Secret Questions

Interesting research:

Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised. For an attacker who can make more than 3 guesses and wants to break into 50% of available accounts, no distributions gave more than about 12 bits of effective security. The actual values vary in some interesting ways-South Korean names are much easier to guess than American ones, female first names are harder than male ones, pet names are slightly harder than human names, and names are getting harder to guess over time.

I've written about this problem.

EDITED TO ADD (4/13): xkcd on the secret question.

Posted on March 16, 2010 at 6:44 AM • 63 Comments

Comments

Clive RobinsonMarch 16, 2010 8:16 AM

As I said to one of the researchers, as the designers of these systems are not going to replace them overnight (or possably at all) perhaps we should strengthen them by asking multiple questions to reduce the guess factor.

That is instead of just answering "first pets name" you have to answer three or four all correctly before the system says yes or no.

Andre LePlumeMarch 16, 2010 8:31 AM

We're overthinking this. You can *double* the security of such a system trivially.

Secret Q: "What is your favorite integer between 0 and 511?"

jgrecoMarch 16, 2010 8:41 AM

@Andre LePlume

The most common answers will be 0 and 511 by far, anthing 1-10 will closely follow, then 11-100. Expect 69 to be rather high on that list, as well as 60-90 (year of birth, varies depending on age demographic).

Just like nearly every 4 digit pin ever picked has been between 1900 and 2000. People will always fine stupid ways to answer these questions. :)

MuffinMarch 16, 2010 8:46 AM

@Andre LePlume: I know you're probably not being serious, but schemes like that have the disadvantage that users' answers will be biased towards lower numbers.

To give an (admittedly somewhat contrived) example, you couldn't get 128 bits of security by asking "what's your favorite non-negative integer smaller than 2^128", but even when you only go to 511, chances are you'd get, say, "10" more often than "437".

RonKMarch 16, 2010 8:58 AM

I always encrypt the answers in an unusual fashion, but I'm well aware that in most cases this is non-optimal "security overkill" when I look at the comparative probabilities that I actually need to recover a password vs. the probability that someone will actually bother to try to compromise my account.

@ Clive
"the designers of these systems are not going to replace them overnight"

I think you're even optimistic. For example, I've encountered at least one case where such a system _refused_ to let me give it an unusual answer.

jdMarch 16, 2010 8:59 AM

It seems like sites that let you specify your own "secret questions" (OPM e-Qip comes to mind) are more effective than ones that enforce the usual selection of "mother's maiden name/first pet/favorite color"

Or, at least, they can be.

DayOwlMarch 16, 2010 9:04 AM

@Andre LePlume: The Secret Integer question would probably need a "What's This?" link next to it. Not that too many people are likely to type in something with a decimal in it...

It might make a really interesting man-on-the-street survey: "What's an integer?" I predict the number of correct answers would be somewhere below those for "Who is our vice-president?"

Patrick G.March 16, 2010 9:14 AM

A long term solution would be to give your kids unique names or at least differently spelled ones...

This will guarantee your kids' safety (but yourself an early retirement to the cheapest nursing home Szaquirah and Zchantalh can find).

;)

HJohnMarch 16, 2010 9:16 AM

I bet Facebook has made getting the answers to secret questions much easier.

My favorite 'secret question' moment was when a company asked me what month my mother was born in. The representative then listed 4 months for me to choose from. So my odds went from 1 in 12 to 1 in 4, better odds than rolling the dice.

Adam TMarch 16, 2010 9:16 AM

I've never used the recover password feature. I always put random nonsensical letters, expecting never to recover the account in this fashion. Granted, this might mean I have to contact the service personally and give info to reset it, but it hasn't happened yet since my passwords are well kept and secure.
Anyone using this kind of thing should remember the Palin Yahoo incident

HJohnMarch 16, 2010 9:22 AM

@Adam T: "I've never used the recover password feature. I always put random nonsensical letters, expecting never to recover the account in this fashion. "
____________

I'll recover it using this feature, but I put nonsense in it. For example, figuring out the maximum lenth and valid characters, and then using Password Safe or something similar to generate it. Using a tool now, on 10 text characters text only, I would imagine an attacker is unlikely to unlock my account with the secret "word": GqBxHIgLNg

Johannes BergMarch 16, 2010 9:43 AM

@HJohn: Yeah I do that too, but I find that some services actually force you to select a real question. When they don't, my recovery question looks like this:

"mahGhae0 eeC3goi6 oa3EeM8f Be3Eig4T Ohxo3cuo?"

BF SkinnerMarch 16, 2010 9:52 AM

What I hated about this when they first started was the case sensitivity of the question. you not Only had to remeMber the questions EXACTLY as you initially entered it you had to remember the case and any punctuation.

That's not using "easy to remember human natural language". It might as well be long strings of giberish that can be copied and pasted from password safe.

TimMarch 16, 2010 9:52 AM

My favorite way to deal with password recovery questions is to give the wrong answers. For example, I know what city I was born in, but I always put a -different- city in the box when asked. Mother's maiden name? Made up. First pet's name? Use some obscure Russian town name.

You don't get extra points for using the correct information. :)

HJohnMarch 16, 2010 10:03 AM

@Johannes Berg: "Yeah I do that too, but I find that some services actually force you to select a real question."
_______

I like your secret question, if they let me make my own I may try that too.

They may force us to select a real question, but they can't force one to select a coherent answer. I have no problem telling them my mother's maiden name is GqBxHIgLNg.

My favorite question is "what is your favorite sports team." I don't know, if they live in St. Louis i may try the Rams, Blues, or C(A's)rdinals.

JoeMarch 16, 2010 10:40 AM

I had to use my secret questions to unlock an account last week, and the resulting conversation was awkward:

Tech Support: "Um...what was your major in college?"

Me: "Bed-wetting."

Tech Support: "O-k-a-y...and your favourite color is...?

Me: "Strychnine and pigeon burgers with fried carpet for dessert."

Embarrassing, but the person on the phone was laughing by the end of it.

TSMarch 16, 2010 10:44 AM

@Tim

LoL, I use wrong answers as well. I mean, really, most of my close friends know the real answers, and anybody could SE the answers from them with a little effort.

MarkMarch 16, 2010 10:49 AM

@Clive Robinson
As I said to one of the researchers, as the designers of these systems are not going to replace them overnight (or possably at all) perhaps we should strengthen them by asking multiple questions to reduce the guess factor.

In many cases you "answer" dosn't have to be "correct" or even meaningful (to a human).

A computer probably isn't going to mind if you tell it that your mother's maiden name is "The Great Zodin", "James Blish" or even "Hg983dhdhfajjdeocn"

HJohnMarch 16, 2010 10:50 AM

@TS: "I mean, really, most of my close friends know the real answers, and anybody could SE the answers from them with a little effort. "
_____________

Not to mention, friends can be a big risk. They have access to one's home, know their personal information, could probably even get their SSN if they really wanted to.

RHMarch 16, 2010 11:06 AM

Can we gang up and try to guess who Shirley's mother's maiden name was? (and have a moderator nuke what looks, to me, like spam?)

I think it'd be an interesting exercise in human memory to try to design "secret questions" which allow far more bits of data by matching closer to how the brain works. I'm thinking something leveraging our ability to do shape recognition.

It'd also be interesting to have a bunch of photos and say "select which photos you uploaded." Prompt people to upload really odd things like a streetsign in their hometown.

ytMarch 16, 2010 11:07 AM

Moderator: Shirley is a spammer.

@Joe: I laughed out loud (much to the confusion of the people around me) imagining what your phone call must have been like. Well played.

In general, I think this is another case of "you don't have to be faster than the bear, just faster than your friends". The answer to your secret question doesn't have to be impossible to guess, just hard enough that it's not worth trying.

Mark RMarch 16, 2010 11:42 AM

As with everything else, an important question is what the secret questions protect. If it's the ability to reset the password, that's bad. If it's the ability to have a one-time password reset token sent to the e-mail address on record, that's not so bad.

So, for the e-mail account where these e-mails are sent, you need hard secret questions. For everyplace else, it's less important.

Carl "SAI" MitchellMarch 16, 2010 12:09 PM

I just answer the security questions with nonsense at least as secure as the password. I store the answers in a KeePass database, & back it up regularly.
Example:
My eldest sibling's first name is TH-Q*&&u,3&CrL My first employer was oD?dI{Q[d; My eldest sibling's middle name is $Qu.jp~)eP~\k&PSh:Fz'p.
The city I'd most like to visit is 6%MTg9tTiWc{P4[K$G[!H\.
My father lives in dgf_(f,071jbyd\4[r!qQZ.

annie nomousMarch 16, 2010 12:22 PM

I used to type random nonsense for the answers because I don't want the password recoverable. Recently I got burned when the final confirmation step required the answers to my secret questions (which I hadn't saved). So now I save the random answers too.

LesMarch 16, 2010 12:45 PM

One of the big vulnerabilities with secret questions is that your answer will almost always be consistent, even if it's "TH-Q*&&u,3&CrL

That's as bad as using the same password for everything.

Many people know not to use the same password for (i.e.) online banking as they would for some random website account, but how many realize that they shouldn't also use the same "secret" answers?

If I was in the phishing business (which I am not), I would make sure to ask for "secret" answers as well as other identifiers.

Clive RobinsonMarch 16, 2010 1:15 PM

@ Mark,

'In many cases you "answer" dosn't have to be "correct" or even meaningful (to a human).'

Agh no, the last bit is wrong, for most people the answer has to be "meaningful" or it's not memorable.

And that's the point of these questions they are the last resort when time has taken all else away (including the writing on Bruce's "bit of paper in your wallet"). And for most humans that means they have to be "correct" as well...

a.March 16, 2010 1:33 PM

My answers to those questions have never ever anything to do with the question - why should they? I should be able to recover my account or password, not any random person guessing the answer to the question asked...

HJohnMarch 16, 2010 1:34 PM

@Les: "One of the big vulnerabilities with secret questions is that your answer will almost always be consistent, even if it's "TH-Q*&&u,3&CrL

That's as bad as using the same password for everything."
________________

Not really. If you use a tool like password safe, they your mother's maiden name can be "THQ*&&u,3" one place and "CrL

John GordonMarch 16, 2010 1:36 PM

My favorites are the banking and mutual fund sites which belong to both my wife and I.

Does she know my high school mascot? (I don't either, but still.)

Sometimes I look at the secret question madness and I despair of humanity. If smart people are this stupid, then what hope do we have?

HJohnMarch 16, 2010 1:49 PM

@John Gordon: "Sometimes I look at the secret question madness and I despair of humanity. If smart people are this stupid, then what hope do we have?"
___________

On one hand, I agree. On the other hand, smart people have the impossible task of devising mechanisms that can be used by dumb people.

One of my more unpleasant tasks when I was in college was at work where I had to answer the phone for the receptionist during her lunch hour. Something worse than dealing with dumb people is dealing with dumb people who think they are smart, especially when they are argumentative and impatient.

DavidMarch 16, 2010 2:19 PM

@HJohn: It's worse than smart people devising mechanisms usable by dumb people. That can frequently be done.

It's the trying to devise mechanisms that can be used by dumb authorized people and not by smart unauthorized people that's difficult. Particularly when you can't get creative with the solution. Most people can handle physical keys, but we're limited to typed information passed back and forth.

SeiranMarch 16, 2010 2:23 PM

Most of the time I just type "123456" into both answer fields because, the fact is, nobody is REALLY that interested in that forum login you made to post one comment.

Like many users here, I have a small pool of words and numbers learned over time that I can pull from and reuse for these things. Most have meaning and some don't. A very common one to use is a library card number. It's easily accessible, but watch out, this one can actually change if your card is replaced. Likewise for your IMEI phone serial (dial *#06# on your phone). My favorites are student ID numbers.

Some particularly clever/proper implementations will use your frequent flier number, which is less likely to change but often not on hand. I would not use something random or something you could lose. The problem of not being able to regain access is an equally common, potentially worse issue, but that's probably a topic for another article.

If you're looking for something easy and strong, I use SHA1 to generate my answers. There's nothing to backup, write down or save, and the algorithm is easily accessible from any Unix machine and won't be lost. Just use >sha1 or >openssl dgst, type an optional secret that's easy to remember (e.g. "BabyOneMoreTime"), space, the 2nd-level TLD as a site-specific salt ("schneier.com"). To generate two answers add an index such as " 0" or " 1". Truncate to taste.

Sites and applications that let you specify the "question" make it especially easy, e.g.:
Q: "right(16,sha1(secret," schneier.com 0"))"
A: e44d6b4cb8dcbf54

This is only for credentials that might be important.

In the case of online-banking however and their very notorious, one-factor-times-two-authentication: I will almost always put some easy to remember or some generic answer because I hate trying to 1) remember what it is, 2) type it in, 3) check it's right, and 4) hope I don't get locked out because you only get three tries... every time I clean my cookies, disable the flash storage or use a public terminal.

So finally,
My Mother's Maiden Name is "abcdef"
My City of Birth is "abcdef"
The first street I lived on is "abcdef"

And Bank of America can take their ridiculous weekly "We don't recognize this computer" Site Key prompts and shove it up their PCI :P.

HJohnMarch 16, 2010 2:27 PM

@David: "It's worse than smart people devising mechanisms usable by dumb people. That can frequently be done.

It's the trying to devise mechanisms that can be used by dumb authorized people and not by smart unauthorized people that's difficult."
_________________

True. I also probably should have said "effective and secure mechanisms." Any smart person can make something a dumb person can use, the challenge is making something a dumb person can use that is effective and secure.

AppSecMarch 16, 2010 2:39 PM

So let's get this straight..

The average user is supposed to use different complex passwords. Put in fake answers for a recovery password scheme. Use a password management system (how many are going to do that?) which can get exposed when malware comes on from sites they visit get pwned. Make off site back-ups.


Yeah, the computer world has certainly made things easier to manage. There has got to be an easy way (and it has to be cheap) to use secondary mechanisms for authorization/authentication (oh wait, that might allow for tracking which would lead to privacy issues).

It's a no win situation.

HJohnMarch 16, 2010 2:44 PM

@AppSec: "It's a no win situation."
_______________

That pretty much sums it up.

reinkefjMarch 16, 2010 3:10 PM

I created a code book on Lulu.

http://stores.lulu.com/store.php?fAcctID=638039

Feel free to buy one. It's psuedo random.

And except for the special character you add, it's reasonably secure.

You keep it offline, so it's not a virus risk.

Works for me. Your mileage may vary.

And, it's "kool" to have your own secret "spy" book. Hope it doesn't wind me up in Gitmo.

rofl, maybe?

DavidMarch 16, 2010 3:38 PM

@AppSec: Yes, the computer world has made things easier. One thing that's easier is breaking into things. In order to get into my house, a burglar needs to physically come to my specific house and physically implement a way to enter. In order to get into my computer, a guy sitting in Romania can kick off a script that affects a few thousand or million computers in addition to mine.

Ideally, it would be possible to have an on-line identifier, a bit like OpenID, so it would be necessary to secure only one account. Of course, it's at this point that the dancing kitty malware installs a keyboard logger, and steals all the victim's authentication wholesale, unless there's a hardware gizmo or something the user has.

I'm not completely convinced it's a "no-win" situation, but I don't have any good ideas to the contrary.

HJohnMarch 16, 2010 3:43 PM

@David at March 16, 2010 3:38 PM

Good post. I might also add that the physical burglary example does not have the cascading effect that technology introduces. By that, I meant that if someone breaks into your house, they can't use that effectively to attack your neighbors and friends. When a computer is compromised, they can use the trust afforded the victim (as well as added processing power, etc.) to attack friends and neighbors.

Technology also makes impersonation easier. Someone can pose as a trusted friend, a child, a hottie looking to get busy, when their actual persona and motives are a bit more dubious.

MattIceMarch 16, 2010 4:52 PM

Of course, then people play games like this on facebook.

Example status message:

"Todays game - PLACE OF BIRTH! Everyone please play! You will find it interesting to know where your FB friends birth places are. Copy & paste this on your profile, then put your place of birth at the end of this sentence... Newport, Rhode Island :)"

Run enough games like these and you can get whatever information you want.

CraigMarch 16, 2010 7:17 PM

I find it interesting trying to manage all these usernames, passwords, secret questions, pin numbers, login numbers, email addresses on multiple accounts and websites.

SeiranMarch 16, 2010 8:43 PM

@MattIce

This type of attack has been used to social engineer users for a long time. Back when Yahoo! used Zip/Postal Code and Date of Birth as part of password reset, it was widely known that these could be obtained from their public (even Yahoo!) profile. Didn't Paris Hilton get hacked this way?

As for getting whatever information you want. I need to post this...

"Todays game - SOCIAL SECURITY NUMBER! Everyone please play! You will find it interesting to know what your MySpace friends SSN/ITIN is even or odd. Or maybe even a Mersenne prime. Copy & paste this on your profile, then put your SSN, SIN or equivalent at the end of this sentence... 141-59-2653 :)"

ChasmosaurMarch 16, 2010 8:43 PM

MattIce:

I saw that today - I couldn't believe how many of my friends are and answering it...because it's fun! That's a huge DUH to me.

Clive RobinsonMarch 16, 2010 9:16 PM

@ David,

"In order to get into my house, a burglar needs to physically come to my specific house and physically implement a way to enter. In order to get into my computer, a guy sitting in Romania can kick off a script that affects a few thousand or million computers in addition to mine."

That is the problem I've been going on about for a while.

"Tangable -v- Intangable worlds"

As we live mainly in the tangable world that is generaly how we think about things, as physical objects with mass/energy constrained by distance metrics and forces.

Computers deal with information that is an artifact of an intangable world, information has no mass/energy and is uneffected by time and thus not constrained by distance and forces (which is why we only have entropy as a measure for it...).

The only time information has physical form is when we have it as knowledge which we store or communicate. And the reality is that the mass/energy involved per bit of knowledge is well neigh meaningless in human terms and is only meaningfully constrained by bandwidth and the speed of light.

When it comes to security we have real issues with tangable -v- intangable as our perception is mainly of a tangable world, and thus we have fundermental but hidden assumptions based around the tangable.

These fundemental hidden assumptions cause real problems. Usually because we try to take a physicaly constrained metric and try to use it on intangable information and it does not work.

You raised two of three hidden security assumptions, "locality" and "force multiplication".

You did not mention the third "undetectable duplication" by which I can steal from you by copying your information. And you will well remain blissfully unaware of untill I chose to use the copy in an obvious way.

Thus if I steal your password to your email account unless "auditing" is made available to you in a secure way or via another channel you will be unaware I have read your private communications.

This ability to make an undetectable copy of information makes Man
In The Middle and relay attacks possible which brings me to your point,

"and steals all the victim's authentication wholesale, unless there's a hardware gizmo or something the user has."

A "hardware gizmo" will no stop relay attacks unless all the information is protected by it at all points at all times. Which although not impossible is very hard as you are using information to protect information...

Which is why you are correct to say,

'I'm not completely convinced it's a "no-win" situation, but I don't have any good ideas to the contrary."

I've had one or two but hidden assumptions always end up bitting you in th 455.

One way I originaly thought of doing it was with "capatchers" say the web site sent a random array of capatchers as buttons and you had to click on the correct sequence of letters or numbers.

The work involved with logging etc to get the information is quite large as computers are not good at that type of "visual recognition". And thus I thought it would put a high work factor in for the malware writers than the legitimate user and thus change the security tipping point in the users favour.

I was both right and wrong... What I had not factored in was the availability of "dirt cheap humans". The Malware writers simply hired people in third world countries to do the "visual recognition" for them...

The lesson is no matter how smart you and others think you are, there is always going to be somebody who has a different perspective and ends up making you look dumb 8(

DanielMarch 16, 2010 9:35 PM

Clive.

I remain convinced that the best security is simply not having anything of value to another person. This doesn't eliminate the problem because there are people out their who would like to see me die just for the hell of it. But it does make it much more manageable.

Zone TonikMarch 17, 2010 4:38 AM

We need to know the secret questions with respect to avoid the access from unrestricted persons to our data. This information is very helpful. Thank you.

Corey MutterMarch 17, 2010 9:31 AM

Supposedly this whole "secret question" thing got started by Bank Of America, who did it on their website, then pushed for it to be required for financial institutions, so as to hobble their competitors for a bit.

My credit union's online banking added it not too long ago. I have a business account (as well as personal accounts there), it's interesting to come up with answers like "who was my consultancy's prom date?"

Of course, like others in this thread, I use random stuff and a password safe. (This bit me in the butt when one place changed systems, and the new one didn't allow nonalphanumerics in the password or password-reset questions).

Treasury Direct does this more sanely; they issue you a physical card in the mail with a grid printed on it, then ask after you enter your password, "what's in A-3?"

AppSecMarch 17, 2010 9:38 AM

@HJohn: . By that, I meant that if someone breaks into your house, they can't use that effectively to attack your neighbors and friends.

That depends on if those friends had spare keys for neighbors lying around the house. You know, for those times that you get locked out or go away for the weekend and want someone to pick up your mail, take out your dog, or whatever.

I agree with the premise of scalability, though.

@David:
I think part of the issue isn't just from a user side, it's from a site side. I'm still conflicted on the whole "certification" for a site/developer. Some of the smartest people I know don't have college degrees, and some of the crumiest contractors are licensed. But at some point you almost have to agree wit hteh whole prinicple of inspections and signoff when everything is so interconnected.

AppSecMarch 17, 2010 9:42 AM

@Corey Mutter:

The whole snail mail out of band (or telephone) is part of the whole "it is not convienent" argument. Yes it is effective (to a degree), but it not necessarily easy for the average user.

DavidMarch 17, 2010 9:49 AM

@AppSec: There's a paper at http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf about the economic value, to the user, of dealing with security issues. Basically, the author claims that the direct and indirect costs to the individual of security processes are frequently way in excess of direct and indirect costs of security breaches, particularly when ignoring economic externalities. (Caveat: I haven't finished reading the paper yet.)

kangarooMarch 17, 2010 9:50 AM

@David: It's the trying to devise mechanisms that can be used by dumb authorized people and not by smart unauthorized people that's difficult.

----

That's the problem the US park service had once with anti-bear locks on trash bins.

They had to be simple enough that human beings could open them to throw out trash, yet complicated enough that bears couldn't open them to grab a snack. Apparently, there's significant overlap between the dumbest person and the smartest bear.

AppSecMarch 17, 2010 1:20 PM

@David:
I'd like to see the same comparison done with home security and auto security. I know I spend a few minutes every nice day opening and closing my car door windows/sunroof. How about those that set thier home alarm and car alarm?

Both of those items, when they are stolen, are covered by home owners or auto insurance policies. There is no real direct cost to the customer -- it's an indirect cost of finding a new car and deal with the emotional aspect.

My guess is that customers don't feel the emotional connection as much to "virtual data" and simply don't find dealing with the complexity worthwhile. I doubt there's any real thought at all into the risk -- from an average user.

Egregious NapalmMarch 17, 2010 2:44 PM

Do what I do, which is to use false answers to questions like pet names or mother's maiden names.

CGomezMarch 17, 2010 3:05 PM

I've learned that some firms are beginning to link up your online "secret answers" to their phone reps so they can ask you what your favorite color is over the phone.

The problem is I use Random Word Generation for these answers. That helps because I can give an answer that the operator can understand that isn't: "sdv9a8734h2l".

The downside is I have to go find my secured list of these stupid things. What a waste.

DavidMarch 18, 2010 4:48 PM

@AppSec: I've wondered about locking my car when at home. I never have anything valuable in it, and rather suspect that leaving it unlocked would have saved me one broken window. If it doesn't affect insurance claims it would seem to be a bad idea. The windows and sunroof I leave closed when parked, because I've left them open during a rainstorm before.

And, according to the paper I cited, it looks like the security risks are low enough that it may not be worth thinking about it. I have certain security practices for emotional reasons, because I'd feel deeply embarrassed if I got snared rather than because I'd feel out-of-pocket loss. Other people may not feel the same.

CassandraMarch 18, 2010 5:48 PM

Like many other people I use wrong answers for the 'secret' security questions.

One thing I've not found out, is if there is collusion on the answers between financial institutions. In the UK, for example, 'mother's maiden name' is used as a security question across many financial institutions, and I believe a new institution that you have never dealt with personally before may well check your answer against data shared amongst financial institutions, thus flagging you up if the answer varies. Does anyone know the truth or otherwise of this? Note that the DPA may well not apply in this instance (for several reasons).

PinusMarch 19, 2010 6:28 AM

@Cassandra

I signed up to a trial of one of these credit checking agencies (can't remember the name). I gave a fictitious mother's maiden name.

To cancel at the end of the trial period you have to give some security answers. They refused to cancel the account when I quoted the fictitious mother's name I'd entered but did accept the real name.

Make of that what you will.

MemVandalMarch 21, 2010 7:35 AM

And some stupid mail service (yahoo) dont allow you to change your secret question! Surprised? try to do it.

Firstly, you will be searching for that form in mail options then. Then you would need to go to help section and search in there. After that you will get one link to a form. Now that form asks you to fill up lot of information including your last secret question and answer, your name and other stupid things. Then when you think its done and submit the form, wait for some days just to realize, that the form was just submitted to /dev/null device on the server.

The RavenJuly 10, 2010 4:26 PM

& then someone steals your list of "secret" questions (two people can keep a secret, if one of them is dead), or the the various agencies involved share them, & you are worse off.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.