Thursday, September 9, 2010

Secret questions

In a way, this is my pet topic. If I find nothing else, I resort to cribbing about security questions.

The problem is that these security questions have tripped me up so many times - they are kind of harassing to your mind. One may say that they are challenging, not harassing, to put it in an intellectual way - they challenge you to think of the same answer every time. But, see, I have other challenges in life - I do not need this additional one - something that is thrown at me rather than something I chose. I hate these questions.

There are two types of questions - ones for which anyone can find out the answer by doing some background search, and others for which no one, not even I, can remember the answer. Are there any others? I do not think so. 'What was your favorite place to visit as a child?' - secure, but the answers could be really random; I wanted to visit so many places when I was a kid - but, heck, I do not even remember them now! 'Who is your favorite actor?' - either I blurted out that answer in a public forum some way, or I do not have just one actor (it also depends on the genre). Name a question, and I will tell you at least one reason why it does not work for me.

Some have really researched this stuff and have come up with 'good' examples and 'bad' examples. They prescribe a process by which you can come up with good questions and detect whether a question is a bad one. See goodsecurityquestions.com, for example. But in my view, this is a waste of time - just plain get rid of them. The only reasonable approach I have seen is at the OWASP site (see Parola Secreta?). While they do recommend policies to adopt for security questions and their implementation, they tell you up front why security questions are weak. That list of weaknesses itself should close the case here. Another great piece of advice from OWASP - "Providing the answer to a secret question should never be enough to validate a user, but combined with other factors, such as having access to the user's e-mail account, secret questions can be effective in helping to identify a user."

Another problem I have with security questions is that I do not want to share my 'secrets' with all these web sites. I have different passwords for my bank, mail, blog, and so on. But guess what, my mother's maiden name is only one! Do I want to share that with buycheapink.com? I guess not. I do not mind creating an account with buycheapink.com, but I do mind sharing my mother's maiden name with them.

More frustrating than the questions themselves is the way people have latched on to, and refuse to let go of, this technology. People, listen to me, it is just plain frustrating to users! Get it? Just do not make us go through them. And the real frustration comes from the fact that there are other, simpler alternatives. Send an email - simple, isn't it? Bank of America has instituted a password reset process that relies on your card # and other data on the card (along with the last 4 of your SSN, of course). That works for me. See, if you apply your mind, alternatives come easily. The thing is that the right solution depends on your business - not on a pattern from the industry. You need to have security expertise working on it, not just about anyone, but remember that the right solution for your business comes from your business.
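The OWASP advice quoted above and the "send an email" alternative come down to the same design: the e-mailed token is the real credential, and a secret answer is at most an extra factor that can never pass on its own. The following is an added example, not code from this post or from OWASP; the class, function and field names are illustrative, and the e-mail sender is a stand-in callable.

```python
# Added example (not from the original post): a reset flow in the shape OWASP
# recommends. The e-mailed token is the real credential; the secret answer is
# only an extra factor and is never enough on its own. Names are illustrative.
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60  # seconds a reset token stays valid


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise (case, whitespace) and key-stretch a low-entropy answer."""
    normalised = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


class ResetFlow:
    def __init__(self, users, send_email, now=time.time):
        self.users = users            # email -> {"salt": bytes, "answer_hash": bytes}
        self.send_email = send_email  # callable(email, token); stands in for real mail
        self.now = now                # injectable clock, so expiry can be tested
        self.pending = {}             # email -> (sha256(token), expiry)

    def request_reset(self, email: str) -> str:
        if email in self.users:
            token = secrets.token_urlsafe(32)  # random, single-use, unguessable
            digest = hashlib.sha256(token.encode()).digest()
            self.pending[email] = (digest, self.now() + RESET_TTL)  # store only the hash
            self.send_email(email, token)
        # Same reply either way, so the form does not reveal which accounts exist.
        return "If that address has an account, a reset link has been sent."

    def complete_reset(self, email: str, token: str, answer: str) -> bool:
        record = self.pending.get(email)
        if record is None:
            return False
        digest, expiry = record
        if self.now() > expiry:
            del self.pending[email]
            return False
        user = self.users[email]
        token_ok = hmac.compare_digest(hashlib.sha256(token.encode()).digest(), digest)
        answer_ok = hmac.compare_digest(hash_answer(answer, user["salt"]), user["answer_hash"])
        if not (token_ok and answer_ok):  # the answer alone can never pass
            return False
        del self.pending[email]           # token is consumed on success
        return True
```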

I hate security questions.
