In the United States, the Social Security Administration has rolled out an online service to replace the paper statements they sent out to tell us the status of our account (earnings, etc.) so we don’t get surprised by an error at retirement time. While setting up an account, you need to create a username and password, and then you’re required to select and answer three “Password Reset Questions” (at least they’re honest about what they’re used for). The choices are different for each question.
Here are the choices:
For question 1, almost all of the questions deal with relatives’ names, often found on a genealogy service. The name of the hospital in question 2 is probably nearly fully determined by your birthplace, again readily found on genealogy services. For the third question, there aren’t that many car models, especially not “dream cars”.
“Name of your favorite childhood friend” doesn’t specify whether it’s the first name or the full name. And that’s one of the other problems with these questions: there are often different typographical answers to the same question, and hopefully the answers are hashed so they’re less subject to disclosure. But, in third grade, did I live on Maple, Maple Street, or Maple St.? Could be hard to get it right when it’s needed.
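One defensive way to handle the typographical-variant problem, as an added example that is not part of the original post: canonicalize the answer before hashing it with a salted slow hash, so that “Maple”, “Maple St.” and “maple street” all verify against one stored value, while the stored value still isn’t the plaintext answer. The suffix table and iteration count are constructed for illustration, not taken from any real system.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed, hypothetical abbreviation table; a real deployment would use a fuller list.
SUFFIXES = {"st": "street", "rd": "road", "ave": "avenue", "dr": "drive", "blvd": "boulevard"}

# Iteration count chosen for illustration; tune to your hardware budget.
PBKDF2_ITERATIONS = 200_000


def canonicalize(answer: str) -> str:
    """Reduce typographical variants ('Maple', 'Maple St.', 'maple street') to one form."""
    # Case-fold and keep only alphanumeric runs, which drops punctuation and extra spaces.
    tokens = re.findall(r"[a-z0-9]+", answer.casefold())
    # Expand common abbreviations so 'st' and 'street' compare equal.
    tokens = [SUFFIXES.get(t, t) for t in tokens]
    # Drop a trailing street-type word so 'Maple' and 'Maple Street' compare equal,
    # but never empty the answer (an answer of just 'Street' stays as-is).
    if len(tokens) > 1 and tokens[-1] in SUFFIXES.values():
        tokens = tokens[:-1]
    return " ".join(tokens)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the canonical form of the answer, using a salted slow hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison of the candidate's digest against the stored one."""
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, stored_digest)


if __name__ == "__main__":
    salt, digest = hash_answer("Maple St.")
    print(verify_answer("maple street", salt, digest))  # True
    print(verify_answer("Oak Street", salt, digest))    # False
```

Canonicalization shrinks the answer space slightly, so it doesn’t fix the weak-question problem the post describes; it only keeps legitimate users from being locked out by punctuation.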
Social Security also provides password creation rules:
Password rules have been shown to lead to a false sense of security, because people focus on the rules rather than what makes a good password. But what good does it do to require that the password not begin with a symbol? Or is this just because the programmer didn’t want to handle that case correctly?
Submitted by myself (Jim Fenton)