Bad trend of the week: security questions

I’ve noticed more and more websites ask you to enter answers to security questions like “what is your mother’s maiden name” or “where were you born”. This is a very bad trend. Here’s why:

1. Answers to security questions are far more easily guessed than passwords. The set of plausible answers is tiny: for “Where were you born?”, an attacker can simply try the biggest US cities in order of population and will be right for a large share of users within a handful of guesses. A password chosen at random has no such shortlist.

2. Security questions are far more easily figured out by clever attackers, because the “secret” is often a matter of public record. See, e.g., V. Griffith and M. Jakobsson, “Messin’ with Texas: Deriving Mother’s Maiden Names Using Public Records,” ACNS 2005, also in RSA CryptoBytes, Winter 2007, which derives mother’s maiden names from publicly available birth and marriage records.

3. Every time you answer a question like “What city were you born in?”, you spread that important piece of information more widely, thereby increasing the chance that a rogue employee or a data breach exposes valuable information about you. This is particularly bad when the same security questions are shared by sites with no real need for security (e.g. a casual game site) and sites with a strong need for security (e.g. your bank): the weakest site that holds your true answer sets the security of all of them.

My advice, next time you are asked for an answer to a security question, is not to answer truthfully but instead to use a “strong” password (“strong” means, roughly, 8 or more characters with mixed-case letters, numbers and, if allowed, symbols). So when they ask “What city were you born in?”, answer “5ght11YT” or something like it, effectively turning their security question into a conventional password. Use a different random answer at every site, so that a breach at one of them tells the attacker nothing about the others. Since you will not remember such an answer, write it down on a piece of paper (not on your computer); a password manager is the other reasonable place to keep it.
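The guessing argument in point 1 and the random-answer advice just above, as an added Python example that is not part of the original post. The city shares are constructed for illustration and are not census figures; only their shape (a few answers covering a large slice of users) matters. The 8-character, 62-symbol password shape follows the post’s rough definition of “strong”.

```python
import math
import secrets
import string

# Constructed, illustrative share of users born in each of the ten most
# common answers to "Where were you born?". Made-up figures for the example,
# not census data. Everyone else is spread over a long tail of towns the
# attacker would have to guess one at a time.
BIRTH_CITY_SHARE = {
    "New York": 0.05,
    "Los Angeles": 0.03,
    "Chicago": 0.03,
    "Houston": 0.02,
    "Phoenix": 0.02,
    "Philadelphia": 0.02,
    "San Antonio": 0.01,
    "San Diego": 0.01,
    "Dallas": 0.01,
    "San Jose": 0.01,
}

PASSWORD_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def question_success(k, shares=BIRTH_CITY_SHARE):
    """Probability that an attacker who tries the k most popular answers,
    most popular first, is right about a randomly chosen user."""
    top = sorted(shares.values(), reverse=True)[:k]
    return sum(top)


def password_success(k, length=8, alphabet_size=len(PASSWORD_ALPHABET)):
    """The same budget of k guesses against a uniformly random answer of
    `length` symbols drawn from `alphabet_size` choices."""
    return min(1.0, k / alphabet_size ** length)


def guess_space_bits(length=8, alphabet_size=len(PASSWORD_ALPHABET)):
    """log2 of the number of possible random answers of this shape."""
    return length * math.log2(alphabet_size)


def looks_strong(answer, min_len=8):
    """The post's rough rule: 8+ characters, mixed case and at least a digit."""
    return (len(answer) >= min_len
            and any(c.islower() for c in answer)
            and any(c.isupper() for c in answer)
            and any(c.isdigit() for c in answer))


def random_answer(length=12, alphabet=PASSWORD_ALPHABET):
    """A fresh, uniformly random string to use instead of the true answer.
    `secrets` draws from the OS CSPRNG; the `random` module is predictable."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if looks_strong(candidate):
            return candidate


def answers_per_site(sites, question):
    """One independent random answer per site, so a breach at one site
    (point 3 above) reveals nothing about the answer stored at another."""
    return {site: {question: random_answer()} for site in sites}


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"{k:>3} guesses: true answer {question_success(k):.0%}, "
              f"random 8-char answer {password_success(k):.1e}")
    print(f"random 8-char answer: {guess_space_bits():.1f} bits of guess space")
    print(answers_per_site(["bank.example", "game.example"],
                           "Where were you born?"))
```

With the constructed shares, ten guesses hit the true birth city for about one user in five, while the same ten guesses against a random 8-character answer succeed with probability on the order of 10^-14. Whether the real top-ten figure is 15% or 30% does not change the conclusion; the random answer wins by many orders of magnitude, and the per-site dictionary is what you would actually write on the piece of paper.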

Update: David Weinberger has some other reasons security questions are dumb.