How Hackable Are Your Security Questions?
Kevin Roose writes today that security questions are ridiculously easy to hack and we should get rid of them:
There are all kinds of ways to lock down your most important accounts — Gizmodo's guide is a good place to start....Eventually, some advanced form of biometric authentication (fingerprints, retina scans) may become standard, and security questions may get phased out altogether.
But until then, when so many better options exist, there's no reason a company like Apple should be relying on questions like "What was the model of your first car?" for password recovery in 2014. If that's the best way we have of making sure a user is legit, we might as well change all of our passwords to "1234" and hope for the best.
All kinds of ways? I was intrigued. So I clicked on the Gizmodo link and found....two suggestions. The first is two-step authentication, which is a fine idea for anyone with a cell phone. The second is encrypting all your data. But like it or not, this is much too hard for most people to implement. There's just no way it's going to become widespread anytime in the near future.
So, basically, there aren't all kinds of ways to lock down your most important accounts. There's one. And even it only works on some accounts. If my bank doesn't offer it, then I can't use it.
I'd offer a different perspective. First, the level of security you need depends on who you are. If you think the NSA is after you, then your security better be pretty damn good. If you're a celebrity, then it needs to be pretty good. If you're just some regular guy, then the truth is that fairly ordinary measures are adequate. You should use decently secure passwords, but that's probably about all you need to do for most of your accounts. Two-step authentication is a good idea for cloud accounts.
As for security questions, I suppose I'm on Roose's side. Just get rid of them. They're too easy to guess, especially for friends and family. Instead, either use a password manager or else create random passwords for your accounts and write them down on a piece of paper that you hide somewhere. I know you've been told forever to never write down your passwords, but the truth is that low-tech paper is actually pretty damn secure compared to anything digital.
Still, I can't help but take Roose's post as something of a challenge. Can we come up with security questions that don't suck? At a minimum they need two characteristics. First, the answers have to be clear and distinct. I've never been able to use "first pet," for example, because that's a little fuzzy. I can think of several possibilities. Second, the answers need to be genuinely hard to guess, even for family and friends—but still easy to remember for you. They don't need to be perfect, but they should certainly be better than "first car." Any ideas?
UPDATE: Also, I'm curious about something. For us ordinary mortals, there has to be some way to recover lost passwords. What should it be?