algorithms for dumb security questions

I share David Weinberger’s irritation with dumb security questions, albeit for slightly different reasons. My irritation stems from the fact that they are often culturally insensitive, require brilliant memories, and assume that favorites don’t change. Maybe I’m not normal, but I have no foggy clue who my 1st grade teacher is, I couldn’t name a single sports team, and my favorite movie changes depending on who I’m talking to let alone how I’m feeling that day. (Today, I think that The Matrix will do.) David gripes about the fact that people’s favorite tastes are quite common; my problem is that we know damn well that people are dreadful at this, but that it works quite nicely as a way of marking identity on online dating sites. Which reminds me. Why are security questions the same as the information that you put on your public MySpace page? Dumb dumb dumb.

So you know that people write down their dumb answers and then lose them and then they’re screwed. I’ve decided to approach this from a different angle. I’ve instituted a consistent tactic for answering stupid security questions. It’s an algorithmic approach. The basic structure is:

[Snarky Bad Attitude Phrase] + [Core Noun Phrase] + [Unique Word]

Although these are not my actual phrases, let’s map them for example:

  • Snarky Bad Attitude Phrase = StupidQuestion
  • Unique Word = Booyah

Thus, when I’m asked the following question: What is your favorite sports team?

My answer would be: StupidQuestion SportsTeam Booyah

And when they ask: What was the first car you owned?

I’d respond: StupidQuestion Car Booyah

It’s easy to remember a snarky bad attitude phrase and a unique word that you use consistently. And then to make sure you’re answering the right question (cuz they do have scripts that check that you’re not answering all questions the same way), you just have to be able to pick out the noun phrase each time.
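The three-part scheme above, written out as code so the derivation is explicit. This is an added illustration, not code from the post: the keyword-to-noun table, the fallback rule for questions it does not know, and the `all_distinct` check (standing in for the site-side script the post mentions that rejects identical answers) are all my assumptions, and the phrases `StupidQuestion` and `Booyah` are the post's own placeholder examples, not anyone's real answers.

```python
import re

# Constructed table mapping a keyword found in the site's question to the
# core noun phrase used in the answer. The question list is hypothetical.
CORE_NOUNS = {
    "sports team": "SportsTeam",
    "first car": "Car",
    "movie": "Movie",
    "teacher": "Teacher",
}


def core_noun_phrase(question: str) -> str:
    """Pick the core noun phrase out of a security question.

    Known keywords come from CORE_NOUNS; for anything else, fall back to the
    last word of the question, capitalised, so the rule still gives one
    deterministic noun per question (assumed fallback, not from the post).
    """
    q = question.lower()
    for keyword, noun in CORE_NOUNS.items():
        if keyword in q:
            return noun
    words = re.findall(r"[a-z]+", q)
    return words[-1].capitalize()


def build_answer(question: str,
                 attitude: str = "StupidQuestion",
                 unique: str = "Booyah") -> str:
    """[Snarky Bad Attitude Phrase] + [Core Noun Phrase] + [Unique Word]."""
    return f"{attitude} {core_noun_phrase(question)} {unique}"


def all_distinct(answers) -> bool:
    """Site-side sanity check: refuse a set of answers that repeat.

    Normalising case and whitespace first means 'Booyah' and 'booyah'
    count as the same answer, which is what such a check should do.
    """
    normalized = [re.sub(r"\s+", " ", a.strip()).lower() for a in answers]
    return len(set(normalized)) == len(normalized)


if __name__ == "__main__":
    questions = [
        "What is your favorite sports team?",
        "What was the first car you owned?",
        "What was the name of your first pet?",
    ]
    answers = [build_answer(q) for q in questions]
    for q, a in zip(questions, answers):
        print(f"{q}\n  -> {a}")
    print("distinct:", all_distinct(answers))
```

Because every answer shares the same two fixed words, the only thing the user has to reconstruct at login time is the noun in the middle, which is exactly the memory load the post is trying to reduce; the per-question noun is also what keeps the answers from tripping a duplicate-answer check.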

Of course, the fact that I have to do this just pisses me off to no end. And I still can’t figure out why they can’t ask me to write my own question, store that in cleartext, encrypt my answer, and then offer me back my cleartext question rather than a stupid list of 8 questions that boggle my mind and remind me of how heterogeneous the world is. I realize that it’s the difference between a byte and a string, but when we’re talking about security, is that really a big deal? Grumble grumble grumble.
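The alternative design described in the last paragraph, as an added example that is not part of the original post: the user writes the question, the site stores that question in cleartext and hands it back at recovery time, and only the answer is protected. One swap from the post's wording: the answer is stored as a salted, slow one-way hash (PBKDF2 from the standard library) rather than encrypted, since the site only ever needs to compare a candidate against it, never to recover it. The normalisation rule (trim, collapse whitespace, case-fold) and the record layout are my assumptions.

```python
import hashlib
import hmac
import os
import re


def _normalize(answer: str) -> str:
    """Make 'The  Matrix ' and 'the matrix' compare equal.

    Assumed rule: a free-text answer is forgiving about case and spacing,
    which is what lets the user-written question work as a memory cue
    rather than an exact-string test.
    """
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def enroll(question: str, answer: str, iterations: int = 100_000) -> dict:
    """Store the user's own question in cleartext and a salted hash of the answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(answer).encode("utf-8"), salt, iterations
    )
    return {
        "question": question,    # cleartext, shown back to the user
        "salt": salt,
        "iterations": iterations,
        "digest": digest,        # one-way; the answer itself is never kept
    }


def recovery_prompt(record: dict) -> str:
    """What the site shows instead of a fixed list of eight questions."""
    return record["question"]


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash over the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        _normalize(candidate).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample enrollment.
    rec = enroll("Which film did I pick on the day I wrote this?", "The Matrix")
    print("prompt:", recovery_prompt(rec))
    print("'the  matrix' ->", verify(rec, "the  matrix"))
    print("'Blade Runner' ->", verify(rec, "Blade Runner"))
```

The stored record is a string for the question and a fixed-width byte string for the digest, which is the "byte versus string" distinction the post refers to; nothing about the comparison gets harder because the question text was chosen by the user.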