by Jay Johansen | Jul 29, 2009
Since the earliest days of computers, users have been urged to avoid passwords that are easy for a hacker to guess. Don't use your spouse's name or your birth place or the model car you drive. A hacker who knows you or who makes some effort to research your life could find out these things about you and get into your account. Don't use your favorite color or fast food place. There are a fairly limited number of likely possibilities so a hacker could just guess. Indeed, hackers have ways to try many thousands of words against your password, so users are advised to not use any ordinary English word or words from other common languages, as a hacker could run through all the words from a dictionary.
Thus, users are encouraged to create passwords that are meaningless combinations of letters, digits, and special characters. A string like "qR49$A:w".
The catch to this is that human beings have a hard time remembering such passwords. The help desk folk then get endless calls from people who forgot their password. Of course if you freely give out passwords over the phone to anyone who claims to be an authorized user, this rather defeats the purpose of passwords.
So online services came up with a brilliant solution: Security questions. When you create your password, you are also asked to provide answers to some questions about your life that you should readily know the answer to, like your spouse's name, your birth place, the model car you drive, or your favorite color or fast food place. Then if you forget your password, you just have to be able to answer one of these security questions, and you can get into your account.
Umm, isn't the flaw here obvious? Knowing the answer to a "security question" is as good as knowing your password. If your spouse's name or your favorite color is a bad choice for a password, why is it a good choice for a security question? Indeed, the security questions are far less secure than just using one of these answers for your password. Sure, a hacker might know my wife's name or my birth place or dozens of other tidbits of personal information about me. But if I were to use one of these for a password, even if he guessed that I might have used some personal information for my password, how would he know which one? He could try my wife's name, my first girlfriend's name, the name of the girl in the next cube that I wish would be my girlfriend, names of all my relatives and friends, the town where I was born, the town where I went to college, the town where I got my first job, etc., etc. He could spend many hours trying all these things and still not hit on the one I actually thought to use. But with security questions, they tell him right out which piece of personal information they are using. If the hacker sees that the question is "Where did you go to high school?", even if he knows nothing about me except the company that I work for and that he is trying to hack into, he could guess that I might have gone to school in the city where that company has its headquarters, or in some nearby city. If it doesn't work for my account, there are surely others in the company who did grow up here, and sooner or later he'll get in.
Advising people not to use personal information for a password, but then instructing them to use personal information for security questions to get in when they forget their password, is rather like encouraging people to lock their doors to keep out thieves, but to be sure to leave all the windows open in case they lose the door key. How stupid do you think hackers are?
Afterthought: Using "favorite color" for a security question is clearly sexist. It makes the accounts of men much more vulnerable than those of women. Men, after all, only know the names of maybe a dozen colors: black, white, red, green, blue, yellow, maybe a few more. But if you ask a woman to name her favorite color, she's likely to say "turquoise" or "sea foam" or "aquamarine" or any of thousands of colors that men cannot tell apart. It's much easier to guess a man's favorite color than a woman's favorite color.
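The argument above, and the "favorite color" afterthought, both come down to the size of the space a guesser has to search. The following is an added illustration, not code from the original post: it puts rough numbers on how many plausible answers each kind of secret named in the post has, the bits of guessing entropy that implies, and the chance a guesser succeeds within a small number of tries (the kind of per-account attempt limit a reset flow would enforce). Every answer-space size is a constructed assumption for illustration, not a measurement.

```python
"""Guess-space comparison for the secrets discussed in the post.

Added example (not part of the original post). It quantifies the claim
that a security-question answer is a far weaker secret than a random
password. The answer-space sizes are assumptions chosen to illustrate
the point, not measured values.
"""
import math
from fractions import Fraction

PRINTABLE_ASCII = 95  # characters a random password can draw from

# Constructed assumptions: how many plausible answers each secret has.
ASSUMED_ANSWER_SPACES = {
    "random 8-char password (e.g. qR49$A:w)": PRINTABLE_ASCII ** 8,
    "single dictionary word": 100_000,            # assumed wordlist size
    "favorite fast-food chain": 30,               # assumed
    "favorite color (man, per afterthought)": 12, # the post's 'maybe a dozen'
    "favorite color (woman, per afterthought)": 2_000,  # assumed
    "high school near employer HQ": 40,           # assumed schools nearby
}


def guess_entropy_bits(space_size: int) -> float:
    """Bits of guessing entropy if every answer in the space is equally likely."""
    return math.log2(space_size)


def success_probability(space_size: int, attempts_allowed: int) -> Fraction:
    """Probability that a guesser who knows the answer space (but not the
    answer) succeeds within `attempts_allowed` distinct guesses, assuming
    uniformly likely answers. Exact, so small and huge spaces compare cleanly."""
    return Fraction(min(attempts_allowed, space_size), space_size)


def compare(attempts_allowed: int = 5) -> dict:
    """Return {secret name: (entropy_bits, P(success within attempts_allowed))}."""
    return {
        name: (guess_entropy_bits(n),
               float(success_probability(n, attempts_allowed)))
        for name, n in ASSUMED_ANSWER_SPACES.items()
    }


if __name__ == "__main__":
    for name, (bits, p) in compare().items():
        print(f"{name:44s} {bits:6.1f} bits   P(success in 5 tries) = {p:.2e}")
```

With the assumed numbers, a dozen colors is under 4 bits and a guesser has roughly a 42% chance of hitting the answer within five tries; the random 8-character password is over 52 bits, and five tries are as good as zero. That gap is the post's point: a reset question with a small, publicly known answer space is only as strong as the attempt limit placed in front of it, and any limit generous enough for real users still leaves such a question far weaker than the password it bypasses.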
© 2009 by Jay Johansen