Why I hate 'security questions'
You know 'security questions'; they are the extra questions that websites (and other services) attach to your account that will theoretically let you regain access to the account if you forget your password. I really don't like them, and it's not because they are a terrible security idea. Well, not directly.
Hopefully everyone already knows the primary problem with security questions: if you pick questions and answers that you can remember, it's quite likely that an attacker can work out the answers themselves from public or semi-public information (especially if you are paranoid enough to be concerned about people that know you to at least some extent, not just random strangers). Even without that, it may be easier to guess answers to the security questions than to guess your password.
What this means is that security questions are effectively additional passwords to your account, and your answers need to follow all of the rules for passwords. So security questions are really hard-to-remember, rarely used passwords that I have to write down, keep track of securely, and worry about.
But that's just the obvious reason to hate security questions. The more subtle reason is the underlying reason why they exist in the first place. We can see this real reason by asking the question of what would happen if they didn't exist and you forgot your password: you'd go talk to customer service to sort out the situation. So security questions really exist so that companies don't have to have customer service people; in other words, they're making my life more painful (and reducing my security) in order to save themselves some money.
(The case of free services is one of those hard ones, since it might not be possible to provide the free services at all if you had to provide full customer support too. In some cases, such as free webmail providers, I would consider this a benefit.)
Written on 22 November 2008.