Schneier on Security: The Curse of the Secret Question
Bruce Schneier on “secret questions”, like what your mother’s maiden name is.
The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It’s a great idea from a customer service perspective — a user is less likely to forget his first pet’s name than some random password — but terrible for security.
He bangs on his keyboard to make random answers to his security questions. I have a program that randomly selects words from my spell checker’s list of all words, and then I store each word with the corresponding security question in 1Password. But, seriously: this is nuts. How is having a less good password a good substitute for a password?
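The approach described above (random dictionary words as secret-question answers, stored next to the question in a password manager) as an added Python example; this is not the author's own program. It assumes a spell-checker wordlist at `/usr/share/dict/words` and falls back to a small constructed list when none is readable. It also computes the entropy of the generated answer beside that of a random printable-ASCII password, which makes concrete why such an answer is the "less good password" the post complains about.

```python
import math
import secrets

# Constructed fallback wordlist (16 entries, so each pick is exactly 4 bits),
# used only when no system dictionary can be read.
FALLBACK_WORDS = [
    "apple", "basalt", "cedar", "delta", "ember", "fjord", "glint", "harbor",
    "iodine", "juniper", "kelp", "lumen", "marble", "nickel", "orbit", "pewter",
]


def load_wordlist(path="/usr/share/dict/words", min_len=4):
    """Return a sorted, de-duplicated list of lowercase alphabetic words.

    The path is an assumption: it is where many Unix systems keep the
    spell-checker dictionary. Capitalised entries (proper nouns) and
    possessives such as "Bob's" are dropped so only plain words remain.
    """
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            stripped = (line.strip() for line in fh)
            words = {w for w in stripped if w.isalpha() and w.islower()}
    except OSError:
        words = set(FALLBACK_WORDS)
    return sorted(w for w in words if len(w) >= min_len)


def random_answer(words, n_words=3):
    """Pick n_words uniformly at random with the OS CSPRNG.

    secrets.choice is used rather than random.choice: the default `random`
    generator is a Mersenne Twister whose output is predictable once a few
    outputs are observed, which is the wrong tool for a credential.
    """
    if not words:
        raise ValueError("empty wordlist")
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def compare_strength(words, n_words=3, password_len=12, charset_size=94):
    """Entropy of an n-word answer versus a random printable-ASCII password."""
    return {
        "answer_bits": entropy_bits(len(words), n_words),
        "password_bits": entropy_bits(charset_size, password_len),
    }


if __name__ == "__main__":
    words = load_wordlist()
    # Each answer would be stored beside its question in the password manager.
    for question in ("First pet's name?", "Mother's maiden name?"):
        print(f"{question:24} {random_answer(words)}")
    print(compare_strength(words))
```

With a typical 100,000-word dictionary, three random words give about 50 bits of entropy, against roughly 79 bits for a 12-character random password; the answer is still far stronger than a real pet's name, but it is only as safe as the password manager it lives in, since the site will accept it as a full substitute for the password.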