Security Questions: Are they a waste of time?

This post begins as a bit of a rant about Yahoo!, but there is a relatively serious (though probably widely discussed) point that comes out of it.

I recently had some trouble logging into my Yahoo! account.

I was entering the correct username and password, but it rejected it saying one of the pieces of information was incorrect. I was confident my details were correct, but tried some variations of them just in case. Still no luck.

I decided that the easiest solution would be to reset my password, and be done with the hassle. Perhaps I’d changed it without recording the change.

To reset your password with Yahoo!, you need to provide some information: either your alternative email address, or some personal information (such as D.O.B., postcode, etc.). You are then prompted to answer your security question. The security question attached to my Yahoo! account was “who was your childhood hero?”.

I don’t have a childhood hero. There is no one that springs to mind when I think of this topic. There are some people who fit the bill here and there, and so I tried a bunch of them. None worked.

I then called Yahoo! and got through to someone completely incompetent at being able to actually assist me with my query. They were robotic and as a result insulting and condescending. They also told me they were unable to put me through to anyone else who may be able to help me.

The outcome of the conversation was that I either had to enter the correct username and password, or provide the answer to the security question. Failure to provide either would mean that I could not access my account, and after a pre-determined period of time, it would be deleted by Yahoo!. They were unable to email my registered email address with a password reset option.

The frustrating thing is that I don’t believe I’ve ever set this question. Indeed, the link to edit it in my account is not there, and it asks me to set one when I log in. I believe this may be because I did not have a Yahoo! account originally, I had a flickr account, which was then acquired by Yahoo!. Perhaps flickr accounts were transitioned differently and have had some incorrect data applied to them.

Eventually, my correct username and password (which I had been entering from the beginning) worked, and I was able to log in!

So, I’m coming to the point of this post. A security question is essentially a second password: forget the first one, and you enter the second one instead. However, security questions are generally significantly less secure than passwords, because the question itself is a great big hint as to what the answer is, e.g. “Mother’s maiden name?”, “First pet’s name?”, and so on. The set of plausible answers is tiny compared to the set of possible passwords, and the most common answers are well known.

Anyone that knows someone else relatively well may already know this information, and anyone else wouldn’t have too much difficulty finding it out (depending on the question).

Therefore, if the second layer of security is significantly less secure than the first, then why bother with it?

Surely something more robust is required here. To get access to bank accounts, you often need information like D.O.B. or postcode; if that information is stored in lots of online accounts which are protected by flimsy security questions, it doesn’t bode well for your chances of avoiding identity theft.

Unfortunately, I don’t really have any good ideas; this was just a vague excuse to write a post ranting about Yahoo!. What I am starting to do more frequently is giving fake details to websites so that they don’t have my D.O.B. or post code, and using alphanumeric codes for answers to my security questions.

The trouble with that methodology is that I’m never going to know the answers to these off the top of my head. So if my password management system breaks, I lose all that information, and in the case of companies like Yahoo! having terrible customer support and no password reset functionality, then there may be slim hope of regaining access to those accounts.

3 thoughts on “Security Questions: Are they a waste of time?”

  1. Loving the tagline “Life and Times of Fergus S. Macdonald” 🙂

    Do you keep any kind of backup in case your password management system fails? Do you have the data export, printed, and stored in a safety deposit box somewhere? Or exported, encrypted, and kept on disk somewhere? Or exported, encrypted, and kept on flash memory in a locked safe somewhere?

  2. Writing the above made me think the same thing. I have an encrypted backup, although I believe the encrypted backup requires the desktop application of the software to be decrypted. However, the desktop application can work offline so should be more stable if the system goes down (if I had it installed!).

    Will look into that now.
