Fun with Secret Questions

Ally Bank wants its customers to invent their own personal secret questions and answers; the idea is that an operator will read the question over the phone and listen for an answer. Ignoring for the moment the problem of the operator now knowing the question/answer pair, what are some good pairs? Some suggestions:

Q: Do you know why I think you're so sexy?
A: Probably because you're totally in love with me.

Q: Need any weed? Grass? Kind bud? Shrooms?
A: No thanks hippie, I'd just like to do some banking.

Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.
A: Go forth, and kill. Zardoz has spoken.

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I'd like to speak to your supervisor.

Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.
A: It's a good thing they're recording this call, because I'm going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

Okay, now it's your turn.

Posted on April 30, 2010 at 7:24 AM • 224 Comments

Comments

Clive Robinson • April 30, 2010 7:36 AM

How about a blast or two from the film past with,

Q: Dave would you like to play chess?
A: No not now HAL.

Q: What would you like to play today?
A: Global thermal nuclear war.

Or perhaps even Morgan Spurlock,

Q: Would sir like chips with that?
A: Yes Supersize me now!

OR the one I've used to upset some of these idiots,

Q: What is the name of your first pet,
A: R4
Q: I'm sorry sir can you please repeat that
A: R4
Q: I'm sorry sir but I don't have the name Arthur here can you please repeat?
A: the letter R and the number 4 as in R4 do you have defective hearing or something?

(you could also try K9, or C4 cat)

snxuevzr • April 30, 2010 7:36 AM

If I can create my own question,
I'll choose that the best question is
why do you want to hack my account?

yt • April 30, 2010 7:51 AM

Movie quote-inspired:

Q: Can you hammer a six inch spike through a board with your penis?
A: Not right now.

I can also see potential for all kinds of cheesy pickup lines here:

Q: If I said you had a beautiful body, would you hold it against me?
A: Sorry, you're not my type.

Snarki, child of Loki • April 30, 2010 7:56 AM

Q: Do you authorize us to transfer a free gift of $1M to your account?
A: Thank you, offer accepted.

Alan Kaminsky • April 30, 2010 8:05 AM

James Bond's secret bank questions

"Goldfinger"
Q: Do you expect me to talk?
A: No, Mr. Bond, I expect you to die!

"The Spy Who Loved Me"
Q: Bond! What do you think you're doing?
A: Just keeping the British end up, sir.

"Moonraker"
Q: Why did you break off the encounter with my pet python?
A: I discovered it had a crush on me.

Muffin • April 30, 2010 8:11 AM

Q: Who's on first?
A: Yes.

And so on... I wonder if the bank could be convinced to allow conversations that span multiple secret questions/answers. All in the name of increased security, of course. ;)

Cory Doctorow • April 30, 2010 8:16 AM

I'm pretty boring, I know, but I always just use,

"What is the random string?" and paste in a 64-character random string, keeping a record of it in a password locker.

peri • April 30, 2010 8:21 AM

Q: I'd like to take a moment to tell you about our long distance plan.
A: [customer hangs up]

Tanuki • April 30, 2010 8:23 AM

Q: Where am I?
A: In the village.

Q: What do you want?
A: Information.

Q: Whose side are you on?
A: That would be telling.... We want information...INFORMATION...INFORMATION!

Q: Who are you?
A: The new Number Two.

Q: Who is Number One?
A: You are Number Six.

Alfihar • April 30, 2010 8:29 AM

A: What is best in life?
Q: To crush your enemies, see them driven before you, and to hear the lamentation of their women.

kog999 • April 30, 2010 8:31 AM

Q: Can you can a canned can into an uncanned can like a canner can can a canned can into an uncanned can?

A: I'm sorry, could you please repeat that

Q: Oh My God, Fire, Fire, everyone get out now!

A: The roof the roof the roof is on fire

Q: I found a reason to show, a side of me I didn't know, a reason for all that I do

A: and the reason is you

Q: What is your secret question's answer

A: I don't remember

Q: Error 352: Cannot locate cust_ID in database

A: Error 312: strAnswer is Undefined

Tyler • April 30, 2010 8:31 AM

Famous-quote pairs are obvious:

Q: What is the flight-speed of an unladen swallow?
A: African or European?

Q: Are you pondering what I'm pondering?
A: But... where will we find a pair of galoshes, five pounds of coleslaw, and a llama at this time of day?

A better approach might be something along the lines of:

Q: What is the third word in the second paragraph of page 352 in your Calculus book from college?
A: Kroniker.

Of course, that presumes you have access to that book on a regular basis, and wouldn't need to use the secret question pair when you were, say, on vacation.

Jan • April 30, 2010 8:37 AM

A few ideas from the Monkey Island insult list.

Q: This is the END for you, you gutter-crawling cur!
A: And I've got a little TIP for you, get the POINT?

Q: Soon you'll be wearing my sword like a shish kebab!
A: First you better stop waving it like a feather-duster.

Q: My handkerchief will wipe up your blood!
A: So you got that job as janitor, after all.

Q: People fall at my feet when they see me coming.
A: Even BEFORE they smell your breath?

Q: I once owned a dog that was smarter than you.
A: He must have taught you everything you know.

Q: You make me want to puke.
A: You make me think somebody already did.

Q: Nobody's ever drawn blood from me and nobody ever will.
A: You run THAT fast?

Q: You fight like a dairy farmer.
A: How appropriate. You fight like a cow.

Q: I got this scar on my face during a mighty struggle!
A: I hope now you've learned to stop picking your nose.

Q: Have you stopped wearing diapers yet?
A: Why, did you want to borrow one?

Q: I've heard you were a contemptible sneak.
A: Too bad no one's ever heard of YOU at all.

Q: You're no match for my brains, you poor fool.
A: I'd be in real trouble if you ever used them.

Q: You have the manners of a beggar.
A: I wanted to make sure you'd feel comfortable with me.

Q: I'm not going to take your insolence sitting down!
A: Your hemorrhoids are flaring up again, eh?

Q: There are no words for how disgusting you are.
A: Yes there are. You just never learned them.

Q: I've spoken with apes more polite than you.
A: I'm glad to hear you attended your family reunion.

Gweihir • April 30, 2010 8:43 AM

Q: Sir, may I ask you your security question?
A: Security Question? What damn security question?

rob • April 30, 2010 8:43 AM

Q: Is this the right question?
A: I don't know, is this the right answer?

or better:

A: No

or even better (if you have plenty of time):

A: Excuse me, what did you say?

Davi Ottenheimer • April 30, 2010 8:46 AM

It doesn't really have to be a question, just a call and response, no? I know there's less entropy, but still I'd be tempted to use classic lines

Q: I could dance with you till the cows come home.
A: I'd rather dance with the cows when you came home.

Q: If you're alone then why is your table set for four?
A: That's nothing, my alarm clock is set for eight.

Q: I'll teach you to kick me
A: You don't need to teach me, I already know how

Q: Pick a number from one to ten
A: Eleven

Mark • April 30, 2010 8:50 AM

You could have so much fun with this...

Q: Hello, you're through to the hot banking chat line, how can I help you?
A: Tell me, what are you wearing?

Q: What do you want me to do?
A: What are you willing to do to make me happy?

Q: My name is Cindy and I'm here to service your every need, how do you want me to start?
A: Slip off your top.

All these would be perfectly suited for a male customer service representative :).

Seriously though, I imagine many people would try and be "clever" and use quotes, from films and the like, but actually a smart and quick witted attacker would probably be able to guess the response more easily as they *are* well known lines / Q&As. This would actually make this less secure than using personal data.

Kieran • April 30, 2010 8:50 AM

There's a tiny British comedienne (her name escapes me) who claimed on-stage a while back that hers were:

Q. You're not going out dressed like that are you?
A. You're not my real Dad! I can do what I want!

Shachar Shemesh • April 30, 2010 8:52 AM

I'm surprised no-one caught on to it yet. Since the secret questions/answers can be offensive, wouldn't that expose the bank to sexual harassment lawsuits from its employees?

Shachar

Spamfarm • April 30, 2010 9:02 AM

Q: Sir, before I begin, I would like to remind you that we do not serve gays, latinos, women, or people over the age of 50. Are you any of those things, sir?
A: Yes and I'll be seeing your ass in court.

Andre LePlume • April 30, 2010 9:02 AM

This is a major threat. Al Qaeda could harness this very freedom against us. These customer service lines and secret questions make a useful covert channel:

Q: At what day does Osama say to commence Operation X?
A: November 13.

Q: In what city will we strike with our infamous LED sanity disruptor?
A: Boston

Tim • April 30, 2010 9:07 AM

Kieran: I know who you mean but I have totally forgotten her name! Welsh, giggly...

dmc • April 30, 2010 9:08 AM

Q: How much wood would a woodchuck chuck, if a woodchuck could chuck wood?

A: A woodchuck would chuck as much wood as a woodchuck could chuck, if a woodchuck could chuck wood.

peri • April 30, 2010 9:25 AM

Q: [bank manager's full name] [bank manager's SSN] [bank manager's private checking account number] [bank manager's security question] [bank manager's security answer] [bank manager's private checking PIN]. How do you respond?
A: I can't believe that worked!

Andy • April 30, 2010 9:27 AM

@Tim - I did hear Lucy Porter use that exact line at a comedy night about eighteen months ago.

Terence Eden • April 30, 2010 9:33 AM

@Kieran @Tim

Yup, Lucy Porter has had that in her standup set for ages. I first saw it ~3 years ago.

"Lucy Porter: I went to the bank and they told me I needed a security question for telephone banking. I asked if there was a list to choose from and they said no, I could pick any question. So now it's great, whenever I call the bank the person on the other end has to ask me "You're not going out dressed like that are you?" and I reply "You can't tell me what to do, you're not my real dad!""
See http://news.scotsman.com/susan-morrison/Female-comedians-You-must-be.5481262.jp

lazlo • April 30, 2010 9:34 AM

Q: what is your customer number?'); drop table customers; --

A: Error, table customer not found.

A long time ago, a friend told me that his question/answer combo for his bank was:

Q: Why are you such a fucking pussy?
A: Because you are what you eat.

Trichinosis USA • April 30, 2010 9:42 AM

It's probably only a matter of time before the banking industry catches up to the rest of the military/industrial complex:

Q: Do you love me, now that I can dance?
A: WATCH me now!

Jon • April 30, 2010 9:44 AM

Lucy Porter does a short routine on it. As well as the "You're not going out dressed like that are you?", she includes the "micro-drama":

Q: "Sebastian, is that you?"
A: "No Nana, it's me, Luke. Sebastian died remember?"

Michael Mouse • April 30, 2010 9:50 AM

I always use:

Q: Why aren't user-defined questions a perfect solution to the problem that many standard security questions have answers which are easily guessable or findable?

A: Even the commenters on Bruce Schneier's blog appear to have trouble thinking of questions whose answers are not easily guessable or findable.

(And remember folks: do not misuse the privilege of knowing Cory Doctorow's standard security question.)

Timmy303 • April 30, 2010 9:54 AM

Q: What time does your wife take the kids to school?
A: I told you that can't happen again

Q: Have you ever poisoned an atmosphere?
A: Only at Taco Bell, Mr. Hubbard

Okay that second one was an obscure reference.

Also @Andre LePlume RE: Boston sanity disruptor

TOO LATE!!!!

Dave Marcus • April 30, 2010 10:04 AM

For a long time my "verbal password" for calling American Express and being able to speak to a human - a requirement over and above the other ID checks they have already forced - was ....

amexsux

It was always such a mean-spirited pleasure to say that when the agent asked me for my verbal. Easy to remember, too.

Bryan • April 30, 2010 10:12 AM

The obvious problem with all of these based on well known or searchable quotes is an attacker can guess them. Try harder next time.

Jonathan • April 30, 2010 10:20 AM

I heard this in a parody of Star Wars Episode III. Obi-Wan and Yoda talking about Anakin:

Q: That boy was our last hope.
A: Way to go, Kenobi.

Well-known question, unexpected answer.

Virosa • April 30, 2010 10:28 AM

I'm not going to post my question, but the answer will be "THE ARISTOCRATS!!!"

christopher • April 30, 2010 10:39 AM

I actually employ the technique of a nonsense answer to a question, thus guaranteeing "something I know":

Q: Name of first employer
A: 1,375,000 cubic meters

Bryan Feir • April 30, 2010 10:47 AM

@Clive Robinson:

Amusingly, my sister actually named her cat C'fer at one point, explaining that it was C fer Cat.

Khris • April 30, 2010 10:54 AM

Since most people won't click on the attribution link, it would be classier to say "as my friend posted this morning" and put the whole post in quotes. I'm delighted you linked to it, but copying an entire post verbatim and putting an attribution link suggests you wrote an original post inspired by something you saw when actually, this is a direct copy & paste. You're way too awesome to have a crappy comment like this posted by some windbag with an opinion like me.

jrr • April 30, 2010 11:08 AM

I have actually used:
Q: This security system really does suck.
A: Yes, yes it does.

Hawkins Dale • April 30, 2010 11:10 AM

Some of these are *extremely* funny.

But as Mr. Mouse pointed out, more cleverly than I: if the responses are guessable, then they're bad.

I like Christopher's idea, which is also funny: standard question, Ionesco-grade absurd response. The trick would be not to trick yourself: if asked by my bank for the name of my first employer, I might answer the question with the name of my first employer, having forgotten the trick.

So maybe the idea would be to embed something in the question that would remind you (and only you) of the correct absurd response.

Q: What is the name of your pet?
A: PolyEthylene Terephthalate!

Q: What does napalm smell like in the morning?
A: Gasoline.

derf • April 30, 2010 11:14 AM

Makes me think of kids in grade school:

Q: Pete and Repeat were sitting on a fence. Pete fell off. Who was left?
A: Repeat.

paul • April 30, 2010 11:26 AM

"Knock, knock"
"Orange who?"

I had problems along these lines when I moved from one city to another, and realized only years later that all of my security questions/answers were based on the old address.

Casey • April 30, 2010 11:31 AM

I can't help it...

Q: What is your quest?
A: To find the holy grail.

Q: What is the air-speed velocity of an unladen swallow?
A: What do you mean? An African or European swallow?

Todd • April 30, 2010 11:34 AM

From the Firesign Theatre archives:

Q: Porgy, is that what you're going to do after graduation?
A: Heck no. I'm going to cut the soles off my shoes, sit in a tree, and learn to play the flute!

Q: Can you phrase that as a question?
A: Read me, Dr. Memory?

Q: Notice what the cross is made out of. Gold. Got any?
A: No but we do have this corn. Now we can make tortillas.

Q: But, Dad, I still don't see how you can be the People's Prosecutor and my defense attorney at the same time.
A: Easy son, this way I can personally see that you are persecuted to the full extent of the law.

Q: Perhaps you remember her as Melanie Haber? Audrey Farber? Susan Underhill? …Betty Jo Bialowsky?
A: Oh. You mean Nancy.

SteveJ • April 30, 2010 11:39 AM

Q: Your secret answer sir, what is it?
A: It's how I access my telephone banking, and don't call me Shirley.

Nick P • April 30, 2010 11:40 AM

I don't think anyone could enter (or remember) the answer to this one. It's a quote that would leave even the best shoulder surfers in agony.

Question: "What are your extended, unsolicited views on this rather broad topic?"

Answer: "We have had part of this conversation before, but I'll go through your points.

"So you've doubled the components (complexity)"

Err probably not (certainly not in my hardware prototype anyway). Have a look at the difference between CISC and RISC architectures.

CISC was based on an idea that by making instructions "do more" you'd save memory which was very very expensive at the time (upwards of 1000USD/64K). This is no longer true and the problems have moved to memory IO bottlenecks.

Thus most code spends more time being shifted around in memory than it ever does being executed, and the CPU blocks on memory...

A consequence of CISC is so many instructions that you have a great deal of redundancy in the instruction set and this makes Malware attacks significantly easier (Make your own shell script in ASCII if you want to see why).

I would argue that dropping CISC in favour of RISC would gain significant advantages in terms of silicon real estate.

Thus whilst I have conceptually "doubled" in fact I've thrown out most of the useless and un-needed "complexity".

So much so that you could put many general purpose compute engines under one restricted function engine. Which is actually advantageous.

"and done away with all our present-day programming languages (barring maybe asm or BASIC)"

Complete twaddle, and you should know that.

If you are actually arguing that the majority of higher level programming language compilers and language tools are written in C or use the C library interface fine. But there is no reason for them to be, and your argument boils down to "C is the translation code of choice", and unfortunately as most code cutters don't know how to behave safely let alone securely C takes its baggage with it wherever it goes. Look at it this way it's like allowing a bunch of 5 year olds unrestricted access to a "tool shop without safety guards", you know it's going to end in a world of hurt for everybody involved.

With regards,

"... Harvard architecture is only marginally more secure."

That depends on how you use it. Because of C most Harvard architectures have been weakened, and it is this weakening that has allowed the gadget attacks to be possible.

As I said earlier we have had this conversation before. When you say,

" Harvard architectures still can be attacked with return-oriented-programming... so smashing the stack would still be fun and profitable."

I pointed out it was due to the "extras" added to the Harvard architecture that made this possible. Thus I posted a link to a paper that makes the same claim as you but clearly shows that it's the "extras" that are responsible. Thus I used the term "Strict Harvard architecture" to differentiate.

" - High-level flaws in software *cannot* be defeated by low-level design."

This is what many in the US call a "strawman argument". I can make the safest car engine in the world but it won't stop you putting it in a dangerous car, and it won't stop a drunk driver using it to smash their way home leaving piles of mechanical and human wreckage in their wake.

A simple way to make most code more secure would be to properly deal with "exceptions" in all their various forms. However this needs a fundamental change in mindset of a programmer from "Gung Ho charge the cannons down" to a more stateful way of thinking.

"Financial data transmitted in plain text would still be transmitted in plain text."

That is a fault not of the system or the programmers but those at the top. And incidentally in and of itself is not actually bad. You have to have it in "plain text" at some point to allow it to be processed. It is a question of where you set your boundaries and how you implement them.

"Timing side-channels in encryption libraries wouldn't go away."

No but again this is not architecture related and it has some inherent problems that you appear unaware of (the problem came about due to trying to solve another problem, and in all likelihood the solution will open up another attack for other reasons). The issue is doing crypto in software on an unknown platform.

"Bad RNGs (a la debian's openssl) would still expose your keys."

RNGs are (as you might know if you are a long-term Bruce's blog reader) a subject close to my heart. If you are referring to the problem I think you are it was actually a deliberate choice by a programmer to make a change that made it insecure.... And yes the last time I looked there were still people out there using weak PK certs based on it...

"Heck, even path traversal would still be with us..."

Again an issue that is not really anything to do with the CPU architecture.

And thus I can only conclude you don't actually understand the issue.

There are all sorts of "assurance" issues at every layer in the stack from the clueless/malicious (ab)user down to the wires and components that leak data via EM and audio radiation.

For a secure system you need to resolve all of the issues. This can be by fixing them or mitigating them; it is a design choice at that level in the stack.

However fixing a problem at a lower level will not stop poor choices further up the stack leaking information at a high level.

Importantly fixing high level problems will not stop poor choices further down the stack leaking information at a low level.

Worse any fixes at a high level can always be sidestepped by "bubbling up" from a flaw at a lower level (when the flaw is too small to be visible this is also known as the "Champagne bubble effect" that is the effect of the flaw only becomes visible considerably higher up).

Most malware gets control by one of two routes, Through the user, or by "bubbling up" from a lower level.

No technical solution (other than maybe the bullet) can solve the user issue. But there are partial technical solutions to the "bubbling up" exploitation of a fault or flaw.

The question is where and how do you expend resources to resolve the issues at lower levels.

One way is to get rid of a very badly flawed architecture that positively encourages "bubbling up" by its very inherent design.

The question then becomes will the market allow it.

Sadly at the moment we are stuck with the iA86 architecture even Intel admitted defeat and binned its iA64 architecture in favour of the AMD64 solution. The question is will the "business environment" allow "natural selection" to rid us of this "Saber tooth tiger" evolutionary dead end?

Even its designers Intel know it's doomed, but they appear locked in a "danse macabre" with amongst others AMD, driven on by the maddened cajoling of the carousing consumer market. Which leaves the question what happens when the music stops?"

*short answer:* I'm Clive Robinson, biatches!

Andrew • April 30, 2010 11:45 AM

Q. What is 42?

A. Six times nine.

Q. Do you have your towel?

A. Of course!

Q. Why will the Earth be demolished?

A1. To make way for a hyperspace bypass.

A2. That's kind of a crazy question. Are you quite right in the head?

A3. Because in the not so distant future, question and answer pairs will replace Permissive Action Links in nuclear weapons security.

SteveJ • April 30, 2010 11:46 AM

Q: Do we properly escape our SQL?
A: Shall we find out?'; DROP TABLE Customer; --

Princess Bride • April 30, 2010 11:56 AM

Q: Who are you??
A: Hello. My name is Inigo Montoya. You killed my father. Prepare to die.

Paul Hoffman • April 30, 2010 11:58 AM

Q: Do you know the answer to your self-created question?
A: No.

Q: Do you have sympathy for me having to go through this stupid security theater with you?
A: Yes.

jacob • April 30, 2010 12:00 PM

1. This is great in theory until someone leaves the unattended notebook or memory stick (like in US or UK).
2. the fun of making up your own security system. I have a ____ inch penis joke, what is the circumference?
3. I prefer to be anonymous to some extent. I hate even answering poll questions.
4. what does google really know???
5. forget my mother's maiden name, what is the name of my first pet?
Hint: it was a hedgehog named spiny.

this is a solution in search of a buyer.
100 million dollars and your company can buy the proprietary information...

Currently working on the XOR of two irrational numbers for a one time pad of my LOL cats collection. :) and the pictures of Amanda Tapping wearing the flag!!!

Bruce I would really like you to answer the question, How much does the average person really need to encrypt info? (including crossing borders and the FBI). NSA is another story. I figure they already know which hand I wipe my ass with.

peri • April 30, 2010 12:04 PM

@Nick P: "*short answer:* I'm Clive Robinson, biatches!"

That was hilarious! I was _certain_ you were Clive Robinson right up until the "short answer." That gave you away!

@ Michael Mouse, Hawkins Dale

Make no mistake, I have been using true RNGs (via random.org) to generate enough entropy for all my secret questions for years now. You shouldn't take most of the comments seriously. People are just having fun with the particulars of this system.

Corey • April 30, 2010 12:34 PM

@Shachar: My previous day job, when they rolled out a sexual harassment policy, they explicitly stated it applied to customers as well. I imagine this is true most places. (I got the mental image of our then-VP of engineering trying to convince me to sleep with a customer, because he never refused any other customer requests, no matter how asinine).

At least this is better than a pre-selected field of "secret questions". For my online banking, I had to tell it who my consultancy's prom date was, and the model of my 1-year-old's first car. (Of course the answers are random)

Corey • April 30, 2010 12:35 PM

"Q: Do you know the answer to your self-created question?
A: No."

OK, Goedel, I'm convinced it's you.

bloodninja • April 30, 2010 12:39 PM

Q: Would you like to Cyber?
A: Oh I like that Baby. I put on my robe and wizard hat.

Q: What's the matter now?
A: I've realized that I've peed into your laundry hamper. Sorry again. I'm walking back to the bedroom now, blindly feeling my way.

etc...

brian t • April 30, 2010 12:40 PM

Q: How long is a piece of string?
A: Twice the distance between the middle and the end.

Q: Who put the Bop in the Bop Shop Doo Wop?
A: You did, ma'am!

Brian Tung • April 30, 2010 1:28 PM

@Corey:

Q: What yields falsehood when answered by its own predicate?

A: Yields falsehood when answered by its own predicate.

anon • April 30, 2010 1:36 PM

Q: I hate working at a call centre.
A: I'm sorry, the connection's very quiet. Would you please repeat that in a louder voice?

Q: Yeah, the manager actually thought I was taking a call. How stupid is that?
A: Aren't you glad they record these calls for quality assurance?

Q: I've been skimming from his accounts for years and he's never noticed.
A: Aren't you glad you've never been audited?

Q: On second thought, I'd rather just give up and go home.
A: Have a good day!

Q: Indecipherable. However, I'd like to buy pizza and beer for the whole office. If someone else calls in the order, I'll pay the bill!
A: You're very generous.

Clive Robinson • April 30, 2010 1:43 PM

@ peri,

"That was hilarious! I was _certain_ you were Clive Robinson..."

It was me, in reply to Nick P, so I guess he has violated the copyright ;)

He also forgot to mention it was typed with two thumbs on a 68mm by 30mm keyboard on a mobile phone, whilst lying in a hospital bed.

The thing is he never made a counterpoint, I was most disappointed...

Skippern • April 30, 2010 1:54 PM

Q: Ready for the security question?
A: Yes

Q: Have I already asked the security question?
A: No

Q: Do you want to take me home tonight?
A: Why? Don't you have a place to sleep?

Q: What is the password?
A: Ken sent me

Q: You have your security password written down somewhere?
A: Yeah, on the bathroom wall at TDI's

Q: You think our security is a joke?
A: Yes

Q: Where did you come up with this stupid question?
A: I found it on Bruce Schneier's security blog.

Could also take some really random babble:

Q: You like a cup of coffee?
A: The salmon is really great

This type of nonsense would be virtually impossible to break.

In a Norwegian comedy a few years ago they needed to select a password for the alarm central, and they chose the favorite dessert of one of the characters. Unfortunately he changed his mind about that dessert after a date, and when the alarm went off and the security company called to verify the alarm he couldn't remember the password. The result was that he was reading all the names of desserts out of a cookbook when the police arrived.

Clive Robinson • April 30, 2010 2:02 PM

As others have given tongue twisters, you could also have,

Q: I'm not a pheasant plucker but a pheasant plucker's mate and I'm only plucking pheasants cos the pheasant plucker's late.

A: Sorry what is it you do to pheasant?

Then of course there are the works of Spooner to contend with.

Then there are such questions as

Q: What is the difference between an off-target marksman and a constipated owl?

A: One shoots but can't hit the other hoots but can't...

Q: What is the difference between the river Thames and a ballerina who pirouettes too much?

A: One is a busy ditch, the other...

The only question is how much do you need to say before the person says yes out of embarrassment...

yt • April 30, 2010 2:02 PM

@Bryan "The obvious problem with all of these based on well known or searchable quotes is an attacker can guess them. Try harder next time."

Yes, but the point here was to be funny, not to be secure.

peri • April 30, 2010 2:19 PM

@Clive Robinson

Well let's hear the real Clive Robinson abuse security questions!

anon • April 30, 2010 2:21 PM

Q: The combination on my briefcase is 1-2-3-4
A: What a coincidence! So is mine!

Q: We both know that your password is swordfish and your mother's maiden name was Smith, so let's get right down to the banking, OK?
A: You haven't asked about my first pet yet!

Q: What is your mother's maiden name?
A: Tell me about your mother.

Q: I spend too much time on the phone.
A: Tell me more about that.

Q: No, you are not my psychiatrist.
A: Are you saying no just to be negative?

Q: Are you a legitimate customer?
A: What does that suggest to you?

Q: Where are you?
A: I don't know, where am I?

Q: Disneyland.
A: Please state your answer in the form of a question.

Ed • April 30, 2010 2:22 PM

Q: Can entropy be reversed?
A: THERE IS AS YET INSUFFICIENT DATA FOR A MEANINGFUL ANSWER

Rodrigo Kumpera • April 30, 2010 2:29 PM

I'm very disappointed that nobody suggested Pulp Fiction lines.

Q: What does Marsellus Wallace look like?
A: What?

Q: Does he look like a bitch?
A: What?

Q: English M***er F***er. English!
A: What?

yt • April 30, 2010 2:40 PM

Ooh! I can't believe nobody (including me) thought of this until now:

Q: Does this dress make my bum look big?
A. No, it's your fat bum that makes your bum look big.

(Apparently I'm channeling a Brit tonight.)

Mike Begley • April 30, 2010 2:43 PM

Q: You're in a desert, walking along in the sand when all of a sudden you look down and see a tortoise. It's crawling toward you. You reach down and you flip the tortoise over on its back. The tortoise lays on its back, its belly baking in the hot sun, beating its legs trying to turn itself over but it can't. Not without your help. But you're not helping. Why is that?

Rich Siegel • April 30, 2010 2:47 PM

Q: How will we know the Cathars from the Catholics?

A: Caedite eos! Novit enim Dominus qui sunt eius.

Clive Robinson • April 30, 2010 2:51 PM

@ yt,

"Yes, but the point here was to be funny, not to be secure."

I thought it was to think up the maximum "squirm factor" for the call center droid...

As for,

"A. No, it's your fat bum that makes your bum look big."

That's not what a "Brit" would say. It would be more like,

"A. No dear, of course not, the dress does not make your bum look big..."

Then under his breath "it's over using your big mouth that makes your bum fat"

FromCanadaApril 30, 2010 2:58 PM

Q: You are in an open field. Exits are to the north, south and west. A hungry badger blocks the westward path.

A: Get ye flask.

DiegoApril 30, 2010 3:04 PM

Q: Is the answer to this question "no"?
A: Yes.

Q: Does this question not refer to itself?
A: No.

Q: Is this question true?
A: No.

MDApril 30, 2010 3:04 PM

Q: Would you please allow us to credit your account today for $100 as a token of our appreciation?
A: Of course! Thank you very much.

BF SkinnerApril 30, 2010 3:25 PM

Q: Who Goes There?
A: {tickity tackety tickety tackty tap tap tap}

Good Morning, Mr. President. Shall we dust Moscow?

Al, Just AlApril 30, 2010 3:28 PM

Good morning this is Ms Latella from the bank to confirm your identity please phrase your answer in the form of a question.

A: Three Feet long, smells like lilies and spits
Q: What is a former president's mother?

KymApril 30, 2010 3:29 PM

They have all these extra PINs and security questions, but won't let me create a password containing non-alphanumerics or longer than 12 characters... Gotta love banks.

DavidApril 30, 2010 3:29 PM

Q: If Peter Piper Picked a peck of pickled peppers, where's the peck of pickled peppers Peter Piper picked?
A: Could you please repeat the question?

Timmy303April 30, 2010 3:33 PM

I hate to rain on everyone's parade here, but if anyone was actually thinking of using a Yes/No question on a real bank security question/answer pair, think hard for a second about how many tries it would take for an identity thief to brute force a binary answer ...

LaneApril 30, 2010 4:03 PM

Q: What is the secret passphrase?
A: Correct! That's the end of round one. When we return, Double Jeopardy!

anonymousApril 30, 2010 4:08 PM

Q: What about you, Johnny?
A: I'm gonna go to the nearest bar, drink 'til I puke, then pick up a fight with a complete stranger, then wreck the place. And then I'm gonna blow all my money on a big, fat whore and take her to a sleazy motel, and then.. and then.. I'm going to bang the tits off of her!

anonymousApril 30, 2010 4:11 PM

"My bank has zero sense of humor and their security guards yell at me all the time and its just not a good experience."

That just means they don't like you because you don't have any money.

RickApril 30, 2010 5:10 PM

I like to have nonsensical easily remembered answers...

Q) What is your mother's maiden name?
A) Cheese.

Q) Where were you born?
A) Cheese.

Q) Pet's first name?
A) Cheese.

ReallyEvilCanineApril 30, 2010 5:19 PM

Apparently most people commenting are here to be seen commenting. I remember realising that anyone could find out my mother's maiden name and so never used it, opting for things like "Cawfeebean". Most of the pairs above are quotes from favourite films and incredibly easy to guess. Useful QA pairs require nonsense:

Q) Who was the Prime Minister of 1917?
A) Pistachio


Q) Why are there cows?
A) Blue


Q) How many licks does it take to get to the center of a Tootsie Pop?
A) Bullwinkle


Q) What does Marcellus Wallace look like?
A) Cheerios


The challenge can be short or long but the response needs to be simple, quick, and unambiguous, although using a homonym pair adds an additional layer of safety, such as bites/bytes so that the challenger can instantly identify a bad actor. This actively protects a victim and allows for a safe method to initiate action, much in the same way banks should allow a "wrong" PIN off by +/-1 or 1000 or reversed PIN to be an alarm code for "I'm being robbed," thereby locking the account and showing a negative balance of some random amount.

paulApril 30, 2010 5:23 PM

How about a perpetual loop?
Q: What is your secret answer?
A: Excuse me, could you please repeat that?

BetaApril 30, 2010 6:12 PM

Q: Is this really you?
A: Yes, honest.

Q: What do we call the metal alloy made of copper and zinc?
A: Pork!

Q: Say, who are you?
A: "Who are you?"

Q: Who on God's earth is that?
A: It is a man who joined today.

Q: When he went, had you gone and had she, if she wanted to and were able, for the time being excluding all the restraints on her not to go, gone also, would he have brought you, meaning you and she, with him to the station?
A: Objection. That question should be taken out and shot.

Q: What in God's name is going on?
A: Foul. No rhetoric. Two - One.

willyApril 30, 2010 7:00 PM

With a hat-tip to SNL ...

Q: Do you like Colonel Angus?
A: What woman doesn't?

MorganApril 30, 2010 8:25 PM

Funnily enough I was thinking of doing this exact thing a couple of weeks ago with a domain registrar that was getting on my nerves; they do have a customisable secret question and answer.

I thought of a good one just now, but I won't use it as it would probably end badly;
Q: Please sir calm down, now tell me where you placed the bomb?
A: Under your chair.

Nick PApril 30, 2010 10:43 PM

@ peri

I was aiming for humor and relevance to the blog. Seems I hit the mark. ;) It took me all of 2 min to find a post long enough for the joke... without Google or bookmarks. Hehe.

@ Clive

Copyright violation! I thought all your posts came with an implied Creative Commons license permitting redistribution. I swore you gave me explicit permission one time... over an encrypted, onion-routed chat session whose keys are permanently lost. Yeah, seems pretty clear cut to me. ;)

Btw, that post was you arguing with some other guy about something. I left out his name as *that* wasn't funny. But, I'll forgive the mix up since we've had similar discussions and you were a good sport about it. ;)

Nick LancasterApril 30, 2010 11:47 PM

Q: Who goes there?
A: It's me.

Q: Who is this? What's your operating number?
A: *blaster shot*

Q: Hamburger?
A: Pay you Tuesday.

Q: Do you have a question for the General?
A: W. H. Y.

Carl "SAI" MitchellApril 30, 2010 11:48 PM

My bank makes me choose from their list of questions, here are some samples with newly generated answers:

What was the name of your first employer?
>6x:fw[tko.*x=otuWex

What was the name of your first pet?
7)(m-*`W_h:~;pQt#EAx

etc, etc. I had an excellent vacation in dACCY_U/;?ZhO,6Mtm-u last year with my older sister, &Q[2?I/[UuCIS1CT]MLq.

BillyApril 30, 2010 11:55 PM

When Ally first took over my formerly GMAC account, my Q and A were:
Q: May I ask you your secret question
A: No.

Then I got more creative...
Q: Would you like $100 for being a proud customer
A: Yes. Please deposit it in to my checking account

Today it's even better, but I'm not about to post what it is to a blog comment until I come up with the next one.

On a more serious note, my *other* bank makes me pick from their list of questions, and it irritates the shit out of me so I just have a single character answer for all of them. Making up your own questions is more engaging, and offsets the nuisance factor.

Zayne S HalsallMay 1, 2010 8:03 AM

Not a bank, but my first "security question over the phone" was with Rackspace, and I used:

Q: Why's everybody always picking on me?
A: 'cos nobody likes you, monkey boy!

Thanks to Bloodhound Gang, whole tech team had a good laugh that day.

DaveCMay 1, 2010 10:57 AM

Q: What is the difference between a duck?
A: One of its legs is both the same.

Q: Password?
A: Password.

In all seriousness, funny stuff that is well known is easy to Google; I prefer to use things like license plates of cars I scrapped 15 years ago in another country.

XentacMay 1, 2010 10:58 AM

Q: Is the following paragraph your security question? Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam congue feugiat velit id vulputate. Sed semper, ligula sollicitudin dictum facilisis, tellus elit rutrum metus, sit amet rhoncus tortor risus sit amet lacus. Praesent scelerisque nisl nec enim iaculis imperdiet. Donec in felis vel nibh mollis elementum ac ac libero. Nullam diam felis, tincidunt ut rhoncus sed, commodo vel ligula. Ut feugiat lorem tellus, at fermentum mi. Donec feugiat tortor a est vulputate lobortis volutpat odio aliquam. Proin tincidunt dolor tincidunt urna lacinia accumsan iaculis elit commodo. Aliquam in tortor ligula. Vestibulum ullamcorper placerat mi, in venenatis dolor ullamcorper sed. Etiam sit amet erat vulputate purus molestie pharetra sit amet eget nisi.
A: No.

Nick PMay 1, 2010 11:35 AM

@ Xentac

Just for kicks, I put that through a Latin translator. Of the 40% that got converted to English, I can't say I'm understanding it. The last line is the most sensible of them: "he is amet was vulputate spotless annoyance a quiver he is amet eget if not." If I am getting this, the security question asks if you are Amet, an annoying guy who darts like an arrow into places wearing clean clothes.

Ben MabeyMay 1, 2010 3:02 PM

Q: Would you like to go to dinner and a movie with me?
A: No, I would not and that is a very inappropriate and unprofessional question.

NopeMay 1, 2010 4:08 PM

@Nick P: it's a nonsense paragraph (well, not nonsense, it's a chunk of Cicero, but it's _used_ as nonsense) used by typesetters since the 1500's.

The DodMay 1, 2010 9:04 PM

I agree with @ReallyEvilCanine that references to movies are a vulnerability. An attacker can google up the challenge. If you have to, at least mix and match. e.g.

Q: What about you, Johnny?
A: I expect you to die, Mr. Bond

But I'd rather be creative:

Q: I CAN HAZ CHEEZBURGER?
A: Schrödinger needs you for one last session, then you can take a break

Dan LewisMay 1, 2010 9:28 PM

The problem with lying is that you have to remember a fake answer, and there is no information peg to hang it from. But yes, the best way is to have an answer totally unrelated to the question.

Q: What do you get when you multiply six by nine?
A: Johnny ate my bean bag chair.

I use questions that are personal secrets that mean nothing to anyone but myself. I have enough private experiences that they would be impossible to guess but instantly memorable.

Stuff like, who was wearing a green plastic wristband when I met them the first time? And there is really only one person like that for me, and it happened so long ago that no one knows it but me.

DdMay 2, 2010 5:49 AM

Q: what does a yellow light mean?

A: slow down.

Q: what does a yellow light mean?

A: SLOW DOWN.

Q: what does a yellow light mean?

A: SLOW DOWN!

andrewMay 2, 2010 8:19 AM

Q: What is your cat's name?
A: I'm sorry, I couldn't understand you, could you repeat the question?

AustinMay 2, 2010 11:15 AM

Couldn't remember the exact answer to this one. Called in and the operator was laughing her ass off...

Q: Seriously?
A: Fuck off.

(Thought it was "fuck you" or "fuck off" but I was forgetting the period.)

Jonathan WilsonMay 2, 2010 10:24 PM

I had to provide a security password for something I was signing up to related to a public transport smart card.
They specifically gave 3 options only:
Mothers Maiden Name
Favorite Color
Town Of Birth

They queried me about my town of birth because it was an unusual place from a foreign country and said "that's not a town of birth" (until I told them that it was and where it was)

chefMay 3, 2010 12:50 AM

Q: What is your father's maiden... oh my god, I just pooped my pants. Ugh, it smells horrible. Oh no, now it's running down my leg into my socks this is so gross oh my god oh my god oh my god

A: Um, maybe you should get yourself cleaned up before we deal with my late credit card payments. Wow. Just wow.

David ConradMay 3, 2010 11:30 AM

All right, I'll play:

Q: Pick a number between 0 and 1.
A: Pi over four.

Q: What is the answer to this question?
A: No, Watt invented the steam engine.

But, seriously, I have a problem with these security questions. I was recently (yesterday) trying to reset an infrequently-used account whose password I'd forgotten, and my security question was, "What was your first car?"

Now, I can remember the true answer to that, but it wouldn't accept it, and it may be because I gave a fake answer (can't remember), but I think the problem was either capitalization, or punctuation. (I tried a few variations, until I locked myself out.)

So, should systems like this be case insensitive? If I put that my favorite color is "Yellow." should it accept "yellow" or "Yellow" (without the period)?

That would make it more user-friendly, but it would lessen security for those who want to use a hash, GUID, or string of random characters for their answer.
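Added example (not part of the original comment or of any bank's system): the trade-off raised above, as runnable Python. The `normalize` rules, the PBKDF2 work factor and both sample answers are assumptions constructed for illustration; the point is that a lenient policy accepts "yellow" for "Yellow." but also accepts every case variant of a random-string answer.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def normalize(answer: str) -> str:
    """Lenient canonical form: fold case, drop punctuation and symbols,
    collapse runs of whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    kept = "".join(
        ch for ch in text
        if unicodedata.category(ch)[0] not in ("P", "S")
    )
    return " ".join(kept.split())


def _digest(material: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the answer, never the answer itself.
    return hashlib.pbkdf2_hmac(
        "sha256", material.encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def enroll(answer: str, lenient: bool) -> dict:
    """Create the stored record. The policy is fixed at enrollment so that
    verification applies exactly the same transformation."""
    salt = os.urandom(16)
    material = normalize(answer) if lenient else answer
    return {"lenient": lenient, "salt": salt, "digest": _digest(material, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Check an attempt against the record using a constant-time compare."""
    material = normalize(attempt) if record["lenient"] else attempt
    return hmac.compare_digest(_digest(material, record["salt"]), record["digest"])


def case_variants_accepted(answer: str) -> int:
    """How many differently-cased spellings of this answer a case-insensitive
    policy treats as identical: 2 per cased letter. For a random-string
    answer this is one bit of guessing work given away per letter."""
    cased = sum(1 for ch in answer if ch.lower() != ch.upper())
    return 2 ** cased


# Constructed sample answers (not taken from any real account).
WORD_ANSWER = "Yellow."
RANDOM_ANSWER = "q7#Gm2!xLp9$Vt4&Zb8@"


def demo() -> dict:
    """Run both policies over both answers and return the outcomes."""
    lenient_word = enroll(WORD_ANSWER, lenient=True)
    exact_word = enroll(WORD_ANSWER, lenient=False)
    lenient_rand = enroll(RANDOM_ANSWER, lenient=True)
    exact_rand = enroll(RANDOM_ANSWER, lenient=False)
    flipped = RANDOM_ANSWER.swapcase()  # same characters, every case inverted
    return {
        "lenient accepts 'yellow'": verify(lenient_word, "yellow"),
        "exact accepts 'yellow'": verify(exact_word, "yellow"),
        "lenient accepts case-flipped random": verify(lenient_rand, flipped),
        "exact accepts case-flipped random": verify(exact_rand, flipped),
        "case variants of random answer": case_variants_accepted(RANDOM_ANSWER),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Because the policy is recorded per answer, a system could let the user opt in to exact matching at enrollment instead of imposing one rule on everyone.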

Johnny DMay 3, 2010 12:30 PM

I can't believe nobody posted this (maybe my browser search is broken):

Q: Tell me how many lights you see...

A: There... are... four... lights...

MaltheosMay 3, 2010 1:22 PM


Q: You know, I really hate this job.
A: Shhh... Management is listening

or

Q: What a lame security question: What is your mother's maiden name?

A: Hey, that's not easily found by a websearch.

JanMay 3, 2010 1:23 PM

Q: Are you really who you say you are?
A: تبحث عن التعارف و الزواج‎

vedaalMay 3, 2010 1:30 PM

for Babylon 5 fans ...

Q: 'Who are you?' or 'What do you want?'

A: Zathras not know. Knowing, Zathras would say. Not knowing, Zathras cannot say. Zathras need banking now, for the One. No more time for questions.

James KMay 3, 2010 2:19 PM

"Ignoring for the moment the problem of the operator now knowing the question/answer pair..."
This issue is too important to overlook. Two people can keep a secret only if one of them is dead. It only follows that if you want your secret question/answer kept secret, the support agent will have to kill you after you answer.
Do you really want to bank with someone who will most likely have to kill you?

BobMay 4, 2010 4:33 AM

Using movie quotes misses the whole point because then any film buff can get into your account!

LexMay 4, 2010 3:25 PM

If you're really really patient, just go with something in a foreign language.

Q: Vuy russkye spioni?
A: Niet. Oh, he just asked if we are russian spi... oh crap.

Nick PMay 5, 2010 1:25 AM

@ peri

Are you sure that is really secure? The people who often use password questions are those who don't manage their passwords well. Wouldn't some operators go for, "Damnit! I can't remember exactly which I used, but it's basically a long random-looking string of letters and numbers. I was too clever for my own good. You know it's me. How many people would guess that I used a random string?" I'm sure quite a few support reps would buy it.

periMay 5, 2010 5:36 AM

@Nick P

That's an interesting question but I feel like a serious answer is out of place. I will say that nonsense answers are more likely to be forgotten and sensible answers tend to be quotes which can possibly be defeated here:

http://www.hulu.com/labs/captions-search

BumbleMay 5, 2010 8:11 AM

Q. Are you really the ex-President of Nigeria?
A. Just send me a thousand dollars and I'll prove it.

Q. How come you can't remember your stupid password, you dumb shmuck?
A. I'm sorry, I'll try harder next time.

Q. Does this question have a negative answer?
A. No, I mean yes, I mean no, I mean yes...

Q. If this were your security question, what would the answer be?
A. I never answer hypothetical questions.

alreadyonthelistMay 5, 2010 8:32 AM

Q. Yes?
Source: Movie script 3 days of the Condor

A. I'm doing a survey. Do you believe the Condor is really an endangered species?

Q. I'm controlling now, Condor. Where are you?

A. How come I need a code name, and you don't?

SampsonMay 5, 2010 9:52 AM

Q: Do you bite your thumb at me, sir?

A: No, sir, I do not bite my thumb at you, sir; but I do bite my thumb, sir.

gonzoMay 5, 2010 12:59 PM

I am very late to the party, but you could always do things like:

Q: Who was phone?
A: WHO WAS PHONE? (yelled)

Q: Who the fuck are you?
A: I'm the fucking customer!

Q: Chay' qab ghaH wIj vum?
A: Qab.

Walter WagerMay 6, 2010 6:13 AM

Q: The woods outside are dark and deep Walter
A: And I have miles to go before I sleep

ArikMay 7, 2010 12:53 PM


This one I actually used:

Q: What is the name of your dog?
A: I don't have a dog.

-- Arik

Jack ParsonsMay 10, 2010 12:55 AM

Why does it smell like rotting meat in here? Did an angel bring someone back to life?

LemongrassMay 11, 2010 3:47 AM

There's always the classic:

Why is a raven like a writing desk?

ZeroJeeMay 12, 2010 4:25 AM

Maybe a surrealist quote or two from "Rejected" - it looks random but is guessable...

Q. Tuesday's coming, did you bring your coat?
A. I live in a giant bucket.

Q. Do you want to go see a movie?
A. I feel fat and sassy.

(en.wikipedia.org/wiki/Rejected)

Andy PolaineMay 12, 2010 10:52 AM

Q: If you're the mounted police, where are your badges?
A: Badges? What badges? I don't need to show you no stinkin' badges.

Q: What would you like me to do?
A: Please hang up the phone now.

Q: Knock knock...
A: That's not a question.

gazzaMay 12, 2010 11:55 AM

@Hawkins Dale

I'd be more tempted to say
Q: What does napalm smell like in the morning?
A: Napalm. The smell doesn't change depending on the time of day. Duh.

ImGumbyDamnItMay 12, 2010 3:53 PM

Q: I do not mean to pry, but you don't by any chance happen to have six fingers on your right hand?
A: Do you always begin conversations this way?

ZdixMay 12, 2010 10:41 PM

Q: If we are lucky, then by the time you read this, I will be dead. If fate frowns, we all perish.
A: The North-Western Mine is located at reference N81.6914, W58.3154. Kill them. Kill them all.

BF SkinnerMay 13, 2010 10:31 AM

Q: Why did the chicken cross the road?
A: HMMMMM. Insufficient data for HMMMMM meaningful answer. HMMMMM

ScottMay 13, 2010 11:47 AM

And thus Bruce gets the people to build for him a database of challenge/response questions. Tom Sawyer hasn't gotten anything on you Bruce, lol. Pure Genius! My admiration is pinging.

BF SkinnerMay 14, 2010 6:23 AM

Q: What is the most dangerous thing in the world?
A: People without a sense of humor but don't know it.

BF SkinnerMay 14, 2010 6:26 AM

Q: Skybird Skybird Do not answer. Skybird Skybird Do not answer.
Charlie India Oscar
40914 28266 66312 38070 83786
62640 48601 19782 64375 72379
14170 92274 58643 63606 49680
56837 30542 26972 11376 53120
86751 75136 88284 69997 96576
60607 44613 19129 90275 86501
93933 62847 16513 54056 40529
93831 93066 83251 96163 88015
84886 83415 74277 34414 30357
48212 82086 37774 22194 12308
74100 72273 75835 41380 65031
29748 47945 78673 38064 46593
95710 89107 88666 53530 90037
74061 34878 22172 35592 55546
73051 55574 97009 95715 39078
39829 15217 89565 98139 61976
87207 42242 75313 14008 88227
41188 15158 91943 80991 76742
76009 31713 85090 36693 47326
72292 65407 82764 25194 53846
ende
A:

BF SkinnerMay 14, 2010 6:41 AM

Eliza: Hello. I am ELIZA at your Bank. How can I help you?
You: I want to reset my password
Eliza: Why do you say your password?
You: I didn't say 'your password' I said 'my' password. It needs to be reset.
Eliza: Why do you say your password it needs to be reset?
You: I can't use it to get to my account
Eliza: Why do you say your account?
You: Because my account is where my money is. I need my money
Eliza: Why do you say your account is where your money is you need your money?
You: Because it is.
Eliza: Do any other reasons not come to mind?
You: Yes. You have it. I want it. Only you can do it.
Eliza: You are sure?
You: Very Very Sure. Change the password
Eliza: Please go on.
You: No. You go on. Reset the password
Eliza: You are being a bit negative.
You: If so it's because I have no money
Eliza: Do you wish that so its because you have no money?
You: No.
Eliza: You are being a bit negative.
You: Because you won't give me my money.
Eliza: Why do you say your money
You: I earned it.
Eliza: Can you elaborate on that?
You: I get up every day, go to work. get paid in money. put the money in the bank.
Eliza: Can you elaborate on that?
You: Is there anyone else there I can talk to?
Eliza: Can you elaborate on that?
You: You aren't being helpful
Eliza: Oh, i arent being helpful.
You: Nope. Let me speak to your supervisor!
Eliza: Can you elaborate on that?
You: Go away and reset the password
Eliza: Please go on
You: I'm coming down there and when I find you I'm gonna do something unpleasant to you.
Eliza: Does it please you to believe I am gonna do something unpleasant to i?
You: very much so.
Eliza: Please go on.
You: You just stay there. I'm on my way
Eliza: Why do you say your way?
You: Look is this the bank are you like a switchboard or something?
Eliza: What resemblance do you see?
You: You are not family and you are not helping me.
Eliza: Does it please you to believe I am not helping you?
You: No belief about it it's a fact. Hang-up so I can come down there.
Eliza: You are being a bit negative.
You: Click
Eliza: Please go on.

Dr. MemoryMay 16, 2010 1:42 AM

Q: You are in a maze of tiny, twisty tunnels, all alike.
A: You are in a maze of twisty, tiny tunnels, all alike.

Dr. MemoryMay 16, 2010 2:58 AM

Q: Why does the porridge bird lay its eggs in the air?
A: The system is less energetic when domains of opposite polarity alternate.

PaulMay 16, 2010 3:24 AM

As mentioned by someone, the question should refresh one's memory of the answer, without divulging it. However, the answer could be embedded in the question in a subtle way.

Q: Sir, our Secret Q and A file shows you are delinquent by $2,221.02.

A: I thought I paid that $1.02 yesterday.

It is far better than things like -

Q: Sir, your Secret Q and A file has been corrupted.

A: That's alright, I forgot it anyway.

Anonymous CowardMay 16, 2010 6:55 AM

Q: You've chosen our gait-recognition verification option. Please do your favourite funny walk now.
A: (dum-dum-dum)

Q: Where were you on last vacation? You've got 60 seconds exactly and should avoid repetition, hesitation or deviation. Failure to comply will lock your account.
A: …

AnonymousMay 16, 2010 6:46 PM

Q: Where did they hide the bodies?

A: In the crawl space under the bank's call center.

Annie OminousMay 16, 2010 6:47 PM

Q: Where did they hide the bodies?

A: In the crawl space under the bank's call center.

BF SkinnerMay 17, 2010 8:08 AM

Q: Why did the chicken cross the road?
Was this yesterday? down south on I-95 by the Springfield mixing bowl in the morning?
Uh, yeah.

A: yeah...here's the thing see -- It didn't.

Poop DiddyMay 17, 2010 8:53 AM

Q: Were you affected by Eyjafjallajokull?
A: Can you repeat that?

a DaveMay 17, 2010 11:18 AM

I actually failed a credit agency security Q recently, fortunately they cycled up another set which I could pass.

They tried to use the zip code of a former address. I didn't understand why they insisted I got it wrong. And it was clearly "wrong" in the report that I got. Until after a little research I found that the Post Office has _changed_ the zip code there. Of course I haven't lived there in over 15 years, so I didn't know.
All written records from that time period will have the number I remember, not the current. Be careful about assumed constants. One number I use as a password is a former phone number before an area code change.

yoshipodMay 17, 2010 2:15 PM

Q: Pete and RePete are in a boat, Pete falls out, who is left?

A: RePete.

Q: Pete and RePete are in a boat, Pete falls out, who is left?

A: RePete.

Q: Pete and RePete are in a boat, Pete falls out, who is left?

A: RePete.

Q: Pete and RePete are in a boat, Pete falls out, who is left?

A: RePete.

PaulMay 18, 2010 5:53 AM

Q: You're trying to trick me into giving away something. It won't work.

A: IT HAS WORKED! YOU'VE GIVEN EVERYTHING AWAY! I KNOW WHERE THE POISON IS!

PaulMay 18, 2010 5:57 AM

Q: Where is the bomb planted, and what time is it set to go off?

A: It will go off in five minutes in the mechanical room of your call centre.

jerryMay 19, 2010 9:28 AM

Q: This is your security question. What is your answer?
A: Guess.

Q: A bite for your pussy-cat?
A: ...YES, A BITE FOR MY PUSSY-CAT!

GeorgeMay 21, 2010 3:01 PM

For my money, Bumble's are the best so far. I see the best part as being able to force a CSR to say something they shouldn't or don't want to say, where really the answer isn't as much fun as the question they have to read out loud in the call center. I would highly recommend that for full effect, you preface this exercise by declaring you are having a hard time hearing, they should please speak loudly:

Q: My boss has been porking one of my coworkers, what is that person's name?
A: John Doe

Q: How long have you had problems with your genital herpes flaring up?
A: Three years.

Q: How old were you when you lost your virginity?
A: 16

Q: Which erectile dysfunction medication works the best?
A: Cialis, it lasts longer.

Q: When did you first notice your attraction to animals?
A: When I started working at Boeing.

Q: Do you know how many morons I've had to help reset their password, because they were too stupid to remember it?
A: Lots and lots.

Q: Why do you people have to keep calling here and bothering us?
A: Oh sorry

Q: What's the name of the psychological disorder you've been diagnosed with?
A: MPD

Q: What are some tips and tricks for a good foot massage?
A: Warm lotion, strong hands, and a foot bath beforehand.

D.SimmsMay 22, 2010 9:55 AM

As others have given tongue twisters, you could also have,

Q: She sits and slits the sheets all day, all day she sits and slits - but if she sits and slits all day, where are the sheets she slits?
A: Could you repeat that please?

btw, i think the funniest are George's questions above (May 21), especially if you have them read the question _really_ loudly =) lolz =) best belly laughs i've had in a long time =)

D.SimmsMay 22, 2010 10:55 AM

In the spirit of George's modus, where you have the caller read the question really loudly, you could also go with the old stand-bys:

Q: Have you seen Mike Hunt?

Q: Are you Master Baden?

Q: Are you friends with a Harry Balzac?

Q: What is Titicaca?

Q: Do you know a Harry Palmer?

Q: What did James Bond do with Pussy Galore?

Q: If you see Kay, you tell her to go to Helen Diane Croke, ok?

Q: Are you familiar with Dixon Bush?

Q: Would you like to see my peanuts?

answers not provided because any appropriate or inappropriate answer would do... and apologies to anyone who actually has one of the above names

TimJune 2, 2010 3:18 AM

Q: How many light bulbs does it take to screw up a joke?
A: None; it was already wrong.

ThothJune 28, 2010 2:23 AM

Q: What is the elvish word for friend?
A: nilmë
(Tolkien created more than one elvish language.)

FroggyDecember 8, 2010 8:04 PM

Q: What planet are you from?
A: Earth

Q: What is your country maiden name?
A: Great Britain

Q: What is the name of your 31st born?
A: Pretentious

Q: Abort, Retry, Ignore?
A: Microsoft

Q: Does my butt look fat in these pants?
- Noooooooo, not at all, absolutely not!

Q: Rock-paper-scissors-A-bomb?
A: A-bomb

orbDecember 9, 2010 12:50 PM

In fact I tried using the following types of Q/A pairs at one account some time ago, but they got refused with the message that "the question cannot contain the answer":

-What color was Charlemagne's white horse?
-What was Jacob's sons' father's name?

HSeptember 16, 2011 8:09 AM

Q: To be clear: this isn't the actual security question, I'm just asking you if it's okay if I ask you a security question. If you say "yes", I shall go ahead and ask you the question next. Is that okay?
A: Shouldn't you have asked me whether or not you can ask me the question about asking me the question?

Natanael LSeptember 16, 2011 3:49 PM

Q: Why do I even bother reading this stupid question to you and defecate all over my boss' office and kill myself by an overly excessive amount of paper cuts?
A: Because your boss said "sudo answer the customers' calls".

Natanael LSeptember 16, 2011 3:50 PM

MEH! Correction:

Q: Why do I even bother reading this stupid question to you when I could defecate all over my boss' office and kill myself by an overly excessive amount of paper cuts?
A: Because your boss said "sudo answer the customers' calls".

WaelJuly 14, 2012 7:33 PM

Late to the party...

Q: What's the difference between an enzyme and a hormone?
A: You can't hear an enzyme

Two from my childhood:
Q: Can A B C?
A: Yes! A B can C

Q: Why is 10 scared of 7 ?
A: Because 7 8 9

@ Nick P
"Hope you saw Clives reply..."
Yes, I did read his response to you -- I read the whole thread.

Thomas B.August 12, 2012 6:56 AM

Q: Should we even bother with the whole security question thing?
A: Nah, let's skip it.

WaelAugust 12, 2012 1:18 PM

Q- If you are really double-faced, why in the world are you wearing THIS one?
A- The other one looks like you.

Ron DobsonAugust 12, 2012 3:05 PM

Q: Uh, sorry but before I ask the security question could you tell me whether I should wear a short skirt or jeans tonight?
A: I'd be happy to. The antidote is in the freezer.

Q: Okay, the deal is that you haven't set your security question.
A: Tonight at 4pm. No questions asked.

Q: Well, it seems that you've already exceeded your allowed number of tries. We'll see you in court, you lousy conman!
A: I am the shadow reflection of yourself. Prepare to breathe carbon monoxide.

Q: But first I have to report this call to authorities.
A: What is it you want from me, my virginity?
(and hopefully the answer is 'correct')

Q: For the record, I'm not wearing anything.
A: That's ok. I've been doing myself while listening to your beautiful voice.

Q: We've traced you, you cracker bastard. Now we're gonna fry your ass.
A: Good luck, I'm behind 35 proxies!

Q: What is the capital of Mongolia?
A: I am not your enemy!

NavitronAugust 16, 2012 1:14 AM

I'm sure the customer service people would love me :)

Q: KBP'~1=$]A\k]q-'*5M6lP0"h"5~*zU-d^N$u=s5nfWNw0&U65q}a@>6xDWy0-R;

A: !x1/S0%,7PtL%YbfCS!7Q,hd;QPLSbtxig^TtBk\Ox=$~8`I'-PuRANAfSJ*C'Gi

John Q PublicMarch 2, 2013 11:12 AM

I think these would be pretty fun.

Q: I intend to assassinate the president in exactly 5 days, will you join me?

Q: I hereby renounce and deny the existence of god, jesus and the holy spirit and declare satan to be my lord and master.

howard yatesMarch 25, 2014 3:41 PM

Q1 what is the solution to x squared equals minus one?
A1 i-i a mathematician i see

Q2 anagram of anagram?
A2 indian musician

Q3 anagram of disestablishmentarianism?
A3 24

Edward ReidApril 10, 2014 4:25 PM

There's a system, I forget where, that uses a predefined list of words (five-letter words?) and picks several as a passphrase. Of course, this sequence then has to be stored in a password locker, with the regular password. However, it provides value in that it can be used on the phone much more easily than a strong but cryptic password, yet has the potential to be just as secure ... until it's used, at which point you have to change it, since you told it to someone.

Where the institution allows you to pick the question, you could use such a random sequence of words as the question. This provides the institution a way to identify itself to you. This could be useful.

Edward


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.