Comments on: What Is Your Favorite Annoying Question? http://blogs.law.harvard.edu/infolaw/2008/01/30/what-is-your-favorite-annoying-question/ Information, Law, and the Law of Information Tue, 24 Nov 2009 00:08:14 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Scott Gunsaullus http://blogs.law.harvard.edu/infolaw/2008/01/30/what-is-your-favorite-annoying-question/comment-page-1/#comment-44647 Scott Gunsaullus Mon, 04 Feb 2008 18:15:32 +0000 http://blogs.law.harvard.edu/infolaw/2008/01/30/what-is-your-favorite-annoying-questi#comment-44647 I'm convinced that these personalized security questions are an attempt at data mining. I’m convinced that these personalized security questions are an attempt at data mining.

]]> By: Jim Graves http://blogs.law.harvard.edu/infolaw/2008/01/30/what-is-your-favorite-annoying-question/comment-page-1/#comment-43791 Jim Graves Thu, 31 Jan 2008 05:13:29 +0000 http://blogs.law.harvard.edu/infolaw/2008/01/30/what-is-your-favorite-annoying-questi#comment-43791 I've been griping about (and trying to avoid) these silly things since they first popped up. Anyone who thinks a "favorite" anything is a valid verification question is seriously underestimating my ability to be fickle. And to steal from John Scalzi—my favorite color? <a href="http://scalzi.com/whatever/?p=321" rel="nofollow">Seriously? What am I, nine or something?</a> The problem with these things goes beyond questions with shifting answers or low entropy (really, how many answers to "what's your favorite color?" are there going to be?). It's that most of them actually weaken security. Example. My online banking password is over eight characters of what should look like gibberish to anyone but me, with uppercase letters, lowercase letters, and punctuation. Fairly secure, right? We're always told not to use English words for our passwords, and rightly so. Then why build a way to change that password by merely answering a question that (a) will almost always be an English word and (b) gives a big fat hint what that word will be? I avoid the security questions whenever possible, and give gibberish as the answer when I can't. I haven't been locked out of a system yet because of it, and I haven't had an account compromised by somoene who was able to guess that my favorite color is blue. Or is it red? I can't remember. I’ve been griping about (and trying to avoid) these silly things since they first popped up. Anyone who thinks a “favorite” anything is a valid verification question is seriously underestimating my ability to be fickle. And to steal from John Scalzi—my favorite color? Seriously? What am I, nine or something?

The problem with these things goes beyond questions with shifting answers or low entropy (really, how many answers to “what’s your favorite color?” are there going to be?). It’s that most of them actually weaken security.

Example. My online banking password is over eight characters of what should look like gibberish to anyone but me, with uppercase letters, lowercase letters, and punctuation. Fairly secure, right? We’re always told not to use English words for our passwords, and rightly so. Then why build a way to change that password by merely answering a question that (a) will almost always be an English word and (b) gives a big fat hint what that word will be?

I avoid the security questions whenever possible, and give gibberish as the answer when I can’t. I haven’t been locked out of a system yet because of it, and I haven’t had an account compromised by somoene who was able to guess that my favorite color is blue. Or is it red? I can’t remember.

]]>