password insecurity questions

20 December 2005, 3:16 pm

Here’s a screen capture from on-line retailer’s registration form. The red asterisk indicates that these elements are both required.

Mandatory password security question

I’m specifically picking on, but many other web commerce sites have similar problems. These questions and their answers can be divided neatly into two equally unsatisfactory categories:

  1. Questions that are too easy for a would-be identity thief to answer
  2. Questions that are too hard for a customer to answer

The city in which I was born, and my parents’ full names are inappropriate questions for security purposes because they’re much too easily acquired.

The other questions are inappropriate because they’re too subject to change: If I create an account now and say that my favorite film is Revenge of the Sith, then I have to remember that next year when my favorite film is Spiderman III.

Oh, but wait a minute, I can’t even use Revenge of the Sith because it’s more than 15 characters. Good thing it’s not my favorite film after all. For that matter, I can’t use my mother’s middle name, or my pet’s name — they flunk the 6-15 character length requirement.

The underlying problem is that persistence of customer data is for the retailer’s convenience, not the customer’s. The retailer wants the longitudinal data on the customer’s purchase history; the customer doesn’t really care.

Yes, checking out takes a minute or two less if I don’t have to re-enter my shipping address. And maybe I don’t have to have my credit card handy if I was foolhardy enough to leave the number on file with the retailer.

But personally, I would much rather enter all of my information each time I make a purchase than have it inadequately safeguarded.

3 comments on “password insecurity questions”

  1. Janet

    Doug, I just saw the following in the weekly Wait Wait Don’t Tell Me e-mail and thought immediately back to this entry:

    Q: Up next, we head back to February when the FBI and the Secret Service both mobilized to investigate a particularly heinous computer crime. Apparently, our national security was at stake, when essential data was stolen from whom?

    HINT: If Tinkerbell’s feeding schedule gets in the hands of the terrorists, we’re doomed.

    HINT: They’re limiting their searches to cyber-criminals with computers big enough to handle all the phone numbers of boyfriends.

    A.[ PARIS HILTON. Ms. Hilton has one of those Sidekick devices, which accesses an online database of personal data and photos. And, amazingly, the owner of Tinkerbell, the world’s most overexposed chihuhua, used “What’s your favorite pet’s name?” as her security question. So, hackers stole and posted online the contact info of dozens of celebrities, and, of course, the obligatory nude photos of Paris herself. Why the Secret Service is investigating is anybody’s guess…but they did threaten at least one website into taking down the data. Immediately after the theft, The Late Show asked the question, “Is there anything of Paris Hilton’s that’s NOT on the internet?” ]

  2. 2fs

    No one ever said Paris Hilton was renowned for her vast intellect.

  3. summervillain

    Janet, I recall seeing a story about Hilton’s personal info being hacked, but I had no idea one of these silly mandatory password (in)security questions played a role. Thanks much for sharing!


Comments are subject to moderation. Unless you have been whitelisted, your comment will not appear on the site until it is approved. Links are allowed for whitelisted commenters; images are not permitted.