What is your favourite Security Question?

Up to now, I’ve always declined to set up security questions on my Yahoo Mail account, simply because I have no fears of forgetting my password. I’ve never really thought much about the whole thing. But to my annoyance, today I was forced to select two security questions and answers before I could even log into my account. Through pure annoyance I nearly lapsed into parody (Question: “Do I really give a F—?”), but then realised this would leave my account wide open for somebody to easily recover my password! This made me realise just how big a loophole the security question model is.

Upon reflection, I felt I was being forced to provide an additional, and less secure, means of access to my account. Even if I selected one of the provided questions (“What was the name of the hospital you were born in?”), the answer could easily be learned through a little social engineering. Most likely, family members and those in close relationships would have a good chance of correctly answering each other’s security questions.

But a further gap exists where it is possible to provide your own question and answer, which may not be chosen with security in mind. How many people will opt for “What is my favourite colour?” (even a stranger could guess that after a few tries), or even worse “Do I really give a f—?”, as I nearly set up in my annoyance (the answer to this rhetorical question is obvious)? Ideally, we would all set up our own question which only we can answer, but in practice a lot of people will be lax about this.

I wonder why Yahoo made security questions mandatory all of a sudden? Presumably I did not choose any when I registered, and perhaps Yahoo are spending a lot of money manually recovering accounts. Although there needs to be a way to recover lost email accounts, the security question model seems far from ideal. Is there a better way to recover lost email accounts without invoking a manual process?
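As an added example (not Yahoo’s code, and not part of the original post), the following Python turns the two weaknesses just described, a yes/no rhetorical question and a question whose answer comes from a tiny set such as a favourite colour, into a check that a registration form could run before accepting a user-chosen question, and then stores the accepted answer the way a password should be stored: normalised, salted and hashed with a slow key-derivation function. The colour list, the regular expressions, the five-guess lockout and the six-character minimum are constructed assumptions; the check cannot detect the social-engineering case (a hospital name a relative knows), so it accepts that example.

```python
"""Policy check and storage for user-chosen security questions and answers.

Added example (not Yahoo's code): it turns the two failure modes in the post
(yes/no "rhetorical" questions and tiny-answer-space questions such as a
favourite colour) into a check a registration form could run, and then
stores the answer the way a password should be stored.  The word lists,
regexes and thresholds are constructed assumptions for illustration.
"""
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed guess list an attacker would try first for a colour question,
# in an assumed order of popularity.  Position in the list = guesses needed.
COMMON_COLOURS = ["blue", "red", "green", "purple", "black", "pink",
                  "yellow", "orange", "white", "brown", "grey", "gray"]
YES_NO = {"yes", "no", "y", "n", "true", "false", "yeah", "nope"}

# Questions whose answer set is known to be tiny, with the size of that set
# (assumed sizes; an attacker just enumerates the set).
TINY_SPACES = [
    (re.compile(r"colou?r", re.I), len(COMMON_COLOURS)),
    (re.compile(r"\bmonth\b", re.I), 12),
    (re.compile(r"day of the week", re.I), 7),
    (re.compile(r"\b(gender|sex)\b", re.I), 2),
]
# Wording that marks a rhetorical question whose answer is a coin flip.
RHETORICAL = re.compile(r"\b(really|give a|care)\b", re.I)

MAX_ONLINE_GUESSES = 5      # assumed lockout after this many wrong answers
MIN_ANSWER_LENGTH = 6       # measured on the normalised form


def normalise(answer: str) -> str:
    """Canonical form used for both the policy check and storage:
    Unicode-normalised, case-folded, with spaces and punctuation removed, so
    that "St. Mary's" and "st marys" compare equal and the owner is not locked
    out by their own formatting."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^\w]", "", folded)


def guess_space(question: str, answer: str):
    """Worst-case number of guesses an attacker who knows only the question
    needs, or None when no small answer set is known for it."""
    a = normalise(answer)
    if a in YES_NO or RHETORICAL.search(question):
        return 2                                    # yes/no: a coin flip
    if a in COMMON_COLOURS:
        return COMMON_COLOURS.index(a) + 1          # position in the guess list
    for pattern, size in TINY_SPACES:
        if pattern.search(question):
            return size
    return None


def check_policy(question: str, answer: str) -> list:
    """Return the reasons to reject the question/answer pair (empty = accepted)."""
    problems = []
    a = normalise(answer)
    space = guess_space(question, answer)
    if space is not None:
        p = min(1.0, MAX_ONLINE_GUESSES / space)
        problems.append(f"answer space of about {space}: an attacker succeeds "
                        f"with probability {p:.0%} before lockout")
    if len(a) < MIN_ANSWER_LENGTH:
        problems.append(f"normalised answer shorter than {MIN_ANSWER_LENGTH} characters")
    return problems


def store_answer(answer: str, salt=None) -> tuple:
    """Hash the normalised answer with salted PBKDF2 so a database leak does
    not hand out every recovery answer in clear (same treatment as a password)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 200_000)
    return salt, digest


def verify_answer(stored: tuple, candidate: str) -> bool:
    """Constant-time comparison of a recovery attempt against the stored pair."""
    salt, digest = stored
    _, attempt = store_answer(candidate, salt)
    return hmac.compare_digest(digest, attempt)


if __name__ == "__main__":
    examples = [("Do I really give a f---?", "no"),
                ("What is my favourite colour?", "blue"),
                ("What was the name of the hospital you were born in?", "St. Mary's Hospital")]
    for q, a in examples:
        print(q, "->", check_policy(q, a) or "accepted")
```

The normalisation cuts both ways: it is what lets the owner type “st marys hospital” and still recover the account, and it is also why an answer’s real entropy is far smaller than its character count suggests. A real deployment would additionally count wrong answers per account and lock the recovery flow after `MAX_ONLINE_GUESSES`, which is the assumption the probability reported by `check_policy` relies on.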
Asking for a better recovery mechanism is really asking what alternatives there are to passwords, which I can easily forget:

  • Encourage usage of single sign-on solutions such as OpenID (Yahoo recently became an OpenID Provider, so you can log in to many sites such as blogspot or stackoverflow using your existing Yahoo login)
  • Biometrics: facial recognition, fingerprint/iris/retinal scan. These are often described as highly secure, but there are avenues for circumvention through faked credentials such as lifted fingerprints or photographs, and a biometric that has been copied cannot be changed the way a password can. There are also legal and privacy issues to deal with.
  • Smartcards: do I need a different smartcard for every site I log in to? This introduces an operating cost. Might work in conjunction with a single sign-on approach like OpenID.

One option I do not like is reliance upon the “password managers” built into many web browsers. They are helpful as a convenience, but not as a long-term solution. They discourage users from memorising their credentials, and they are tied to a particular web browser or operating system. The combination of these two things could leave a person in a difficult spot if they lose their data, or simply if they want to change to different software which doesn’t support the password manager they were using.

I’m beginning to like the OpenID option. Because you only ever need to remember one password, there is a greater incentive to make it a strong one which cannot be easily brute-forced. One downside of OpenID is that you could lose access to all your sites if you forget your password, but more care would be taken to remember what could be a “password for life” (it takes on average 13 years for a Pentium 4 computer to break a strong 8-character password). That figure assumes an offline attack against a fast hash on a single 2008-era CPU: against a rate-limited login form it is far longer, while a GPU or a botnet cuts it to days, so even a single password should not be treated as literally unchangeable. Another downside is that not every site is compatible with OpenID, but this will hopefully get better over time.

There are privacy issues with the use of OpenID: you would be building a reputation throughout the web which can all be linked to your single identity. Additionally, all your website registrations are stored by the provider, but you can at least choose your provider wisely.

The only remaining issue is which security questions to set up on my OpenID account …
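To see what the “13 years on a Pentium 4” figure does and does not mean, here is an added calculation that is not part of the original post. It models the average time to find a password for a few character-set sizes and attacker guess rates, and inverts the model to give the length needed to survive a chosen attacker for a chosen number of years. The guess rates are assumptions for illustration: about 1e7 guesses per second for a single 2008-era desktop CPU against a fast hash (the setting that produces a figure of roughly a decade for an 8-character password), 1e10 for a modern GPU against a fast unsalted hash, 1e4 for a deliberately slow password hash such as bcrypt or PBKDF2, and 1 per second for a rate-limited online login form.

```python
"""Average time to brute-force a password as a function of character set,
length and attacker guess rate.

Added example, not from the original post.  The guess rates below are
assumptions for illustration: roughly 1e7 guesses/s for a single 2008-era
desktop CPU against a fast hash (the setting behind "13 years on a Pentium 4"),
1e10/s for a modern GPU against a fast unsalted hash, 1e4/s for a slow
password hash such as bcrypt or PBKDF2, and 1/s for a rate-limited online
login form.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Size of the alphabet the password is drawn from.
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable": 95}

# Assumed attacker guess rates in guesses per second (see module docstring).
RATES = {"online, rate-limited": 1.0,
         "slow hash, one CPU": 1e4,
         "fast hash, one 2008 CPU": 1e7,
         "fast hash, one GPU": 1e10}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of the given length."""
    return charset_size ** length


def years_to_break(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Average time to find the password: an attacker covers half the
    keyspace on average before hitting it (the worst case is twice this)."""
    return keyspace(charset_size, length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(charset_size: int, target_years: float, guesses_per_second: float) -> int:
    """Shortest length whose average break time is at least target_years at
    the given guess rate (inverts years_to_break)."""
    needed_guesses = 2 * target_years * SECONDS_PER_YEAR * guesses_per_second
    return math.ceil(math.log(needed_guesses) / math.log(charset_size))


def table(length: int = 8) -> dict:
    """Years to break for every charset/rate pair, keyed by charset name."""
    return {name: {rate_name: years_to_break(size, length, rate)
                   for rate_name, rate in RATES.items()}
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for name, row in table(8).items():
        cells = "  ".join(f"{rate_name}={years:.3g}y" for rate_name, years in row.items())
        print(f"{name:>13}: {cells}")
    print("length needed for 100 years against one GPU:", min_length_for(95, 100, 1e10))
```

The same 8-character password that takes about a decade on one 2008-era CPU falls in days to one GPU, and a digits-only one falls in seconds, which is why the strength of a “password for life” is really a statement about the hash the provider uses and the hardware an attacker can rent, not a fixed property of the password.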