requirement, which makes it a bit easier. anne=Anne and Broadway = broadway, no memory required.

I believe the IT answer is that two factor authentication is better.

Let me take your examples to show why those are difficult questions for me:

  1. I met my spouse in a place that has several names: it was a little tiny town in upstate NY that had its own post office, but little else, and everybody who visited us got told to go to the slightly bigger town (that had its own exit on the Thruway) and to keep going an extra 1/4 mile and turn onto a dirt road. There is ZERO chance that my ex-spouse even remembers the name of the town, and probably not the name of the slightly larger town, either. I’d guess that most of the people who I lived with there 50 years ago don’t remember it either.

  2. Was my first car the car I inherited (but never drove) when my parents died? It stayed registered in my dad’s name, and I sold it pretty quickly, but maybe that was my first car. If it was, I don’t know what color it was. Purple? Violet? Maroon? Dark Red? Some other name made up by the manufacturer? Or maybe my first car was the one my wife owned (and I drove) when we got married. Again, not registered in my name (I don’t think we bothered to change the registration) but maybe it was legally mine anyway. Or do you mean the first car I bought with my own money?

BTW, I remember my second-grade teacher’s name perfectly. But do I answer that with “Miss” before the name or just the last name? You didnt specify so maybe you want her first name too?

This foiled my perfectly memorable answers on some long-abandoned account.

I always hated “What is/was your favorite…?” Honestly, I don’t know that I ever had a favorite movie or book or teacher that stayed my favorite. And, yeah, I could just set a personal standard where book = Cat in the Hat and movie = Gone With the Wind and teacher = Aristotle, or some such.

A few of my accounts authenticate by texting me a code that I have to input. Short of someone stealing my phone, how can that be compromised? FWIW, I don’t access such account info on my phone anyway - it’s all done on my PC, so even if someone stole my phone, it’s pretty remote that they know the company, the account type, my userID, and my password…

Of course, people will continue to use 12345 as their password, because stupid.

JFC, then don’t use those.

Where did you meet your spouse? New York

First car color? Pick a car that you liked and remember.

You are making this WAY harder than it needs to be, and I don’t want anything.

I also have a string of numbers I use that has meaning to me. It isn’t quite 12345, It’s about 15 digits, and I can rattle it off without really thinking about it. I use it for sites that don’t mean anything (no personal info) but that insist you log in.

The number of totally unambiguous, easily memorable, answers is staggering, the more I think about this.

What is cousin Melvin’s last name? what’s the last name of almost anyone I’ve ever met with an unusual first name, for that matter? What did all three authors you wrote your final paper on in college like to drink? What were the last four digits of your childhood telephone number? which building did you attend most of your college classes in? for which ailment were you hospitalized in 2004?

“Like and remember” isn’t so easy. I liked several cars, and remember them all. Sure, I can remember which one I picked for a few days afterwards, maybe a few months if I’m lucky? But years later, when I’m going to need the correct answer? Not much chance.