Over-security questions
January 28, 2011
Hey, let’s not get the idea that I only think about web passwords, because I don’t, despite this being the second consecutive blog post about web passwords.
But, you know, sometimes companies do it wrong.
Background: I sometimes forget passwords, especially those connected to sites I rarely visit. When that happens, I usually just click the “retrieve password” link. That’s what you do. That’s just how it’s done.
Often, password retrieval is a simple process. They send a message to the email associated with the account, and you click the link, and you reset the password, and then you get into your account, and hooray!
Perfect. Especially if you’re the only person with your email password. And ESPECIALLY if you’ve taken time to make a good email password, because that’s an ACTUAL account that deserves major protection, and one you should rarely forget because it’s YOUR EMAIL and there’s a good chance you have to enter the password every two days.
Other times, you’re required to answer a “security question” before getting your magic email. Such as “What is your dad’s middle name?” or “What is your waist size?” or “What did you drink the last time you threw up?” One question. Then, you get your password.
This is common with sites that need a lot of extra protection. Banks. Credit cards. Airline mile programs.
NO SERIOUSLY. Airline mile programs.
Enter Delta.
As with any airline-related web property, Delta’s site is bogged down with extraneous security and over-written drivel. It’s like one of those collections of legal books you see behind most personal injury lawyers has BLOWN UP and reanimated itself as a website.
I forgot my airline mile password, because I usually don’t care about my airline miles. I hopped in to reset my password and was greeted by a new step: selecting security questions.
Security questions are designed to offer security via a person’s history. The assumption is that the answers are known only by the person accessing the website, and are therefore more secure than an address or zip code or whatever. Also, they’re easier to REMEMBER, because they are a part of our personal history.
Delta, however, attempted to make this process as difficult as possible.
Issue Number One
First, I had to select TWO security questions.
Answers must be AT LEAST 4 CHARACTERS LONG, for some reason. Also, let me remind you, I was logging in to check airline miles. Miles that I can only use as Corey Vilhauer. Miles that do not need to be double protected, because they are useless unless I have a hundred thousand of them. Which I don’t.
Whatever, though. I chose the first one (“What is your father’s middle name?”). Then, I tried to choose the second. And I couldn’t.
Issue Number Two
I couldn’t because I was unable to nail down definitive answers to any of the remaining questions.
Understanding that these are security questions, I needed to be fully sure that the answer I gave then was an answer that can be replicated later on. The problem is, I couldn’t guarantee I’d be able to do that.
None of the questions related to DEFINITIVE answers:
1. What was your first phone number? Do I enter with dashes or without? With or without area code? Will I remember which one I did six months from now?
2. What is your paternal grandmother’s given name? I couldn’t remember this at the time. I know it now, but that wouldn’t have helped much.
3. What was your favorite place to visit as a child? I had several. How will I remember which one?
4. What is the name of your first pet? We had a dog and two cats growing up. I don’t remember which was my first, and I sure won’t remember which one I chose six months from now.
5. Where did you meet your spouse/partner? We went to high school together. Will I remember if I say “high school” or will I assume it’s something more detailed, like “biology class?”
6. What is the name of your childhood best friend? I had three very close friends. Which one will I choose?
7. What is the phone number you remember most from your childhood? Is this even a real question?
I decided to choose the last one (“What is the name of the first school you attended?”). Even then, I knew I wouldn’t remember if I answered “Lincoln High” or “Lincoln High School” or “Lincoln.”
Issue Number Three
Which brings us to the last issue. The only question I could definitively answer, I COULDN’T ACTUALLY USE.
My father’s middle name is “Lee.” Three letters.
Disqualified.
Why can’t this have been easier?
In issues of security, definitive answers are required. These wishy-washy security questions are unusable and frustrating, and the character limit for answers is misguided.
The solution is to allow a user to create BOTH the question and the answer. In my case, I could have said “Full Name of High School” and the answer would have been “Lincoln High School.” No ambiguity. I make the rules.
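Part of the ambiguity described above is purely cosmetic: dashes or an area code in a phone number, capitalisation, a trailing period, an extra space. A site can remove that class of failure by canonicalising an answer before it is stored and before it is checked, and by storing only a salted slow hash so a leaked database does not hand out everyone’s father’s middle name. The Python below is an added example, not Delta’s code; the question identifiers (`first_phone`, `school`, `father_middle`) and the default minimum length are assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Hypothetical question identifiers; the real site's IDs are not on the page.
PHONE_QUESTIONS = {"first_phone", "childhood_phone"}


def canonical_answer(question_id: str, raw: str) -> str:
    """Collapse cosmetic variation so the same fact always yields the same string."""
    text = unicodedata.normalize("NFKC", raw).strip().lower()
    if question_id in PHONE_QUESTIONS:
        # Keep digits only, so dashes, spaces and parentheses never matter.
        digits = re.sub(r"\D", "", text)
        # Treat a leading country-code 1 on an 11-digit North American number as optional.
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]
        return digits
    # Strip accents, then drop everything except letters and digits.
    text = "".join(c for c in unicodedata.normalize("NFKD", text)
                   if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text)


def enroll(question_id: str, raw: str, min_len: int = 4) -> dict:
    """Store a salted scrypt hash of the canonical answer (min_len is a policy knob)."""
    canon = canonical_answer(question_id, raw)
    if len(canon) < min_len:
        raise ValueError(f"answer must be at least {min_len} characters after normalisation")
    salt = os.urandom(16)
    digest = hashlib.scrypt(canon.encode(), salt=salt, n=2**14, r=8, p=1)
    return {"question_id": question_id, "salt": salt, "digest": digest}


def verify(record: dict, raw: str) -> bool:
    """Re-derive the hash from the canonical form and compare in constant time."""
    canon = canonical_answer(record["question_id"], raw)
    digest = hashlib.scrypt(canon.encode(), salt=record["salt"], n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample values, not the author's real answers.
    rec = enroll("school", "Lincoln High School")
    print(verify(rec, " LINCOLN high school. "))   # cosmetic differences are ignored
    print(verify(rec, "Lincoln High"))             # a genuinely different answer still fails
    print(canonical_answer("first_phone", "1 (605) 555-0100"))
```

Canonicalisation only removes formatting noise. It cannot decide whether the user meant “Lincoln High” or “Lincoln High School”, and it cannot choose between three childhood friends; that is the question-design problem the user-written question above sidesteps. The length check runs on the canonical string, so policy is applied to the actual secret rather than to whatever punctuation the user typed around it.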
Instead, I fell back to a makeshift solution: I wrote the answers on a piece of paper.
Pretty safe, huh?
(Originally posted on Black Marks on Wood Pulp.)