An Insurance Company Website

This company is a disability insurance company similar to Aflac.  I recently had the ‘pleasure’ of signing up for their online system and was presented with the following questions:

What is your father's middle name?
What is your mother's maiden name?
In what city were your born?
What is your mother's middle name?
What is the last name of your favorite grade school teacher?
What is the first name of your favorite relative when you were a child?
What is your greatest fear?
What is the first name of your best friend from childhood?
What was the make and model of your first car (Make Model: e.g. Jeep Wrangler)?
What was your first job (Company Name no abbreviations)?
What was the name of the first grade school you attended?
What was the name of your first pet?
What is the last name of your favorite author?

I usually try to avoid the easily-researchable things like parents middle names or my place of birth, and I couldn’t really answer any of the ‘preference’ questions since I liked many of my teachers, had several best friends in childhood, etc.  So right away lots of questions fail on ambiguity and sometimes privacy as well.

I was amused by the question “What is your greatest fear?” partly because it’s not a great question for me--my answer could be phrased a lot of different ways--but also because do you really want your customers thinking about their greatest fear while they’re visiting your website?  It just seems a bit weird to me.

I kind of liked the “What was your first job (Company Name no abbreviations)?” because it made some attempt to remove ambiguity by specifying exactly what it was looking for (e.g. not ‘cashier’ or ‘paralegal’) and how it should be entered (not using abbrevs. or ACRONYMS).  I could answer that but first I go onto other questions.

The next question is no longer a bad question for me:  I’ve gotten a new car since I last posted about this, so the answer to the question is no longer sitting in the parking lot outside my apartment.  So I put that in.

I put in my first grade school and the standard, made-up name of my first pet since I don’t really have a real first pet, and hit Continue.

It says that I need to fix the answer to my first car.  It doesn’t say why.  Not helpful.  I try again with the first company I worked for.  It makes exactly the same complaint!  l try a few other things before realizing:  Spaces aren’t allowed in your answers.  For a question that gives the example “Jeep Wrangler” that’s sheer jaw-dropping idiocy.  This apparently applies to all of the answers, so my answer for first job is also not allowed (and now you know that my first job has a space in it!).

I can kind of understand not allowing special characters in some cases, but what if your mother’s maiden name was O’Leary!.  It’s probably better to just ignore the special characters when comparing by stripping them out.  But a space is not a ‘special character’.  Even worse, they didn’t tell me what was wrong with my answer!  I had to figure it out through trial and error.  I’ve had that problem a few times with sites that don’t allow special characters in passwords too: Things don’t work, and they don’t tell you why, or even give an inaccurate error message like ‘invalid password’.  I once used a website that let me change my password to one with a special character in it, but then Javascript on the login page prevented me from entering that same password to access my account!

Best practices lessons:
1. Be wary of prohibiting special characters: there are quite a few questions whose answers will require them.  Names can have apostrophes.  Even if you ask for just a last name it can be hyphenated or even have two parts.  Companies names can have numbers in them (“Cash4Gold” for example), and sometimes they can even have foreign characters.  These cases may be rare enough that the user can select a different question if you offer plenty of choices, but not allowing a space in the make and model of your car is just terrible.


2. Give the user a useful error message if their answer isn't allowed for whatever reason.  It took me forever to realize that such an obvious and essential character as space was the cause of that vague error message.

Contest

And NOW it's TIME for... Guess my Security Question, the only online blog-based gameshow where you get to guess (or uncover) the answer to my security question. In the future I'll be using questions submitted by users for this, but I think I'll start with one that my bank uses:

What is my High School mascot?

Answer in the comments. First person to guess correctly gets mentioned in the next post. Maybe in the future I'll put up a few bucks for a prize but for now you just get the glory.  You may submit as many guesses as you want but each guess has to be in a different comment.  Also, minor props to the first person to identify which attribute(s) this lacks.

Working vocabulary (What makes a good security question, redux)

Helpful reader Rick Auricchio has informed me that the numbering I was using in previous posts was rather opaque, especially since the list it drew from wasn't actually numbered, and suggested instead using more descriptive adjectives. He had a good list of adjectives to match the numbers, and I made just a few changes. The list is as follows:

Applicable: It actually applies to you and has an answer. Sites should either provide security questions that apply to a large portion of their user base or have many questions to choose from. Where you met your spouse is probably not a great question for a singles dating site.

Private: It's something that few other people know, that's not in public records or all over your blog or resume. First grade teacher is a good question for a site with an adult user base, but not great for one that caters to high-schoolers who probably all have the same answer.

Unpredictable: The answer is hard to guess. 'Favorite Color' fails this hard: one third of people have Blue as their favorite color. If you're a bank with one branch in one city then birthplace is also not ideal.

Unforgettable: You will definitely know/remember the answer. Otherwise you've defeated the purpose.

Invariant: The answer won't change even if your home, job, tastes, or even spouse changes. It happens more often than you'd think.

Unambiguous: There's only one good answer AND that answer is only typed/phrased in one way. God help you if it's case sensitive.

Allowable: The users answer is not blocked due to technical limitations (e.g. length, special characters). What state were you born in doesn't work if you have a 6 character minimum (poor buckeyes!).

It's not perfect. For example, some of the adjectives describe the questions whereas other describe ideal answers. But I think it's important to try and develop a vocabulary for talking about security questions. goodsecurityquestions.com (which I hadn't come across when I first made this blog) has done something similar, and has some great tips, but I'd like to go into a bit more detail to figure out problems with security questions.

I'm going to go back a bit and clarify some of the older posts as necessary so they have more than just numbers in the discussions.

And I'm back

A post on Bruce Schneier's blog about stupid security questions reminded me that this blog exists, and so I'm thinking about trying to start updating again. One of the comments on his post also links to a great entry in The Daily WTF about Multiple-choice security questions, which are beyond stupid: They fail the 'easy to guess' criteria (Assuming it's a bank in North America, what do you think's the safest bet as to where his father was born) and they don't even allow the user to actually pick their real least-favorite vegetable (mine is eggplant) but I'll bet 'beets' or 'brussel sprouts' are good guesses for a large portion of the population, given that list of choices.

Since I hadn't updated this blog in a while I had forgotten the password to the gmail account that I created with it: stupidsecurityquestions@gmail.com. Yeah, you can guess where this is headed. I opted to use my security question to recover my account and it asked me one thing: "What was your first teacher's name". I answered, and then it let me set a new password. I didn't even have to give it a birthday or answer more than one question.

I had apparently opted for the pre-set one out of laziness because I couldn't think of a security question truly fitting an account about bad security questions. I didn't realize that the account could be completely taken over by anyone who could answer it. Anyone in my family would know that, and if I ever mentioned what school I went to you could just check their website to narrow it down to just one or two teachers (small school) since the teacher is still working there.

One thing about security questions is that you often see several of them. If you have to answer all three every time you log into your bank (no joke, I have to do this) it's a huge pain. But if you can take control of somebody's account with just a little bit of research that's a failure in a completely different direction.

Gmail

I'm looking for security questions and your comments on them. I've created an email account for this purpose: stupidsecurityquestions@gmail.com. Please be sure to include the URL of the site in question, and include a link to the sign-up page if it isn't obvious. If it's not a public sign-up (e.g. your bank) you can just copy and paste the options from the source code. I'd love to hear your comments on it as well.

I would be remiss, of course, if I didn't comment on the security questions that Gmail offered me. They are:

• What is your primary frequent flyer number

I've never had a frequent flyer number, and so this question doesn't work for me. Wikipedia doesn't say what percentage of adults have a frequent flyer number, but I'm guessing it's not a whole lot. I don't know how common it is to have more than one number (perhaps not all that common, after all the point of the program is to get you to always use one airline) but that might make it less definite as well. And I'm sure it's possible to change favorite airlines. Fails on applicability, invariability and possibly unambiguousness.

• What is your library card number

Most people have library cards, it's impossible to guess, and it's not something you post on Facebook. This is a good one... as long as you don't move. I moved just a few months ago and I already lost the old card. Of course, you don't have to move to lose your library card, you could just misplace it, and if you've gotten a new one it might or might not have the same number. Risk of #4 and #5 (fails on invariance and forgettability).

• What was your first phone number

I remember this one for sure. Most everybody should have one, and probably only one. With the exception of people who still have their first phone number, it's probably hard to research, and definitely impossible to guess. The issue with this one? I could type my first phone number 555-5555, 555-555-5555, (555) 555-555, or 555 555 5555 and there are probably a few more ways that I haven't thought of. I don't always format phone numbers the same way. It's possible that Google is being smart on this one and ignoring punctuation, I didn't bother testing it, but this is definitely at risk of #7 (Unambiguous phrasing).

• What was your first teacher's name

I definitely remember my Jr. Kindergarten teacher's name. I think a lot of people would, and I can't imagine many circumstances where there would be more than one good answer to this. Home-schooled people can't use this one, but I think that's a pretty small segment of the population. However high-schoolers who grew up together could probably use this to get into eachothers accounts because they had the same teachers, or even just went to the same school and knew which teachers taught Pre-K. Failure of privacy for at least part of the population--the part that most utilizes social networks and cloud services.

• Write your own question...

Well, I definitely liked this one. I can think of a whole lot of things that I will always remember, but nobody else would ever guess, that would make a suitable security question. I could ask "What was the nickname of your dumpster-diving friend in Elementary School?", and I know the answer to it will never change, never be forgotten, and never be phrased differently. Or I could ask "What was the name of the book you had to pay your elementary school library to replace in 5th grade?". Nobody could ever possibly guess either of these things any more than I could forget them.

But there are dangers in giving the public this option. Like password hints, people can and will use it to subvert the security of their own accounts. They will chose obvious things like their name or birthday. If you make sure that the question doesn't contain the answer, they will obfuscate it by putting spaces in between characters. In any segment of the population, there will be some segment that is just too lazy to care about security. Does that mean they deserve to have their accounts compromised? Probably, but institutions don't have the option to think that way, and even if they did it would still increase their support costs. Banks especially are legally limited in how much the customer was liable for, even if the customer was an idiot.

So while I would vastly prefer being given the option to create my own question, especially since I sometimes have a hard time choosing one that is both applicable and secure, but I understand why it's not always available. It is perhaps a shame that your security has to cater to the lowest common denominator, but if the general public is using your website or service then you may not have much choice.

Stupid security questions - ADP iPay - the beginning

So I'm registering for my iPay, the online payroll service by ADP that probably owes Apple money for stealing their iDea. I am required to choose two security questions out of the following:

• What is the name of your first pet?
• In what town does your nearest sibling live?
• What is the name of your childhood best friend?
• Who was your best man or maid/matron of honor at your wedding?
• Where did you first meet your spouse/partner?
• In what town was your first job?
• What were the year, make, and model of your first car?
• What was your first job?
• What is your favorite past-time?
• What was your favorite subject in school?

I read them and take several minutes to try to decide which ones to use, and I become increasingly irritated, because they're all bad.

I've been irritated by security questions before, but for some reason these particular options annoyed me so much that I was inspired to write this huge rant on bad security questions. I've seen worse questions, I suppose, so this was really more of a 'straw that broke the camel's back' but now I'm in the mood to criticize, so let's get started:

To understand my problems with these specific security questions, let's take a look at what makes a good security question:

1. It actually applies to you/has an answer
2. It's something that few other people know or can find out (e.g. by checking their target's blog?)
3. It's not something that can be guessed easily
4. You will definitely know/remember the answer
5. The answer won't change
6. There's only one good answer to it, or one that is obviously best/most correct
7. That answer can only be typed/phrased in one way that immediately comes to mind, god help you if it's case sensitive
8. That answer will meet the minimum length requirement

So, security questions have 3 basic problems:

• Some of them don't apply to people, or they can't answer it easily
• Some people won't be able to remember exactly what they typed 6 months later
• Some of them are easy to find the answer to, or even just guess

Based on the requirements, what makes a 'good' security question depends heavily on the person who is answering it. For my dad, the first car question would be pretty good, probably a handful of people in the world ever knew, and few remember. For me, my first car is also my current car, so anybody who lives near me, works near me, etc, could probably answer it without too much effort. Perhaps my life isn't as typical and straightforward as most others', but I can't be the only one who has this sort of problem.

My problems with the questions they offer:

• What is the name of your first pet?

I dunno, I had some hermit crabs in grade school, but I don't think there's a person alive who remembers their names. Plus there were several of them, so which one would I put if I did remember? If you don't count minor pets (Should you? Will I remember which pets 'count' a year later when I have to answer this?) then I'm left with my current pet, a cat whose name my wife has posted enthusiastically on Facebook and on her blog.

Really, this question is only usable if you (a) had only one pet at a time, and (b) had a pet that lived long enough (or recently enough) for you to remember their name. In my experience pet owners tend to have more than one, and unless it's a dog or cat you won't remember what you called it. So for many people this fails on #1 (Applicability) or #6 (Ambiguousness), and for people with blogs it might fail on #2(Privateness) as well.

What's worse, while people can be very imaginative in naming their pets, they can also pick ones on this list. Even if you're really careful about allowing too many attempts, the attacker can just figure out your threshold and go a little bit slower. So this fails #3 as well. This question can also run afoul of #8, since there are people who name their dog 'Rex' and websites that require four or five character answers.

• In what town does your nearest sibling live?

I have two siblings. Wait, that's not quite true. I also have a step-sibling. Does he count? He's living on the opposite coast, so I suppose it doesn't really matter, but the question isn't as clear cut as it was at first glance. The two closer siblings currently live about the same distance away, but let's say I consulted Google Maps and found the answer. Next year I need to reset my password and... they've graduated from college and moved somewhere else. Do I try and remember when I signed up for it, and which sibling was living where at the time? So that definitely fails #5 (Invariance). It doesn't work at all for only children, or those whose siblings are deceased. Since it doesn't specify the town only, perhaps #7 (Unambiguous phrasing) too.

• What is the name of your childhood best friend?

As a kid I lived in two different places, went to four different school districts, and had different best friends at each one. Even just counting elementary school, there were at least two or three kids I think of when I am asked who my 'best friend' was. There was one who was perhaps a bit closer than the rest, but damnit, I don't remember how to spell his last name. Maybe I should just use his first name. Or his nickname. Will I remember to do that two years later when it asks me? Of course not. I'll be trying different spellings and wondering why it isn't working. For most people this fails #6 (Unambiguousness) HARD, and in some cases #7(Unambiguous phrasing) as well.

• Who was your best man or maid/matron of honor at your wedding?

Well given that this is a payroll website and not MySpace I suppose most (but of course not all!) people using it will be married. My wedding was not exactly a formal affair, so it didn't have a best man per se, but my younger sibling was the one who handed us the rings during the ceremony, so I guess that counts. Attack idea: Check your victim's Facebook page and see if they have any siblings. #2(Privateness) is sort of a problem here, and #1 (Applicability), but it's hardly the worst question on this list.

• Where did you first meet your spouse/partner?

Ah. Finally one I have a good, simple answer to, one that immediately comes to mind that I don't wonder about how to phrase it or spell it, and won't change. Just put in the name of the place we met and... must be at least 6 characters! At least it didn't ask what state we met in, then require 6 characters. Tough luck for those who met in Ohio (you laugh but it happens!), and by the way there's only 50 different states that I need to try if I want to hack your account. But I'm getting off their actual question. Fails on #8 (Allowability) for me.

• In what town was your first job?

My blog history is currently private, so I'll temporarily ignore the fact that this is plastered all over it, and my resume, and the fact that anybody who ever asked me where I went to High School could answer it as well. "Where did you go to High School" is a pretty innocent question for anybody under 30, and most people start work during high school, near where they live. Unless they mowed lawns? Does that count? Do I put the state? That sort of fails #6 (Unambiguousness), but mostly #2 (Privateness).

• What were the year, make, and model of your first car?

This one would be a bad choice for Tom and Ray Magliozzi of Car Talk fame--their automotive history is legendary. But if they didn't think "how many people know the answer to this question" before jumping to it because they love cars, millions of people might know or be able to find the answer. Celebrities, and people with public blogs, tend to make easy targets when their accounts are protected by security questions. Perhaps this question isn't so bad for most people whose first car has long been compacted into cubic meter of steel, but my first car is sitting outside in the parking lot, and I take it with me to work every day. Fails on point #2 (Privateness) for me. And do I include the trimline? #7 (Unambiguous phrasing) as well maybe, although it's only two different possibilities.

• What was your first job?

My answer would be "cashier". I wonder how many people would answer this with "cashier"... A quarter of the population? A third? Off the top of my head, here's five jobs that I bet would cover 2/3 of the U.S. population:
Waiter
Waitress
Cashier
Pizza Delivery
Stocker

FAIL #3 (Unpredictability). #6 and #7 (Unambiguousness) might also be a problem, since some positions don't always have definite titles. Was I a 'cashier' or was I in 'retail'? Was my first job 'Pizza delivery' or was I a 'Delivery boy'?

• What is your favorite past-time?

This fails #6 and #7 (Unambiguousness) so hard it makes my eyes bleed. I love to do lots of things, such as reading, biking, sex, etc but I suppose it's fair to say that I do one thing more than any of the others, and that is doing stuff with computers. What kind of stuff? Well all sorts! I like to check blogs, and write blogs, and edit wikipedia, and configure networks, and last year I enjoyed programming and systems administration and computer charity and... see what I mean? I could put "computering" which might best sum up my interests but it's not really a word, and maybe next year I'll focus on some different aspect of it and the answer will be different, and of course I'll never remember exactly what I put here, and it'll change too, failing #5 (Invariance). The point is that this one fails to have a clear-cut 'best' answer that comes immediately to mind. Are there people who can put down 'Sailing' and then six months later when asked their favorite pastime, get it right? Sure there are. Just like there are people who grew up with exactly one pet.

• What was your favorite subject in school?

For me this immediately fails #2 (Privateness), since it also happens to correlate pretty strongly to my current employment as a computer security professional. Barring any knowledge of the target, here's a list of subjects that probably covers half the population:

Math
History
Art
English
Phys Ed
Science

If I were to expand with specifics such as Calculus, Biology, Trigonometry, Literature, German, etc, and add different phrasing e.g. "Physical Education" and "Gym", I could probably bring that up to 90% or so. So it even fails on #3 (Unpredictability).



I ultimately picked two questions that weren't the best, but definitely wouldn't lock me out of my account if I forgot the password. Fortunately their password policy allowed some special characters, although for reasons unknown it didn't allow all special characters, just a few.

So ultimately I give iPay a D. I did manage to find questions that worked for me, but some of their questions were weak, and some were vague or open enough that I'd have to remember what I put down (which defeats the point) or make many attempts to guess my own security question answer.