My favorite part of registering for a website is usually near the bottom of the registration form. You know, that little drop down box with 3 choices in it: "What is your mother's maiden name?" "What is your favorite color?" "What is the airspeed velocity of an unladen swallow?". You are supposed to select a question for "security purposes." Sometimes you even get the option to create your own question. Whoop-dee-doo.
Why is this bad?
Next time you are presented with the options, see how many people you can name the know the answer to each question. I bet if you think hard enough, you can usually name someone for each question. If someone really wants to impersonate you, all they need to do is find your friends and do some social engineering to find the answers. In most cases, all you need is a few simple answers and you can get and/or change passwords to most online accounts.
You didn't seem too excited about creating your own questions. Why not?
The chances of you coming up with a question that is more secure is slim, but possible. If you take a look at some recent data on passwords, you can see that people in general aren't really all that creative (except that password1 replaced password--if you call that creative).
Yeah, yeah, yeah, but most of these sites are harmless anyway, aren't they?
It's true, most of the sites that want this information are indeed harmless. You've got forums pertaining to a topic, free software download sites, etc. I have noticed, however, that more and more commercial entities are sneaking these into their registration forms. The more popular it becomes, the more popular it becomes. It's perceived security, much like airport security, but I digress. Some of these companies--insurance agents, banks, hospitals, etc.--can have lots of your personal data.
So why are you writing about this now?
I'm glad you asked... This morning when logging into the web interface for my credit card, they informed me that I could only log in 3 more times without setting up my security questions. Umm... What?!? I HAVE to set up my security questions? They want to make my account less secure by giving people more ways to prove that they are me? That just doesn't make a bit of sense to me. At least the questions were off the wall, but I can still name at least one person (other than my wife) for each question that knows the answer. Usually I will use the questions to see how many random and special characters (%, &, *, etc.) I can fill the box with, but I decided to use real answers, as they said the questions would also be used to access certain sections of my account. Unfortunately one of my answers had a single apostrophe in it, and it complained about the special characters.
Thanks for "increasing" security. I'd rather call you to change my password, thanks.
