
For Pity's Sake, Don't Actually Use Your Mother's Maiden Name!

Those security questions that Yahoo, Google, your bank, and everyone else ask you when you register for an account (what's your mother's maiden name? where did you go to high school?) are a stupid, stupid idea.

They always were. I've been telling people this for years: Your city of birth, high school mascot, and mother's maiden name are all matters of public record for just about anyone. If you supply accurate answers to those questions, you are essentially creating a second password, one that any stranger can look up. Your favorite color, the place where you met your spouse and the model of your first car are all things that casual acquaintances could know. A story on Threat Level (@ Wired blogs) about the Sarah Palin Yahoo Mail cracking episode beautifully illustrates exactly why. Here's a description, posted on 4chan by someone alleging to be the cracker:

... it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you'll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

In other words, s/he was able to crack Palin's account with nothing more than basic open-source research (a few Wikipedia and Google lookups) plus a handful of guesses at the spelling of the answer. No exploit, no password cracking, no access to Yahoo's systems: the "security" questions handed over the account.

The biggest irony in all of this is that it all worked, basically, because for once in her recent life Sarah Palin told the truth. If she'd lied in answering that security question, the research would have turned up nothing that worked and none of this would have ever happened.

Picking more obscure questions does not help. All it does is require a little more research and maybe a little more guessing. What you need is an answer that only the person being asked can produce, and that would be very difficult for a stranger to guess. You can achieve that very easily with the current generation of "security" questions by simply lying. For example, if you were born in Atlanta, you give your city of birth as "Schenectady." Or, better yet, some random word that as far as you know isn't the name of any actual city, like "mumbledypeg." Your first car? For pity's sake, do not answer that one with the name of an actual car model. Instead, give an unrelated answer that you can remember, like "a raisin." The one thing the fake answer must not be is something an attacker could guess anyway: a word connected to you, the same fake answer on every site, or the example from a blog post like this one.

Ideally, this kind of security regime should involve several questions, about which you tell several different lies, and which lies you should never discuss with anyone. For example, Sarah Palin could say she met Todd at "acetaminophen", or that her mother's maiden name was "rotary." Treat each answer as what it really is, a second password: unique to the site, unrelated to any fact about you, and recorded somewhere safe (a password manager is the obvious place) rather than trusted to memory, because a forgotten fake answer locks you out of your own account recovery. But under no circumstance should a regime that's intended to increase security create de facto passwords that someone can just look up via Google.
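Here is what "treat the answer as a password" looks like in practice, as an added example (illustrative code written for this page, not anything from the original post, from Yahoo, or from any site named above). It generates answers as random words from a list using the operating system's secure random source, refuses any answer that overlaps with facts an attacker could look up about the person, and compares the guessing cost of a truthful answer with that of a random one. The word list is a small constructed stand-in for a real large list (a real list has thousands of entries); the "two ZIP codes" figure comes from the quoted post, and the other candidate counts in the demo are assumed for illustration only.

```python
"""Security-question answers as random secrets rather than facts.

Added example; not code from the original post or from any site it names.
Assumptions: WORDS is a small constructed stand-in for a real large word list;
the public-record candidate counts in the demo are illustrative estimates.
"""
import math
import secrets

# Constructed word list, 64 entries (6 bits per word). A real deployment would
# load a large list such as a Diceware-style list of several thousand words.
WORDS = [
    "raisin", "rotary", "mumbledypeg", "acorn", "bagpipe", "cactus", "dollop", "ember",
    "falcon", "goblet", "hammock", "igloo", "jigsaw", "kettle", "lantern", "marble",
    "nectar", "oyster", "pebble", "quartz", "ribbon", "saddle", "toffee", "umbrella",
    "velvet", "walnut", "xylophone", "yodel", "zeppelin", "anvil", "biscuit", "compass",
    "drizzle", "eclipse", "fiddle", "glacier", "harpoon", "ivory", "jester", "kayak",
    "lobster", "magnet", "noodle", "orchid", "puffin", "quilt", "rudder", "sprocket",
    "tulip", "unicorn", "vortex", "whisker", "yacht", "zipper", "almond", "badger",
    "candle", "dragon", "feather", "gravel", "hazel", "iguana", "juniper", "kumquat",
]


def guess_space_bits(candidate_count: int) -> float:
    """Work an attacker faces when the answer is one of candidate_count
    equally likely options (e.g. two ZIP codes for a known hometown)."""
    if candidate_count < 1:
        raise ValueError("need at least one candidate")
    return math.log2(candidate_count)


def answer_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words drawn independently and uniformly from the list."""
    return n_words * math.log2(wordlist_size)


def random_answer(n_words: int = 3, wordlist=WORDS) -> str:
    """Uniformly random words joined by spaces, drawn with the OS CSPRNG.
    Never use random.choice() here: it is not a cryptographic source."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def is_linked_to_person(answer: str, public_facts) -> bool:
    """True if any word of the answer also appears among facts an attacker
    could look up (hometown, school, spouse's name, maiden names, ...)."""
    facts = {f.lower() for f in public_facts}
    return any(w.lower() in facts for w in answer.split())


def make_answers(questions, public_facts=(), n_words=3, max_attempts=100):
    """One independent random answer per question. An answer that collides
    with the person's public facts is discarded and redrawn."""
    out = {}
    for q in questions:
        for _ in range(max_attempts):
            a = random_answer(n_words)
            if not is_linked_to_person(a, public_facts):
                out[q] = a
                break
        else:
            raise RuntimeError("word list overlaps too heavily with public facts")
    return out


if __name__ == "__main__":
    # Truthful answers: the candidate set is whatever the public record narrows
    # it to. Two ZIP codes is from the quoted post; the rest are assumed.
    truthful = {"ZIP code (hometown known)": 2,
                "high school (town known)": 4,
                "mother's maiden name (genealogy site)": 1}
    for q, n in truthful.items():
        print(f"{q:40s} ~{guess_space_bits(n):5.1f} bits")

    # Random answers: strength depends only on list size and word count.
    print(f"{'3 random words, 64-word list':40s} ~{answer_bits(3, 64):5.1f} bits")
    print(f"{'3 random words, 7776-word list':40s} ~{answer_bits(3, 7776):5.1f} bits")

    # Constructed public facts for the person being protected.
    facts = ["Wasilla", "Heath", "Idaho", "raisin"]
    answers = make_answers(["Where did you meet your spouse?",
                            "Mother's maiden name?"], public_facts=facts)
    for q, a in answers.items():
        print(f"{q} -> {a!r}   (store this in your password manager)")
```

The numbers are the whole argument: a truthful ZIP code with a known hometown is worth about one bit, while three random words from a large list is a real secret. The `is_linked_to_person` check exists because the lie is only useful if it cannot be reached from the same research that broke Palin's account.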
