Forty Useless yet Creepy Security Questions
By Steve Portigal at 3:37 pm, Monday October 10 2011

Inspired by the passionate critiques I read at Authentical, here’s mine. Today, a horrific experience establishing an online account with a State of California website. Although creating a new account is almost an automatic activity at this point, I had to try 5 times to create both a username (which had to have letters and a number, and be between 8 and 12 characters) and a password (which had to have letters both capital and lowercase and a number, etc.) that would work. I’m not sure how that ended up being hard for me, but it did.

But the hysterical part was the security questions. This site required me to set up answers to four security questions. My use case for the security questions is for those situations where I can’t remember which particular configuration of password I used and I need to get a reminder or reset it. Isn’t that everyone’s case? So we need the reminders to be unambiguous. Fact-y type things like the standby Mother’s Maiden Name, or first pet’s name, etc. are pretty common. Obviously, if they are unambiguous, they can be broken. Somewhere someone can find out your first pet’s name. It won’t change. It’s objective.

These questions are much more personal and I suppose thus are less easily divined by an intruder. But the answers are far from immutable. I had absolutely no confidence I could come up with four questions that I would answer the same way 100% of the time. Even if I could fake out my future password-forgetting self by agreeing with him that I would say the Rolling Stones are my favorite band regardless of any wavering in my fandom, I couldn’t successfully negotiate the dialog. What was my dream job as a kid? Well, at one point it was stuntman, then actor, then writer, and I think even director (let’s leave the armchair shrink out of this for now, shall we?). If I put stuntman now, what will I remember when I forget my password?

The Four Questions

[Images of the four sets of security questions from the site are not reproduced here.]

Taking those sets of questions away from the context of the registration process, I find them quite creepy, evoking some intimacy that doesn’t exist between me and the government website, or those Facebook memes cum virii where your friends exhort you to answer a random set of personal questions and then get other people to do the same.

Note: there are some wonderful satirical examples of bad security questions on Twitter under #BankSecurityQuestionsIdLikeToSee.




5 Responses to “Forty Useless yet Creepy Security Questions”

    I had this at work the other day (setting up an internal account). They made me pick SIX questions. So I did the only sane thing that it’s possible to do—took a screenshot of the questions and my answers and put it somewhere obvious.

    Now where did I put it, exactly? Hmm.

    Comment by Martin Polley 10.11.11 @ 12:31 am


      Yeah, that’s a pretty good workaround. Six questions? Crazy.

      Comment by Steve Portigal 10.11.11 @ 8:09 am


    Oh, I can relate!! I’ve wasted hours on this stuff. I can’t even get my first car right – did I abbreviate it? Capitalize it? Use the nickname all my friends in high school gave it?? Same with my high school. Did I spell it out? Use the acronym? Sigh.

    Comment by Julie 10.11.11 @ 8:39 am


    The height of absurdity! The “or” questions are particularly befuddling – my favorite hang-out in high school or college? I already struggle with the simpler yet still highly-mutable versions of this such as the “Name of the street you grew up on.” Do I say Flamingo, or Flamingo Lane? “High school mascot?” Redwings or Benet Redwings? The above questions fall into the category of just-because-you-can-doesn’t-mean-you-should (like some of the nutty, pointless elevator designs we wrote about!)

    Comment by Julie Norvaisas 10.11.11 @ 9:42 am


      Julie and Julie clarify this nicely – first you have to be consistent with the fact itself (where favorite might change depending on how you interpret the question) and you then have to be consistent with how you represent the answer. The questions have become more chatty and personal but in fact are still just doing exact text matching. The idea of a password is one we understand as exact, even learning that lowercase and uppercase are different, but a narrative fact about ourselves is not one that we consider the representation. Flamingo, Flamingo Ln. and Flamingo Lane are all the same fact of the nature they are asking about. So it’s an even worse cognitive mismatch.

      Comment by Steve Portigal 10.11.11 @ 9:50 am
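The last comment makes a point worth seeing in code: the site compares a chatty, narrative answer with exact text matching, so “Flamingo”, “Flamingo Ln.” and “Flamingo Lane” fail against each other even though they are one fact. The snippet below is an added illustration written for this page; it is not code from the original post, nor from the State of California site it describes. It normalizes an answer (Unicode normalization, case folding, punctuation and whitespace stripped, a trailing street suffix dropped) before hashing it with a salted, slow hash. The suffix table, the PBKDF2 parameters and the sample answers are all assumptions made up for the example. Note what normalization does and does not fix: it collapses representation differences, but it cannot reconcile “Redwings” with “Benet Redwings”, because that is a difference in the fact itself, and every variant it accepts shrinks an answer space that was already small.

```python
"""Normalize security-question answers before comparing them.

Added example for this page, not code from the original post or the site it
describes. Suffix table, hash parameters and sample answers are assumptions.
"""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Hypothetical suffix table for the "street you grew up on" example.
STREET_SUFFIXES = {
    "ln", "lane", "st", "street", "ave", "avenue", "rd", "road",
    "dr", "drive", "blvd", "boulevard", "ct", "court",
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so representation differences collapse.

    NFKC unifies Unicode forms, casefold() handles case, punctuation becomes
    whitespace, runs of whitespace collapse, and a trailing street suffix is
    dropped. "Flamingo", "Flamingo Ln." and "Flamingo Lane" all become
    "flamingo". Differences in the fact itself are left alone.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)  # punctuation -> space
    tokens = text.split()
    if len(tokens) > 1 and tokens[-1] in STREET_SUFFIXES:
        tokens = tokens[:-1]
    return " ".join(tokens)


def enroll(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the normalized answer as a salted PBKDF2-HMAC-SHA256 digest.

    Answers are low-entropy secrets, so they get the same treatment as a
    password: random salt, slow hash, never stored in the clear.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Normalize the submitted answer and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


def accepted_variants(enrolled: str, attempts) -> list:
    """Return which constructed attempts would be accepted for an enrolled answer."""
    salt, digest = enroll(enrolled)
    return [a for a in attempts if verify(a, salt, digest)]


if __name__ == "__main__":
    # Constructed sample input echoing the comments above.
    print(accepted_variants("Flamingo Lane",
                            ["flamingo", "FLAMINGO LN.", "Flamingo Drive", "Flamingo Lane "]))
    print(accepted_variants("Redwings", ["redwings", "Benet Redwings"]))
```

The point of the last call is the one the comment makes: normalization turns “Redwings” and “REDWINGS” into the same answer, but nothing in the comparison layer can guess that “Benet Redwings” was meant to be the same mascot. That has to be solved by asking a question with one obvious representation, or by not using free-text personal facts as a recovery secret at all.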