A recent article in Wired argues that it is time to kill password recovery questions. Password recovery questions are those questions that you set up in case you forget your password. Common questions are:
In what city were you born?
What is your mother’s maiden name?
Where did you go to high school?
The article notes that the recent Yahoo breach “included in the company’s list of breached data weren’t just the usual hashed passwords and email addresses, but the security questions and answers that victims had chosen as a backup means of resetting their passwords.”
Beyond answers getting leaked in breaches, another problem with recovery questions is that they are easy for hackers to guess. So you can create the world’s best password, but a hacker can reset your password by using the recovery questions. Information such as a mother’s maiden name and the city of one’s birth is commonly available in public records. Other information, such as a pet’s name or the high school one attended, can be readily figured out by looking at social media profiles or Twitter feeds.
The Funniest Password Recovery Questions
BB&T uses a very clever approach to password recovery questions — they depart from the commonly-used questions. The results are some of the funniest and most bizarre password recovery questions I have seen. Here are some of my favorites:
What is the favorite road on which you most like to travel?
What is your biggest pet peeve?
If you could be a character out of any novel, who would you be?
Who was your least favorite boss?
What is the name of your favorite relative not in the immediate family?
What was your childhood phone number?
What is the name of your least favorite teacher?
Where do you want to retire?
What is your dream car?
Where were you New Years 2000?
If you won a million dollars, what is the most extravagant purchase you would make?
What is the name of your most memorable stuffed animal?
Some of the questions seem like they are better suited for a psychological profile test. Do people really remember where they were on New Years 2000? And is it any of BB&T’s business?
Imagine what would happen if BB&T had a breach similar to Yahoo’s. I’m sure hundreds of thousands of bosses will be none too pleased to learn that they are an employee’s least favorite boss.
Although I admire the effort, there’s still a problem with BB&T’s unconventional questions: They are difficult for people to remember. Many years later, are you going to remember where you wanted to retire when you answered your recovery questions? Or your dream car? Recovery questions must be easy to remember — easier than one’s password — because the questions are designed to help people who forgot their password.
Tell Me Lies, Tell Me Sweet Little Lies
One approach discussed in the Wired article is to answer the security questions with lies. But as the article notes, it is easy to forget the lies.
So there’s a dilemma — easy-to-remember questions that might readily be guessed by hackers, or more obscure questions or wrong answers that might readily be forgotten.
The Problem Is Passwords
As I have written earlier in an article and post with Professor Woodrow Hartzog, passwords alone are poor security. The problem is that long complex passwords are difficult to remember — and people have so many different accounts (often hundreds of them) that it is demanding the impossible of human cognition to remember all of these passwords.
To make matters worse, sometimes people are made to change their passwords frequently, a practice that can undermine security. The FTC’s security expert Lorrie Cranor has a terrific post recommending that mandatory password changes be rethought.
There is simply no way a person can remember hundreds of unique long and complex passwords. To make the impossible demand on human memory even more impossible, people are also told not to write their passwords down. Hence, they forget their passwords and have to revert to the password recovery questions.
The answer, as Professor Hartzog and I suggested, is to look to two-factor authentication. Passwords are still used in this approach, but a password alone isn’t enough to log in. Something else is needed, typically a code sent to your smart phone. Two-factor authentication typically involves a factor you know (password) and a factor you have (device).
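To make the “know” plus “have” pairing concrete, here is an added illustration (not code from the post or from any product it mentions) of a login check that requires both a password and a one-time code. The code is computed per RFC 4226/6238 from a secret shared with an app on the user’s phone, standing in for the texted code the post describes; the account, salt and password below are constructed demo values.

```python
import hmac
import hashlib
import struct
import time

# Added illustration, not from the article: "something you know" (a salted,
# slow-hashed password) plus "something you have" (a one-time code derived
# from a secret that lives on the user's phone).

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, now // step)

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; a breached table yields only these digests."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def login(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors must check out; a leaked or guessed password alone fails."""
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
    # Accept the current window and one step either side to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(code.encode(), hotp(user["totp_secret"], now // 30 + d).encode())
        for d in (-1, 0, 1)
    )
    return pw_ok and code_ok

# Constructed demo account. The secret is the RFC 6238 test key, not a real one.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"
DEMO_USER = {
    "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
    "salt": DEMO_SALT,
    "totp_secret": DEMO_SECRET,
}

if __name__ == "__main__":
    now = int(time.time())
    print(login(DEMO_USER, "correct horse battery staple", totp(DEMO_SECRET, now), now))
    print(login(DEMO_USER, "correct horse battery staple", "000000", now))
```

The first call succeeds and the second fails, even though the password is right in both cases.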
Minding the Human Factor
No matter what, we must not forget about the human factor. Data security involves people, and solutions must be built around human behavior. Until we account for the human factor, clever security measures might be good for a chuckle but not much else.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.