mrkrstphr's blog


The Insecurity of Security Questions

Posted on 01 Nov 2011

Security questions on websites where you have a login can be great: they can help you regain access to your account when you’ve forgotten your login credentials. Unfortunately, there are some gaping holes in the types of questions you have to answer in order to gain this access, holes that could leave you unable to get into your own account, or allow others who have the right information to get into it instead.

Some sites provide you with a preset list of questions to choose from, while others allow you to write your own questions, and some let you do either. Whatever the source, there are essentially two types of questions: hard fact-based questions and floaty, non-permanent questions.

Hard Fact-Based Questions

These questions usually involve you answering some fact about your life, such as what city you were born in, what your mother’s middle name is or what elementary school you went to. Those are hard facts; they never change, unless your parents were lying to you, or you have a foggy memory of your own past. The city you were born in, your mother’s middle name (okay, she could change it) and the elementary school you went to are a part of history and cannot be changed.

The problem with these questions is that anyone who knows you well enough knows the answers to them. A close friend, an ex-lover or a rogue aunt with a vendetta could all potentially know this information, along with your email address, and gain access to your favorite sites or financial institutions.

Floaty Non-Permanent Questions

These are questions that ask what your favorite movie, book, song or band is, who your best friend is, what your pet’s name is, etc. These questions downright suck. Do yourself a favor: don’t ever pick them. Why? Because the answer to the question will likely change throughout your life. Aerosmith was once my favorite band, but I can’t tell you the last time I listened to them, and only the almighty knows just how many pets I’ve been through. “Did I have Buster or Puddles or Pepe when I created this account?”

These questions are downright unsafe as the answer will change as you move through life. On the upside, it might be harder for those who know you to guess the answers to these questions.

The Solution

Hell if I know. If I did, I’d probably have invented it and been on the cover of Nerd magazine. Picking your own questions when possible and picking a question you only know the answer to might be the best way to go. Getting ambiguous might be a good solution too, but you could get so ambiguous you don’t even know the answer.

Another good thing is that most sites require that you answer 3 or 4 questions, and it’s far less likely your crazy coke-addicted Aunt Marge will know the answer to all four of them. The downfall is when they only ask you to answer one of them when recovering your account.
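To make that last point concrete, here is an added example (not code from the original post) of a recovery check on the site's side: answers are normalized and stored as salted PBKDF2 hashes, and the `recover` function shows the difference between an "all questions must match" policy and the weaker "any one question" policy the paragraph warns about. The question set and answers are constructed sample data.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize(answer: str) -> str:
    """Fold case, drop punctuation and collapse whitespace so
    'Lincoln Elementary!' and ' lincoln   elementary ' compare equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    kept = "".join(ch for ch in folded if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def enroll(answers, iterations=100_000):
    """Store each answer as a salted PBKDF2-SHA256 digest, never in clear text."""
    records = []
    for question, answer in answers:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
        records.append({"question": question, "salt": salt,
                        "digest": digest, "iterations": iterations})
    return records


def check_one(record, answer: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                 record["salt"], record["iterations"])
    # constant-time comparison so a wrong guess does not leak by timing
    return hmac.compare_digest(digest, record["digest"])


def recover(records, supplied, policy="all") -> bool:
    """supplied maps question -> answer given at recovery time.
    policy='all' demands every enrolled question; policy='any' accepts a single
    correct answer, which collapses the scheme to its weakest question."""
    results = [check_one(r, supplied.get(r["question"], "")) for r in records]
    return all(results) if policy == "all" else any(results)


if __name__ == "__main__":
    # constructed sample enrollment
    recs = enroll([("city", "Springfield"), ("school", "Lincoln Elementary"), ("pet", "Puddles")])
    guess = {"pet": "puddles"}  # one answer an acquaintance might know
    print("any-one policy:", recover(recs, guess, policy="any"))   # True
    print("all policy:", recover(recs, guess, policy="all"))       # False
```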

Short of retina, DNA or semen scanners that interface with the websites, there might not be a good solution. But heed my warning: be smart when picking and answering these questions.
