Why can't I make up my own security questions (and answers, of course)?

This is probably worth its own thread, but this has been my pet peeve for years. 99.9999% of the time I am the only person looking at the screen when entering a password. And if somebody’s looking over my shoulder, I’m not going to type in a password.

Now, at least, most sites allow you to click on the ‘eyeball’ to reveal what you’ve typed before you hit enter.

They are, indeed. I did a little googling last night on “companies phasing out security questions,” and I found articles from five to ten years ago, all of which said, “Security questions are a joke, they’re terrible, they’re a pain in the backside, and the industry needs to move on from them now.”

So, it’s not like experts in identity management have just come around to this realization. It’s just lousy user experience (UX) practices that refuse to go away. And, a company that has kept security questions as part of their identity management practices likely doesn’t particularly care about making things easier for customers to use and more secure.

Also there’s the matter of large legacy systems. Which should not be an obstacle but can still be a PITA to migrate from.

One of my online sites used to have a system of verifying a preselected graphic before entering the password, and gave up on it probably on the realization there would be a kajillion people that chose the same graphic.

I have been lucky with my few sites that still use security questions in that the set of questions has been straightforward enough that I can give an answer that will not confuse me. Helps that I actually know the names and birthplaces of all my parents and grandparents.

Oh and as for the questions that ask about a city or town location… For their purpose “Burlington” is good enough, I need not add “Vermont” or “United States” or any of their abbreviations.

I suspect that most systems don’t care if the user enters one word, multiple words, cities + states, etc.; it’s likely more an issue that a question like, “In what city were you married” can have multiple, correct answers (city only, city + state, etc.), and if the user can’t remember exactly how they answered the question when they set up their account, it’s not much better than a question for which the user can’t remember their answer at all.

I literally can’t remember the last time I needed to answer all three security questions. Just getting one has become rare. Verification codes predominate.

I think the industry has indeed moved on. The ones which haven’t are probably still using the legacy systems that they developed at the beginning and don’t want to have to switch out of them.

You can’t make up your own questions but you can make up your own answers with a password generator. Nobody said the answers had to be correct.

“Where did you meet your spouse?”

ABCDEFGHI1234!@#$

Obviously this will only work on a computer or smartphone (since you can just copy and paste and not have to memorize something random).

Actually, most systems in my experience will not permit copy and paste. You must type in your answer letter by letter.

How are people managing 2-factor authentication when you’re out of the US?

Those of you whose reaction is “just pick an answer, it doesn’t have to be a literal answer to the question, what’s so hard about that?” – I don’t know if I’m impaired or you’re blessed with a rare cognitive skill or we just aren’t communicating.

Question A says “What was your favorite musical group in high school?” Truth is, yeesh I didn’t have a favorite, I didn’t even have one favorite each for rock, classical, and folk. And does Joan Baez count as a “group”? How about Neil Young? So yeah I can “just pick an answer”. Fine: Pink Floyd.

If this were the only web site for which these damn security questions exist, that would work.

But multiply this situation by 100 different companies/organizations and their infernal security questions. Banks, medical offices, places I order fresh produce from for godsake, uber, my own website’s hosting company, my school, the DMV, Costco, the people I order firewood from…

They don’t all ask the same security questions. Worse, they often ask similar but not quite identical questions. “What was your favorite ROCK group when you were a TEENAGER?” Oh my. I didn’t discover Pink Floyd until high school. I was really into Jim Croce back before that, but is that a ‘group’? Yeesh.

After a while, this is a lot of semi-accurate answers to have committed to memory.

The security folks in IT think this makes everything more secure. It doesn’t – now we’re writing all this mess down somewhere so we can keep track of it.

If we could make up our own questions, it would be a lot more secure. They could bloody well find the storage space for questions as well as answers. It’s not like we’re uploading a 400 MB mp4 of our eyeball reacting to three different lights. The purpose behind all this charade is to make it a lot more secure. Let’s stick with that. What they’re doing now doesn’t work well for us and we defeat the purpose by writing down the answers somewhere, probably in an unencrypted Word file.

“Security Questions” are simply a bad idea that ought to be purged with fire, for the reasons already mentioned. I can’t think of any case where you aren’t better off supplying a non sequitur answer to any site that still insists on using them (and storing the answer in whatever password management system you use as a backup password, which is effectively what it is).

Security questions are bad, but making up your own questions is definitely not the answer. The vast majority of the public knows pretty much nothing about security, so you’re going to get a pile of questions with easy-to-guess answers like “How old were you when you started college?”, “What day of the week were you born?”, “How many living grandparents do you have?”, etc. Then the first company that does this is going to find themselves in the news – “Major security breach at XYZ Corp!” Even if you and 95% of everyone else are smart enough not to do this, it only takes a handful of breached accounts to generate a slew of bad publicity, maybe even enough to put the company out of business.

That’s a problem, but not insurmountable.

You make inventing your own questions an option, and you provide warnings that questions whose answers are very limited (such as a day of the week, or a common age to begin college) are not good choices.

Some of the questions currently being asked, of course, have a limited number of answers, too: the color of your first car, for example. A hacker could get into hundreds of people’s systems by guessing “Blue” and “Black” and “White” and “Gray” until the cut-off point arrives. That’s not exactly fool-proof security, is it?

I see. Just like warning people not to choose weak passwords results in everyone choosing strong passwords?

One could include such a warning, but unless you had a way to actually prevent people from creating that sort of question (which would probably be difficult to do in the sort of freeform question + answer that you’re envisioning), I suspect that most users would still wind up creating questions and answers which are highly easy for them to remember (and, thus, also probably highly obvious in many cases). You gave some examples earlier which are really obscure (but you feel would be very easy for you to remember), but I would expect most people wouldn’t choose something like that.

Exactly. You can strive to educate people but there’s nothing to be done about self-destructive idiots. I suppose you could program the system to reject days of the week, numbers from 1-20, and a few other dumb choices. You can tell people not to choose 12345 as a password, but it wouldn’t be any harder to make that impossible than it would to make other answers unacceptable.
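The two mechanical points raised in this thread (that “Burlington” and “Burlington, Vermont” should not be treated as different answers, and that a system could refuse obviously low-entropy answers such as weekdays, small numbers or car colors) can both be handled at enrollment time. The following is an added example, not code from any site discussed in this thread; the weak-answer lists and the PBKDF2 parameters are assumptions chosen for illustration. It normalizes an answer before hashing it, rejects answers from a small blocklist, and stores the result the way a backup password should be stored: salted and hashed, never in plain text.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed blocklists for this example; a real deployment would maintain its own.
WEEKDAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
COMMON_COLORS = {"blue", "black", "white", "gray", "grey", "red", "silver", "green"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the platform


def normalize_answer(raw: str) -> str:
    """Fold case, Unicode form, punctuation and whitespace so that
    'Burlington, VT ' and 'burlington vt' compare equal."""
    text = unicodedata.normalize("NFKC", raw).casefold()
    text = re.sub(r"[^\w\s]", "", text)  # drop commas, periods, apostrophes, etc.
    return " ".join(text.split())        # collapse runs of whitespace


def check_answer_policy(normalized: str):
    """Return a rejection reason for low-entropy answers, or None if acceptable."""
    if len(normalized) < 4:
        return "answer too short"
    if normalized in WEEKDAYS:
        return "day of the week is too easy to guess"
    if normalized in COMMON_COLORS:
        return "common color is too easy to guess"
    if normalized.isdigit() and 1 <= int(normalized) <= 20:
        return "small number is too easy to guess"
    return None


def hash_answer(normalized: str, salt: bytes) -> bytes:
    # Treat the answer like a password: salted, slow hash rather than plain text.
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll_answer(raw: str):
    """Normalize, apply the policy, and return (salt, digest) for storage."""
    normalized = normalize_answer(raw)
    reason = check_answer_policy(normalized)
    if reason is not None:
        raise ValueError(reason)
    salt = os.urandom(16)
    return salt, hash_answer(normalized, salt)


def verify_answer(raw: str, salt: bytes, digest: bytes) -> bool:
    """Normalize the attempt the same way and compare in constant time."""
    candidate = hash_answer(normalize_answer(raw), salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enroll_answer("Pink Floyd")
    print(verify_answer("pink  floyd!", salt, digest))  # normalization makes this match
    print(check_answer_policy(normalize_answer("Blue")))
```

Normalization deliberately stops at case, punctuation and whitespace; stripping a state or country from a city answer would require guessing what the user meant, which is exactly the ambiguity the thread complains about. The policy check only catches the obvious cases a reviewer in this thread listed; it does not make an answer strong, it only refuses the ones that are trivially weak.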

Very true, and the issue, when it comes to easily-guessed answers to obvious security questions, is that it not only opens up the clueless/naive user to having their accounts hacked, but it also opens up the service provider (the owner of the website) to fraud and malicious attacks.

And remember these are also people who, no matter what the security questions (IT-made or self-made) are, still respond to “emails from HR” and willingly answer their mother’s maiden name, first pet’s name, street they grew up on, first model of car, etc.

Car colors are pretty easily guessed. You give me 100 accounts with that question, and I’ll guess “Blue”–how many times do you think I’ll be right? I’d say I’ve hacked 20 accounts.

To be clear, I’m not disagreeing with you on this – too many “stock” security questions are weak, because they either (a) have a small number of obvious answers, and/or (b) are easily compromised by social engineering.

The point was that “make your own security question” is going to lead many users to create their own questions and answers which are every bit as weak.

And, as I’ve noted several times already, the real answer to this issue is for service providers to stop using security questions as a method for identity verification.

Our office manager chose his favorite scent as his password. Of course, he saved the misspelling, “lavader” 🤨