Bruce Schneier’s recent post in which he said that secret questions had reached a ‘new low’ may have shocked some casual observers, but for me it simply underlines a problem which is all too common.
Personal verification questions (PVQs) and answers have been the de facto solution for forgotten passwords since the creation of email itself, but in many cases (such as the one highlighted by Bruce) they are woefully inadequate and, one could argue, in fact do more harm than good. This is because, in many cases, they give an illusion of security without actually increasing the user’s protection.
I have personally experienced bank call centers recommending that I set ALL of my PVQs responses as the same answer. So, for example:
- What is your favorite color? “BLUE”
- What is your favorite sport? “BLUE”
- What is your favorite food? “BLUE”
Astonishingly, these call centers were actually advising customers to make their accounts less secure. Unfortunately, this is another example of “compliance think” – where banks or other organizations simply offer the least security required in order to meet legal requirements.
As we have touched upon before, the problem with passwords in general is that they are static information – they are rarely (if ever) changed. The system above (even if all the answers are not ‘blue’) is simply using even more static information to secure a problem which was created by the use of static information in the first place.
Using PVQs in this way can do more damage than good, as users believe they are secure. People operate thinking they are safer, but they are not. Given that there are so many technologies that are just as simple to use, and offer so much more security, it is shocking that methods as basic as PVQs are still in use today. For example, a simple text message to the user’s cell phone with a new password is exponentially more secure than a question which is easily guessable to even the most casual of acquaintances.
