Setting up reasonable security questions is actually incredibly difficult,
because the answer has to be memorable and unambiguous, as well as
(hopefully) not "guessable". Like Sylvania, I am often thwarted by a set of
questions that either don't apply to me, or are ambiguous enough that I know
I won't be able to remember my exact answer -- exact same word, spelled the
same way, etc.

As this paper from last year's SOUPS conference pointed out, there is also
concern that many of the common questions relate to information that is now
readily available online:
http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf

Kind of funny aside: I work with a bunch of engineers who created one of
these systems, and their personal way of handling them is to answer *every*
question with the same nonsense string. What's your mother's maiden name?
Bob. Where did you go to high school? Bob. And so on. That way, at least you
won't get locked out because you forgot your answers. And you know, it might
be just as secure as sweating over trying to remember whether you entered
"Thomas Jefferson High School" or "T J High". (Of course, some systems now
prevent you from doing this, for your own good, of course.)

Cheers,

Jean-Anne


On Mon, Dec 22, 2008 at 11:52 AM, Dye, Sylvania <[email protected]> wrote:

> Secret questions invariably thwart me, maybe because they always ask for
> something that I can't remember, that changes, or that doesn't apply to me.
> Which phone number - my cell or land line? Address - did I set this up
> before or after I moved? I went to 11 different schools, my favourite colour
> and food change often, and my husband took my last name, so he's the one
> with the maiden name, not me... (Maybe I'm odd, but all of this is true.)
> The only secret question that has ever done me any good is "Type your own
> secret question and answer."
>
> Bruce Schneier's article makes a very good point, too, that this is just a
> less secure, backup password. I'm not versed in internet security, but it
> seems odd to me that my bank account protects my ATM access with a single
> 4-digit code, while Yahoo Groups went to incredible lengths to punish me and
> lock me out for having the audacity to forget my password.
>
> *I'm sure this is a naive question,* but some major sites will simply send
> a reset link to the email on file when I forget my password (after making me
> verify that I'm a real human by copying text from a janky image)... what's
> wrong with that?
>
> Cheers,
> Sylvania
>
> User Experience Designer
> ________________________________________________________________
> Welcome to the Interaction Design Association (IxDA)!
> To post to this list ....... [email protected]
> Unsubscribe ................ http://www.ixda.org/unsubscribe
> List Guidelines ............ http://www.ixda.org/guidelines
> List Help .................. http://www.ixda.org/help
>