I just got finished answering nine security questions for my payroll processing login. You know the kind, “What was the first name of the person you first kissed on the lips (pets don’t count)?”
Supposedly, these questions make us all more secure. I think they make us less secure.
They used to say, “Choose a really hard-to-guess password. Don’t use your mother’s maiden name, or anything that would be easy for someone to guess.” In those days, if a thief wanted to break into your account, they had to figure out two things: 1) what easy-to-remember password you chose—for example, your mother’s maiden name—and 2) what it actually was, for example, Judy Dench.
Now, banks and other “secure” institutions happily take half of the effort out of that equation. By virtue of the challenge question, they already tell a would-be hacker which piece of information they need. All the hacker needs to do is find that piece of information. It shouldn’t be hard, given that 99% of the sites that use these challenge questions ask for the same paltry, easily obtained pieces of information.
I make up random answers to these “secure” questions, so they’re really pretty much impossible to guess. But since I had to do nine of them for my payroll service, I had to write all nine down. I’ll never remember them otherwise.
And now the universe collapses on itself: The ridiculously convoluted, insecure challenge question system is silly and insecure. To make it secure, I had to choose hard-to-guess answers. But I can’t commit nine to memory, so I had to write them down, making them insecure again.
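The argument above has a measurable core: a challenge question shrinks the search space to the set of plausible answers, while a made-up random answer restores a keyspace comparable to a real password. The following Python is an added example, not code from the original post, illustrating both sides from a defender's perspective: a blocklist-style check that flags answers drawn from the small set a question points at, and a CSPRNG-based generator for the random-answer approach, with entropy estimates for each. The name list is a constructed stand-in for a real popular-names list, and the function names (`normalize_answer`, `is_weak_answer`, `random_answer`) are this example's own.

```python
import math
import secrets
import string
import unicodedata

# Constructed stand-in for a public "most common first names" list. A real
# blocklist would hold thousands of entries from census-style data; the point
# is that the question itself names the set a guesser has to search.
COMMON_FIRST_NAMES = [
    "james", "mary", "john", "patricia", "robert", "jennifer", "michael",
    "linda", "william", "elizabeth", "david", "barbara", "richard", "susan",
    "joseph", "jessica", "thomas", "sarah", "charles", "karen",
]

# Alphabet for generated answers (lowercase + digits keeps them typeable).
ANSWER_ALPHABET = string.ascii_lowercase + string.digits


def normalize_answer(answer: str) -> str:
    """Canonical form used for both the weak-answer check and later comparison:
    Unicode-normalized, case-folded, with all whitespace removed, so that
    "Judy Dench" and " judy  dench " are treated as the same answer."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(folded.split())


def candidate_space_bits(candidates) -> float:
    """Entropy in bits of an answer drawn uniformly from a known candidate
    set; with 20 names this is log2(20), a little over 4 bits."""
    return math.log2(len(set(candidates)))


def is_weak_answer(answer: str, candidates=COMMON_FIRST_NAMES) -> bool:
    """Defender-side check (analogous to a password blocklist): reject an
    answer that is, or starts with, an entry from the predictable set."""
    tokens = answer.split()
    normalized = normalize_answer(answer)
    first_token = normalize_answer(tokens[0]) if tokens else normalized
    blocked = {normalize_answer(c) for c in candidates}
    return normalized in blocked or first_token in blocked


def random_answer(n_chars: int = 12, alphabet: str = ANSWER_ALPHABET) -> str:
    """The "make up a random answer" approach, done with a CSPRNG rather than
    by hand. Such answers are not memorable, so they belong in a password
    manager, not on paper."""
    return "".join(secrets.choice(alphabet) for _ in range(n_chars))


def random_answer_bits(n_chars: int = 12, alphabet: str = ANSWER_ALPHABET) -> float:
    """Entropy in bits of a uniformly random answer of n_chars over alphabet."""
    return n_chars * math.log2(len(alphabet))


def compare(n_chars: int = 12) -> dict:
    """Side-by-side keyspace of a predictable answer versus a random one."""
    return {
        "common_name_bits": candidate_space_bits(COMMON_FIRST_NAMES),
        "random_answer_bits": random_answer_bits(n_chars),
    }


if __name__ == "__main__":
    print(compare())
    print("weak?", is_weak_answer("Mary Smith"), is_weak_answer(random_answer()))
```

With the constructed 20-name list the predictable answer is worth about 4.3 bits, against roughly 62 bits for a 12-character random answer; a real names list is larger, but still orders of magnitude smaller than any reasonable password space, which is the post's point. The normalization step matters on the verification side too: if a service compares answers without it, users are pushed toward the simplest spelling, which is exactly the guessable one.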
It shouldn’t surprise me, though. My payroll company’s HTTPS security certificate had the wrong hostname on it, and their system only worked on Internet Explorer. With technical prowess like that, I can imagine that deep down inside, they haven’t the foggiest clue what constitutes security.
Sadly, at this point, neither do I.