Fog Creek Software
Discussion Board

"Secret Question" Password Reminders

Is anyone else annoyed with those "secret question" password hints that are on every web site with user accounts?

You're supposed to give the site an answer to one of several usually-predetermined questions, like your mother's maiden name, or your pet's name, or where you were born.  Then, if you forget your password, they ask you the question back and you provide the correct answer.

Problem is, to me, that the questions are always so simple that anyone who knew me personally could find that stuff out.  Lots of people could know my pet's name, and I'm sure they could find out where I was born with a little digging.

So WTF?  Doesn't that throw all the SSL encryption out the window?  It doesn't matter on random discussion boards so much, but ecommerce/job search sites with sensitive information seem to be using this as well, and it's becoming preferred or even mandatory when it used to be optional.

I usually just put in garbage, but that could be a PITA if I ever forget the passwords.  Seems like such a gaping security hole... am I missing something obvious?

My Aibo's name is Spike
Friday, December 5, 2003

I can see why you don't like the "Secret Questions".  However, to avoid the inherent security risks that you mentioned you could simply supply answers of "123" to each of the questions.  Who could guess or find out that your mother's maiden name is "123"?

Friday, December 5, 2003

Generate a secure passphrase/password this way, and then use the secret question to clue yourself in to which die rolls you used to get there.
Friday, December 5, 2003

Yes, there's no necessity for the answer to be correct or even remotely connected to the question.

Just so long as you remember the relationship.

Simon Lucy
Friday, December 5, 2003

I hate those sites that let you receive your password, in case you forget it, by emailing the address they have in their database.

That's just lovely: if someone on a shared network wanted your password to something, and they knew your username, it's pretty easy to get the password.

Just issue SecurID cards to everyone...

Friday, December 5, 2003

Oh wait, the answer to a question that is the seed for your generated password won't help because you won't have access to that either.

How much less secure is this than a bank that uses your address, mother's maiden name, and SSN to identify you?

Most banks will let you change the secure question they use to identify you.

I'd be more concerned with some admin having access to your mother's maiden name than with my friends having access to my hotmail.

Invent fake answers to all of the questions.

Mother's maiden name: supercalafragilisticexpialadocious
City where you were born: antiestablishmentarianism
Pet's Name: fourscoreandsevenyearsago

And stick with these from site to site so you can remember them if need be.
Friday, December 5, 2003

I just use something like, ";asdfiahega834y23t948tyljkhsdfas;lda8ehfasfdkfj"

for the answer to the question.  I'll never be able to answer the question, then again, I'll never need to.

Une Ternal
Friday, December 5, 2003

I do the same thing as Une Ternal -- some random long string of junk.

Friday, December 5, 2003

"I hate those sites that let you receive your password, in case you forget it, by emailing the address they have in their database."

"That's just lovely: if someone on a shared network wanted your password to something, and they knew your username, it's pretty easy to get the password."

That is much more secure than actually displaying the password onscreen.  They send email to the address you previously gave them, not to one you are just providing them.  How would someone get your password just from knowing your username?

T. Norman
Friday, December 5, 2003

The real annoyance is having to enter a password for a useless site in the first place.  Do I really have to remember my username and password to read the New York Times online?  Forget remembering invented answers to "security" questions, don't make me remember anything!
Of course, this probably isn't the kind of site you had in mind.  Security is always a tradeoff.  If you think the site you are dealing with doesn't adequately protect your account, let them know.

Friday, December 5, 2003

> And stick with these from site to site so you can remember them if need be.

Seems like bad advice if you want to maintain security.  I generally don't want site A to have access to my password for site B.

Saturday, December 6, 2003
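As an added example (my own code, not anything posted in this thread), here is one way to follow the "invent fake answers" advice without the cross-site reuse objection just raised: one memorised master secret plus an HMAC over the site name and question yields a different throwaway answer per site, and a site that stores its answer cannot work out the answers given elsewhere. The 16-word list and the master secret are constructed placeholders; a real wordlist such as Diceware's 7776 words gives far more entropy per word.

```python
import hashlib
import hmac
import math

# Constructed 16-word sample list (a real deployment would use a full Diceware-style list).
WORDLIST = ["apple", "brisk", "candle", "delta", "ember", "falcon", "gravel", "harbor",
            "ivory", "jigsaw", "kernel", "lantern", "marble", "nickel", "orbit", "pepper"]


def _label(site: str, question: str) -> bytes:
    # Normalise so "Example.com " and "example.com" (or doubled spaces in the question) derive the same answer.
    return f"{site.strip().lower()}|{' '.join(question.lower().split())}".encode()


def derive_answer(master_secret: str, site: str, question: str, words: int = 4) -> str:
    """Derive a fake, site-specific answer from one memorised master secret.

    Keying the HMAC with the master secret means a site that stores its answer
    learns nothing usable about the answers registered at other sites, while the
    user only has to remember the master secret and this procedure.
    """
    if not 1 <= words <= hashlib.sha256().digest_size:
        raise ValueError("words must be between 1 and 32")
    digest = hmac.new(master_secret.encode(), _label(site, question), hashlib.sha256).digest()
    # One digest byte per word; the modulo is unbiased only while len(WORDLIST) divides 256.
    return "-".join(WORDLIST[b % len(WORDLIST)] for b in digest[:words])


def answer_entropy_bits(words: int, list_size: int = len(WORDLIST)) -> float:
    """Guessing cost of an answer for an attacker who knows the list but not the master secret."""
    return words * math.log2(list_size)
```

Four words from this toy list are only 16 bits of guessing work, which is why the list size matters more than the word count.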

I agree. On the other hand, writing them down seems like as much a breach of security as writing down your password.

So the dilemma is: You want your password to be retrievable if you forget it. You want a way to authenticate that you genuinely are the person requesting the password reset. You don't want this to be based on common knowledge. How do you do it?

I prefer the sites that let you write your own question.
Saturday, December 6, 2003

If you get a site which lets you ask your own question, then you get people who will put in questions like "asdf" where the answer is "asdf". Sometimes people need protecting from themselves. I, therefore, don't agree with letting people ask their own questions.

Sunday, December 7, 2003

I agree with Brian - it depends on the site.

For all sites where I don't care about the security I use the same password, question / answer.  I don't do that for my online banking!

It usually comes down to who benefits from me logging in - is it for my benefit / protection, or just so that the site owner can track things better.

I don't mind too much logging in if that is the case, but I'm not going to try and remember a secure password for the site.

Rob Walker
Sunday, December 7, 2003

T. Norman,

Email is sent over the internet in plain text, much like sending a postcard through the mail.  Anyone with a sniffer in between (or a nosy sysadmin on your end) can read the password easily.

Monday, December 8, 2003
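On the site's side, both the plaintext-email complaint and the earlier worry about an admin reading stored maiden names go away if the answer is stored like a password and a correct answer buys only a short-lived one-time reset token, never the password itself. Added example, not the code of any site mentioned in the thread; the record layout, PBKDF2 parameters and 15-minute lifetime are my assumptions.

```python
import hashlib
import hmac
import os
import time
import unicodedata

PBKDF2_ROUNDS = 100_000  # slow hash so a stolen table still resists offline guessing
TOKEN_TTL_SECONDS = 900  # reset token dies after 15 minutes

def normalize(answer: str) -> str:
    # Tolerate case, spacing and Unicode-form differences when the answer is re-typed.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_secret(tag: str, text: str, salt: bytes) -> bytes:
    # Domain tag keeps the password and answer hashes distinct even though they share a salt.
    return hashlib.pbkdf2_hmac("sha256", f"{tag}\0{text}".encode(), salt, PBKDF2_ROUNDS)

def enroll(password: str, answer: str) -> dict:
    # Store only salted hashes: neither a DBA nor an e-mail sniffer ever sees the raw values.
    salt = os.urandom(16)
    return {"salt": salt, "pw": hash_secret("pw", password, salt),
            "ans": hash_secret("ans", normalize(answer), salt), "reset": None}

def check_password(record: dict, password: str) -> bool:
    return hmac.compare_digest(hash_secret("pw", password, record["salt"]), record["pw"])

def request_reset(record: dict, answer: str, now=None):
    # A correct answer yields a one-time token to mail to the address on file; only its hash is kept.
    now = time.time() if now is None else now
    if not hmac.compare_digest(hash_secret("ans", normalize(answer), record["salt"]), record["ans"]):
        return None
    token = os.urandom(16).hex()
    record["reset"] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL_SECONDS)
    return token

def complete_reset(record: dict, token: str, new_password: str, now=None) -> bool:
    # The token is consumed whether or not it verifies, so it cannot be retried or reused.
    now = time.time() if now is None else now
    if record["reset"] is None:
        return False
    token_hash, expires = record["reset"]
    record["reset"] = None
    if now > expires or not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
        return False
    record["pw"] = hash_secret("pw", new_password, record["salt"])  # salt kept so the answer hash stays valid
    return True
```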

Which brings up one great point about useless logins, I guess: There are so many web sites you have to log into now, the signal-to-noise ratio will be painfully low for those password sniffers.

Monday, December 8, 2003

Financial institutions should watch what they ask for.  By representing that "mother's maiden name" is a security key, they are assuming a liability. 

Makes me mad that they know it is a latch, which is very different from a lock.  Yet they want to sell, sell, sell and make it easy for people to buy, buy, buy, so they promote the use of these non-secure, worthless identifiers. 

My local paper tells the maiden name of the mom upon the death of any of her family members and reminds us of her children and siblings when she passes away.  How secure is that for her children and others?  I believe that makes it public information.

Banks might as well publish the combination to their safes just so they can claim to be as stupid in all matters that relate to security of our money <grin>.

chris collman
Sunday, April 18, 2004
