How Hackable Are Your Security Questions?

Let our journalists help you make sense of the noise: Subscribe to the Mother Jones Daily newsletter and get a recap of news that matters.


Kevin Roose writes today that security questions are ridiculously easy to hack and we should get rid of them:

There are all kinds of ways to lock down your most important accounts — Gizmodo’s guide is a good place to start….Eventually, some advanced form of biometric authentication (fingerprints, retina scans) may become standard, and security questions may get phased out altogether.

But until then, when so many better options exist, there’s no reason a company like Apple should be relying on questions like “What was the model of your first car?” for password recovery in 2014. If that’s the best way we have of making sure a user is legit, we might as well change all of our passwords to “1234” and hope for the best.

All kinds of ways? I was intrigued. So I clicked on the Gizmodo link and found….two suggestions. The first is two-step authentication, which is a fine idea for anyone with a cell phone. The second is encrypting all your data. But like it or not, this is much too hard for most people to implement. There’s just no way it’s going to become widespread anytime in the near future.

So, basically, there aren’t all kinds of ways to lock down your most important accounts. There’s one. And even it only works on some accounts. If my bank doesn’t offer it, then I can’t use it.

I’d offer a different perspective. First, the level of security you need depends on who you are. If you think the NSA is after you, then your security better be pretty damn good. If you’re a celebrity, then it needs to be pretty good. If you’re just some regular guy, then the truth is that fairly ordinary measures are adequate. You should use decently secure passwords, but that’s probably about all you need to do for most of your accounts. Two-step authentication is a good idea for cloud accounts.

As for security questions, I suppose I’m on Roose’s side. Just get rid of them. They’re too easy to guess, especially for friends and family. Instead, either use a password manager or else create random passwords for your accounts and write them down on a piece of paper that you hide somewhere. I know you’ve been told forever to never write down your passwords, but the truth is that low-tech paper is actually pretty damn secure compared to anything digital.

Still, I can’t help but take Roose’s post as something of a challenge. Can we come up with security questions that don’t suck? At a minimum they need two characteristics. First, the answers have to be clear and distinct. I’ve never been able to use “first pet,” for example, because that’s a little fuzzy. I can think of several possibilities. Second, the answers need to be genuinely hard to guess, even for family and friends—but still easy to remember for you. They don’t need to be perfect, but they should certainly be better than “first car.” Any ideas?

UPDATE: Also, I’m curious about something. For us ordinary mortals, there has to be some way to recover lost passwords. What should it be?

IT'S NOT THAT WE'RE SCREWED WITHOUT TRUMP:

"It's that we're screwed with or without him if we can't show the public that what we do matters for the long term," writes Mother Jones CEO Monika Bauerlein as she kicks off our drive to raise $350,000 in donations from readers by July 17.

This is a big one for us. It's our first time asking for an outpouring of support since screams of FAKE NEWS and so much of what Trump stood for made everything we do so visceral. Like most newsrooms, we face incredibly hard budget realities, and it's unnerving needing to raise big money when traffic is down.

So, as we ask you to consider supporting our team's journalism, we thought we'd slow down and check in about where Mother Jones is and where we're going after the chaotic last several years. This comparatively slow moment is also an urgent one for Mother Jones: You can read more in "Slow News Is Good News," and if you're able to, please support our team's hard-hitting journalism and help us reach our big $350,000 goal with a donation today.

payment methods

IT'S NOT THAT WE'RE SCREWED WITHOUT TRUMP:

"It's that we're screwed with or without him if we can't show the public that what we do matters for the long term," writes Mother Jones CEO Monika Bauerlein as she kicks off our drive to raise $350,000 in donations from readers by July 17.

This is a big one for us. So, as we ask you to consider supporting our team's journalism, we thought we'd slow down and check in about where Mother Jones is and where we're going after the chaotic last several years. This comparatively slow moment is also an urgent one for Mother Jones: You can read more in "Slow News Is Good News," and if you're able to, please support our team's hard-hitting journalism and help us reach our big $350,000 goal with a donation today.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate