When setting up an online account at Fidelity Investments, I was first prompted to set up a single security question, and then to set up three more. Unfortunately I didn’t get an image of the original question and I don’t know what happened to it.
Fidelity is fairly clear how the questions and answers are used. If you press a “Why do I need this” link, the following pops up:
although this explanation seems to refer to the single security question, not the set of three later required.
Here are the questions themselves:
The first two sets of questions are fairly standard: most of the prompts involve information that can be determined with just a little research. I have to say that the “favorite restaurant in college” question is creative, but you can look on LinkedIn to find out where many people went to college, and find popular restaurants nearby (although my favorite closed long ago). But the third question is different and quite unusual: All the answers are 4 or 5 digits, and have very low entropy (around 8 bits for mmdd responses, even less for year of marriage [is this option for people who can’t remember their wedding date?]. Hopefully they need answers to all three.
After going through this, the user is congratulated:
My online account access is even more secure? No, it’s definitely not more secure if you create an additional way into my account. But it is good to know that I’ll get a confirmation — but why would e-mail take a few days? If a password reset was fraudulent, I would want to know right away.
Contributed by myself (Jim Fenton)
In the United States, the Social Security Administration has rolled out an online service to replace the paper statements they sent out to tell us the status of our account (earnings, etc.) so we don’t get surprised by an error at retirement time. While setting up an account, you need to create a username and password, and then you’re required to select and answer three “Password Reset Questions” (at least they’re honest about what they’re used for). The choices are different for each question.
Here are the choices:
For question 1, almost all of the questions deal with relatives’ names, often found on a genealogy service. The name of the hospital in question 2 is probably nearly fully determined by your birthplace, again readily found on genealogy services. For the third question, there aren’t that many car models, especially not “dream cars”.
“Name of your favorite childhood friend” doesn’t specify whether it’s first name or the phone name. And that’s one of the other problems with these questions: there are often different typographical answers to the questions, and hopefully the answers are hashed so they’re less subject to disclosure. But, in third grade, did I live on Maple, Maple Street, or Maple St.? Could be hard to get it right when it’s needed.
Social Security also provides password creation rules:
Password rules have been shown to lead to a false sense of security, because people focus on the rules rather than what makes a good password. But what good does it do to require that the password not begin with a symbol? Or is this just because the programmer didn’t want to handle that case correctly?
Submitted by myself (Jim Fenton)