Stop Asking Security Questions

Revision from May 16, 2019 @ 19:58:26.

I typically see one or both of these pieces of advice regarding the ubiquitous “security questions”:

1. Users should go to absurd lengths to hide personal details about themselves online, to make it impossible for hackers to guess the answers to security questions.

   A company might ask you to use your favorite movie as a security question? Better not let anybody know about your affinity for Italian horror films.

2. Users should never answer security questions truthfully. Treat them for what they (sort of) are, secondary passwords, and use arbitrary answers to them.

Like so much of infosec, these pieces of advice treat the user as the problem rather than the convoluted security mechanisms they are forced to endure. The best advice is, simply,

3. Stop asking users security questions.

Security questions make accounts harder to access without making them any more secure. At best, they force users to create and track multiple pseudo-passwords. At worst (which I suspect happens routinely), they trick users into tying easily discoverable personal information to their accounts, which makes targeted hacking attempts much more likely to succeed.

Just stop using them.
