One of the worst, most annoying, and inept security practices to evolve in online applications over the years is the process of security questions and answers for logging in and/or password & account recovery. They’re annoying, vague and restricted and they absolute must die, die, die!
So let’s take a few minutes to examine what’s wrong with security questions.
They Aren’t Secure
Even if you’re certain of what the answers are, you still have to record the answer somewhere. And that makes them insecure. Why do you have to record them? Because in most instances, your answer must exactly match, character for character, what you originally entered.
Did I enter “Main St”? Or was it “Main Street”? Or maybe “Main St.”? Did I type “Joseph”? Or “joseph”? Was that “Columbus”? Or did I put “Columbus, OH”? Or was it “Columbus, Ohio”? And on and on. It doesn’t matter if the answer is a clear fact. How you recorded that fact can vary. And thus you are required to write it down somewhere. The result is that all that security goes right out the window.
And you’re even worse off if you made a typo when entering the question the first time and never knew because the app hid your answer like a password field and didn’t make you type the answer twice. More than once over the years have I had to abandon an account altogether because I couldn’t remember the exact answer for the password recovery questions and they had no other means of recovering my account.
Many of the security questions have changing answers. Common questions include things that are your “favorites”. I don’t know about you, but my favorites change over time. Some of them change often. My favorite actor two years ago is very likely not my favorite actor now.
My favorite sports team changes by day of the week. On Saturdays, it’s the Buckeyes. On Sundays,
it’s the Browns. UPDATE: No longer a Browns fan. Which one did I use to answer the “favorite sports team” question? I don’t know, because I wanted to be secure and didn’t write it down.
Their Validation Rules Are Broken
Here’s one I see a lot of complaints about. A security question will be something like: “What is your mother’s middle name?” As part of the validation on the answer fields, they require at least three characters in your answer. Well, what if your mother’s middle name is “Jo”? Or what if she doesn’t have a middle name?
Even worse, when you originally entered the answer to the question, it didn’t have validation on THAT field, so you put “Jo” in there. “Jo” is what you entered. “Jo” is the right answer. But you can’t enter “Jo” now in order to log in and change your selected security question. Sorry bout your luck.
Another one I see is on the opposite end where they limit your answers to a short number of characters. What if they allow a max of 10 characters and your father’s father’s middle name was “Maximillian” or “James Mycroft”?
They Have Multiple Correct Answers (or None at All)
Here’s another problem question I see a lot. “What street did you grow up on?” At what point? What if we moved after 5th grade? What if I was a military brat and we moved every couple of years? What answer do I put then? How do I remember which answer I gave if I’m being secure and not writing them down?
The same goes for any of the “favorite” questions. My preferences change over time. Doesn’t everyone? Apparently devs who make use of security questions like that don’t believe so. Hey, if their favorite author was, is and always will be J.R.R. Tolkien, that’s great. Mine changes from time to time.
It’s also not incorrect to say I have multiple favorite foods or favorite pets or favorite sports teams. I don’t have one favorite author. I have several. It’s a tie. They all win the battle for my affection. Good for them! Bad for security questions.
And what if I was an orphan or one of my parents was an orphan and I don’t know my parents or grandparents middle names? What if I was homeless growing up and had no address? What if I was home schooled and I have no school mascot or favorite teacher? Questions like these can marginalize people to whom they don’t apply. This is even worse if you are like many sites and only have 5 or 6 security questions to pick from.
They Are Easily Found or Guessed
Most of the questions on a typical security question list are easily found by social engineering attacks or just a plain old Googling of easily accessed public data. Most people would be amazed by how easy it is for someone to find out all kinds of information about them.
There are databases of information out there that contain hundreds and millions and billions and trillions of bytes of information about each and every one of us. And that’s just info collected by companies we willingly give our information to like Facebook and Google and Amazon.
Add to that any of a wide array of targeted advertising companies and other sources that watch our every online move, tracking us from site to site, learning our patterns and actions.
And with the pitiful security practices of so many companies out there, that information has been stolen time and time and time again. It’s out there. There are few secrets left in this world. And AI is helping to make sure there are fewer secrets every day.
The result: Common security questions like birth city or hospital, grandparent’s middle names, street addresses, school mascots, pet names and so forth are easy to find. And they get easier to find each year.
Other favorites are easily guessed. For example, favorite food: By some surveys, 30% of Americans will answer this question with pizza. Many people the world over will have one of their hometown sports teams as their favorite team. That often doesn’t leave many choices to pick from.
I live in Columbus, Ohio, USA. If I hadn’t already told you I love the Buckeyes and Browns, you could probably guess my favorite sports team in 10 guesses or less. There aren’t that many choices in Ohio. And Ohio has a LOT of pro sports teams for a state our size. A computer that knows I live in Columbus and that I have lived here most of my life could brute force guess my favorite sports team in just a few milliseconds, less if it already has my social media posts in its database.
Not even a full second needed to learn the answer to one of the most common security questions asked. And if that was my answer on one website, you can bet that’s my answer on every other site that uses that question. Once guessed, that tidbit of information will get added to my stored profile and a hacker can use that information everywhere.
They’re Utterly Useless and Completely Broken
When used as a form of authentication, security questions are completely, totally, utterly useless and broken. With rapidly growing access to cheap, powerful and easy to use AI, most security questions can be easily guessed based on other known information about you and records available all over the Internet.
They are a vulnerable access point that will lead to data theft and security breaches. Just ask the IRS. Improper controls let hacker systems brute force guess millions of security questions, gaining access to all kinds of information to be used against you.
Every legitimate security organization on the planet these days recommends that you should NOT use security questions as a form of security or authentication. The National Institute of Standards and Technology (NIST) and others have been telling us for years that they should not be used. At all. Ever. So stop it. Now.
It’s time to stop using security questions. If your website or application is using them, STOP! Remove them. Come up with a better plan. If you don’t, I will hate you forever. You are going to be breached and lose your customers’ information. Using security questions will make those breaches easier.
But don’t stop using them to protect your customers. Do it because I, and every intelligent person everywhere, will hate you otherwise. And you know what? You will deserve every last ounce of contempt that the world can heap on you. So save yourself a heaping pile of contempt and stop using security questions.
Did I mention stop?
Why are you still using them?
Stop already! JUST… STOP!!!!!
Husband, father, gamer, developer, manager, writer, creative, blogger, model railroader, Buckeyes fan