Security questions: my number one most hated thing online. I can see the logic behind these questions: the web site verifies personal information with your answers in case you misplace your password, username, etc. So what is my problem with these very nosy fields? Well, first off, who would want to tell random-shopping-place.net her maiden name or his favorite pet's name? I'll admit most of the information is not worth much to most people, but I recently logged onto a site that wanted five different security questions. The questions to choose from ranged from favorite band to favorite elementary school teacher. One question, guys; that is my limit.
Ignoring the personal information and the question addicts, what else do I have against these questions? Well, first rewind a bit and think about why sites use them. Typically these questions are used to restore account access after you have been compromised or have forgotten your information. Occasionally some sites want the answers just to let you change your login info. Why do web sites feel the need to verify that the one with valid credentials can also answer a bunch of personal questions? It is just another useless security layer that might prevent <1% of unauthorized accesses, for the people using 'password' as their password. Security questions are nothing more than a stupidity test, and having to pass a stupidity test each time a user wants to log in is insulting to everyone; or at least it should be.
I have no idea what my favorite book/movie/show/teacher/school/band is, and since that knocks out 80% of the available questions right off the bat, I am left with 'city I was born in', 'name of high school' or some equally obvious trivia from the life of Charles. I cannot count how many times I have tried to answer these questions only to have the computer tell me I am wrong. Me, the real flesh and blood, knows less about my life than a computer does. Favorite bands change, pets die, K-12 merges into one big blur; these are all to be expected from the average adult, so where do these web sites get the idea that it is a good idea to ask these things?
I had a Gmail account get taken over one time. For a period of time I always put in the answer 'none' for every security question, including the ones on my email account. So someone found out my email was tied to my old WoW account and sent a password reset to my address. Turns out that when you try to 'remember my password' with Gmail, it just asks for the answer to your security question. So this smart guy entered 'none' and won a free expired WoW account.
Why am I pissed at security questions instead of my own incompetence? For the same reason I still fill in 'none' for all my answers. I do not want to be bothered with remembering my favorite movie, my favorite book or any of that crap. Not only that, but why would I want some random web site knowing that information?
Well, I think that is enough ranting; you might be wondering what I am suggesting instead. I would question the use of security questions at all. First off, they should be optional, so that users are not forced to fill in garbage they will eventually forget. What about account recovery? There are two kinds of account recovery: recovery for a web site account someplace like slashdot.org, and recovery for an email address. For slashdot the answer is easy: send an email confirmation to the recorded email address. The link in that mail should carry a random, single-use, short-lived token, and the site should store only a hash of it, so that neither a guessed link nor a leaked database hands out a reset. There is no reason why a web site like slashdot's responsibility should extend any farther than that. You (the web site owner) do not need to worry about whether the person knows his favorite band; if he has access to his email address, that should be good enough for you.
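Here is what that email-only recovery looks like in code. This is an added example, not code from the original post or from slashdot; the user table, the pending-reset table and the outbox are constructed in-memory stand-ins for a real database and mail transport, and the 15-minute lifetime is an assumed policy.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links die after 15 minutes

# Constructed stand-ins for the site's database and outgoing mail queue.
USERS = {"alice": {"email": "alice@example.net", "password_hash": "old-hash"}}
PENDING_RESETS = {}  # sha256(token) -> {"user": ..., "expires": ...}
OUTBOX = []          # (recipient, body) pairs that a real site would hand to SMTP


def _hash_token(token: str) -> str:
    # Only the hash is persisted: a dump of PENDING_RESETS yields no usable link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Start recovery for `username`.

    Returns (recipient address, plaintext token) after queueing the mail, or
    None for unknown users so the endpoint cannot be used to enumerate accounts.
    """
    user = USERS.get(username)
    if user is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    PENDING_RESETS[_hash_token(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    # Hypothetical URL layout; only the recorded address ever receives it.
    OUTBOX.append((user["email"], "https://example.net/reset?token=" + token))
    return user["email"], token


def complete_reset(token: str, new_password_hash: str, now: Optional[float] = None) -> bool:
    """Consume the token from the emailed link and install the new password hash.

    pop() makes the token single-use; the expiry check makes it short-lived.
    Both failures return False without saying which, so the caller learns nothing.
    """
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(_hash_token(token), None)
    if entry is None or now > entry["expires"]:
        return False
    USERS[entry["user"]]["password_hash"] = new_password_hash
    return True
```

Note that nothing in this flow asks the user anything; possession of the mailbox is the whole proof. The hash lookup also means the token never needs to be stored or logged in the clear, which is the usual way reset links leak.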
If you are the email provider, you have an interesting problem. I would argue that if you forget the password to your email address you are beyond hope. However, I will admit that is a bit harsh. If you are that worried about your customers, then I would advocate a password HINT, where they can type a phrase to remind them of their password, or let them type their own question and answer. Either way, remember that the hint is shown to whoever reaches the reset page, so it is effectively public; a hint that is the password itself, or a user-written question whose answer is the password, gives the account away.
Other valid solutions would be to ask several questions about the state of their inbox: "When was the last time you logged in?", "Name one address in your address book", "Who do you send the most mail to?" and so on. And let's not overlook the most vital part of client identification: the IP address, browser information, operating system, etc. You get the point.
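The inbox-state questions and the client check above, combined into one decision. This is an added example, not code from the original post or from any mail provider; the account record (address book, sent log, last login, previously seen clients) is constructed, the two-day tolerance on the last-login date and the exact (IP, user-agent) match are assumed policy, and the three-outcome result is my own shape for it.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed account state standing in for the provider's mail store.
ACCOUNT = {
    "address_book": {"bob@example.org", "carol@example.com", "dave@example.net"},
    "sent_log": ["bob@example.org", "carol@example.com", "bob@example.org", "bob@example.org"],
    "last_login": "2009-03-14",
    # (ip, user-agent) pairs seen on successful logins; assumed to be recorded at login time.
    "known_clients": {("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0")},
}

LAST_LOGIN_TOLERANCE = timedelta(days=2)  # assumed: nobody remembers the exact day
QUESTIONS = ("address_in_book", "most_mailed", "last_login")


def check_inbox_claims(account, claims):
    """Score the post's three questions against the real mailbox.

    `claims` maps question name -> the user's answer (dates as ISO strings).
    Returns the names of the questions answered correctly.
    """
    passed = []

    # "Name one address in your address book": any entry, case-insensitive.
    book = {a.lower() for a in account["address_book"]}
    if claims.get("address_in_book", "").strip().lower() in book:
        passed.append("address_in_book")

    # "Who do you send the most mail to": derived from the sent log, not stored trivia.
    top_recipient, _ = Counter(account["sent_log"]).most_common(1)[0]
    if claims.get("most_mailed", "").strip().lower() == top_recipient.lower():
        passed.append("most_mailed")

    # "When was the last time you logged in": fuzzy match within the tolerance.
    try:
        claimed = date.fromisoformat(claims.get("last_login", ""))
        actual = date.fromisoformat(account["last_login"])
        if abs(claimed - actual) <= LAST_LOGIN_TOLERANCE:
            passed.append("last_login")
    except ValueError:
        pass  # missing or malformed date simply fails this question

    return passed


def client_is_known(account, ip, user_agent):
    """The client-identification part: has this (ip, user-agent) logged in before?"""
    return (ip, user_agent) in account["known_clients"]


def recovery_decision(account, claims, ip, user_agent):
    """'allow' only when every inbox question is right AND the client is one we
    have seen; 'review' when the answers are right but the client is new (a human
    or a second channel should look); 'deny' when the answers do not match."""
    passed = check_inbox_claims(account, claims)
    if len(passed) < len(QUESTIONS):
        return "deny"
    return "allow" if client_is_known(account, ip, user_agent) else "review"
```

The point of requiring all three answers plus a familiar client is that each one on its own is guessable by someone who knows the victim (a single contact's address, for instance), while the combination is much harder to assemble from outside the mailbox. Exact IP and user-agent matching is deliberately strict here; a real deployment would relax it to a network prefix and browser family, at the cost of more "review" outcomes.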
So why would you want to implement something like that when a select box with answers is incredibly easy? Because you will impress those of us who hate security questions, and give the appearance that your web site is more intelligent than those fill-in-the-blank wannabes.

