Resolutions to shake laziness, get organized and gain control of finances are ritually adopted each January and abandoned soon after. But there’s one common bad habit that consumers and billion-dollar businesses alike should have quit long ago and can’t afford to carry into 2018: the use of weak website security questions.
Your mother’s maiden name is not a secret. This should be obvious, yet this question and similarly flawed questions continue to be asked of us when we forget a password or log in from a new computer. Website security questions have been around since the dawn of the web but became ubiquitous after a 2005 recommendation by the Federal Financial Institutions Examination Council that banks improve their security measures for online banking. The council did not specify what these improvements should be, and so banks chose security questions, something they had been using offline for decades anyway — the mother’s maiden name convention dates to 1882. Other types of businesses, perhaps assuming that the banks knew what they were doing, followed suit.
Security questions are astonishingly insecure: The answers to many of them are easily researched or guessed, yet they can be the sole barrier to someone gaining access to your account. The cryptology and security expert Bruce Schneier once described them as an “easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password.”
Still, this technology has persisted despite the availability of two-factor authentication, and on sites that we use frequently and that contain important, sensitive data — Facebook, Amazon, eBay, PayPal and many banks and airlines.
There has been no shortage of incidents demonstrating these questions’ vulnerabilities. In 2005, Paris Hilton’s T-Mobile account was hacked by a teenager who, like anyone who searched “Paris Hilton Chihuahua” on the internet, knew the answer to “What’s your favorite pet’s name?” In 2008, Sarah Palin’s Yahoo account was hacked by a college student who reset her password using her birth date, ZIP code and the place where she met her spouse. In 2014, after nude photos of several Hollywood actresses were leaked, Apple reported that their iCloud accounts had been hacked through “a very targeted attack on user names, passwords and security questions.”