Tuesday, November 10, 2009


I'm looking for security questions and your comments on them. I've created an email account for this purpose: stupidsecurityquestions@gmail.com. Please be sure to include the URL of the site in question, and include a link to the sign-up page if it isn't obvious. If it's not a public sign-up (e.g. your bank) you can just copy and paste the options from the source code. I'd love to hear your comments on it as well.

I would be remiss, of course, if I didn't comment on the security questions that Gmail offered me. They are:
  • What is your primary frequent flyer number
I've never had a frequent flyer number, and so this question doesn't work for me. Wikipedia doesn't say what percentage of adults have a frequent flyer number, but I'm guessing it's not a whole lot. I don't know how common it is to have more than one number (perhaps not all that common, after all the point of the program is to get you to always use one airline) but that might make it less definite as well. And I'm sure it's possible to change favorite airlines. Fails on applicability, invariability and possibly unambiguousness.
  • What is your library card number
Most people have library cards, it's impossible to guess, and it's not something you post on Facebook. This is a good one... as long as you don't move. I moved just a few months ago and I already lost the old card. Of course, you don't have to move to lose your library card, you could just misplace it, and if you've gotten a new one it might or might not have the same number. Risk of #4 and #5 (fails on invariance and forgettability).
  • What was your first phone number
I remember this one for sure. Almost everybody should have one, and probably only one. With the exception of people who still have their first phone number, it's probably hard to research, and definitely impossible to guess. The issue with this one? I could type my first phone number 555-5555, 555-555-5555, (555) 555-5555, or 555 555 5555 and there are probably a few more ways that I haven't thought of. I don't always format phone numbers the same way. It's possible that Google is being smart on this one and ignoring punctuation, I didn't bother testing it, but this is definitely at risk of #7 (Unambiguous phrasing).
  • What was your first teacher's name
I definitely remember my Jr. Kindergarten teacher's name. I think a lot of people would, and I can't imagine many circumstances where there would be more than one good answer to this. Home-schooled people can't use this one, but I think that's a pretty small segment of the population. However, high-schoolers who grew up together could probably use this to get into each other's accounts because they had the same teachers, or even just went to the same school and knew which teachers taught Pre-K. Failure of privacy for at least part of the population: the part that most uses social networks and cloud services.

  • Write your own question...
Well, I definitely liked this one. I can think of a whole lot of things that I will always remember, but nobody else would ever guess, that would make a suitable security question. I could ask "What was the nickname of your dumpster-diving friend in Elementary School?", and I know the answer to it will never change, never be forgotten, and never be phrased differently. Or I could ask "What was the name of the book you had to pay your elementary school library to replace in 5th grade?". Nobody could ever possibly guess either of these things any more than I could forget them.

But there are dangers in giving the public this option. Like password hints, people can and will use it to subvert the security of their own accounts. They will choose obvious things like their name or birthday. If you make sure that the question doesn't contain the answer, they will obfuscate it by putting spaces in between characters. In any population, there will be some segment that is just too lazy to care about security. Does that mean they deserve to have their accounts compromised? Probably, but institutions don't have the option to think that way, and even if they did it would still increase their support costs. Banks especially are legally limited in how much the customer is liable for, even if the customer was an idiot.

So while I would vastly prefer being given the option to create my own question, especially since I sometimes have a hard time choosing one that is both applicable and secure, I understand why it's not always available. It is perhaps a shame that your security has to cater to the lowest common denominator, but if the general public is using your website or service then you may not have much choice.
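Two of the problems above have a straightforward technical answer on the site's side: the phone-number question fails because the same answer can be typed many ways, and the write-your-own option fails when people put the answer in the question or use their own name or birthday. The following is an added example, not code from the original post and not how Gmail actually handles it, showing how a site could normalize answers before comparing them (so "555-555-5555" and "(555) 555 5555" match), reject custom question/answer pairs where the question contains the answer or the answer is just profile data, and store the answer as a salted PBKDF2 hash rather than in plain text. The minimum length, the profile fields checked, and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Normalize a free-text security answer so that cosmetic differences in how
# the user typed it ("555-555-5555" vs "(555) 555 5555", "Mrs. Smith" vs
# "mrs smith") do not turn a correct answer into a failed one.
# Only letters and digits survive; case, spaces and punctuation are dropped.
def normalize_answer(answer: str) -> str:
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())

# Assumed policy value for the example: answers shorter than this are too
# easy to guess by enumeration.
MIN_ANSWER_LEN = 4

# Validate a user-written question/answer pair. `profile` is a dict of the
# user's known account data (name, birthday, ...); these are assumed fields.
# Returns a list of problems; an empty list means the pair is acceptable.
def validate_custom_pair(question: str, answer: str, profile: dict) -> list:
    problems = []
    norm_answer = normalize_answer(answer)
    norm_question = normalize_answer(question)
    if len(norm_answer) < MIN_ANSWER_LEN:
        problems.append("answer too short")
    # Because both sides are normalized, "c a t s" in the question still
    # matches the answer "cats": spacing out the letters does not help.
    if norm_answer and norm_answer in norm_question:
        problems.append("question contains the answer")
    # Answers that are just the user's own profile data are researchable,
    # so compare against each whole value and each word of it.
    for field, value in profile.items():
        candidates = [value] + value.split()
        if any(normalize_answer(c) == norm_answer for c in candidates if c):
            problems.append(f"answer equals profile field '{field}'")
            break
    return problems

# Store the normalized answer as a salted PBKDF2-HMAC-SHA256 digest so a
# database leak does not hand out every user's answers.
PBKDF2_ITERATIONS = 200_000  # assumed value for the example

def enroll_answer(answer: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}

# Verify an attempt with the same normalization and a constant-time compare.
def verify_answer(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode(),
        record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

if __name__ == "__main__":
    # Constructed sample data for a quick run.
    record = enroll_answer("555-555-5555")
    print(verify_answer(record, "(555) 555 5555"))   # True
    profile = {"name": "Jane Doe", "birthday": "1985-03-14"}
    print(validate_custom_pair("Is the answer c a t s ?", "cats", profile))
    print(validate_custom_pair("Who am I?", "Doe", profile))
```

Normalizing before hashing is the key design choice: the stored digest is computed over the canonical form, so the comparison tolerates formatting differences without ever storing or comparing the raw answer. Note that normalization also shrinks the answer space slightly (case and punctuation no longer add entropy), which is a fair trade for a question whose whole weakness was ambiguous phrasing.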

