In The curse of the secret question, an article by Bruce Schneier, he explains why security questions are so inadequate. Schneier and I share the view that the security question is, essentially, a second password which serves as an alternate login mechanism. Since most people answer these questions truthfully, the accounts that these questions are supposed to protect are only as safe as the answers provided. Having more security questions does little to solve the problem.
Consider this: you are asked to choose one of the "secret questions" and to provide an answer. The questions are:
- What is your dog's name?
- What was your first phone number?
- What color was your first house?
- What was the name of the street you lived on when you were 10?
You choose number 2, "What was your first phone number?", and you answer truthfully: 321-555-1212. Is that really as secure as your password was? (You have good password management practices, right?) NO, it's not as secure, because that phone number was known by everyone else who lived in the house, and all the people who called it knew it too. Worse yet, it's still your phone number because you haven't moved out yet!