The Problem With Security Questions

The recent IRS breach (Hackers stole personal information from 104,000 taxpayers, IRS says) succeeded because the attackers knew how to answer the “security questions” for a lot of people. The attackers had a phenomenal 50% success rate, roughly 100,000 successes out of about 200,000 attempts. As attacks go, that’s hugely successful.

The incident highlights two important trends:

  • Security questions stink. The attack on the IRS succeeded because the attackers were able to get the right answers for half of their targets.
  • Computers keep getting more powerful, but we don’t get any better at remembering passwords or security answers. The attack succeeded because the attackers had the resources for collecting and tracking individual security answers.

What’s wrong with most security questions?

There are the questions that are easy for someone else to figure out. Your mother’s maiden name. Your birthday. Your favorite sport, movie, book, or song. These are easy because a lot of people state these things on their social networking sites or in online profiles. This is how Sarah Palin’s email got hacked in 2008.

There are the questions that are hard for you to remember. Did you enter your city of birth as Washington, Washington DC, or Washington, D.C.? Was your “first car” the first one you drove or the first one you bought?

Some security questions have answers that might change over time. Is your favorite movie today the same as it was when you first provided answers to your security questions?

Password advice usually tells you not to pick a name, date, or place that’s easily associated with you, and yet that’s exactly what the “security” questions are asking you to provide.

When you’re stuck with setting up security questions, try these ideas:

  • Use a password manager, and have it generate and track random answers. What’s your mother’s maiden name? 8=z<BzDb’wvd{J(~
  • Pick what your answer would have been in 2000, before there was Facebook, or in 1990, before the Internet became popular – unless it’s the same as today’s answer.
  • Add a standard bit of nonsense to the end of every answer. What’s your favorite color? blue biscuit. What was the first car you drove? Nova biscuit. Just don’t tell anybody what your nonsense add-on is, and make sure you’ll remember it.
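Putting rough numbers behind this advice, as an added example that is not part of the original post: the script below models a guessable answer (a favorite color drawn from about 20 common names, an assumed figure) against a 16-character random answer of the kind a password manager generates, and includes the nonsense-suffix scheme from the last bullet. The 20-name answer space and the 10-guesses-per-account budget are assumptions for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII symbols (no whitespace), the kind of alphabet a password
# manager draws from for an answer like "8=z<BzDb'wvd{J(~".
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_answer(length: int = 16) -> str:
    """Generate a random answer with the OS CSPRNG, as a password manager would.
    It is meant to be stored in the manager, never remembered."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_space(length: int = 16, alphabet: str = ALPHABET) -> int:
    """Number of distinct answers random_answer() can produce."""
    return len(alphabet) ** length


def entropy_bits(answer_space: int) -> float:
    """Entropy of an answer drawn uniformly from answer_space possibilities."""
    return math.log2(answer_space)


def suffix_answer(true_answer: str, nonsense: str) -> str:
    """The nonsense add-on idea from the list above: 'blue' -> 'blue biscuit'.
    The public part contributes nothing; all strength is in the secret suffix."""
    return f"{true_answer} {nonsense}"


def attack_success_fraction(answer_space: int, guesses_per_account: int) -> float:
    """Fraction of accounts compromised when the attacker gets guesses_per_account
    distinct tries per account and answers are uniform over answer_space values
    (no lockout). Real answers are skewed toward a few popular values, so this
    is a lower bound on the attacker's success rate."""
    return min(1.0, guesses_per_account / answer_space)


def compare(guesses_per_account: int = 10, color_choices: int = 20) -> dict:
    """Side by side: a favorite-color answer from color_choices common names
    (assumed figure) versus a 16-character random answer, same guessing budget."""
    return {
        "guessable_success": attack_success_fraction(color_choices, guesses_per_account),
        "random_success": attack_success_fraction(random_answer_space(), guesses_per_account),
        "random_bits": entropy_bits(random_answer_space()),
    }
```

With ten guesses per account, a twenty-value answer space already yields the 50% success rate seen in the IRS incident, while the random answer is effectively unguessable.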

On top of security questions, take advantage of two-factor authentication (also known as two-step verification) wherever possible. Many banks, email systems, gaming sites, and other online services offer this now. If your password or security questions are ever guessed or stolen, you’ll still have a layer of safety for stopping attackers.