password security questions

RCN has been hassling me with automated phone calls to set up a new account password. If I don’t do that, apparently, I will never be allowed to discuss my account with them again. I don’t get it, but I just called in to set up my password.

They asked me to set up two backup security questions, too. That’s fine. We use those at Pobox, but we do what everyone should do: we let the customer pick both the question and the answer. Unfortunately, too many providers offer only a single question, or a fixed list of questions to choose from. Worse, many now ask questions whose answer is not a fact but an opinion that could change over time. My choices were:

  • What is your favorite place?
  • What is your favorite food?
  • What was your first pet?

There were a few other options, which I think were fairly opinion-like. (I know that the order of my pets is not an opinion, but it’s hard to remember which one came first, since we had them when I was so young.)

The purpose of these questions is to make sure that even if you lose the slip of paper on which you wrote your password, you will still be able to verify your identity with something you will know without fail. That’s why “mother’s maiden name” is a good idea: if you know it, you know it. It will never change, and you are not likely to forget it. I understand that it’s good to have alternate questions – some people don’t or can’t know their mother’s maiden name. The alternate question, if you can’t bring yourself to let the user specify a question, should also be about a fact.

Otherwise, the user will do what I did: decide on answers and write them down on the same slip of paper as the password. Well, that or in two years he will be unwilling to believe that he specified anything other than squid as his favorite food. Then how will he get his pay per view?
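As an added illustration of the two points above (let the user choose the question, and insist that it be about a fact), here is a small Python sketch of how a site could store and check a user-chosen security question. This is example code written for this page, not Pobox’s or RCN’s code. It assumes three things that the post does not spell out: that the answer is normalized (case, whitespace, Unicode form) before comparison so a user is not locked out by “Fluffy” versus “fluffy ”; that the answer is stored only as a salted PBKDF2 hash, like a password, so a leaked database does not reveal it; and that a simple keyword heuristic (my choice of words, taken from the opinion-style questions the post lists) is enough to reject “favorite”-style questions.

```python
"""Added example (not from the original post, Pobox or RCN): storing and
verifying a user-chosen security question and answer.

Assumptions made here, not stated in the post:
  * answers are normalized before hashing so minor case/spacing differences
    do not lock the user out;
  * answers are stored only as a salted PBKDF2-HMAC-SHA256 hash;
  * a keyword heuristic (hypothetical) flags opinion-style questions.
"""

import hashlib
import hmac
import os
import re
import unicodedata
from dataclasses import dataclass

# Hypothetical heuristic: words that mark a preference rather than a fact.
# "favorite" comes from the questions quoted in the post; the rest are my
# additions.
OPINION_MARKERS = ("favorite", "favourite", "best", "prefer")

PBKDF2_ITERATIONS = 200_000  # constructed value; tune for your hardware


def is_opinion_question(question: str) -> bool:
    """True if the question asks for a preference that may change over time."""
    words = re.findall(r"[a-z]+", question.lower())
    return any(word in OPINION_MARKERS for word in words)


def normalize_answer(answer: str) -> str:
    """Make 'Fluffy ', 'fluffy' and 'FLUFFY' compare equal before hashing."""
    text = unicodedata.normalize("NFKC", answer)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return text


@dataclass(frozen=True)
class SecurityQuestion:
    """What the site keeps: the user's own question text, a per-record salt,
    and the hash of the normalized answer. The answer itself is never stored."""
    question: str
    salt: bytes
    answer_hash: bytes


def _hash_answer(normalized: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def create_security_question(question: str, answer: str) -> SecurityQuestion:
    """Accept a user-chosen question, rejecting opinion-style ones, and store
    only a salted hash of the normalized answer."""
    if is_opinion_question(question):
        raise ValueError("question asks for an opinion; choose a question about a fact")
    normalized = normalize_answer(answer)
    if len(normalized) < 2:
        raise ValueError("answer is too short to be useful")
    salt = os.urandom(16)
    return SecurityQuestion(question=question, salt=salt,
                            answer_hash=_hash_answer(normalized, salt))


def verify_answer(record: SecurityQuestion, attempt: str) -> bool:
    """Compare an attempt against the stored hash in constant time."""
    candidate = _hash_answer(normalize_answer(attempt), record.salt)
    return hmac.compare_digest(candidate, record.answer_hash)


if __name__ == "__main__":
    # Constructed sample: a fact-based question chosen by the user.
    rec = create_security_question("What was the name of my first pet?", "Fluffy")
    print(verify_answer(rec, " fluffy "))   # True
    print(verify_answer(rec, "squid"))      # False
    try:
        create_security_question("What is your favorite food?", "squid")
    except ValueError as err:
        print("rejected:", err)
```

The normalization step is what makes a fact-based question usable in practice: the stored hash must match the answer the user types two years later, so trailing spaces and capitalization should not matter, while the real comparison still happens on a hash rather than on the stored plaintext.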

Written on December 1, 2007
🔐 security
🤤 stupid