I recently got to renew my driver’s license online rather than go to the Department of Motor Vehicles office. Naturally, this required that I create an account at the DMV, and of course they had security questions for me to supply answers to. Two sets this time, but both with the same list of prompts:
Having only one list of questions is of course more limiting: you need to pick 2 of the 10 questions to answer (truthfully or not). There is a little creativity here: the question about the prom is not one I have seen elsewhere. But the question about who you voted for is terrible, since a 50-year-old may have voted in only 7 presidential elections, and most likely voted for one of two people each time (immigrants have the possible advantage of unusual answers here). This narrows down further if you can estimate the person’s age, since they likely first voted close to the time they became eligible. So there are no more than 4 bits of entropy here, and perhaps less.
The context of the security questions here is more troubling. The registration form places these questions in between email address (which you need to enter twice) and driver’s license/ID number, date of birth, last 4 digits of Social Security Number, and driver’s license/ID issue date, all of which need to be answered truthfully in order for the registration to succeed. The placement of these questions discourages users from doing the secure thing, which is to make answers up.
Contributed by myself (Jim Fenton)
When setting up an online account at Fidelity Investments, I was first prompted to set up a single security question, and then to set up three more. Unfortunately I didn’t get an image of the original question and I don’t know what happened to it.
Fidelity is fairly clear how the questions and answers are used. If you press a “Why do I need this” link, the following pops up:
although this explanation seems to refer to the single security question, not the set of three later required.
Here are the questions themselves:
The first two sets of questions are fairly standard: most of the prompts involve information that can be determined with just a little research. I have to say that the “favorite restaurant in college” question is creative, but you can look on LinkedIn to find out where many people went to college, and find popular restaurants nearby (although my favorite closed long ago). But the third question is different and quite unusual: all the answers are 4 or 5 digits and have very low entropy (around 8 bits for mmdd responses, even less for year of marriage; is this option for people who can’t remember their wedding date?). Hopefully a reset requires answers to all three.
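The entropy figures above (no more than 4 bits for the voting question, around 8 bits for an mmdd answer) can be made concrete. The following is an added example, not code from the original post, that measures an answer space two ways: Shannon entropy, and min-entropy, which is what matters against an attacker who gets a small number of guesses. The vote-answer distribution embedded in it is constructed for illustration (eight elections, two dominant candidates each, skewed toward recent elections) and is not survey data.

```python
import math
from collections import Counter

def shannon_bits(counts):
    """Shannon entropy in bits of an answer distribution given as {answer: frequency}."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)

def min_entropy_bits(counts):
    """Min-entropy: -log2 of the probability of the single most common answer.
    This is the right figure for a guessing attack and is never larger than Shannon entropy."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)

def guess_coverage(counts, guesses):
    """Fraction of users whose answer is in an attacker's top-N guess list."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:guesses]
    return sum(top) / total

def uniform_bits(n_answers):
    """Entropy of a question whose answers are uniformly spread over n_answers values."""
    return math.log2(n_answers)

# Constructed, illustrative distribution for "first presidential candidate you voted for".
# Labels and weights are made up for the example; they only encode the assumption that
# answers cluster on two candidates per election and on recent elections.
VOTE_ANSWERS = Counter({
    "A_2020": 180, "B_2020": 160, "A_2016": 150, "B_2016": 140,
    "A_2012": 120, "B_2012": 100, "A_2008": 90,  "B_2008": 70,
    "A_2004": 50,  "B_2004": 40,  "A_2000": 30,  "B_2000": 25,
    "A_1996": 15,  "B_1996": 10,  "A_1992": 8,   "B_1992": 6,
    "third_party_any": 30,
})

# Date-style answers: a wedding mmdd is at best uniform over 366 days; a year of marriage
# for an adult population spans perhaps 50 plausible years (assumed span for the example).
MMDD_BITS = uniform_bits(366)
YEAR_BITS = uniform_bits(50)

def report(counts):
    """Summarize one question's answer distribution as a dict of bit estimates."""
    return {
        "shannon_bits": round(shannon_bits(counts), 2),
        "min_entropy_bits": round(min_entropy_bits(counts), 2),
        "top3_coverage": round(guess_coverage(counts, 3), 2),
    }

if __name__ == "__main__":
    print("vote question:", report(VOTE_ANSWERS))
    print(f"mmdd: {MMDD_BITS:.2f} bits   year of marriage (50-year span): {YEAR_BITS:.2f} bits")
```

The point the numbers make is that even a generous Shannon figure overstates the protection: an attacker with three attempts at the reset form does not need to enumerate the whole answer space, only its most popular members, and the min-entropy and top-N coverage show how little that costs.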
After going through this, the user is congratulated:
My online account access is even more secure? No, it is definitely not more secure if you create an additional way into my account. It is good to know that I’ll get a confirmation, but why would e-mail take a few days? If a password reset were fraudulent, I would want to know right away.
Contributed by myself (Jim Fenton)
In the United States, the Social Security Administration has rolled out an online service to replace the paper statements they sent out to tell us the status of our account (earnings, etc.) so we don’t get surprised by an error at retirement time. While setting up an account, you need to create a username and password, and then you’re required to select and answer three “Password Reset Questions” (at least they’re honest about what they’re used for). The choices are different for each question.
Here are the choices:
For question 1, almost all of the questions deal with relatives’ names, often found on a genealogy service. The name of the hospital in question 2 is probably nearly fully determined by your birthplace, again readily found on genealogy services. For the third question, there aren’t that many car models, especially not “dream cars”.
“Name of your favorite childhood friend” doesn’t specify whether it’s the first name or the full name. And that’s one of the other problems with these questions: the same answer can often be typed in several different ways, and hopefully the answers are hashed so they’re less subject to disclosure. But in third grade, did I live on Maple, Maple Street, or Maple St.? It could be hard to get it right when it’s needed.
Social Security also provides password creation rules:
Password rules have been shown to lead to a false sense of security, because people focus on satisfying the rules rather than on what makes a good password. But what good does it do to require that the password not begin with a symbol? Or is this just because the programmer didn’t want to handle that case correctly?
Submitted by myself (Jim Fenton)