By Harry McCracken | Monday, July 20, 2009 at 7:10 pm
I still have Twitter’s document leak on my mind, and am therefore hypersensitive at the moment to the “forgot your password?” features that Web services offer and their potential for abuse by people who want to steal your information (or even your money). I just signed up for a Barnes & Noble account, which I’m bringing up here not because it’s a bad example but because it’s perfectly typical.
B&N asked me to choose a question that nobody else could answer:
And then it gave me eight questions to choose from:
I don’t see a single question here that nobody else on earth can answer. Some are the very definition of public information, like the names of parents and pets. Others are profoundly guessable, even by perfect strangers. (If you know what metropolitan area someone lives in, doesn’t that give you a gigantic head start in figuring out what his or her favorite team might be?)
As for me: Lots of people know what city I was born in, what my mother’s middle name is, and what sports team I root for. If you’ve got access to my Facebook profile you can make excellent stabs at figuring out my favorite author and movie. My favorite car is pretty obvious, too–it’s the one parked in my driveway, and I’ve mentioned it repeatedly on Twitter and in other online venues.
Oh, and my father doesn’t have a middle name and I don’t own any pets at the moment, so those questions are out.
When you think about it, there’s almost no such thing as information that’s A) known only to one person and B) virtually impossible for anyone else to guess. There are terrible implementations of secret-question security and less terrible implementations, but they’re all based on a fundamentally flawed idea.
It’s true that like many services, Barnes & Noble only asks you the security question after you’ve clicked on a link it sends you via e-mail. So an intruder would have to both have access to your e-mail and know or be able to guess the answer to your security question to get access to your account. In other words, the security question is an added level of protection, not a primary means of defense–but I still don’t like the Web-wide pretension that nobody knows my mother’s name except me.
1) If Web sites insist on using secret questions–and I’m sure they’re not going anywhere–they should at least stop pretending there’s anything secret about them;
2) Letting us choose our own secret questions and answers is much better than forcing us to use one supplied by the company;
3) Providing bizarre made-up answers remains the best way to keep secret questions secret. Which is why I just decided that my favorite team is the Atascadero Wombats…
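The third point above, treating each secret-question answer as a second, random password rather than as a fact about yourself, is easy to put into practice. The script below is an added example written for this page, not code from the original post or from Barnes & Noble: it draws answers from an embedded word list with the OS random generator, reports how many bits of guessing work the answer represents, and flags answers that appear in a constructed list of common first guesses. The word list and the common-answer list are both small, constructed samples; a real deployment would use a larger list (entropy grows with its size) and keep the generated answers in a password manager beside the site password.

```python
"""Generate made-up, high-entropy answers for "secret question" fields.

Added example (not from the original post). The idea is the one the post
ends on: the answer to "favorite team?" should be a random string nobody
can look up, not the team on your jersey.
"""
import math
import secrets

# Constructed word list for the example. Entropy per word is log2(len(WORDS)),
# so a larger list (e.g. a 7776-word diceware list) gives stronger answers.
WORDS = [
    "wombat", "atascadero", "lantern", "quartz", "meadow", "copper",
    "falcon", "harbor", "juniper", "marble", "nimbus", "orchid",
    "pepper", "raven", "saffron", "tundra", "velvet", "walnut",
    "yonder", "zephyr", "basalt", "cinder", "dagger", "ember",
    "fjord", "glacier", "hollow", "iris", "kestrel", "lagoon",
    "mosaic", "nectar",
]

# Constructed sample of answers a guesser would try first (public or
# popular facts of the kind the post describes).
COMMON_ANSWERS = {
    "yankees", "lakers", "cowboys", "fluffy", "max", "smith",
    "springfield", "chicago", "toyota", "honda",
}


def entropy_bits(list_size: int, n_words: int) -> float:
    """Bits of entropy in an answer of n_words independent picks from a list."""
    return n_words * math.log2(list_size)


def generate_answer(n_words: int = 3, words=WORDS) -> str:
    """Return n_words random words, chosen with the CSPRNG (secrets module)."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return " ".join(secrets.choice(words) for _ in range(n_words))


def normalize(answer: str) -> str:
    """Sites usually compare answers case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


def is_guessable(answer: str, common=COMMON_ANSWERS) -> bool:
    """True if the (normalized) answer sits in the first-guess list."""
    return normalize(answer) in common


def answers_for(questions, n_words: int = 3) -> dict:
    """Assign a fresh random answer to every prompt the site offers."""
    return {q: generate_answer(n_words) for q in questions}


if __name__ == "__main__":
    prompts = [
        "What is your favorite sports team?",
        "What city were you born in?",
        "What is your mother's middle name?",
    ]
    bits = entropy_bits(len(WORDS), 3)
    for question, answer in answers_for(prompts).items():
        print(f"{question}  ->  {answer}  ({bits:.1f} bits)")
    print("Is 'Yankees' guessable?", is_guessable("Yankees"))
```

Run it once per site and paste the generated strings into the question fields; the question text then carries no information about you, which is exactly the property the built-in prompts lack.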