Last Wednesday, I lost my cell phone. "Great," I muttered. I looked everywhere in my home, my office at work, and the probable location in which I lost it (one of the cafes at Microsoft). No luck. I wasn’t looking forward to it, but I resigned myself to the fact that I’d have to repopulate my address book.
Luckily, I have an extra cell phone at home, a Blackberry Pearl. "Well, now’s as good a time to start using it as any." The only problem with it is that the battery is a piece of junk. It doesn’t even recharge at all. I had to go buy a new one. I went down to the local AT&T store and tried to get one, but they didn’t have one in stock. I went to the other AT&T store and they didn’t have one either. I’d have to order one online, which meant waiting about a week. Sigh. Fine, whatever.
Then, this past Monday, I went down to the University of Washington for a medical appointment. I found the University just fine, but finding the clinic was a bit of a challenge because I had to drive around the whole campus, go through a cave, climb up a hill in order to come to a wall, and then speak "Friend" in Elvish to reveal the secret entrance to the place. As I left my car, I decided to quickly check something in my bag (which I left in my car) before heading out again.
I went in, had the appointment, and then came out of the building. As I was walking to my car, I put my hand into my pocket. I expected to feel my keys there, but I didn’t. I immediately figured out what had happened: I had left my keys in the car. I had locked myself out of the car with no way to get back in, and I couldn’t pull out my cell phone and call a locksmith or get emergency roadside assistance because my phone was lost and my backup phone didn’t work.
The reason I bring this up is that about a week ago, John Graham-Cumming posted on his site about the vulnerability of security questions. Suppose there’s a website that you go to regularly and one day you forget your password. Many sites nowadays have security questions like “the name of your first pet” or “the street you grew up on.” The idea is that this is information that only you could know, and therefore if you got the answers right, it would be safe to release the password to you (i.e., the person typing the answers) with little risk of an impersonator getting access to your personal data.
Graham-Cumming suggests that even these hints are too easy: someone who knows you would be able to guess them, so they provide little security. So, what he does is lie. If asked for his favorite pet, he might give his second favorite pet.
The problem with lying is that it is basically a second password. I go to a lot of websites, some of which I log into regularly (like my bank), others I log into irregularly (like paying my cable bill), and still more I log into once in a blue moon (like my foreign currency CD, which completely backfired last year when the US dollar rallied out of nowhere). The point is that for the sites I log into less frequently, I have forgotten my password. So, I need to have the security questions. And if I have to lie about my answers, then I need to remember that I lied and then remember what I think I said. It’s hard enough to remember whether or not I used case-sensitivity in my answers. Now I have to remember that the answer to my question is not actually the answer to my question.
It wouldn’t be so bad if I had the same answer for every site; I don’t. The security questions are different. Quite frankly, I don’t think that the practice of providing false answers to these security questions is valid. It relies on tricks of human psychology. We cannot recall abstract phrases such as random numbers and letters (which is what my passwords all are… which is why I forget them so often), but we do remember people, events, and places that have emotional meaning to us. I can’t remember how much the plane ticket cost me to go to China last year, but I do remember that I was there for 9 days. The cost of the flight has no meaning to me, but recalling all of the stuff I did and how long it took sure does.
So yes, I do think these password hints can be insecure in that somebody close to us could likely guess them. However, they are also the best way I can currently think of to conveniently unlock a forgotten password, because they rely on past emotional experiences that we are unlikely to forget, unlike a password. If you don’t provide the correct answer to the question in the first place, then you’ll be completely locked out – just like me from my car.
Which brings me back to my car. I wish my car had security questions. I could answer them and then it would magically unlock. Or maybe I just need to hide a secret key somewhere on it in the likely event that I one day lock myself out again. It happens more often than I care to admit.