City of birth? Why password questions are a terrible idea

Using secret questions to give people access to their passwords is a terrible idea, according to a new paper from Google. A white paper [PDF] called "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google" dug into the data of millions of users' interactions with a range of password- …

  1. choleric

    inquiring minds

    Yes but what is Google's favourite food this month?

    1. Antonymous Coward

      Re: inquiring minds

      Fucktard.

      That one never changes. Google is a fucktardivore.

      Which makes me wonder if there's truth to the old adage you are what you eat... the empirical evidence El Reg just presented doesn't seem to leave much room for doubt... hmmm...

      1. Anonymous Coward

        Re: inquiring minds

        I can see from your down votes that Google employees are spamming the comment board again.

    2. Anonymous Coward

      Re: inquiring minds

      Whenever I lose my Google password, I just call the NSA. After all, Google hands them everything anyway.

      1. Anonymous Coward

        Re: inquiring minds

        obligatory dilbert

  2. MrDamage Silver badge

    Spell it phonetically

    Combine phonetic spelling, especially in conjunction with any local accent you may have, and it suddenly makes password guessing a whole lot harder, even if you do have the details plastered all over your farcebook page.

    eg: City of Birth: Lifpull vs Liverpool.

    1. Anonymous Coward

      Re: Spell it phonetically

      Brilliant! Ergo: sanfrnsisco

    2. Deltics

      Re: Spell it phonetically

      Why does the answer even have to relate to the question ?

      If you simply adopt the practice of consistently using the same non-relevant answer to a particular question you both improve the ability to recall it (since it is contextual - password recovery - and specific - always the same for a given question)

      e.g.

      Town where you were born: Fish and chips

      Mother's maiden name: Capsicum

      Favourite food: Kylie Minogue

      Needless to say, these are not the answers I use. :)

      1. Craigness

        Re: Spell it phonetically

        "Why does the answer even have to relate to the question?"

        My father's middle name has 200 bits of entropy, constantly changes, and is stored in my password manager.

        Why would a company want customers who are likely to forget their password anyway?

        1. Yag

          Re: Spell it phonetically

          ...stored in my password manager.

          Why would a company want customers who are likely to forget their password anyway?

          Love the irony...

          1. Craigness

            Re: Spell it phonetically

            "Love the irony..."

            I've never forgotten a password, because I have a password manager. I don't see the irony there. The point is that an easy to guess "security" question makes the password weak, no matter how long it is, so the answer to the question has to be something which can't be guessed, and your father's name should be different on every site just like your password is. That requires a password manager...and that's the irony! Instead of having 1 high-entropy string to remember, you have 2.

            1. Yag

              Re: Spell it phonetically

              You don't remember your password. It's your password manager that remembers them for you.

              No need for justification, it's fine you know...

        2. h4rm0ny

          Re: Spell it phonetically

          >>"My father's middle name has 200 bits of entropy, constantly changes"

          Let me guess, your father is Bruce Schneier?

          1. breakfast Silver badge

            Re: Spell it phonetically

            His full name is currently Bruce QKNNqX5RPied54StngMi0ZfMNF8l637cwywzQJ1302FdwG3R4NLodqYi1vMy6FS Schneier.

            1. Michael H.F. Wilkinson Silver badge

              Re: Spell it phonetically

              Reminds me of the BOFH episode where Simon reminisced about the time he set the password expiry time to 24 hours and minimum required length to 32 characters, forcing people to use a password generator which produced results looking like "vaguely pronounceable line noise"

              Brilliant

              1. Anonymous Coward

                Re: Spell it phonetically

                Reminds me of the BOFH episode where Simon reminisced about the time he set the password expiry time to 24 hours and minimum required length to 32 characters, forcing people to use a password generator which produced results looking like "vaguely pronounceable line noise"

                You're referring to this passage… from The Striped Irregular Bucket (which predates the BOFH):

                I hang up - he'll call back. Meantime I open up a copy of "VMS BASTARD OPERATORS MANUAL FROM HELL" I'm reading the article I sent in about getting rid of those trouble users...

                "... Modify the user's password minimum from 6 to 32 letters, give the password a 1 day lifetime, set it so that they HAVE to use the password generate utility when they change their password (so their password will always be something that looks like vaguely pronouncable line-noise), add a secondary password with the same as the above, then redefine their CLI tables so that the only command that works is DELETE, and all other commands point to it."

                (Above passage © Simon Travaglia, ~1988~89)

      2. Anonymous Coward

        Re: Spell it phonetically

        " using the same non-relevant answer to a particular question ....Favourite food: Kylie Minogue"

        Non relevant for you perhaps. There's some people round here would be delighted to have a munch.

  3. Anonymous Coward

    Damned lies

    A few years back I cashed in the residue of a UK ISA (remaining balance just £1.50 but local tax laws forced it to be closed). No longer being in Blighty it transpired this would be a serious posterial pain involving sending of certified passport copies to validate signatures, etc, but their helpful man on the phone explained I could skip all that simply by registering for their internet banking access, then login and transfer the investment funds to wherever I liked. So off I toddled and being in a hurry and not overly concerned about the risk that some miscreant steal my half-a-cup-of-coffee's worth I pasted "sasquatch" into all the security question prompts. Clickety-click, done, now to close the account... "Please phone our banking service team for this request"

    "Hello Mr Mongo, I can see your account number but first I just have to ask you some security questions...what was your grandfather's occupation?"

    "Sasquatch"

    "That's fine ... now what was the name of your first school?"

    "(nervous giggle) Sasquatch"

    "Ahhh...and was your first pet's name?"

    "Sasquatch, too. I mean too as in also, not two as in the number...I really didn't expect I'd be telling these to a person, it was just a nice word to say..."

    He kindly overlooked my embarrassed tittering, didn't go all jobsworth about this horrific breach of security best practice, nor yet accuse me of lying to one of Her Majesty's civil servants for pecuniary advantage. And (in my defense) no amount of dumpster diving or Facebook scraping would have revealed my family's secret shame that grandpa used to roam the American woods in a monkey suit.

    1. Anonymous Coward

      Re: Damned lies

      You're more sensible than I am. At one time, all of the answers to my security questions were strings of obscenities. I think I'm going to start using strings like: theresabombunderyourchair

    2. VinceH

      Re: Damned lies

      "And (in my defense) no amount of dumpster diving or Facebook scraping would have revealed my family's secret shame that grandpa used to roam the American woods in a monkey suit."

      Yet you happily revealed that shameful secret in a comment on El Reg!

      I think as a punishment, you should don a dinosaur suit and start swimming in Loch Ness.

    3. Bob Dole (tm)

      Re: Damned lies

      I suspect a LOT of people do this. I know I do.

  4. Andrew Jones 2

    This would explain Google's ridiculously over complicated password recovery system then.

    A friend was trying to remember her password and we eventually opted for the account recovery thing.

    An email address we can contact you on.

    What is the last Password you remember

    When did you create your account MM/YY

    When can you remember last using your account MM/YY

    Secret Question & Answer

    When did you last use:

    Google Mail MM/YY

    Hangouts MM/YY

    Google+ MM/YY

    Wallet MM/YY

    OK it only wanted approximate dates - but still - I went through that 6 times - before we finally recovered her account!

    1. Qu Dawei

      only password recovery

      I've found gmail to become almost unusable since it seems to object to me accessing my email account with them from multiple locations. It required the use of some bizarre extra level of security I could just do without, and there was no way of opting out from it. A total pain.

      1. Phuq Witt

        Re: only password recovery

        Plus a zillion on that!

        I opened an account with Yandex mail and [as one of the options] chose to import my existing email from a Gmail account. It didn't work and I later got an email from Google along the lines of "We prevented unauthorised access to your account".

        Clicking a link in that email took me to a Google Account Security page where a nice map showed me that an attempt had been made to access my account from St. Petersburg, Russia [obviously Yandex's mail importer trying to do its thing].

        Under the map was a box to tick saying something along the lines of "It's OK. That was me". So I ticked this and went back to Yandex to try again...

        Rinse and repeat, ad nauseam.

        No matter how many times I told Google it was OK to allow the connection attempt from St. Petersburg, they still blocked it —even after I ticked some other option to use less stringent security on my Gmail account.

  5. itzman

    What is the name of your pet rabbit?

    I don't have a pet rabbit.

    Actually the things I use tend to be stuff that is buried so far in my altogether too long past that no one else has a cat's chance in hell of discovering them.

    I am probably the only person alive who remembers the name of the family cat in 1954....

    1. Evil Auditor Silver badge

      Re: What is the name of your pet rabbit?

      But why the heck would someone name a cat "in 1954"?

      1. Naughtyhorse

        Re: What is the name of your pet rabbit?

        clearly a top secbod

    2. Irongut

      Re: What is the name of your pet rabbit?

      At least you had a family cat. I've never owned a pet, don't have a favourite food or colour and my father has no middle name. A lot of the truthful answers to my security questions are 'None'.

      Fortunately I don't have to worry about a hacker looking me up on Facebook to find out the other answers. I've never had an account and my name is common enough they would probably find someone else.

  6. Gene Cash Silver badge

    Even worse

    I've been asked for my city of birth....

    "Ocala"

    "Response must be 8 letters or longer"

    "Ocala, FL"

    "Response cannot contain spaces or punctuation"

    My next response didn't contain spaces or punctuation, but it certainly contained my opinion of the bank and the coders.

    1. Anonymous Coward

      Re: Even worse

      Something along the lines of "LearnToCodeProperlyYouLazyGits"?

    2. Craigness

      Re: Even worse

      That would help some of the 38% of Koreans. And Londoners, Parisians, Romans, Dubliners, Los Angelinos,......

    3. Crazy Operations Guy

      Re: Even worse

      What is your favorite color? (Answer must be 8 characters or longer). So that gives only two options (That I can think of): Aqua-marine and Vermilion...

      1. choleric

        Re: Even worse

        Turquoise?

        1. king of foo

          Re: Even worse

          Durchfall ?

          Because I can't spell it in Englisch... despite being Schottisch.

          1. Evil Auditor Silver badge

            Re: Even worse

            @king of foo, I'm sure your Durchfall has some colour and I don't want to hear any more details about that. But I'd tell you the same as I recently told the missus: apricot is a fruit and not a feckin' colour!

            1. Myself-NZ

              Re: Even worse

              What about orange ? Both a fruit and a colour.

              1. AndrueC Silver badge

                Re: Even worse

                What about orange ? Both a fruit and a colour.

                Fun fact: No they aren't. Not really :D

      2. Captain Hogwash

        Re: Even worse

        Use modifiers e.g. dark black, light black, pale black, etc.

        1. Anonymous Coward

          Re: Even worse

          The use of these type of questions is clearly stupid. The answers are either easily guessable or unmemorable. I also don't want to give that kind of information to the majority of sites I use.

          The only solution I've come up with is to make stuff up and store it in a password manager.

      3. Picky

        Re: Even worse

        Aqua-marine contains a hyphen ... computer says no ...

      4. tony2heads

        Re: Even worse

        color:#80BFFF

      5. Kubla Cant

        Re: Even worse

        Ultramarine? Viridian? Charcoal? Aureolin?

        But seriously, who the hell has a favourite colour past the age of six?

      6. Stoneshop

        Re: Even worse

        What is your favorite color?

        Ultraviolent, infradead, burnthombre, loathsomelilac, gangreen...

        Or maybe BlueNoyelAuuuuuuuugh!

      7. heyrick Silver badge

        Re: Even worse

        Amaranth? Chartreuse? Cerulean?

        (red, yellow (or green as a web colour for some reason), greeny-blue)

      8. Tromos

        Re: Even worse

        Greenish

    4. Whit.I.Are

      Re: Even Worse

      I had the same with my mother's maiden name - which at 4 characters long was too short for the dumbass site I was trying to register for.

      1. Stoneshop

        Re: Even Worse

        I had the same with my mother's maiden name

        I have an inkling their code would also barf if your mother's father was Johann Gambolputty-de-von-Ausfern-schplenden-schlitter-crass-cren-bon-fried-digger-dangle-dungle-burstein-von-knacker-thrasher-apple-banger-horowitz-ticolensic-grander-knotty-spelltinkle-grandlich-grumblemeyer-spelter-wasser-kurstlich-himble-eisen-bahnwagen-guten-abend-bitte-ein-nürnburger-bratwürstel-gespurten-mitz-weimache-luber-hundsfut-gumberaber-schönendanker-kalbsfleisch-mittleraucher-von-Hautkopft von Ulm

        (beer, to lubricate your throat in case you have to read it on the telephone)

    5. jonathanb Silver badge

      Re: Even worse

      The largest cities in most countries I can think of are less than 8 characters long.

    6. Irongut

      Re: Even worse

      The first line of my address has a slash in it. This could be replaced by a dash and the postie will still understand. What really annoys me is the number of sites that won't allow punctuation of any kind in an address. Especially since you pick what you want to buy, they make you create an account with a bunch of stupid security questions and only as you're completing the order do they tell you that / isn't allowed in an address.

      YES IT BLOODY WELL IS!

    7. macjules

      Re: Even worse

      Florida, fine but a bit of an embuggerance if you come from somewhere like Luxembourg, Andorra, Liechtenstein or Monaco.

      Significantly worse if you happen to have been born in Scunthorpe I think.

    8. Anonymous Coward

      Re: Even worse

      Limely alert -

      So how would people in "New York" manage?

      1. Michael H.F. Wilkinson Silver badge

        Re: Even worse

        Blue,....

        No, RED!!

        WAAAAAAAAAAAAAAAAH!

        ---------------------------------------------------------------------------

        And now for something completely different:

        I could imagine some online forms choking on Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch as a place of birth

        Coat please! Mine is the one with the souvenir ruler from Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch in the pocket

        1. Midnight

          Re: Even worse

          Achievement unlocked! Longest. Name. Ever.

        2. Anonymous Coward

          Re: Even worse

          I could imagine some online forms choking on Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch as a place of birth

          The Kiwis can go one better:

          http://upload.wikimedia.org/wikipedia/commons/5/5b/New_Zealand_0577.jpg

  7. dan1980

    Using secret questions to give people access to their passwords is a terrible idea, according to a new paper from Google anyone with a brain.

    Bleeding obvious really - unchangeable, factual answers (like city of birth) are easy to remember but the easiest for someone else to find out.

    The best compromise for secret questions is to allow users to write their own questions as well, as then the user can - if they are clever* - set up questions where the answers are easy to remember but very hard to guess or discover.

    * - Big "if", I know . . .

    1. Crazy Operations Guy

      "are easy to remember but the easiest for someone else to find out."

      Hell, even Sarah Palin knows that...

    2. a_yank_lurker

      My favorite question is when you can write your own. I have a good question that very few people would know the answer to.

      1. MrZoolook

        Please input a question only you know the answer to

        "You're letting me write my own question?"

        Sorry, your reply must not contain any spaces or punctuation, and must have at least one capital and one small letter, and must contain at least one number.

        "5oY0uWan7Me2AskAQuest1onL1keThi5"

        Thank you. Now please type in the answer to that question.

        *clicks 'forgotten your question' button*

      2. Evil Auditor Silver badge

        @a_yank_lurker, and the answer is "2 inches".

        1. Anonymous Coward

          @Evil Auditor

          You are a_yank_lurker's other half, and I claim my £5!

    3. Tannin

      easy to remember? really?

      Great post, Dan1980 but just one thing: "Bleeding obvious really - unchangeable, factual answers (like city of birth) are easy to remember but the easiest for someone else to find out."

      Well, actually, no. I was born in .... well, sometimes that particular part of Melbourne is regarded as Elwood, sometimes it's East St Kilda, but people mostly save confusion and say Elsternwick (which is right next door and better known) or possibly St Kilda. On your power bill it might say "Elwood", but your electoral registration is "East St Kilda" .... and I haven't even mentioned the rates notice, which says "St Kilda, East". Then again, whichever way you think of it, it's part of the municipality of Caulfield. That might be a better answer. On the other hand, maybe I should just say "Melbourne" as all these are suburbs of Melbourne. But that's too easy for third parties to guess - probably 70% of all Australians living in Victoria were born somewhere in Melbourne.

      Right: it's three years later and some stupid website is asking me where I was born so that I can get back into my account. Do I feel lucky?

      (Disclaimer: I wasn't really born in the place(s) I mentioned, but in a different part of town with an equal multiplicity of possible names. Better not to mention these things on-line. At least not truthfully. Especially not when I don't even know for sure what the "truth" is! Should I just give a lat/long instead? Or possibly just go to a different website where the IT gnomes are slightly less stupid.)

      1. Matt 21

        Re: easy to remember? really?

        Surely the problem here, even if you can remember the "unique" answer you gave, or even the "unique" question you asked, is that once it's compromised it's compromised everywhere.

        So, the only real solution is to give a different answer on each site which works like this and then record them somewhere... oh hang on a mo, if that's compromised we're back to the same problem....

      2. glen waverley

        east st kilda

        Was City of Caulfield. Now city of Glen Eira. But city of St Kilda now city of Bayside. So a few more chances of misremembering "correct" answer.

        (Same logic applies to yr real suburb since all the council names were forcibly changed in the 90s.)

    4. John H Woods Silver badge

      Set your own questions ...

      My erstwhile boss had something like:

      Q: "I hope you don't think you're going out dressed like that, young lady!"

      A: "I'll go out dressed how I like, I hate you and you aren't my real dad anyway!"

      Ironically when these Q&A pairs get funny enough, you usually can't resist telling someone else ...

    5. breakfast Silver badge

      The problem with allowing users to write their own question is that although it confers security to smart users, it confers broad new vistas of insecurity to dumb ones. Which is, unfortunately, most of us...

    6. NotoriousREV

      On one website I was using, when I created my account it asked me to create 2 questions and associated answers to be used in the event of needing to recover my password. 3 months later, I've forgotten the password and click on the "Forgotten my password" link.

      "What is the answer to question 1?"

      That was it. It didn't actually display my question, it just assumed that, despite the fact I've proven I'm incapable of remembering a password, you now think I can remember the questions I wrote, the answer AND the order in which I wrote them?!

    7. IglooDude

      I once encountered a forum where they prompted for a custom secret question. Great idea, I thought, and put in a properly clever one. And some lengthy time later, had to do a password recovery, and it started with asking me a fill-in-the-blank "What is your secret question?" At which point I abandoned the site, never to return.

  8. Medixstiff

    I've always preferred sites that allow you to create the question and answer yourself, so you create outside the box questions that are harder if not impossible to find via social engineering.

    Plus I keep everything in a password safe with a copy online and with the questions in the notes section.

    1. MacroRodent

      Questions

      I've always preferred sites that allow you to create the question and answer yourself

      Agreed. I have long wondered why there are prepared questions at all. When you write the question yourself, it can be made to relate to a personally memorable event or fact, which is easier to remember and far less likely to be discoverable by an attacker than something like mother's maiden name.

      1. Anonymous Coward

        Re: Questions

        The "conventional wisdom" (take that as you wish) is that if you allow people to enter their own question then the majority will be too lazy, enter something like "2 + 2?" (with the correct answer!) and any semblance of security has vanished in a puff of smoke.

        Now of course the retort to that is that those (of us) who are sensible and have a clue will not enter such a trivial question, or will enter a non-obvious answer.

        Basically, do you try to get everyone to a level where there is a veneer of security by asking from a pre-defined list of supposedly non-obvious questions, or do you allow a free-for-all knowing that some will end up being more secure and some end up being significantly less secure?

    2. thondwe

      Write your own question

      Doesn't all this boil down to...

      Question - "What's my other password?"

      Answer - "MyOtherFavouritePassword"

      Which isn't a million miles away from a two factor scheme which asks for two things? Which then lets you tick to "trust" this device (forever/30 days), which is the one that's hacked and can bypass the MFA anyway...

      1. This post has been deleted by its author

    3. Anonymous Coward

      Eh?

      If you keep the account details in a Password safe then why would you even need to go through the forgot password questions in the first place?

  9. Anonymous Coward

    One time when signing up to something I got a security question that asked

    "First telephone number:"

    I couldn't remember it so I took the only logical step and put

    "1"

    Which the form happily accepted.

    1. Anonymous Coward

      I see Alexander Graham Bell is making a comeback on The Register… and we thought he was dead!

      1. mhoulden

        "Hello. You have reached the answering machine of Alexander Graham Bell, inventor of the first telephone. If you've invented another telephone..."

        (From the Celebrity Answerphones round on I'm Sorry I Haven't A Clue a few years ago)

        1. Anonymous Coward

          (From the Celebrity Answerphones round on I'm Sorry I Haven't A Clue a few years ago)

          God I miss that show… used to hear it on 4QR (aka ABC Radio National Brisbane; 792kHz) some mornings before 6AM as well as other BBC classics like My Word and The Goons.

          1. D@v3

            ISIHAC

            Still going, with Jack Dee in the chair, and (surprisingly?) still quite good

  10. Barry Rueger

    My bank

    The weakest passwords in use are for my bank, who claim - seriously - that allowing upper case and non-alphabetic characters would be too confusing for customers.

    Unlike questions about my childhood, answers to which have either been forgotten or suppressed decades earlier.

  11. Anonymous Coward

    Choose a question (and answer) on car numbers

    What was the registration of your first car?

    What was the registration of your previous car?

    What was the registration of your red car?

    What was the registration of your father's car?

    Etc.

    Would work for quite a few people.

    1. Tannin

      Re: Choose a question (and answer) on car numbers

      What was the registration of your first car? (Ans: PWT-377. Easy.)

      What was the registration of your previous car? (Ans: I didn't *have* a car previous to my first car! Or maybe you mean the one previous to the one I have now. Easy: IOW:682.)

      What was the registration of your red car? (Ans: GTE-221. Simple)

      What was the registration of your father's car? (Ans: TJQ:710. I'll never forget that one.)

      What is the registration of your current car? (Ans: Um ... hang on a minute .... I'll just go outside and look.)

      1. Captain Hogwash

        Re: What was the registration of your father's car?

        His first car, his previous car or his red car?

    2. VinceH

      Re: Choose a question (and answer) on car numbers

      (Leaving aside that car registration numbers can be a bit short)

      "What was the registration of your first car?"

      Okay, fair enough.

      "What was the registration of your previous car?"

      What happens if you change cars one or more times after choosing that question and setting the answer?

      You set it up and enter AB12 CDE as your answer - then n years down the line, you have to resort to answering that question. You think back, and remember that the registration of your previous car (to the one you now have) is VW12XYZ.

      "What was the registration of your red car?"

      Even if you select a colour for which you have only had one car, the n years later problem still applies - between setting that question and answer and the arbitrary point in the future when you need to answer that question, you may have had more.

      "What was the registration of your father's car?"

      Which one? (Car, not father!) My step dad has had quite a few in the 40+ years I've known him!

      "Would work for quite a few people."

      I see flaws. :)

      The advice I generally give to people is to treat "secret questions" as password prompts, and enter a sensible password instead - especially on sites that have replaced passwords with secret questions (HSBC, I'm looking at you - the use of 2FA does not make this acceptable). However, since it's likely that (because they aren't passwords) many sites won't salt/hash the answers, this makes it even more important to ensure that password is unique. (So use a password manager such as KeePass)

      1. DropBear

        Re: Choose a question (and answer) on car numbers

        "What was the registration of your favourite car?"

        - OUTATIME

        "Invalid, your answer must contain at least one number"

        - Yeah, I already knew you were going to say that... fine, OUTATIME1

        "Invalid, your answer must contain a least one symbol"

        - Dang it... OUTATIME-1

        "Invalid, your answer must contain eight characters or less"

        - Arrrrgh!... TIME1

        "Invalid, your answer is based on a dictionary word you miserable no-good two-timing bastard!"

        - What the... Hey, is that you, KITT?!?
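As an added example (not from the thread, The Register, or any of the commenters), the script below puts VinceH's advice above ("treat secret questions as password prompts") and the length-rule problem Gene Cash ran into ("Ocala" rejected for being under 8 letters) into working code: a client-side generator for a random per-site answer to keep in a password manager, and a server-side store that normalises an answer instead of rejecting it and then keeps only a salted, slow hash of it. All function names and the scrypt parameters are my own choices; it uses only the Python standard library.

```python
"""Secret-question answers handled like passwords, on both sides.

Client side: random_answer() makes a unique, high-entropy answer per
site for a password manager (VinceH's suggestion above).
Server side: normalise() makes honest re-entries compare equal, so a
form need not reject short or punctuated answers like "Ocala, FL";
hash_answer()/verify_answer() store and check a salted scrypt digest,
so a leaked answer table is no easier to attack than a password table.
Added example, not code from the thread.
"""
import hashlib
import hmac
import os
import secrets
import string
import unicodedata
from typing import Optional, Tuple

# ---- client side -----------------------------------------------------------

ANSWER_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_answer(length: int = 24) -> str:
    """Random answer for a 'secret question', to be kept in a password
    manager. 24 symbols from a 62-symbol alphabet is about 143 bits of
    entropy, far more than any real city or maiden name."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


# ---- server side -----------------------------------------------------------

def normalise(answer: str) -> str:
    """Fold case and drop accents, spaces and punctuation so that
    "Ocala, FL", "ocala fl" and "OCALA-FL" all become "ocalafl".
    NFKD splits accented letters into base letter + combining mark;
    combining marks are not alphanumeric, so the filter drops them."""
    decomposed = unicodedata.normalize("NFKD", answer)
    return "".join(ch for ch in decomposed if ch.isalnum()).casefold()


# scrypt cost: 128 * r * n bytes of memory (16 MiB here) per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh 16-byte salt per answer
    stops an attacker precomputing digests for common cities or names;
    scrypt's memory cost makes each offline guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalise(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant
    time, so timing does not leak how many bytes matched."""
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


if __name__ == "__main__":
    # Constructed demo: enrol a short, punctuated answer, then verify.
    salt, digest = hash_answer("Ocala, FL")
    print("stored salt:", salt.hex(), "digest:", digest.hex())
    print("'ocala fl' accepted:", verify_answer("ocala fl", salt, digest))
    print("'Orlando' accepted:", verify_answer("Orlando", salt, digest))
    print("generated answer for a password manager:", random_answer())
```

The normalisation is deliberately lenient because the thread's complaints are all about false rejections; the strength against guessing does not come from forcing "Ocala" to be eight letters long but from the salted slow hash on the server and, on the client, from using a random answer rather than a real one.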

    3. Irongut

      Re: Choose a question (and answer) on car numbers

      Nope. I couldn't tell you the reg of my current car.

    4. Tom 7

      Re: Choose a question (and answer) on car numbers

      The fucking car park has started to ask my registration number before it will give me a ticket these days!

      I might learn it soon - but by the time I'm back at the car the dog's had a shit so no need for the ticket!

  12. Iznik

    That'll work

    The best (as in, most idiotic) security question I've come across was "Where did you go on your last holiday?". Presumably they decided "What did you eat last?" as too ridiculous.

    1. 's water music

      "Where did you go on your last holiday?"

      Chainsaw Juggling Resort?

      Dignitas Clinic?

      Thomas Cook?

  13. Mark #255

    Still too many failures

    I'd think that for far too many people, Google's suggested questions still wouldn't work.

    I wasn't born in a city, and my dad doesn't have a middle name.

    (this post from the I-am-Spartacus department)

    1. Kubla Cant

      Re: Still too many failures

      I wasn't born in a city, and my dad doesn't have a middle name.

      My impression from completing web forms is that for Americans "city" means anything from a hamlet up.

  14. TVC

    I just don't see the problem

    I've got over 200 sign ons and PINs to various online systems and similar. All the passwords are different. Some time ago I started using fictitious answers to the security questions. All these are stored in a password vault that is password protected and encrypted and not stored anywhere online or in the "cloud" - but is backed up. The few systems I access regularly, I remember, anything I cannot remember I look up.

    I have Power of Attorney over my mother's affairs and use the same system for her stuff.

    Over the years I've spent so much time helping people access their systems, because they are too hopeless to even note the password they just set 3 minutes earlier or explaining to them that having the same password everywhere is just plain daft. Some people even find it impossible to remember their own name.

  15. dave 81

    SQRL

    Seems solid.

  16. Tsung
    FAIL

    You're all forgetting the rules...

    Not only do they ask these "stupid" question but they set rules on the answer.

    Where were you born? Bath

    *Sorry, please enter an answer longer than 5 characters.

    Resetting by SMS is a nice idea, but I still work in an area of the UK that has zero mobile coverage. When my bank started using a 10 minute SMS message to grant access to my on-line account I was locked out from work. Very frustrating...

  17. Anonymous Coward
    Windows

    Too old to remember

    I have no hope of remembering all of the passwords that I need these days, still less of remembering answers to questions.

    So I use gibberish throughout and write it down in my little black book. Perfectly OK wrt on-line threats, but of course burglars are remotely a threat.

    1. Craig 2

      Re: Too old to remember

      Ditto. In any case, I would bet the circles of real / virtual criminals (aka. burglars / hackers) don't have much overlap.

  18. John Crisp

    "Using SMS and another email address is more secure" said Google.

    "Quite honestly your father's middle name is pretty worthless to us. We'd much rather you gave us relevant and useful info...."

  19. Ben Bonsall

    If I get free choice of question, then I tend to do jeopardy-style, the question goes in the answer box, the answer in the question... So 'please answer your security question: Bugsy?' with the answer 'what was your grandma's dog called'

    Surprisingly easy to remember.

    If not, I make up something rubbish like 'Where did you go to school?' 'Zamonia High' and store it in my password manager. Which is kind of redundant. If I have the password manager to get the answer from, then I also have the password.

    Note: My grandma didn't have a dog.

  20. Hans 1

    I call BS on this, I think they just want to harvest phone numbers out of people - a way to identify you and better target their ads.

    Their questions are rather silly, especially the family-related questions ... you would not want your wife/brother/sister/father to access your email account, would you? City of birth is really silly, too many people know that. These, of course, make social engineering so much easier.

    I think you should be able to ask your own questions, as for the mathematical "questions", those can be detected and vetoed.

    I hate it when I cannot use spaces in passwords.

    The worst website I have come across in recent years is www.apec.fr - THEY EMAIL YOUR PASSWORD TO YOU, IN 2015, HONEST!!!!!

    1. J.G.Harston Silver badge

      I used to be registered on a job website that would send me my password in clear text with every job listing email - WHILE I WAS IN THE JOB CENTRE WORK CLUB!!!!! (JobClubsWorth: Why aren't you reading your jobs emails? Me: Because you're looking over my shoulder watching my emails!)

      But, tangentially, WTF does a job website want super-secure authentication? WhoTF can do anything with the list of jobs I've applied for?

  21. Jim 59

    Secret questions are a hangover from the "security" procedures used by banks before the Internet. They never offered much security, for the obvious reasons outlined in the article.

    1. Kubla Cant

      Secret questions are a hangover from the "security" procedures used by banks before the Internet.

      I have to tell you that bank security questions are alive and all too predictable. DOB, who else uses the account, mother's maiden name!

      Not so long ago my bank started asking questions about recent transactions and repeat payments on the account, which was probably more secure, but generally impossible to answer. They seem to have dropped that approach, presumably because so few people could answer.

      1. Anonymous Coward
        Anonymous Coward

        "Not so long ago my bank started asking questions about recent transactions and repeat payments on the account, [...]"

        Had that one day for a credit card that had been "fraud" stopped due to a large purchase from a "new" company. It was in fact the company with whom I placed a large order a few times every year for at least a decade. The identity test only had access to the last two months statement records so they didn't see it was a repeat. In the end the satisfactory answer was "amazon".

        Another time they stopped the card because there had been a threshold number of small transactions in a short time. Turned out that it was my splurge on cheap DVDs which Amazon checkout billed to me as one transaction - but which they then presented to the credit card company as many individual items purchased almost simultaneously.

  22. Lee D Silver badge

    According to some accounts I have, my city of birth is

    49283hasepry79q

    My pet's name is:

    dsgfob20yweGFITw74

    and my mother's maiden name is:

    98432bgaisvffagsefroah

    Who the hell actually cares what the answers are, so long as you can provide them on demand and other people don't know them. And nothing quite proves that you're the owner of the account like "Mother's maiden name?" "98432bgaisvffagsefroah"... "WOW! Okay, sir, yes, that's definitely you then!".

    Hell, it's quite tricky to guess a valid email address for me, let alone the password to read that email. The security questions are even more secure and never used because I usually tie anything important into 2-factor authentication anyway.

    1. Michael Habel

      According to some accounts I have, my city of birth is

      49283hasepry79q

      My pet's name is:

      dsgfob20yweGFITw74

      and my mother's maiden name is:

      98432bgaisvffagsefroah

      Why hasn't anyone ever thought of that before!? You're a [REDACTED] GENIUS! I'm gonna have to rethink how to answer these in future times....

  23. Charlie Clark Silver badge
    Holmes

    Security theatre

    Effective security has been understood for a while: something you have and something you know. This is the underpinning of 2FA in systems like PGP (you have a private key which only you can decrypt with your passphrase). So why isn't it standard? HTML5 forms even contain a field for key generation. Given the complexity of many of the security theatre alternatives out there, the difficulty of using such a system can't really be an argument.

    Could it be that companies don't really care about the security of the systems? There is certainly ample, albeit anecdotal, evidence to support this theory: banks have at times actively resisted improving the security of debit and credit cards. It is only now that the US is moving from easily scammed magnetic stripes to chips. One of my companies asks me to verify the first few characters of my password when I call them, which means that at least part of it is stored as plaintext!

    At some point, of course, studies like Google's can be used to justify liability claims. This is when we tend to see movement. In general, companies like to have systems that can be judged secure enough so that they cannot be held liable for individual breaches. The backup question strategy would seem to fit in here: people routinely forget passwords, which is why they are so unsuitable in the first place. Google's study is valuable, I guess, because they have access to such huge study samples and can thus empirically verify some of the ideas: people choose weak passwords because they are memorable; behaviour is eminently predictable.

    Of course, if we do do things correctly then we risk falling foul of the law: restrict access to our private keys by encrypting our disks and we can now be prosecuted.

  24. Lazy Jack

    So what should those unfortunate souls do, whose fathers don't have a middle name? It's not usual in every country.

    BTW. You know that a site is designed by Americans without the slightest idea of what is going on in the rest of the world, when it insists on filling out the 'middle initial' and 'state' fields in a web form.

    1. Dan 55 Silver badge

      The 4% of Spanish speakers who got their father's middle name right, according to Google, are using made-up answers because Spanish and Spanish-speaking South Americans don't have middle names.

      1. A. Coatsworth Silver badge
        FAIL

        Says who?

        The norm in Latin America (and I think in Spain too) is having 2 first names and 2 last names. People usually use the first - first name and first last name only, so the second first name (so to speak) is in fact a middle name. Some people, like my father, have 2 first names and an invocation to a Patron Saint, which works as a 3rd first name (Something along the lines of Luis Alberto de la Trinidad Lastname Lastname)

        Confusing?

        Let's see a well-known example: Everybody has heard of Hugo Chávez. His full name was Hugo Rafael Chávez Frías. "Rafael" being his middle name and "Frías" his mother's last name

        I'd bet the 4% that got the middle name right tried with "José"

        1. Dan 55 Silver badge

          You could map the second and successive nombres onto the English-speaking countries' middle names but if you ask someone from a Spanish-speaking country what a "nombre medio" is (and I've seen this in web forms) you're going to get a blank look. Just as you can map the apellidos onto a double-barrelled surname which superficially works until a couple marry or have children.

          Someone's written a very good essay on the subject here...

          http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

  25. JeffUK

    I failed to create an account with a certain UK bank because they required me to provide answers to 3 of 10 'secret questions' and I didn't know/have answers to any of them.

    E.g. I don't have a 'Favourite colour' because I'm not 7.

    1. Anonymous Coward
      Anonymous Coward

      You don't?

      Mine is 'flesh'.

      1. Omgwtfbbqtime
        Trollface

        Re: You don't?

        I prefer 'necrotic'

    2. macjules

      Easy, "The colour of banker's arterial blood spurting from where I just plunged a Bic biro into their neck"

  26. Doctor Syntax Silver badge

    What is it with S/W writers that assume we always live/work/were born in cities? It's an inevitable field in addresses - even genealogical S/W which can reasonably be expected to collect location data from times when relatively few people lived in towns let alone cities.

    And then there's the 2FA gadget that my bank gave me. I tried to use it to change my email address and the website simply refused to accept the answer it gave. It's going to be a real benefit if I ever need it to authenticate some financial transaction.

  27. Phuq Witt
    Facepalm

    From one Extreme to the Other

    Most idiotic "security wall" I ever faced was a call centre operator for an insurance company I had to ring to confirm a small detail on a Motor Insurance policy I was about to take out. After having already correctly answered at least three security questions, we arrived at:

    HER: ...and can you confirm your email address?

    ME: Oh. I don't know. I have several email addresses and I'm not near the computer at the minute to check which one I used to sign up with you...

    HER: I'm sorry. You'll have to confirm your email address

    ME: Well, tell me the first letter of it and I'll tell you which one it is

    HER: I can't do that for security reasons

    ME: [incredulous] You can't even tell me the first letter?!

    HER: No

    At which point I hung up and took my custom elsewhere

    [I'll leave it as an exercise for the reader to calculate how many possible email addresses there are in the world and how much easier knowing the first letter would make it for a would-be miscreant to randomly guess the right one.]

    1. Anonymous Coward
      Anonymous Coward

      Re: From one Extreme to the Other

      Pah. Trying to do some business with Lloyds Bank a while back, I was told they won't send email as a matter of policy and I'd have to meet face to face or on the phone to do anything (this was not bog standard banking, was non-banking, financial services type stuff). Naturally they got themselves stuffed.

    2. Lee D Silver badge

      Re: From one Extreme to the Other

      I lost my little banking-calculator thing that creates transaction PINs for you.

      Then my bank started offering a digital PIN on a smartphone app. Much better, I thought, and tried to sign up. How can you lose a smartphone app? Except you can't sign up without plugging in a code from your PINPad thing. Fair enough. I can see the logic there.

      I phoned up to get a replacement. Went through the security questions. Told them that I'd lost the PINPad. I was told about the fancy new smartphone app instead. Yes, please, I'll have one.

      "Great, Sir, all you need to do is go on our website and put in a code from your PINPad".

      "The one I lost?"

      "Yes."

      After ten minutes of to-ing and fro-ing I got put through to someone who could understand the infinite loop / hole in my bucket situation.

      "Great, Sir, I'll send you out a PINPad and when it arrives you can sign up to the smartphone app and then throw the PINPad away as it can't be used any more" (Green credentials be damned, apparently).

      "Okay, cool".

      "I just need to send you out the pad and also a security code to activate it."

      "No problem."

      "The PIN pad will be sent by mail, it'll take 2-3 weeks."

      "Grr... okay then."

      "How would you like the code sent out? I can send it to you by email so you have it instantly or I can pop it in the post and it'll be with you in 2-3 days."

      "Well... what difference does it make?"

      "Email is faster, Sir".

      "But... if the PIN thing isn't here for weeks, how's that help?"

      "Well, it's faster sir." (Fortunately, he didn't try the "green" argument or I'd have cited the above exchange anyway.)

      I was always told that to work in a bank was a prestigious job and they only took the finest candidates and you had to pass all kinds of tests because you were handling people's money. It appears I was lied to.

  28. Anonymous Coward
    Anonymous Coward

    re: we humans remain pretty stupid while simultaneously believing ourselves to be very clever.

    Hell yeah. I even still think that digital watches are a pretty neat idea!

    1. macjules

      Re: re: we humans remain pretty stupid while simultaneously believing ourselves to be very clever.

      So did I until AppleWatch ...

  29. Michael Habel

    SMS --- In essence 2FA, Which is probably the best way to protect stuff (Google Accounts!), with... Only problem here is what happens after a given time, and you switch providers? (i.e. SIM Card + Number?)

    eMail --- Doesn't that hearken back to the "Stupid Questions" that the Article seems to address? As in my experience you have to first answer some dimwitted question, like First School, First Pet's name. etc... etc...

    1. Stoneshop
      WTF?

      Only problem here is what happens after a given time, and you switch providers? (i.e. SIM Card + Number?)

      I've switched providers, and thus SIM cards, at least half a dozen times, but still have the number I chose 15+ years ago.

  30. JJKing

    When I created an account to access Microsoft TechNet many years ago, I entered what I thought was a very secure password and may even make the grade today. MS rejected it due to ASCII characters. Tried again without those villainous characters and again rejected. It took 7 or 8 tries before I discovered the maximum password length was 8 characters. Bloody silly. Even now when you install Server 2012 and you have to enter a new password an 8 character length password is still acceptable (with it being 1 of the 3 out of 4 requirements).

    1. J.G.Harston Silver badge

      "Tried again without those villainous (ASCII) characters and again rejected"

      You entered a password that consisted of no characters at all?

  31. Nigel Whitfield.

    I'm off ...

    To make a couple of "What's your porn/movie star name" type quizzes for Facebook, one of which will involve the city of birth, and the other father's middle name....

    I've tried pointing out to people when they share these wretched things how they're giving away info that could be used to hack them. Mostly, people just tell me not to be a spoilsport.

  32. Anonymous Coward
    Anonymous Coward

    Place of Birt

    I can't recall where I was born, I couldn't read at the time. Also we moved within a month and I am told it was demolished years ago though the person who told me was a bit (very) unsure if it was the same place anyway.

    This is almost all true. For certain values of truth

    1. Androgynous Cupboard Silver badge

      Re: Place of Birt

      Is he still at the BBC?

  33. John Sanders
    Paris Hilton

    """Two things: one, as a species, we humans remain pretty stupid while simultaneously believing ourselves to be very clever."""

    Google (and other large companies) love to smell the aroma of their own farts.

  34. disgruntled yank

    39%

    "For example, with just 10 guesses it is possible to correctly guess 39 per cent of a Korea-speakers' city of birth question, since there aren't that many big cities in Korea."

    Setting aside the question of what constitutes a "Korea-speaker", what does it mean to guess 2/5 of the city? So if, let us say, Cincinnati were in Korea, one would be able to guess the "Cincin" but not the "nati"? And if I were able to speak Korea[n] (beyond "kimchee" and "bulgogi"), one could guess "Washin" but not "gton"?

  35. RU37

    An original(?) thought

    Hey, you know-it-all tech-meisters (commentors, commentees and well-paid researchers) here's a thought for you: why not throttle back on your whole authentication thing? For crying out loud, even this dingaling website wants me to enter a password to put my comment on here. [Edit, naturally, I couldn't remember it from nine months ago the last time I put a comment here, so I needed to reset it. Christ.] If one wants to ask somebody a question about a freaking paper clip on line, there is some buttcrack cable plugging dingdong somewhere who figured out how to add an authentication module, who is getting in one's way, forcing one to dig into one's distant past about the color of one's date's corsage the first time one got laid, in order to find out about a bloody (bloody is brit for "gol-darn") paper clip.

    No, that would mean LESS of something. We can't ever put a little thought into it, if it means that ultimately we end up with LESS of something, can we?

  36. RU37

    collective inability to distinguish categories

    This forum is a vivid demonstration of modern human inability to make the distinction between a TECH PROBLEM and a DESIGN PROBLEM. The DESIGN PROBLEM here is the ubiquity of automated authentication in our daily lives. The problem with the way this necessary thing is being implemented is that it has become UBIQUITOUS and PERVASIVE in modern living, because there is some tech that makes it available cheaply. Authentication is important to have. For those things in our lives that are important.

    So get over yourself, guy who sells condiments to restaurant chains. You don't need authentication tech in order to protect your data from your potential customers.

    1. Charles 9

      Re: collective inability to distinguish categories

      "So get over yourself, guy who sells condiments to restaurant chains. You don't need authentication tech in order to protect your data from your potential customers."

      Sure you do; it's called "trade secrets". Negotiations between companies are almost always secret because the prices involved tend to differ each time, and negotiations are things you do not want the competition to know since they can use that to undercut you and steal your business.

      1. This post has been deleted by its author

      2. RU37

        Re: collective inability to distinguish categories

        My original reply was posted, after being partly redacted. Since it was a heady mixture of ad hominem and other things that might wake a moderator from their slumber, I'll save time by using good old trial and error, instead of trying to look it up. I will have a complete reply to your question about "trade secrets and negotiations" on my blog, which you can find online. My blog is called "igibud", and my post is called "What is Artisanal Duh". "Artisanal Duh" is not an insult on this forum. That is the name of the post, as well as the name of a domain I have registered.

  37. Charles 9

    So tell me, how DO you provide sufficient security to a site full of people with truly awful memories? And you can forget 2FA because these people don't have cell phones and the password they forget most is the one for their e-mail.

    1. RU37

      Ten years ago, it would make sense to talk about solving your security design question strictly using automated solutions. But now you have to think about your question of "providing sufficient security to a site full of people" in terms of DESIGN, and not TECH. What is it about your "site full of people" that is worth protecting? When you use the word "site" is that supposed to mean some internet domain thingy? I suspect that is what you mean, and I suspect that is the Achilles heel in your method of thinking. In 1998, and 2008. And today etc etc more and more cheap clueless automation. Hence this absurd article, which describes a world only some demented sicko of the Orwell/William Gibson variety could ever dream up.

      1. Charles 9

        Except these demented sickos exist and the truth is stranger than fiction. IOW, this isn't Oceania or the Sprawl. This is Earth, it's real, and it's even worse than those two envisioned. Let's play along, shall we?

        "What is it about your "site full of people" that is worth protecting?"

        Suppose you're a bank or a medical site? BY LAW, they have LOTS of stuff worth protecting BUT still need to be readily accessible by your clients. So you're facing two extremes. When NOT IN USE, the data has to be tighter than Fort Knox, but once IN USE, it has to be wide open. But then these dual requirements come with them their share of inconveniences (that the clients then bitch about). Trying to prove who you are can be problematic: thus the problem of passwords and bad memories, for which there are few effective alternatives. Meanwhile, once you're in, it's hard to keep the information under wraps anymore which poses liability issues. And yet people want no less than perfection and bitch when it doesn't happen, such as with these data breaches.

    2. JeffUK

      Off the top of my head; assume they do actually have access to a working email account. (Pushing the 'password reset' problem onto the email provider, in effect) But if everyone did this, you'd only need one password anyway...

      Log them in by sending a one-time link to that email that sets an authentication cookie. They want to log in again, they click, 'log in' and get a new link via email.

      Simples.
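The one-time-link flow described above, as an added example rather than the commenter's own code: the server-side token store, kept deliberately minimal. It assumes a 15-minute link lifetime and a placeholder site URL, and leaves sending the email and setting the cookie to the web framework.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumptions (not from the post): a link stays valid for 15 minutes, and the
# site identifies a user solely by the email address the link was sent to.
LINK_TTL_SECONDS = 15 * 60


class MagicLinkLogin:
    """Email-based login: issue a one-time link, redeem it for a session.

    Only a SHA-256 digest of each link token is kept, so a copy of this store
    cannot be turned into working links; each token is bound to one email,
    expires, and is discarded on first use.
    """

    def __init__(self, ttl=LINK_TTL_SECONDS, now=time.time):
        self._pending = {}   # token digest -> (email, expiry timestamp)
        self._sessions = {}  # session id -> email
        self._ttl = ttl
        self._now = now      # injectable clock, so expiry can be tested

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_login(self, email, base_url="https://example.invalid/login"):
        """Create a fresh token and return the URL to email to the user."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[self._digest(token)] = (email, self._now() + self._ttl)
        return f"{base_url}?token={token}"  # the raw token exists only in the email

    def redeem(self, token):
        """Exchange a link token for a session id, or None if it is invalid.

        pop() removes the entry whether or not it has expired, so a token can
        never be used twice and stale entries do not accumulate.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = email  # this value goes in the auth cookie
        return session_id

    def user_for_session(self, session_id):
        return self._sessions.get(session_id)

    def logout(self, session_id):
        self._sessions.pop(session_id, None)


def token_from_url(url):
    """Pull the token back out of a link, as the login endpoint would."""
    return parse_qs(urlparse(url).query)["token"][0]


if __name__ == "__main__":
    site = MagicLinkLogin()
    link = site.request_login("alice@example.invalid")  # constructed sample user
    sid = site.redeem(token_from_url(link))
    print("session for", site.user_for_session(sid))
    print("second click on the same link:", site.redeem(token_from_url(link)))
```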

  38. Tree

    Keep a text file

    If you don't want Goooogle or others to know all your private info, just put BS in the fields for your mom, pet, etc. and save the BS in a text file so you can enter it if you are locked out. Now what to name that file?

    1. Charles 9

      Re: Keep a text file

      And how to keep the missus or someone else from uncovering it...

  39. Morten Bjoernsvik

    lastpass

    One password to rule them all.

  40. mark 177
    FAIL

    Newcastle Building Society Fail

    "The Newcastle" asks for a memorable date. Now most people will choose a date of birth or marriage, etc. of a relative or friend.

    Say 8th June 1950 (08061950)

    Then they ask for three digits from that date:

    Digit 3 - can only be zero or one

    Digit 5 - for the last millennium or so at least, 1 or 2

    Digit 1 - can only be 0,1,2 or 3

    That means I have approximately a 1 in 16 chance of a completely (well, almost) random guess being correct.

    Also for dates in the recent past, digit 6 is likely to be either 9 or 0.

    I told them about this years ago - did they change it? Of course not.
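The odds of a partial-date challenge can be checked by enumerating calendar dates rather than multiplying digit ranges. This is an added example, not code from the commenter or the building society; it assumes the DDMMYYYY layout in the post and that the memorable date is spread uniformly between 1 Jan 1900 and 31 Dec 1999, and it works for any set of requested digit positions, not only the three listed above.

```python
from collections import Counter
from datetime import date, timedelta

# Assumption (not from the post): memorable dates are spread uniformly over
# this range. Change it to model a different customer base.
RANGE_START = date(1900, 1, 1)
RANGE_END = date(1999, 12, 31)


def all_dates(start=RANGE_START, end=RANGE_END):
    """Yield every calendar day from start to end inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def digit_distribution(positions, dates=None):
    """Count the digit tuples found at the given 1-based positions of DDMMYYYY.

    positions=(3, 5, 1) reproduces the challenge in the post: tens digit of
    the month, first digit of the year, tens digit of the day.
    """
    counts = Counter()
    for d in (dates if dates is not None else all_dates()):
        s = d.strftime("%d%m%Y")
        counts[tuple(s[p - 1] for p in positions)] += 1
    return counts


def best_guess(positions, dates=None):
    """Return (most common digit tuple, chance that one guess of it is right)."""
    counts = digit_distribution(positions, dates)
    total = sum(counts.values())
    (digits, n), = counts.most_common(1)
    return digits, n / total


def guesses_to_cover(positions, fraction=0.5, dates=None):
    """How many best-first guesses it takes to cover `fraction` of all dates."""
    counts = digit_distribution(positions, dates)
    total = sum(counts.values())
    covered = 0
    for k, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered / total >= fraction:
            return k
    return len(counts)


if __name__ == "__main__":
    positions = (3, 5, 1)
    digits, p = best_guess(positions)
    print(f"positions {positions}: best guess {''.join(digits)} is right {p:.1%} of the time")
    print(f"naive 2*2*4 estimate: {1 / 16:.1%}")
    print(f"guesses to cover half of all dates: {guesses_to_cover(positions)}")
```

Run over the whole of 1900-1999, the first digit of the year never varies, so the three requested positions carry far fewer than four bits of entropy; a reviewer assessing such a challenge should count distinct digit tuples, not digit ranges.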

  41. AndrueC Silver badge
    Facepalm

    I think it was Apple iTunes that has the security question 'What is your favourite teacher's name?'

    I'm 48 and left school in 1982.
