A visitor to my blog commented on the post “No favourites” saying that her solution to the problem of being asked multiple security questions (none of which might apply) is to use a single word as the answer to all such questions.
So no matter whether they ask what your favourite movie is, or what your least favourite infectious disease is, or who you would most like to come back as if reincarnation were possible and you were run over by a split-level sheep transporter, your answer might be “Rumplestiltskin”.
As with many elegant solutions, it is very simple.
Of course, the effect is to reduce all security questions down to one:
“What is your backup password?”
That’s right, all that time trying to come up with clever questions… wasted.
I’m not convinced that asking a bunch of questions to which the user might not be able to relate (or the answers to which might change over time) is the best solution, especially if it leads users to effectively using a backup password.
It makes me wonder whether the requirement was expressed along the following lines:
When a user forgets their password and has to ask for a reminder, we need to be able to ask security questions.
A poor requirements analyst would simply document the requirement as stated, then ask what the security questions should be and hand over the requirement and the list of questions to a developer. I call such people “requirements stenographers”: they are about as useful as a tape recorder but a lot more expensive. Chances are that a developer will simply build what was asked for, rather than questioning the requirement, especially if development is being done off-shore. Garbage in, garbage out.
An analyst, on the other hand, always asks why. By encouraging and helping the customer to find the right words to explain why, something along the following lines might be discovered and documented:
When a user forgets their password and has to ask for a reminder, we need to confirm the identity of the user.
Thus, a good analyst drives down to the real business need and expresses that need in a way that allows the maximum flexibility in producing both business and technical solutions.
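If every security question collapses into “What is your backup password?”, the server side should at least treat the answers with the same care as a password: normalise, salt and stretch before storing, compare in constant time, and rate-limit guesses. The example below is added here to illustrate that point and is not code from the blog post; the `RecoveryQuestions` class, the in-memory store and the PBKDF2 work factor are assumptions chosen for the example, not anything the post describes. It also counts how many distinct secrets a user's answers really contain, which is one when “Rumplestiltskin” answers all five questions.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Illustrative work factor (assumption): tune upward for production hardware.
PBKDF2_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Fold case and collapse whitespace so 'Rumplestiltskin ' matches 'rumplestiltskin'.

    Normalising trades a little entropy for usability; answers are free text
    that users rarely type identically twice.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest) for an answer, generating a fresh salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def distinct_secrets(answers: dict[str, str]) -> int:
    """How many genuinely different secrets a set of answers contains.

    Five questions all answered 'Rumplestiltskin' yield 1: one backup password.
    """
    return len({normalize_answer(a) for a in answers.values()})


class RecoveryQuestions:
    """Hypothetical per-user store of security-question answers, kept like passwords."""

    MAX_FAILED_ATTEMPTS = 5

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}  # question -> (salt, digest)
        self.failed_attempts = 0

    def enroll(self, question: str, answer: str) -> None:
        self.records[question] = hash_answer(answer)

    def verify(self, answers: dict[str, str]) -> bool:
        """True only if every enrolled question is answered correctly and the
        account is not locked out. All digests are checked even after a mismatch
        so timing does not reveal which answer failed."""
        if self.failed_attempts >= self.MAX_FAILED_ATTEMPTS:
            return False
        if set(answers) != set(self.records):
            self.failed_attempts += 1
            return False
        ok = True
        for question, (salt, digest) in self.records.items():
            _, candidate = hash_answer(answers[question], salt)
            ok &= hmac.compare_digest(candidate, digest)
        if not ok:
            self.failed_attempts += 1
        return ok


def random_answer() -> str:
    """A per-site random hexadecimal answer, the kind a password manager would hold."""
    return secrets.token_hex(16)


def demo() -> dict[str, object]:
    """Constructed walk-through: one user answers every question with one word."""
    questions = ["favourite movie", "least favourite infectious disease", "reincarnation"]
    store = RecoveryQuestions()
    for q in questions:
        store.enroll(q, "Rumplestiltskin")
    given = {q: "rumplestiltskin " for q in questions}
    return {
        "distinct_secrets": distinct_secrets(given),
        "correct": store.verify(given),
        "wrong": store.verify({q: "Rapunzel" for q in questions}),
        "failed_attempts": store.failed_attempts,
    }


if __name__ == "__main__":
    print(demo())
```

Storing answers this way does not make a one-word answer strong; it only stops the answers leaking in bulk if the question table is stolen, and the lockout stops online guessing. The entropy problem the post describes is unchanged, which is the reason to prefer a genuine identity check over a second password.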
Your visitor’s solution is a great, simple and elegant solution! However, playing Devil’s advocate, I wanted to offer up an alternative with a rationale:
Call me paranoid, but I am uncomfortable with the idea of multiple un-connected sites/services all holding a consistent security set from me.
Say I sign up for some e-commerce site, and they are corrupt; if I use a consistent password as my password for them – it immediately becomes easy pickings for them to track down other sites/services I use, and make a gamble that the password or reminders I use for *their* service are the same as those I use for others.
What I have started doing is simply using to generate a random hexadecimal string for any such inputs.
I then use the “notes” feature in MS Outlook (which is secured by a local password of my choosing that I know well) to maintain storage of the ‘random’ strings, the content of which is backed up externally during my normal weekly backup routine.
Whilst all legitimate sites take great measures to secure (our) data, how many stories have we seen where hackers have accessed their servers, laptops containing sensitive data have been left on trains, and CDROMs have been ‘lost’ in surface mail services…
Clearly a major drawback to my solution is that if I want to access a site and I don’t have access to my local Outlook, then I’m going to be somewhat stuck.
I guess one needs to assess whether the simplicity, freedom and elegance of the first solution outweigh the benefit of my more tedious and obstructive yet highly secure solution…
Devil’s Advocate is always welcome, Ryan!
You are absolutely right, in any case. Using a single password for everything and a single backup password, while simple and elegant, is risky from a security point of view. Each person has to find their own solution somewhere in the middle.
However, it still leaves the weakness in the whole “security question” issue, which is that a website can ask a thousand security questions, but the visitor is still able to use “Rumplestiltskin” as the answer to every one.
Hi Ryan and Declan,
I’m glad you guys liked my solution.
Ryan’s point is well taken. I have access to various websites but I have never used the same password for all of them, for the very security reasons you adduce. I would limit my single word solution to one website.
Also note that the security questions that many websites use are designed as backup in case someone forgets their primary password, so its status is secondary. So the security risk is lessened, as the primary password (in my case anyway) is always different.
I’ve only used my solution once so far, but it was primarily to avoid the nuisance of the 5(!) security questions. Had it only been one or two questions, I might have simply yielded and answered them according to the conventions out of sheer boredom and desire to just get to the function I needed – which turned out to be inaccessible anyway because of compatibility and access issues! Not a site I will return to.
I also use different passwords for everything. Each one is a randomly generated collection of letters and cases, numbers, symbols. I keep the list of passwords in a password protected file, which in turn is in a password-protected online location. Even if someone did manage to get into that location and then into that file, the stored passwords need an additional key combination, which I keep in my head.