Not at all hiding in plain sight

The “security question,” as an institution, is “superbly moronic,” says Jack Baruth:

[T]here is no reason for the security question to exist. Not the way it’s implemented at most websites. A security question, when used properly, can be helpful. PEER1 and Rackspace, as an example, use security questions to authenticate requests for phone support. The security question, in those cases, is one that you provide. As an example, your Rackspace security question could be, “What’s the pinkest brown?” and the answer could be “867-5309”. It’s a true shared secret. Of course, it’s stored on the Rackspace systems, which means its vulnerable. But as a good way to authenticate a voice on the phone that’s asking you to reboot a server or add a credential, it’s not bad.

The typical security question implementation, however, is not anything like that.

Oh, hell no. Instead, it’s something you’ve probably already posted on Facebook that anyone keen on stealing your identity has already read and filed away for reference.

I admit to having outsmarted myself once, with the requested item being the “name of your high-school sweetheart.” Like rather a lot of women of this era, she has a first and a middle name; unlike most, she was going by the middle name back then. So I plugged in the first name, which I’m pretty sure I’ve never mentioned anywhere, even here on this site. (Don’t mention this: it’s pseudonyms all the way down.) You can guess what happened next, or more precisely after a year or two.

Incidentally, I live in what has been known in the neighborhood as the Brown House. But it’s the pinkest brown you’ve ever seen.



  1. Dr. Weevil »

    7 March 2016 · 1:48 pm

    I believe that’s how a teenager in Tennessee got into Sarah Palin’s e-mail system: things like grandparents’ first names and high-school mascot are public records and not that hard to find for a public figure.

  2. McGehee »

    7 March 2016 · 2:24 pm

    I once signed up for a site that required three security questions, each of which offered about a dozen options. I actually have in the past used non sequitur answers to security questions, but they have to be questions I expect to deal with more than once in a solar-eclipsing full moon.

    By the time I was dealing with the third question the options were insufficiently secure for my taste and I couldn’t go non sequitur in case my wife needed to use the login someday.

    So far I’ve only been asked the first question I selected.

RSS feed for comments on this post · TrackBack URI

Leave a comment