Tag Archives: rant

A Rant on Password Challenge Questions, If I May

Fact: I select passwords that have a chasm separating them from my personal life. I use a system that only I know (not even my wife knows it), and I adhere to good password practices.

Fact: Personal data is researchable.

Ergo: Answers to personal questions are less secure than my passwords that they “protect.”

My bank doesn’t understand this crucial security notion:

Forcing me to use a system that is less secure than the one that I use now is a security flaw.

Incidentally, they also enforce passwords with a minimum number of a certain type of character, which is also less secure.

Security concerns aside, this is also an inconvenience. Passwords that I choose are cryptic, but I can commit them to memory. Security questions on the other hand, have “natural” answers. How forgiving will the verification be? If it’s lax, then it’s even less secure. If it’s strict, it’s a phenomenal inconvenience to me, because I might type the answer with a capital (or without), or use a numeral or abbreviation, etc. You get the idea. Now I’m stuck going to the branch just for fat-fingering something.

Security measures that are insecure and inconvenient aren’t worth it. Now, if someone could just convince the TSA of that…

[Update: An xkcd about the same topic the very day after I posted this: