Password security questions

There are many websites, forums and other similar resources with a user login and password access. In order to make it "safer" to recover or reset a password, some of these sites offer a "security question".

A security question is something like "what's your mother's maiden name?", and if you give the correct answer, you get your password (or you get to reset it).

Some sites allow you to write the security question yourself. However, many such sites just give you a choice from a set of predefined questions.

What amazes me is how the h*** do they think these questions are in any way "secure"? It doesn't take much research and a few phone calls for even a complete stranger to figure out my mother's maiden name or the name of a childhood pet.

And even if the "security" question is secure against strangers, it is seldom secure against your own friends. Even though they are your friends, you might still not want them to log into your accounts somewhere to play a prank on you or whatever. Almost any of these pre-made "security" questions are of the kind that your friends will most probably know the answer to. Your favorite music band? Your favorite food? The city where you started school? All of these personal questions ask for the kind of info that is easily shared among friends, and that makes these "security" questions completely insecure.

Of course you could obfuscate your answer, or deliberately give a completely wrong answer. However, this more or less defeats the whole purpose of the "security" question in the first place: you may well forget how you obfuscated your answer, or which wrong answer you chose.

Besides, on a more basic level: what's the point in having a password at all, given that there's a "security" question? The question completely defeats the existence of the password. There's little difference from simply giving your login name and the answer to your "security" question directly. The password itself is obsolete and doesn't add anything to the security.

Basically the answer to the "security" question is the same thing as having a laughably easy, non-obfuscated password (such as a pet name or a date of birth), which is something people are always told not to use.

If the site is of the kind that sends you the password if you give them the correct answer, this implies another security hole: it means that the site stores your password in a format that is retrievable. In the worst-case scenario it stores it in plaintext. After that it's up to the site not having any security holes which can be exploited to retrieve the file where these passwords are stored. (If the passwords were stored as a one-way hash, the danger resulting from the file being divulged would be lessened.)
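To make the difference concrete, here is an added example (not code from the original post) of the one-way storage just described: a record that holds only salted hashes of the password and of the normalized security answer can verify both and support a password reset, but can never mail the password back, because the plaintext is simply not there. All names and the constructed sample values are my own.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the demo runs quickly;
# production deployments use a higher count or a memory-hard function.
ITERATIONS = 200_000

def derive(secret: str, salt: bytes) -> bytes:
    """Salted one-way hash of a secret (password or security answer)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)

def normalize_answer(answer: str) -> str:
    """Answers are compared case- and whitespace-insensitively ("Fluffy " == "fluffy")."""
    return " ".join(answer.lower().split())

def enroll(password: str, answer: str) -> dict:
    """Build the stored record. Only salts and hashes are kept; the plaintext is dropped."""
    pw_salt, ans_salt = os.urandom(16), os.urandom(16)
    return {
        "pw_salt": pw_salt,
        "pw_hash": derive(password, pw_salt),
        "ans_salt": ans_salt,
        "ans_hash": derive(normalize_answer(answer), ans_salt),
    }

def verify_password(record: dict, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(record["pw_hash"], derive(password, record["pw_salt"]))

def verify_answer(record: dict, answer: str) -> bool:
    return hmac.compare_digest(
        record["ans_hash"], derive(normalize_answer(answer), record["ans_salt"]))

def record_contains_plaintext(record: dict, password: str, answer: str) -> bool:
    """A leaked record reveals neither secret: nothing stored equals the plaintext."""
    stored = set(record.values())
    return password.encode("utf-8") in stored or answer.encode("utf-8") in stored

def reset_password(record: dict, answer: str, new_password: str) -> bool:
    """The only recovery flow a hashed store can offer: reset, never 'remind'.
    The answer still acts as a second, weaker password, which is the post's point."""
    if not verify_answer(record, answer):
        return False
    record["pw_salt"] = os.urandom(16)
    record["pw_hash"] = derive(new_password, record["pw_salt"])
    return True

if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "Fluffy")  # constructed sample values
    print(verify_password(rec, "correct horse battery staple"), record_contains_plaintext(rec, "correct horse battery staple", "Fluffy"))
```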

What is worse: Some of these sites don't give you the option of skipping giving a "security" question/answer pair. You must give them or else your account is not created. This is a completely braindead idea. The "security" question only weakens the security of the site.

Even if the site lets you write your own security question, it may still be hard to come up with something that, a) you will remember the answer to, and b) your friends won't have any idea about whatsoever, especially if you share everything with your friends, which is not rare. (If there's something you don't share with your friends, it means that it's so personal that you will most probably not want to submit it to some random website either.)

The whole "security" question is a completely braindead idea, and should be banned. (If for nothing else, because it obsoletes the whole idea of having a password.)