A Rant on Password Challenge Questions, If I May

Fact: I select passwords that have a chasm separating them from my personal life. I use a system that only I know (not even my wife knows it), and I adhere to good password practices.

Fact: Personal data is researchable.

Ergo: Answers to personal questions are less secure than my passwords that they “protect.”

My bank doesn’t understand this crucial security notion:

Forcing me to use a system that is less secure than the one that I use now is a security flaw.

Incidentally, they also enforce passwords with a minimum number of a certain type of character, which is also less secure.

Security concerns aside, this is also an inconvenience. Passwords that I choose are cryptic, but I can commit them to memory. Security questions on the other hand, have “natural” answers. How forgiving will the verification be? If it’s lax, then it’s even less secure. If it’s strict, it’s a phenomenal inconvenience to me, because I might type the answer with a capital (or without), or use a numeral or abbreviation, etc. You get the idea. Now I’m stuck going to the branch just for fat-fingering something.

Security measures that are insecure and inconvenient aren’t worth it. Now, if someone could just convince the TSA of that…

[Update: An xkcd about the same topic the very day after I posted this:


6 responses to “A Rant on Password Challenge Questions, If I May”

  1. Huh? You answer those questions honestly? I always give nonsensical (but easy to remember) answers to online security questions. For example:

    Q: What is your mother’s maiden name?
    A: Riemann Hypothesis

    Q: What was the name of your first pet?
    A: Take off every “zig”!

    These are not real examples, of course. [But I have to admit to really enjoying Grandma Hypothesis's home-made apple pie. Mmm-mmm!]

  2. See, answers like that would require me to write them down. Which would mean that I would lose it or it risks being seen.

  3. Or you can use a tool such as mkpasswd that is available on *nix computers. It asks you for a pass-phrase and spews out a random password, seeded with your pass-phrase. For example:

    > mkpasswd platypuss

    • I’ve used those before. There’s one for Windows that I use called KeePass that works pretty well, but I tried it out with some “less critical” accounts and I found it to be cumbersome.

      Obviously, I could use such a program exclusively for these password challenges, but I’m afraid that the same thing might happen to it that would happen to a piece of paper. I.e., I’d just lose it. I’ve lost files before that I don’t reference very often (e.g., I have no idea where my tax files for 2004 are).

      The core problem here is that instead of just one password to access the same account, I have two, only one of which is needed for access. In and of itself, that is less security.

      Add to that the problem of never using one of them, so that the risk of loss or compromise becomes higher. So the net result is that I am both compromised and have no gain in convenience. It’s a bad solution.

    • I’d like to add that “bad solution” refers to the requirement of password challenge questions, not your suggestion.

  4. I also think that such question/answer challenges are pretty useless; I was suggesting that instead of answering ‘riemann hypothesis’ to the question about your cat’s name, you’d use the hash of the answer as given by mkpass, if you REALLY do not want to divulge even that tiny bit of information about yourself. Only math enthusiasts would name their cat Riemann ;) Knowing that is still divulging more than zero bits of information about you.
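The approach comments 3 and 4 sketch, one memorised pass-phrase in and an unguessable per-question answer out, as an added Python example (not the blog's code and not mkpasswd itself). The site and question labels, the PBKDF2 work factor and the sample pass-phrase are assumptions; the answer is kept to lower-case letters and digits so that a lax, case-folding verifier of the kind the post worries about still accepts it.

```python
"""Derived challenge-question answers: one memorised master pass-phrase in,
a random-looking answer per site and question out. Added example in the
spirit of comments 3 and 4; not the blog's code and not mkpasswd."""
import hashlib
import hmac
import unicodedata

# Lower-case letters and digits only, so the answer survives a bank that
# case-folds or strips punctuation before comparing (the post's "how
# forgiving will the verification be?" worry). 16 symbols from 36 give
# about 83 bits, far beyond any real maiden name or pet name.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise as hardware allows


def normalise(text: str) -> str:
    """Canonicalise a label so "Mother's maiden name?" and "mothers maiden
    name" derive the same answer even if the bank rewords the prompt."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def derive_answer(master: str, site: str, question: str, length: int = 16) -> str:
    """Stretch the master pass-phrase with PBKDF2, salted by site and
    question, then expand the key into `length` alphabet symbols."""
    salt = (normalise(site) + "|" + normalise(question)).encode()
    # The salt binds the answer to one site and one question: a leaked
    # answer says nothing about the others, and the slow KDF makes guessing
    # the master pass-phrase from a leaked answer expensive.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    symbols, counter = [], 0
    while len(symbols) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        # 252 = 7 * 36: reject the top four byte values so b % 36 is
        # uniform over the alphabet instead of slightly favouring a..d.
        symbols.extend(ALPHABET[b % 36] for b in block if b < 252)
        counter += 1
    return "".join(symbols[:length])


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    ans = derive_answer(master, "bank.example", "Mother's maiden name?")
    print("Answer to give the bank:", ans)
    # The bank may reword the prompt; normalisation keeps the answer stable.
    print("Stable:", ans == derive_answer(master, "bank.example", "mothers maiden name"))
```

Because the answer contains nothing a verifier could case-fold or strip, it compares equal under both strict and forgiving checks, which removes the fat-finger risk the post describes while keeping the answer unrelated to anything researchable.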

