[dancer with glow stick]

Poi Circles © Hendrik Kueck / CC

In the wake of the much-publicized hacking of a webmail account, I thought I’d share my own anecdote about security questions. Sometime last year, I decided to consolidate my finances and roll over all my past employer 401(k) accounts to a new firm. Some companies make this easier than others, since, you know, they’d really like to continue holding your money for you. Most of them require you to call them up and get them to mail you some forms. And all of them have multiple layers of security.

In the process of convincing one of these firms to send me the requisite paperwork, a customer service rep challenged me to answer a custom security question that I had set up when I opened the account (close to 10 years ago now). This is a good thing, in theory. Most of the “canned” security questions (birthplace, mother’s maiden name) are easily answered with a quick web search these days, and even 10 years ago I was vaguely aware of this possibility. Thus, I had opted for a custom security question, in which I got to define both the question and the answer.

Like most people, I dated other people before meeting the woman who is now my wife. Like most people, I did not know when I met her that she would eventually become my wife. I had other relationships, some good, some bad, some that never quite got off the ground. One of those “never quite got off the ground” girls was a co-worker of mine who had come to work with me a few months after I had started dating my future wife. We became fast friends with a shared passion for electronic music (although she was way more into the “scene” than I was), but we never got around to dating because things were going so well with my future wife.

You see where this is going.

Nigh on ten years later, I find myself on the phone with a bored customer service rep who says, “All right, Mr. Pilgrim, I’d be happy to send you this rollover form as soon as you can answer the security question you set up with us: ‘Who is the queen of trance?’”

There was — literally — 45 seconds of dead air before I could come up with the name of the girl I didn’t marry.

§

Eleven comments here

  1. For some time now I’ve been using a password manager to generate random passwords everywhere, including for security questions. This leads to fun moments wherein I tell the CSR that my first pet’s name was “jQnper7mcMjjW]NGg*3cFCViH”.

    — Jacob Kaplan-Moss #
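The approach in comment 1 (a random string from a password manager in place of a memorable answer), together with the post's own point that canned answers like a mother's maiden name can be looked up, carried into working code. This is an added example, not code from the original post or from any commenter. It shows the client half (generating a random answer) and the verifying half (storing any answer the way a password should be stored: normalized, salted, run through a memory-hard KDF, compared in constant time), then runs a small offline guessing attack against a leaked record to show why a guessable answer fails and a random one does not. The function names, scrypt parameters and the surname list are constructed for illustration.

```python
"""Security-question answers treated as secrets (added example).

Constructed names and data throughout: register_answer/verify_answer are not a
real library's API, and COMMON_SURNAMES is a stand-in for the list a guesser
would try first.
"""
import hashlib
import hmac
import math
import secrets
import unicodedata
from typing import Optional

# scrypt cost: N=2**14, r=8 means about 16 MiB of memory per hash, slow enough
# that an offline guesser pays for every candidate.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Constructed candidate list for the guessing demonstration.
COMMON_SURNAMES = ["Smith", "Johnson", "Williams", "Brown", "Jones",
                   "Garcia", "Miller", "Davis", "Rodriguez", "Martinez"]


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Smith ' and 'smith' compare equal.

    Human-typed answers vary in capitalisation and spacing; normalizing before
    hashing keeps recovery usable without materially shrinking the space.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def random_answer(nbytes: int = 16) -> str:
    """Client side: a 128-bit random answer meant to live in a password manager."""
    return secrets.token_urlsafe(nbytes)


def guess_space_bits(candidates: int) -> float:
    """Entropy of an answer drawn uniformly from `candidates` possibilities."""
    return math.log2(candidates)


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.scrypt(normalize(answer).encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def register_answer(answer: str) -> dict:
    """Server side: keep a per-record salt and the scrypt digest, never the answer."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": _derive(answer, salt)}


def verify_answer(record: dict, attempt: str) -> bool:
    """Constant-time comparison of the attempt's digest against the stored one."""
    return hmac.compare_digest(_derive(attempt, record["salt"]), record["digest"])


def guesses_to_crack(record: dict, candidates: list) -> Optional[int]:
    """Offline attack on a leaked record: try each candidate in order and return
    the guess count at which it succeeds, or None if the list is exhausted."""
    for count, candidate in enumerate(candidates, start=1):
        if verify_answer(record, candidate):
            return count
    return None


if __name__ == "__main__":
    canned = register_answer("Smith")
    print("canned answer recovered after",
          guesses_to_crack(canned, COMMON_SURNAMES), "guess(es)")
    managed = register_answer(random_answer())
    print("random answer recovered:", guesses_to_crack(managed, COMMON_SURNAMES))
    print("guess space: %.1f bits for a %d-name list, 128 bits for the random answer"
          % (guess_space_bits(len(COMMON_SURNAMES)), len(COMMON_SURNAMES)))
```

The hashing side matters even with a good answer: if the provider stores answers in clear, the password-manager string is only as secret as their database. Normalization is deliberately applied before hashing and nowhere else, so the stored digest never depends on how the user happened to capitalise the answer on signup.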

  2. Brilliant. So yes, that is a weak spot for custom security questions, but it sure beats using Mom’s maiden name (which I usually replace with two mnemonic words for the site in question) or transliterated Mandarin (another trick I tried for a while until I couldn’t remember the right translations).

    — Rui Carmo #

  3. There are a large number of businesses who believe my mother’s maiden name is “fuckyou”. Which also makes for fun interactions with customer service.

    — Rod Begbie #

  4. I guess I’m lucky in this regard, since I somehow am able to remember random strings of letters and numbers, even though my memory of events and conversations is terrible.
    Anyway, I just have a few different codes memorised, so for my security questions I just put the first letter, e.g. “x-code” or “z-code”, and then I just remember whichever code it was that starts with x, y or whatever.

    The maiden name/girlfriend/teacher ones are not very safe IMO, since people can easily find those out.

    — Dan #

  5. I like a suggestion I saw a while ago suggesting that your security question should be “Where did you lose your virginity?” on the grounds that, in most cases, only 2 people know this. Unfortunately, a decent objection was that for many, many people, the answer would be “in my parents’ bedroom” or something similarly generic.

    — Sam Kington #

  6. You worked with DJ Tatana?

    — Tom Clancy #

  7. And of course, the venerable Penny-Arcade treats the subject with wit and candor.

    — jldugger #

  8. The same Penny Arcade link, linked properly.

    — Scott Johnson #

  9. I am just sad you like techno

    — Rob #

  10. Not techno, TRANCE! Get it straight.

    — SDC #

  11. Not really a password recovery issue, but I discovered that one big reason you should encrypt user passwords in your database is that, frequently, the user has a good reason to keep that password secret… besides the access to your system. Like the user of a former employer’s product who logged in every day with “bigtittyfukka” as his password.

    — Gordon Weakliem #

Public comments on this post are closed.

§


© 2001–8 Mark Pilgrim