Stop Using Security Questions

Please stop using security questions.

Why security questions were designed with good intentions

If you forget your password, a site can ask you a series of security questions. This allows you to recover your account while still potentially authenticating you with questions only you know.

Account recovery options are always a great idea, but doing so with security questions is bad.

Insecurity Questions

Seriously — they introduce insecurity. In my experience, I’ve come across a form like this:

What is your favorite color?

Your security question must contain at least five characters!

What do you think the most popular colors are? Red? Blue? What about: teal, gray/grey, etc. A form I’ve came across actually had a 5-character minimum, which removed options from this answer and made guessing black/green/white/yellow a bit easier. My wife will tell you that everybody from the 90’s would say “Crayola Cerulean” is their favorite — I’m inclined to agree.

Facebook even has a feature where people can “know you better” where you can answer questions about yourself and paste it on your profile. Yikes!

Mother’s maiden names are easy to get from your social network (click you, click your mom, look at her friends names, or look at whom you call “aunt”, “uncle” etc).

Distributing Security Questions

I’ve once seen an admin that would screenshot a page that shown user’s security questions. This page existed to help admins verify users are who they say they are over the phone. In lieu of using it for this function, people were screen shotting this info and sending it to users who “forgot” them. Yikes.

I’m a site user — what should I do?

If a site insists you complete security questions, generate random text and throw that in the box. If you need to recover the account later, paste in that random text. While there, look for the company’s security@ e-mail, Twitter, etc. Tell them to fix it.

I’m a webmaster on the world wide web

Heh, old terms. Disable the requirement for security questions, remove account recovery until you can fix it. Replace it with CAPTCHAs and allow them to reset it via an e-mailed link. Make the link valid for <30 minutes, and with a bunch of entropy in the query string. Don’t store the expiration in the query string. If their e-mail is compromised, they indeed can steal this account. For this reason, it is imperative for users to have secure e-mail accounts. Also, wipe the security questions out of the database. If you’re compromised, those answers can quickly become public.

What if I follow the email reset and security questions?

You could. It’s better than no email reset.