Death to the Secret Question

In The Curse of the Secret Question, Bruce Schneier explains why security questions are so inadequate. Schneier and I share the view that the security question is, essentially, a second password which serves as an alternate login mechanism. Since most people answer these questions truthfully, the accounts the questions are supposed to protect are only as safe as the answers provided, and the answers are usually facts that other people know or can look up. Having more security questions does little to solve the problem; it only adds more weak passwords.

Consider this: you are asked to choose one of the "secret questions" and to provide an answer. The questions are:
  1. What is your dog's name?
  2. What was your first phone number?
  3. What color was your first house?
  4. What was the name of the street you lived on when you were 10?

You choose number 2, "What was your first phone number?", and you answer truthfully: 321-555-1212. Is that really as secure as your password? (You have good password management practices, right?) No, it's not, because that phone number was known to everyone else who lived in the house, and everyone who ever called it knew it too. Worse yet, it's still your phone number, because you haven't moved out yet! Most people answer these security questions truthfully because they know they won't remember anything else, and by doing so they weaken the security of the very account the question is supposed to protect. Instead, get a good password manager, like Password Safe or pwsafe, and when you are asked to choose a secret question and answer, plug in a long random string as the answer, effectively creating a password stronger than your regular one. Then store that string in the password manager for safekeeping and future reference.

The other problem with security questions like this is that the answers are usually not hashed in the database the way passwords should be (salted, with a slow key-derivation function), because most developers don't realize that the answer IS A PASSWORD. A plaintext answer column is a second, weaker password column: anyone who can read the table can use it to get into the account just as surely as if the password column were in the clear.
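As an added example (not code from the original post), here is how a developer would treat the answer as the password it is, in Python. The answer is stored as a salted PBKDF2-HMAC-SHA256 hash and checked with a constant-time comparison, so the plaintext never reaches the database, and a helper generates the kind of long random answer the post recommends plugging into the box and saving in a password manager. The record format, iteration count and function names are my own choices, not from any particular library or from the post.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256. This is an assumed value chosen to be
# deliberately slow; raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def random_answer(nbytes: int = 24) -> str:
    """Generate the 'answer' a user should type instead of the truth.

    24 random bytes, URL-safe base64 encoded (32 characters), is 192 bits
    of entropy: far stronger than a phone number or a street name, and
    unguessable by anyone who knows the user. Keep it in a password manager.
    """
    return secrets.token_urlsafe(nbytes)


def hash_answer(answer: str) -> str:
    """Store a security-question answer exactly the way a password is stored.

    Returns a self-describing record "pbkdf2_sha256$iterations$salt$hash"
    (hex-encoded salt and digest) so the salt and work factor travel with
    the row. A fresh 16-byte salt per answer means two users with the same
    answer get different records, and the plaintext is never written down.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", answer.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Check a submitted answer against a stored record.

    Re-derives the hash with the stored salt and iteration count and compares
    in constant time so a wrong answer cannot be distinguished by timing.
    Malformed records are rejected rather than raising.
    """
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed walk-through: the truthful answer from the post versus a
    # random one, both stored the same way a password would be.
    truthful = "321-555-1212"
    record = hash_answer(truthful)
    print("stored record:", record)
    print("plaintext in record?", truthful in record)      # False
    print("correct answer verifies?", verify_answer(truthful, record))  # True
    print("wrong answer verifies?", verify_answer("321-555-1213", record))  # False

    strong = random_answer()
    print("random answer for the password manager:", strong)
    print("random answer verifies?", verify_answer(strong, hash_answer(strong)))  # True
```

The point of the record format is that the database row holds nothing an attacker can type back into the "secret question" box; a dump of the table yields salted PBKDF2 digests, the same as the password column, instead of a list of phone numbers and pets' names.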

Bottom line: treat answers to security questions as a chance to establish a stronger password, and never answer them truthfully. If you're a developer, don't build in security-question functionality just to please the marketing or help desk folks; it weakens the security of the system. Be creative and come up with something more secure. For instance, don't ask a question at all: call it a secret code and tell people to put something into the box that they will remember, then store it the way you store their password.