your security questions might not be that secure

I've whinged about the security questions that my bank asks me: mother's maiden name, pet's name, city of birth, etc. Some of my colleagues here at Microsoft (along with some folks from CMU) have written a paper, "It's No Secret: Measuring the Security and Reliability of Authentication via 'Secret' Questions", about how easy it is to guess the correct answers to these security questions, and are presenting it at the IEEE Symposium on Security and Privacy this week. Technology Review has an article about their paper: Are Your "Secret Questions" Too Easily Answered?

The findings from this paper are somewhat unsurprising, although the actual numbers did surprise me. Here's one quote from the Technology Review article:

The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions "What is your favorite town?" and "What is your favorite sports team?" were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.

57% of the correct answers to the sports-team question, guessed without knowing anything about me! Even worse, there's a good chance that I'm going to forget my own answers. Here's another quote from the Technology Review article:

Even for the most memorable questions--Yahoo's, as it turned out--the participants forgot 16 percent of the answers within three to six months. Overall, one out of every five people forgot all of the answers to their secret questions, the researchers found.

Bruce Schneier, whom I'm willing to call a computer security god, says that he simply types in a random answer to these questions and, should he forget his password, calls the company for a reset instead of relying on this service. (Those random answers have to be recorded somewhere, such as a password manager, since they are unmemorable by design.) I wish that this were sufficient. My bank occasionally asks me the answers to my questions if it thinks that I'm logging in from somewhere else or if it thinks I'm engaging in out-of-the-ordinary behaviour. Given that I have three computers at work and four at home, my bank often thinks that I'm logging in from somewhere else and I'm stuck answering the questions.
