
Subjective Security Questions

Tue 13th March 2012

I have just been signing up to the HR web system at my new job so that I can access my payslips. The stories of it being difficult to get a password or remember it have been vastly blown out of proportion by my colleagues. However, in the account setup, it reminded me of the folly of subjective security questions.

The account signup asked me to tell it my favourite animal and favourite colour, so it could use them as security questions. For colour, this is fine. I’ve had a favourite colour since I was a child. Of course, it’s not secure, because my family and close friends probably know it.

Favourite animal, however, had me stumped. What is my favourite animal? I don’t really know. It’s not that I don’t like animals, I just don’t love them enough to have made the strong emotional commitment to choosing a favourite one.

This brings me to a dilemma that I have faced before with subjective security questions: what do I put so that I can still answer it in several years' time? I imagine most people just write anything in this box and then write blog posts ranting about how they can't log into the system the next time they get locked out, but I know from experience that this will happen, and I want to avoid it by making the right choice now.

The problem is that a subjective question no longer has a single right-or-wrong answer that is known only to me (as a good security question should). Instead it becomes something I decide by some heuristic made up in the heat of the moment, and I will forget both the answer and the heuristic for picking it moments after setting it.

I might choose to adapt the question to be not my favourite animal but my first pet. I might also adapt it to be the animal most loved by the Internet. Or I might adapt it to the first animal that pops into my head. But how will I remember which of these I chose, or what the answer was, in the future?

Of course, given the question is subjective, my answer might change based on my mood or opinion. What if a new animal is discovered and is more awesome than all the other existing animals? What if I see a rotting carcass of my current favourite animal, and am put off it for life? This subjectivity has bitten me before, when I had a security question that was “what is your favourite video game?” At the time I came to use the security question to unlock my account, my favourite games were Gran Turismo 5 and LittleBigPlanet, but they weren’t even released when I set the security answer!

I guess this is an appeal to all those lazy programmers and analysts who are told that their systems need to beef up security, and sloppily implement a “what is your favourite ……?” security question. Please don’t. Pick something that is factual about me, that only I know (or at the worst, my family and close friends), and is hard to find out. Off the top of my head:

  • date of birth
  • shoe size
  • driving license number
  • national insurance number
  • most serious medical condition I have

Of course some of these are still ambiguous (and a date of birth is hardly secret, so the "hard to find out" test matters as much as the "factual" one), but give me the opportunity to choose a different question. That will only take you another hour to code. Please just do it for the sake of everyone's sanity. Please!
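To show what that extra hour of coding looks like, here is an added example (the editor's illustration, not code from the HR system or from this blog) of a minimal security-question store. It lets the user pick a preset factual question or write their own, normalises the answer so that capitalisation, accents and punctuation cannot lock them out years later, stores only a salted slow hash of the answer, and models how far a guesser with a short candidate list gets under an attempt limit. The preset questions, the six-colour list and the sample answers are all constructed for this example.

```python
# Added example, not the page's or the HR system's code.  Everything named
# here (PRESET_QUESTIONS, COMMON_COLOURS, the sample answers) is assumed.
import hashlib
import hmac
import os
import re
import unicodedata

# Factual questions offered to the user (constructed list); the user may
# also supply their own via choose_question().
PRESET_QUESTIONS = (
    "What is your shoe size?",
    "What was the name of your first pet?",
    "What was the registration of your first car?",
)

# Assumed small answer space for "favourite colour" (constructed list).
COMMON_COLOURS = ["green", "blue", "red", "pink", "gold", "yellow"]


def normalise(answer: str) -> str:
    """Fold case and strip accents, punctuation and spare whitespace so that
    'Velociraptor!' and '  velociraptor ' compare equal."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    no_punct = re.sub(r"[^\w\s]", "", stripped.casefold())
    return " ".join(no_punct.split())


def choose_question(preset_index=None, custom_question=None) -> str:
    """Return a preset question or the user's own wording."""
    if custom_question and custom_question.strip():
        return custom_question.strip()
    if preset_index is not None and 0 <= preset_index < len(PRESET_QUESTIONS):
        return PRESET_QUESTIONS[preset_index]
    raise ValueError("pick a preset question or supply your own")


def enrol(question: str, answer: str, iterations: int = 100_000) -> dict:
    """Keep the question in clear (it must be shown back to the user) and
    only a salted PBKDF2-SHA256 digest of the normalised answer."""
    folded = normalise(answer)
    if not folded:
        raise ValueError("answer is empty after normalisation")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", folded.encode("utf-8"), salt, iterations)
    return {"question": question, "salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, answer: str) -> bool:
    """Hash the normalised attempt the same way and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def guess_from_list(record: dict, candidates, attempt_limit: int):
    """Model a guesser (a friend, or an attacker with a word list) who is
    locked out after attempt_limit tries.  Returns (matched_answer_or_None,
    attempts_used)."""
    used = 0
    for cand in candidates:
        if used >= attempt_limit:
            break
        used += 1
        if verify(record, cand):
            return cand, used
    return None, used


if __name__ == "__main__":
    colour = enrol(choose_question(custom_question="What is your favourite colour?"), "Blue")
    print(guess_from_list(colour, COMMON_COLOURS, attempt_limit=5))   # cracked on the 2nd guess
    pet = enrol(choose_question(preset_index=1), "Velociraptor!")
    print(verify(pet, "  velociraptor "))                              # True
    print(guess_from_list(pet, COMMON_COLOURS, attempt_limit=5))      # (None, 5)
```

The normalisation step is what stops a correct-but-differently-typed answer from locking the user out, and the slow, salted hash plus an attempt limit is what has to stand in for entropy when the honest answer space is as small as six colours; a question whose answers are drawn from a long, factual, hard-to-look-up set needs far less help from the limit.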


From → Rant, Security

8 Comments
  1. Apple “security question”: “Which of the cars you’ve owned has been your favourite?”

    What if by the time I have to answer this question, I have bought several new cars, one of which is my new favourite? How am I meant to remember when I answered this question and how I felt at the time?

  2. Oh, FFS, how is “what is your grandfather’s first name” a reasonable security question, HSBC? Which grandfather?

  3. adam1warren permalink

    The trick is to lie. My ‘favourite animal’ is not my favourite (that would be cat or dog for many people – unless you misinterpret the question and choose lamb or crispy duck instead – yum…) but instead a random unusual animal that is easy to remember (e.g. anteater or velociraptor). Similarly ‘my favourite colour’ is not one of the six easy options (I bet green, blue, red, pink, gold and yellow would get about 90% of the population) but a random memorable word (e.g. foobar or eggwhisk).
    All we need to do is to get all these web services to agree on a limited set of these daft questions so I don’t need to invent and remember more than a handful. Go on, ask any two!

  4. Not quite a subjective security question, but my new hatred is easily deducible security questions. Today I found on EA Origins "In what city of town was your first job?". Given that it's quite advantageous to have a public CV (if you want to be headhunted), or at least a profile on LinkedIn, this information is clearly publicly available.

    And "What is the name of the first school you attended?" is not massively public, but is known by a whole load of people that I haven't known for 20 years but may still be in contact with over social media (so they might be able to guess my username etc.).

  5. Found another on the Southampton City Council site:
    “In what city or town does your nearest sibling live?”

    What if they move?! Shame, because the rest are pretty objective and unlikely to change.

  6. An example of very objective security questions:

  7. Found a new category on TopCashBack; a temporally (potentially) sensitive question:
    “City or town that you meet your spouse/partner?”
    “First name of your best man or maid of honour?”

    What if you get divorced and later remarried? What prompt is there to remind you of which spouse/partner and which best man/maid of honour it was when you first answered this question?

Trackbacks & Pingbacks

  1. Why is it so difficult to change your iSolutions password? « Rikki Rants
