Stupid Password Reset Questions

When I was at AOL we fought a constant battle between bad guys and executives who thought that customers should have easy access to their accounts. The bad guys loved “easy to guess” passwords and password reset questions which were used in case a customer forgot their password. One of my projects was to update the reset process for current vulnerabilities. AOL had the last 4-digits of the customers Social Security number. Two problems: a) If you know someone’s age and U.S. birthplace you can figure out the first five digits so the only random part was the last four digits. For an ID thief, this was the part they wanted the most. b) Many states were including partial SS#’s as PII in the definition for “data breach notification.” Other reset questions were easy to guess. If you have to guess someone’s favorite food, it is probably not brussel sprouts (although they are tasty). In five guesses you can probably figure out 98% of the U.S. populations favorite food (donuts, cake, ice cream, etc.).

Websites need to ensure that reset questions are not easy to guess. To shame websites, especially banking and financial institutions, to use reasonable steps to protect our data I am creating a list of real “stupid” password reset questions. Of course if a website asks me for my brothers middle name I’ll say “ju8klw#nq.”

THE QUESTIONS

What color was your first car? Would it be chartreuse or Lavender? How many car colors are there? Who cares if its your first car or your fifth car the color choices are the same.

What year were you born? Until people start living until age 1,000, the choice of birth years is 100 or less. Certainly few babies born last year of using banking sites and most people in the 90’s are unlikely also. The universe of birth years is about 50 numbers. Hackers like those odds.

Bravo to Google for Publicizing Their New Privacy Policy

Whether you like their new policy or not, Google deserves a huge credit for telling their customers about it at every touch. I started Gmail and there was a conspicuous notice to pay attention to their new privacy policy. Same thing when I did a search, used Google Voice, etc. Whether consumers read the summary notice, the full notice , or ignore it is something Google knows but I am glad they are doing it.