

Ask HN: Do security questions on a user account actually add security? - aptsurdist

I'm not a security expert, but I just can't see how adding security questions to an online account on top of a password is anything but a nuisance that just weakens security.  Especially when most answers to these questions are just names or single words that are easily researchable online.  Why is there so much expert advice on strong passwords, yet the industry doesn't condemn security questions?  What am I missing?  Am I just wrong here, or should there be a clear message to just get rid of them?  I hate it when sites make me add security questions to my account; isn't it so much better to just let me reset a forgotten password through my email?</rant>
======
theDoug
We've gotten rid of ours and replaced it with a token/reset system (online)
and human verification when the online methods can't be validated. We have 80+
years of customers, and many will never be comfortable with online
verification.

One of the arguments used against keeping 'security' questions was one of
asking if the fields had any business or even marketing purpose, if not
security. We all know how easy it is to find out someone's mother's maiden
name or high school, and letting someone set their own questions and answers
isn't much better. "Do we need to keep a database of 900,000 people's favorite
color to be more secure?" was a good thought to start the meme.

The security questions were doing us no favours and helped bring our 43-field
registration system down to three fields (email, password, membership number).
Users are then sent a token via the email, and don't exist in the online
system until the token is redeemed. Resets work the same way, disallowing
access to the site until the reset token is used, with Devise (Rails).
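
An added illustration of the flow theDoug describes above (three-field registration, an emailed token, no live account until the token is redeemed, and a reset that locks the account until the reset token is used). This is example code written for this page, not theDoug's system and not Devise; it is in Ruby because the post mentions Rails. The module names, the in-memory stores, the one-hour token lifetime and the sample addresses are all assumptions.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Added example (not theDoug's code and not Devise). Module names, the in-memory
# stores, the one-hour token lifetime and the sample addresses are assumptions.

OUTBOX = [] # stands in for the mail system: [recipient, body] pairs

# Salted PBKDF2-HMAC-SHA256 password storage with a constant-time check.
module Passwords
  ITERATIONS = 20_000
  def self.derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: 'sha256')
  end
  def self.digest(password)
    salt = SecureRandom.random_bytes(16)
    [salt, derive(password, salt)].map { |b| [b].pack('m0') }.join('$')
  end
  def self.verify(stored, password)
    salt, key = stored.split('$', 2).map { |s| s.unpack1('m0') }
    secure_compare(derive(password, salt), key)
  end
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end
end

# Emailed tokens: only the SHA-256 of the token is stored, so a leaked table
# yields nothing usable; each token is single use, purpose-bound and expires.
module TokenStore
  TTL = 60 * 60
  @entries = {} # SHA-256(token) => { purpose:, payload:, expires: }
  def self.issue(purpose, payload, now = Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @entries[Digest::SHA256.hexdigest(raw)] =
      { purpose: purpose, payload: payload, expires: now + TTL }
    raw # goes into the email and is never stored
  end
  # Deleted on first presentation whether or not it validates. Lookup by hash
  # avoids a secret-dependent comparison; 256 random bits are not guessable.
  def self.redeem(raw, purpose, now = Time.now)
    entry = @entries.delete(Digest::SHA256.hexdigest(raw.to_s))
    return nil if entry.nil? || entry[:purpose] != purpose || now > entry[:expires]
    entry[:payload]
  end
end

module Accounts
  @accounts = {} # email => { membership_number:, password_digest:, locked: }
  # Three fields in; the account does not exist until the token is redeemed.
  def self.register(email, password, membership_number)
    pending = { membership_number: membership_number,
                password_digest: Passwords.digest(password) }
    token = TokenStore.issue(:confirm, [email, pending])
    OUTBOX << [email, "Confirm your account: #{token}"]
    token # returned only so the example can play the user clicking the link
  end
  def self.confirm(token)
    email, pending = TokenStore.redeem(token, :confirm)
    return false if email.nil?
    @accounts[email] = pending.merge(locked: false)
    true
  end
  # A reset locks the account until the emailed token sets a new password.
  def self.request_reset(email)
    acct = @accounts[email]
    return nil if acct.nil? # real code: same response either way (no enumeration)
    acct[:locked] = true
    token = TokenStore.issue(:reset, email)
    OUTBOX << [email, "Reset your password: #{token}"]
    token
  end
  def self.complete_reset(token, new_password)
    email = TokenStore.redeem(token, :reset)
    return false if email.nil?
    @accounts[email].merge!(password_digest: Passwords.digest(new_password), locked: false)
    true
  end
  def self.login(email, password)
    acct = @accounts[email]
    return false if acct.nil? || acct[:locked]
    Passwords.verify(acct[:password_digest], password)
  end
end

if __FILE__ == $PROGRAM_NAME
  t = Accounts.register('alice@example.com', 'correct horse', 'M-1001')
  puts "before confirm: #{Accounts.login('alice@example.com', 'correct horse')}" # false
  Accounts.confirm(t)
  puts "after confirm:  #{Accounts.login('alice@example.com', 'correct horse')}" # true
  r = Accounts.request_reset('alice@example.com')
  puts "reset pending:  #{Accounts.login('alice@example.com', 'correct horse')}" # false
  Accounts.complete_reset(r, 'battery staple')
  puts "new password:   #{Accounts.login('alice@example.com', 'battery staple')}" # true
end
```

The points worth copying are that the database never holds a usable token (only its hash), that a token is consumed on first presentation whether or not it validates, and that a confirmation token cannot be replayed as a reset token because purpose is checked on redemption. One caveat on the lock-on-request behaviour the post describes: anyone who knows an address can lock that account until its owner reads the email, which is a deliberate trade-off and should be paired with rate limiting on token issuance. A real deployment also persists the store, sends the token as a link, and gives the same response whether or not the address is registered.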

------
iwwr
A PIN, entered through a mouse-click keyboard (with randomized key
order) is an interesting anti-keylogger measure I've found so far.

~~~
duskwuff
Less effective than you'd hope, though. A lot of software keyloggers support
taking a screenshot surrounding the cursor when the user clicks.

