Recently, as I attempted to remember when my bills were due, I logged in to my financial debt carriers website only to realize that it's been a good long while since I had last seen this place. My usual password pattern didn't work. Nor did my second password pattern. Or any other random pattern that came to mind after. After various variations and the error messages getting bolder and meaner, warning me that I was on my last limb as far as attempts go before I was blocked for some time, I decided to give in and surrender. I clicked on forgot password and was ready to do the usual "Send recover email" routine.
Except this website wasn't the most modern looking thing and instead of sending me a unique token in an email it proceeded to guide me through an interrogation process. The first few questions were simple enough. Last name, partial SSN and date of birth. Great I thought. These should be enough to identify me as a human. And they all went through like a champ. Then came phase 2 in the process. Security questions.
Normally, security questions are questions that are preselected for you and that involve some personal history in some way.
- Name your first pet
- Name of favorite high school teacher
- What was your first car
- What is your favorite color
Essentially, you should be able to know these answers, if you know yourself. Unless you are a celebrity, in which case probably thousands of people know your answer, but we'll get into that later. I had apparently selected the following questions when I signed up eons ago, and they went as follows.
Name your favorite school teacher: - This one wasn't too bad as the list isn't massive in any way. It was either my 7th grade math teacher, who taught me college level calculus when I was 12, or my high school math teacher who took calculus classes at the local community college in order to teach the class the following the day. As you can tell, I enjoy my math teachers. Easy enough. The only issue I had here was with their prefix. Was it a Mr. or a Ms. or a Mrs. Several guesses and attempts later, I had hit a valid answer. Though, this left me a bit nervous as to the following questions.
What is your favorite color?: This is where things got a bit dodgy. I assumed it was black, as that is my favorite color now. But what was my favorite color when I filled out this form years ago? Because it wasn't black. Blue perhaps, I wondered. Maybe a nice magenta. None of the usual colors worked, unfortunately. So I did what any rational person would do, I ran through all the colors until it worked. Easy enough I thought. And unsafe, in many ways.
At this stage, I didn't care anymore about my bills due date. I just wanted access to my account. So I continued with this troll under the bridge questions three scenario.
Name your favorite pet: This is where things went south. And that's because these things aren't exactly clear in my memory. That and pet names aren't normally standard in any shape way or form. I've had plenty of pets growing up. Hamsters, turtles, dogs, cats. They've all been pretty great. And they've all had non-human names, such as "Doggy", "Cat" and "Spike". Or maybe even "Spikey". With every last fiber of my being, I attempted to relive my childhood, in terms of pets at least. Only to be greeted over and over again with invalid answer.
The one plus side was that apparently I could just keep attempting to enter answers until the cows came home. But quickly, I gave up and looked for an alternative. Well, there wasn't one. There wasn't a recovery email that I could get or an SMS key. Or something modern and new that I could use to recover my password. It was either force myself to relive my childhood and the many pet names that my mind could produce at that age, or to email support. Or to jump online and write a blog post on it.
The issues with security questions
Aside from the fact that they are indeed a strange way of logging in to a secure system, there are a few other issues with the practice of implementing security questions. For one, they are not that secure. Passwords are unique to each individual for the most part. One person knows the answer. The password might be 'shoe' or 'house', but at least that is only known to you and to you alone.
Security questions however can be known by a vast variety of people. People that knew you in the past, old girlfriends, family and if you are a celebrity that anybody online willing to do a bit of research. Your mother's maiden can just as easily be found on whitepages many a time.
And secondly, they slow down the registration process and the password recovery process. Registering to a website should be a seamless and almost joyful event. You should want to sign up, as you will be able to use some service afterwords. But having to stop to remember your 3rd grade PE teacher's last name in the middle of signing up can repel users away from your site.
And because the answers are somewhat personal and related to spatial time events, there is a good chance that you won't remember the correct answers. What was favorite pet today, might not be tomorrow. Your favorite color, probably changes monthly and you don't even realize it. And this leads to a frustrating process down the road.
And the worst part, is that once you enter the valid answers to these questions, you are greeted with the option to receive a recovery email. Which is what you wanted in the first place!
Alternatives
The most obvious alternative of course is the traditional Recovery Email method without any bells attached. You enter your email, and if the system finds it, it will email you a short-lived URL where you can enter your new password. The only time this doesn't work, is if your email is compromised. And if it is, take care of that before you take of recovering passwords. For a few more secure scenarios, I definitely understand having to enter your partial SSN or some other type of account number that more than likely only you should know.
Some companies are attempting to do away with passwords altogether by integrating your mobile phone into the login equation. Yahoo Mail for example will send you a notification to a registered phone where you are one touch away from logging in on your desktop. It's a very natural feeling actually, but a bit odd, to get access to your data without having to enter any sort of information. It almost makes it feel a bit unsecure, and you wonder where the catch is. Though there might not be a catch.
At the end of the day, we're all human, and recovering our passwords shouldn't be a top secret project coded in some bunker under Arizona. It should be a 2-step process regardless of the medium that you use to do so. This is something that is definitely outdated in our current society and something that should be addressed at some point. How many people have to email support or contact the companies themselves after their attempts at finding their grandparents marriage year fails. We can definitely and should definitely do better.