After last week's revelation of a record-smashing breach at Yahoo (which the company covered up for years), security researcher Matt Blaze tweeted: "Sorry, but if you have a Yahoo account, you will need to find a new mother, and have grown up on a different street." Ha, ha, only serious.
Yahoo is just one of many companies that use "pre-registered knowledge tokens" (AKA security questions) for password recovery, insisting that you give out unchangeable, often easy-to-research personal information that can be abused to take over your account. These make for really bad authentication systems, because good auth systems don't reuse tokens between services (your mother has one maiden name, meaning that a leak of that fact — which is a public record! — gives attackers access to every service that asks this question); and they can be changed if they're compromised (you need a time machine to change your mother's maiden name).
There's an obvious, not-great answer to this: just make up nonsense answers, preferably containing the ingredients of a good password (length, unpronounceable characters, absence from any real or machine-generated dictionary), for every service. In other words, a signup for a service turns into: "Please supply a password, and another password, and another password, and another password, etc etc" and then remember which password you gave for which service.
The paranoid among us (ahem) have been using this system for years, but it's by no means perfect. For example, my neighborhood credit union presents its security questions as multiple choice, something I didn't realize when I was setting up the account. It also thinks that it's never seen my browser before on every login (because some combination of the privacy, ad-blocking, script-blocking and cookie-blocking tools I use frustrates its first-line security measures). That means that every login involves answering one of these security questions, which ends up looking like this:
What color was your first car?
[ ] White
[ ] Black
[ ] Blue
[ ] Red
[ ] Silver
[ ] White
[ ] 5jLuHY<5WeU
This makes me well up with the cassandrafreude every time I see it.
If you’ve taken the time to add as many accounts as possible to a password manager and randomize all the passwords, you know that this is a doable but long-term project. Even at maximum efficiency, it takes a minute or two to reset a password, add a new one, and ensure that the random string of characters is correctly saved in your password manager. The average U.S. user has more than 100 digital accounts linked to their primary email address, so to randomize every security question when the mechanisms aren’t always easily available remains a slog. Insecurity Questions’ Fenton suggests focusing on changing the security answers on accounts that contain your most sensitive data like your email, financial, and medical accounts. And even if you’re someone who doesn’t have a password manager up and running, you can still start using one to keep track of security answers. “You should have unique passwords for each site and service and you should have unique answers to security questions, and a password manager is the way to do that,” says AgileBits’ Goldberg. “But that’s not an all-or nothing statement. You can just start by deciding to put [some] security answers into a password manager. You don’t have to do the impossible.”
Time to Kill Security Questions—or Answer Them With Lies [Lily Hay Newman/Wired]