Security questions

[shewhomust]

I've just activated a new on-line savings account. I've never been asked to set up so many security checks: a memorable date, a memorable place, a memorable person, a memorable book or film, not to mention a memorable question and answer - and of course when I'm asked to think of these things, my mind goes blank.

The book or film gave the most trouble. It wasn't actually hard to think of a book, because what could be more memorable than a book that is dedicated to me (I have to share it with durham_rambler)? Only the system didn't like it; it told me sternly that the title could contain only letters and numbers, and must not contain the words 'book' or 'film' (I don't think I used the apostrophe...) My first choice of memorable film was too long (the title, not the film, although actually...). Third time lucky.

Now all I have to do is remember all these memorable things.

Comments

[anef.livejournal.com]

I'm pretty sure I have that account. I wrote all those things down. That doesn't make me a bad person, does it?

[cellio]

For me, security questions fall into two groups: the ones that are insufficiently private (mother's maiden name? I'm sure you can get that in 30 seconds... fortunately, I lie in that case), and the ones that are so lame I don't have an answer (favorite food? you really think it'll be the same next week?). It is a rare, rare site that lets me write my own.

I've been trying to come up with a transformation scheme that I can do in my head that would be sufficiently secure, that I could apply to the question itself to yield my answer. It doesn't have to make sense, after all; I just have to be able to generate it. If I say my mother's maiden name is ARdajs31#, that should be no concern of the bank's, right?

[shewhomust.livejournal.com]

As with health advice, I suspect much of this security rigmarole is about deniability; the banks know we won't be able to comply with their instructions, and when things go wrong it will be our fault (http://shewhomust.livejournal.com/129371.html).

[shewhomust.livejournal.com]

That's very clever; could you generate a different key term for each bank (or whoever) that asked the same question?

[durham-rambler.livejournal.com]

(For all you Tom Lehrer fans out there):
The 3 is silent, right? As in Hen3ry?

[durham-rambler.livejournal.com]

Why do banks continue to ask Mother's maiden name? given that many mothers do not have a husband whose surname they could take if they were so minded? (Over 50% of the children born in Sunderland are to unmarried mothers.)

[cellio]

Sure -- your mom's maiden name may as well be DollarBank!jdahr35, right? :-)

[shewhomust.livejournal.com]

How did you guess?

But what I meant was, would your scheme allow me to take my mother's (actual) maiden name, apply the appropriate and obvious key for that service, and come up with a unique answer?

[cellio]

Well, at a minimum, DollarBankSmith has to be more secure than Smith, right? From there, if you wanted you could do something like shift the whole thing one letter (CnkkzqAzmjRlhsg), but that's hard to do on the fly and especially if you have to answer these questions verbally (like on the phone). Or you could distill the institution down to initials and render as numbers, so (e.g.) DB -> 42 -> Smith42. (But in both cases, watch out for institutions that get acquired and renamed...) Whatever you do, so long as you consistently use (and can remember) a pattern, you can improve on using publicly-available information.

[shewhomust.livejournal.com]

Ah, sorry, I see what you mean - I was being stupidly literal minded, and failing to Insert Name Here, so to speak. Yes, clever, that'd do it.

Particularly as they do issue stern warnings against using the same password for everything...