Work has decided to outsource some parts of HR to a random website, which, if it means I never have to faff about with emailing spreadsheets to claim holidays, is a very good thing. On signing up to said website, though, I was asked to pick a random security question and an answer. And all of the questions were bad. Here’s what I could pick from:
- What is my favourite pet’s name?
- What is my mother’s maiden name?
- What is my favourite movie?
- What secondary school did I go to?
- What is my ultimate dream car?
- What is my favourite food?
Straight off we have to eliminate mother’s maiden name as amazingly insecure. Never mind that it’s a matter of public record if you care enough (hell, some people have their mother’s maiden name as their middle name), it’s a question that everyone uses. Now, I’ve heard of people who decide on a different maiden name each time, but that’s an explicit acknowledgement of how bad such a question is.
What secondary school you went to is also problematic because, in this age of social networks, this sort of thing is also very easy to find out. (A better choice is to name your primary school, because nobody lists that on their CV, and by the time you reach your 20s you’ve almost certainly lost touch with everyone in your primary school.) Nonetheless, that’s the one I picked because all the others are even more problematic: while the bad guys might not be able to work them out, chances are that in a year or two, neither will you.
Favourite pet? Favourite movie? Are you sure these won’t ever change? In an age of regular improvements in material sciences, propulsion techniques and design, can you be sure that your ultimate dream car will continue to be your ultimate dream car for the rest of your life? (If it’s not the DeLorean DMC-12 or Porsche 911, then you will change your mind.)
(“Name of first pet” is an improvement over “Favourite pet’s name”, but not by much, because it’s part of your porn star name.)
And, hell, how many people have a clear stand-out favourite food? That they’ll reliably remember and re-type?
Bear in mind, this is something you’re going to think about briefly when filling in a form, then not think about for ages - until suddenly you need to log in to a site, you’ve forgotten your password, it’s asking you for a security question and, if you get this wrong more than a handful of times, you’re locked out forever. Your answer has to be intensely memorable, and yet private, and there has to be only one way for you to type it.
Years ago I was in the pub with a few fellow IT geeks, and this topic came up, and someone mentioned the question “Where did you lose your virginity?” - on the grounds that presumably only two people know the answer in the vast majority of cases. Upon subsequent discussion, the flaw in this approach was revealed: too many people would have very similar answers, e.g. “my parents’ bedroom” etc.
Cahoot gets this right. It has a number of security questions, which are unequivocal. A memorable year can only be 4 digits (or, if you’ve decided it’s a date BC, or a geological date, or a Star Trek star date or something equally unusual, you presumably remember how it is that you’d type it). A memorable place can similarly only be spelled one way (again, if it could arguably be either Florence or Firenze, you presumably remember which spelling is most memorable to you). Best of all, by saying “memorable”, it gives you latitude in deciding what it is that you want to remember, which makes the answer more personal and therefore more difficult to crack.
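The “only one way to type it” point has a server-side counterpart: whatever the user enters should be canonicalised (case folded, accents and stray spaces removed) before it is compared, and the answer should be stored as a salted, slow hash rather than in the clear, exactly as a password would be. The snippet below is an added illustration written for this post, not Cahoot’s implementation or anything from the HR site; the scrypt parameters, the 4-digit year rule and the canonicalisation choices are my assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Assumed work-factor settings for scrypt; tune for your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def canonicalize(answer: str) -> str:
    """Reduce an answer to one spelling: strip accents, fold case,
    and drop everything except ASCII letters and digits, so that
    'Florence ', 'florence' and 'FLORENCE' all become 'florence'."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", stripped.casefold())


def is_valid_year(answer: str) -> bool:
    """A 'memorable year' is accepted only as exactly four digits
    (assumed rule), which removes the 1985 / '85 / 85 ambiguity."""
    return re.fullmatch(r"\d{4}", answer.strip()) is not None


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted scrypt digest of the canonical answer, never the
    answer itself. Returns (salt, digest) for persisting alongside the user."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        canonicalize(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed sample: enrol the answer 'Florence', then try variants.
    salt, digest = hash_answer("Florence")
    for attempt in [" florence ", "FLORENCE", "Firenze"]:
        print(repr(attempt), verify_answer(attempt, salt, digest))
```

Canonicalising is what makes the Florence/Firenze caveat in the post a user decision rather than a typing hazard: the two spellings still stay distinct (they are different words), but capitalisation, trailing spaces and accents no longer cause a lockout. Hashing with a salt and a memory-hard function means a leaked database of answers is no easier to exploit than a leaked password table, which matters precisely because, as the post notes, so many people’s answers to these questions are guessable.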