How Hackable Are Your Security Questions?

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.


Kevin Roose writes today that security questions are ridiculously easy to hack and we should get rid of them:

There are all kinds of ways to lock down your most important accounts — Gizmodo’s guide is a good place to start….Eventually, some advanced form of biometric authentication (fingerprints, retina scans) may become standard, and security questions may get phased out altogether.

But until then, when so many better options exist, there’s no reason a company like Apple should be relying on questions like “What was the model of your first car?” for password recovery in 2014. If that’s the best way we have of making sure a user is legit, we might as well change all of our passwords to “1234” and hope for the best.

All kinds of ways? I was intrigued. So I clicked on the Gizmodo link and found….two suggestions. The first is two-step authentication, which is a fine idea for anyone with a cell phone. The second is encrypting all your data. But like it or not, this is much too hard for most people to implement. There’s just no way it’s going to become widespread anytime in the near future.

So, basically, there aren’t all kinds of ways to lock down your most important accounts. There’s one. And even it only works on some accounts. If my bank doesn’t offer it, then I can’t use it.

I’d offer a different perspective. First, the level of security you need depends on who you are. If you think the NSA is after you, then your security better be pretty damn good. If you’re a celebrity, then it needs to be pretty good. If you’re just some regular guy, then the truth is that fairly ordinary measures are adequate. You should use decently secure passwords, but that’s probably about all you need to do for most of your accounts. Two-step authentication is a good idea for cloud accounts.

As for security questions, I suppose I’m on Roose’s side. Just get rid of them. They’re too easy to guess, especially for friends and family. Instead, either use a password manager or else create random passwords for your accounts and write them down on a piece of paper that you hide somewhere. I know you’ve been told forever to never write down your passwords, but the truth is that low-tech paper is actually pretty damn secure compared to anything digital.

Still, I can’t help but take Roose’s post as something of a challenge. Can we come up with security questions that don’t suck? At a minimum they need two characteristics. First, the answers have to be clear and distinct. I’ve never been able to use “first pet,” for example, because that’s a little fuzzy. I can think of several possibilities. Second, the answers need to be genuinely hard to guess, even for family and friends—but still easy to remember for you. They don’t need to be perfect, but they should certainly be better than “first car.” Any ideas?

UPDATE: Also, I’m curious about something. For us ordinary mortals, there has to be some way to recover lost passwords. What should it be?

A BETTER WAY TO DO THIS?

We have an ambitious $350,000 online fundraising goal this month and we can't afford to come up short. But when a reader recently asked how being a nonprofit makes Mother Jones different from other news organizations, we realized we needed to lay this out better: Because "in absolutely every way" is essentially the answer.

So we tried to explain why your year-end donations are so essential, and we'd like your help refining our pitch about what make Mother Jones valuable and worth reading to you.

We'd also like your support of our journalism with a year-end donation if you can right now—all online gifts will be doubled until we hit our $350,000 goal thanks to an incredibly generous donor's matching gift pledge.

payment methods

A BETTER WAY TO DO THIS?

We have an ambitious $350,000 online fundraising goal this month and we can't afford to come up short. But when a reader recently asked how being a nonprofit makes Mother Jones different from other news organizations, we realized we needed to lay this out better: Because "in absolutely every way" is essentially the answer.

So we tried to explain why your year-end donations are so essential, and we'd like your help refining our pitch about what make Mother Jones valuable and worth reading to you.

We'd also like your support of our journalism with a year-end donation if you can right now—all online gifts will be doubled until we hit our $350,000 goal thanks to an incredibly generous donor's matching gift pledge.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate