I saw a post at Schneier on Security this evening that I wanted to highlight.  In light of the Palin email hack incident, Bruce Schneier discusses the “extra security questions” that various websites will ask you to verify your identity in case you’ve lost your password.  You’ve seen these: the things like, “What was your first high school mascot?”  As Schneier points out, these are the opposite of increased security.  In fact, they can make you more vulnerable, because they are usually quite easy to figure out.

Let’s see… Colin grew up in Green Bay, WI.  Even counting the parochial schools and allowing that he might live as far away from Green Bay as, say, a radius of one county in any direction, that will leave us what, maybe a dozen school districts and perhaps two dozen high school mascots to try?  Hmm… what is harder to guess: a 8-12 character password of letters and numbers (36⁸+…+36¹² = 4,784 million billion possibilities) to log in to my account, or a high school mascot (24 possibilities) to get the opportunity to pick the password to my account?  Even if I were from somewhere with a few more schools to pick from, say New York, the list is still, shall we say, “short” compared to the number of passwords an attacker does not have to guess.

Oh, and shucks… Looks like I just gave away the answer to “City you grew up in?”

Thinking about this reminded me of a related experience from a recent ordeal in opening a bank account.  Near the very end of the application, the bank pulled data from my credit report to “verify my online identity.”  Presumably, they were going to ask me questions that only I or someone with very intimate knowledge of my financial situation and history could know the answers to.  Well, two slight problems with that idea.

• Problem the First: They had one of the answers wrong.  Believe me.  I took the test 7 times over several weeks, and surprisingly, I happen to know exactly what type (mobile, land line, pager, etc) of phone number the number I gave them was.  Their answer (whatever it was…) was wrong.  How do I know that I didn’t get one of the other questions wrong?  Well…
• Problem the Second: They asked a question anyone could answer correctly:  “In what state was your social security number issued?”  This doesn’t seem so bad on first blush: after all, you’d need to know where I was born to know that.  Except for the slight problem that births are public record, so anyone who knew enough about me to forge a bank application but happened to lack my place of birth could readily guess and find out, and second: social security numbers are issued with the first three digits identifying the place they were issued in.  Oh, and the application just asked for that social security number, too… funny, that.

I’ll not claim to be the security wizard that Mr. Schneier is, but I do think it is a great idea to try to think things through, and hope I can encourage that for you as well.

For those security questions? I like answers like: “My high school mascot was a enT&)slelj3734lcnsf8a-1-&&+{”

You either trust yourself to remember your password, or you don’t.