Columnist: When did logging in to a website turn into an exercise in self-reflection?
Some of the questions prompt more personal introspection than you expect when buying shoes.
You’re sitting down to some online shopping when the question arises: Who was your childhood best friend?
Well, that’s complicated. Are we talking about elementary school or high school? In junior high, you were close to Debbie. Or what about Jane? You wonder what Jane is up to these days. You look her up on Facebook.
An hour later, you remember the original question. But you’ve forgotten who wanted to know.
When a website requires you to create an account, often you’ll be confronted with a list of security questions. But whatever happened to “what is your mother’s maiden name?”?
That was so simple. And that was the problem.
Anyone can find out your mother’s maiden name using public records. And if the same security question is used by many websites, a breach on one site can spread to the rest, says Mark Burnett, a security consultant and password researcher. Your answer could quickly become a free pass to all your online accounts.
“So companies vary the questions, require more than one question, and let you pick which ones you get," he said. “Someone who wants to break into your account has to know all the answers to all your questions.”
And that’s how you find yourself facing the unanticipated plumbing of your memories – and sometimes even your soul.
What is your favorite childhood book? What food have you always liked? What street did you live on in grade school? What is the model of the car you took your first driver’s test in? How many bones have you broken?
It’s like a cross between a first date and an interrogation. What boundless curiosity, all aimed at you! It could be flattering – why, Amazon, I didn’t know you cared! – only Amazon doesn’t really care. Except about you buying those plat-form sneakers.
Who is your favorite historical character? What is your favorite TV show? The first movie you remember seeing in a theater? When you were young, what did you want to be when you grew up?
The strategy is to make the questions so personal that a hacker won’t be able to answer them. The problem is, sometimes neither can you. Take the name of my first pet, which was actually not a single pet but a herd of six turtles: Go, Go-Go, Go-Go-Go, Slow, Slow-Slow, and Slow-Slow-Slow. You see the problem.
Even seemingly simple questions turn out not to be. How many bones have I broken? Does that include fingers? Toes?
My favorite TV show? Also not simple. On the one hand, The Man from U.N.C.L.E. – duh. But how about all those classics of the 1970s, ’80s, and ’90s – The Mary Tyler Moore Show, St. Elsewhere, Hill Street Blues? How about Seinfeld? And hey, wasn’t Cheers great?
At this point I am on YouTube watching old episodes of Frasier, having forgotten platform sneakers and security questions entirely.
If nostalgic distraction weren’t enough, some of the questions prompt more personal introspection than you expect when buying shoes. “What is your most unique characteristic?” That isn’t a security question, it’s an evening with a good friend and a bottle of pinot grigio.
“What instrument did you play as a child?” I played piano, but not as well as I should have. I have regretted my shortcomings ever since. What pleasure playing better would give me today! Why didn’t I work harder? Why didn’t I learn to read music better? And why did I let my own daughters quit piano lessons? Was I a bad mother for that? Was I a bad mother for other reasons?
Other security questions can be almost too intriguing. “What event – past, present, or future – would you most like to witness?” What a great prompt for a college admission essay.
I was flummoxed by this oddity: “If you needed a new first name, what would it be?” Why would I need a new first name? What was this site implying?
Then there are the lying-awake-at-2-a.m. questions, which of course you love answering when all you’re trying to do is buy shoes. Take this conjurer of existential dread: “What are you most afraid of? ”
Does the site have a couch and charge $150 an hour? Or did it mean to ask what I was afraid of in the context of buying platform sneakers? In which case … twisting my ankle?
The worst part is that all this rummaging through the junk drawer of our memory doesn’t even work.
“It turns out that security questions are not very secure,” says Lorrie Faith Cranor, professor of computer science and engineering and public policy at Carnegie Mellon University and director of its CyLab Usable Privacy and Security Laboratory.
Many answers are things people can easily look up, Cranor says. A hacker can use public records to find out what school you went to, for instance, and the name of its mascot.
“And there isn’t a lot of diversity of answers,” she says. “A favorite sports team – there aren’t that many possibilities. A favorite movie of all time – a lot of people have the same favorite movies. So even if someone hasn’t researched you in particular, they can try the top 10 answers and see if it happens to be one of them.”
“The answers are just too easy to figure out,” agrees Burnett. “I saw one that asked for your favorite color. How many colors are there? And you had to enter at least five characters. That eliminates red and blue.”
What about your favorite football team? “That’s easy to figure out based on where you live,” he says. “Your dog’s name? People aren’t that creative.”
Fraudsters who research you personally can make even better guesses. That question about a favorite old TV show? All you have to know is my age and gender, and your chances are good with The Man from U.N.C.L.E. (Illya!)
Ditto for guessing the first movie you saw in a movie theater. If I know what year you were born and what major movies came out about 10 years later, I’ll have some good leads. “And the questions that are more personal – who was the first person you had a crush on, where did you go on your first plane trip – are things we have trouble remembering ourselves,” Cranor says. “Some of the ‘favorite’ questions – my favorite restaurant, my favorite book – may change next week.”
Burnett protects his accounts by answering security questions not with actual answers, but with the equivalents of strong passwords.
“I put a 10- to 20-character string of random characters in there,” he says. “I use a password manager, LastPass, and it saves it.”
That’s a good strategy. But in any case, we may not be subjected to these personal trivia tests much longer. In the current draft of its guidelines on digital identity, the National Institute of Standards and Technology, a nonregulatory agency of the U.S. Department of Commerce, recommends that websites not use security questions at all.
A better system, Cranor says, is one where you use a phone number or email address to register for a website. If you forget your password, you get a call, email, or text. And for sensitive financial websites or in cases where email or phone accounts have been hacked, she says, companies should – and many already do – use multifactor authentication. This requires you to provide several forms of identification – for instance, a password plus a code the website texts to your phone.
For now, however, we are stuck with regular enforced journeys into our psyches. So even if security questions don’t provide great security, we can appreciate them for other reasons.
Think of them as invitations to engage in introspection – opportunities to mull over “the most cherished item you own that could never be replaced” or whether a fractured hip and pelvis counts as one broken bone or two.
Enjoy them as mental calisthenics, or as permission to do some nostalgia-Googling. Consider them cut-rate, albeit one-sided, shrink sessions.
But don’t get too creative: You still have to come up with your answer the next time you want to buy shoes.
- Barbara Brotman is a freelancer and a former writer for the Chicago Tribune.
• Read more stories from The Rotarian