March 25, 2013


Password reset questions are getting out of hand

As soon as the Web had developed sites that required logging into, it also developed the problem of lost passwords. The solution for that was simple: password reset questions. You’ve probably run into these a hundred times and they are typically the same questions on every site, like “Where were you born?”, “What’s your mother’s maiden name?” and “What street did you grow up on?”.

The problem with these generic password reset questions is twofold. The first issue is that if every site uses the same questions, one of the sites could be compromised and the password questions/answers will get out. The second issue is even more problematic: most of these questions are a matter of public record. If I’m trying to break into your account and I know just a little bit of information about you, I can find out what your mother’s name is, what street you grew up on, and where you were born. Heck, you might even have posted some/all of the information publicly on your Facebook page.
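The first issue above, a breach at one site exposing answers that are reused everywhere else, is smaller if the site never stores the answers in the clear. Here is an added example, not code from the original post, that stores only a per-user salted scrypt hash of a normalized answer; the function names are my own.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Hypothetical helper names; not part of the original post.


def normalize_answer(answer: str) -> str:
    """Canonicalize a reset answer so harmless variations still verify
    ("St. Mary's Hospital" and "st marys hospital" become the same string).
    Case, punctuation and whitespace are dropped; letters and digits stay."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The database keeps only these two values, so a
    dump of this site yields nothing that can be typed into another site's
    reset form. scrypt (standard library) makes offline guessing slow."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=2 ** 14, r=8, p=1, dklen=32,
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    # Constructed sample record for one user.
    salt, stored = hash_answer("St. Mary's Hospital")
    print("stored digest:", stored.hex())          # not the answer itself
    print(verify_answer("st marys hospital", salt, stored))  # True
    print(verify_answer("Mercy General", salt, stored))      # False
```

Hashing does not make a low-entropy answer hard to guess online, so the reset form still needs rate limiting; it only keeps one site's breach from handing out answers for every other site.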

So how do you fix this? Well, you use questions that are less common and questions that aren’t a matter of public record. For example: What’s your favorite color? What’s your doctor’s name? What food do you like the least?

Once you’re off the “public record” information, all you need to worry about is questions that can be answered via Facebook, so “Favorite Color” is probably a bad choice for a question too. With all this in mind, websites have started to come up with more clever questions. Sometimes they ask questions that are totally obscure, but typically you have a number of options.

However, I ran into a financial services firm (yay for security!) that required you to have 5 password reset questions, and their options were… insane. I decided to copy down the list here just so I could figure out how many of these I could actually answer. Maybe I’m a bad person, but I couldn’t answer a large majority of them. Count for yourself, how many can you answer?

  • What is your grandfather’s middle name (your father’s father)?
  • What is the name of the hospital in which you were born?
  • What is your grandfather’s profession?
  • What is the middle name of your oldest sibling?
  • In what city did your parents get married?
  • What is the first name of the eldest cousin (father’s side)?
  • In what city was your mother born?
  • What city were you in on New Year’s Eve, 1999?
  • What is your oldest sibling’s nickname?
  • What is the last name of your high school best friend?
  • What is the first name of your favorite teacher in high school?
  • What is the last name of your first boyfriend or girlfriend?
  • What is your spouse’s middle name?
  • What is your grandmother’s middle name (your mother’s mother)?
  • What is the last name of your first grade teacher?
  • What is the first name of the eldest of your cousins (mother’s side)?
  • What state did you first visit (outside the one you were born in)?
  • What is the street name where you lived when you were 10 years old?
  • What is your father’s middle name?
  • What is the name of your first pet?
  • What was the first foreign country you visited?
  • What is your grandfather’s middle name (your mother’s father)?
  • In what city was your father born?
  • What is the first name of the person you went to your prom with?
  • What is your mother’s middle name?
So out of 25 questions, I could answer 10 of these questions. A whopping 40% of the questions. How many could you answer? Leave your answer in the comments. I’m curious to see if I’m a bad person, or if these questions are totally out of hand. Sure, I could research most of the answers, but how am I going to remember the answers if I can’t even remember my password (which I actually use)?

Let’s not forget though, as asinine as some of these questions are, a large majority are names of family members — making them a matter of public record. So while I might not know what city my parents got married in, will tell me that without even needing to sign up or create an account. You’re better off asking me the name of my favorite childhood stuffed animal, at least that’s not in the public record.