How Hackable Are Your Security Questions?


Kevin Roose writes today that security questions are ridiculously easy to hack and we should get rid of them:

There are all kinds of ways to lock down your most important accounts — Gizmodo’s guide is a good place to start….Eventually, some advanced form of biometric authentication (fingerprints, retina scans) may become standard, and security questions may get phased out altogether.

But until then, when so many better options exist, there’s no reason a company like Apple should be relying on questions like “What was the model of your first car?” for password recovery in 2014. If that’s the best way we have of making sure a user is legit, we might as well change all of our passwords to “1234” and hope for the best.

All kinds of ways? I was intrigued. So I clicked on the Gizmodo link and found….two suggestions. The first is two-step authentication, which is a fine idea for anyone with a cell phone. The second is encrypting all your data. But like it or not, this is much too hard for most people to implement. There’s just no way it’s going to become widespread anytime in the near future.

So, basically, there aren’t all kinds of ways to lock down your most important accounts. There’s one. And even it only works on some accounts. If my bank doesn’t offer it, then I can’t use it.

I’d offer a different perspective. First, the level of security you need depends on who you are. If you think the NSA is after you, then your security better be pretty damn good. If you’re a celebrity, then it needs to be pretty good. If you’re just some regular guy, then the truth is that fairly ordinary measures are adequate. You should use decently secure passwords, but that’s probably about all you need to do for most of your accounts. Two-step authentication is a good idea for cloud accounts.

As for security questions, I suppose I’m on Roose’s side. Just get rid of them. They’re too easy to guess, especially for friends and family. Instead, either use a password manager or else create random passwords for your accounts and write them down on a piece of paper that you hide somewhere. I know you’ve been told forever to never write down your passwords, but the truth is that low-tech paper is actually pretty damn secure compared to anything digital.

Still, I can’t help but take Roose’s post as something of a challenge. Can we come up with security questions that don’t suck? At a minimum they need two characteristics. First, the answers have to be clear and distinct. I’ve never been able to use “first pet,” for example, because that’s a little fuzzy. I can think of several possibilities. Second, the answers need to be genuinely hard to guess, even for family and friends—but still easy to remember for you. They don’t need to be perfect, but they should certainly be better than “first car.” Any ideas?

UPDATE: Also, I’m curious about something. For us ordinary mortals, there has to be some way to recover lost passwords. What should it be?

DOES IT FEEL LIKE POLITICS IS AT A BREAKING POINT?

Headshot of Editor in Chief of Mother Jones, Clara Jeffery

It sure feels that way to me, and here at Mother Jones, we’ve been thinking a lot about what journalism needs to do differently, and how we can have the biggest impact.

We kept coming back to one word: corruption. Democracy and the rule of law being undermined by those with wealth and power for their own gain. So we're launching an ambitious Mother Jones Corruption Project to do deep, time-intensive reporting on systemic corruption, and asking the MoJo community to help crowdfund it.

We aim to hire, build a team, and give them the time and space needed to understand how we got here and how we might get out. We want to dig into the forces and decisions that have allowed massive conflicts of interest, influence peddling, and win-at-all-costs politics to flourish.

It's unlike anything we've done, and we have seed funding to get started, but we're looking to raise $500,000 from readers by July when we'll be making key budgeting decisions—and the more resources we have by then, the deeper we can dig. If our plan sounds good to you, please help kickstart it with a tax-deductible donation today.

Thanks for reading—whether or not you can pitch in today, or ever, I'm glad you're with us.

Signed by Clara Jeffery

Clara Jeffery, Editor-in-Chief

We Recommend

Latest

Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate

Share your feedback: We’re planning to launch a new version of the comments section. Help us test it.