Essays Tagged "ComputerWeekly"

Secret Questions Blow a Hole in Security

  • Bruce Schneier
  • ComputerWeekly
  • April 4, 2008

It’s a mystery to me why websites think “secret questions” are a good idea. We sign up for an online service, choose a hard-to-guess (and equally hard-to-remember) password, and are then presented with a “secret question” to answer.

Twenty years ago, there was just one secret question: what’s your mother’s maiden name? Today, there are several: what street did you grow up on? what’s the name of your favorite teacher? what’s your favorite colour? Often, you get to choose.

The idea is to give customers a backup password. If you forget your password, then the secret question is a way to verify your identity. It’s a great idea from a customer service perspective – users are less likely to forget their first pet’s name than some random password – but terrible for security…