
Why my mother’s maiden name is nonsense - mintone
http://www.technicalchops.com/blog/why-my-mothers-maiden-name-is-nonsense-and-yours-should-be-too/
======
tzs
For sites that let you make up both the question and the answer, Bruce
Schneier has suggested having some fun with it [1] to make your conversations
with support more amusing. Examples:

Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a
plague of men.

A: Go forth, and kill. Zardoz has spoken.

Q: What the hell is your fucking problem, sir?

A: This is completely inappropriate and I'd like to speak to your supervisor.

Q: I've been embezzling hundreds of thousands of dollars from my employer, and
I don't care who knows it.

A: It's a good thing they're recording this call, because I'm going to have to
report you.

While you don't have as much flexibility when you do not get to write the
question, I'm sure there are still plenty of amusing answers you could pick.

[1]
[https://www.schneier.com/blog/archives/2010/04/fun_with_secr...](https://www.schneier.com/blog/archives/2010/04/fun_with_secret.html)

~~~
darkr
This is all well and good until you call your bank, and taking a look in your
password database you discover that your first pet's name is Adolf Hitler.

The conversation that follows becomes somewhat awkward..

~~~
tzs
Adolf Hitler can certainly be an interesting answer to certain questions. He
got me out of being on a jury once (although I wasn't _trying_ to get out).

I was called to jury duty in Pasadena, California.

One of the panels I was on was for a drug case. The prosecutor was a 30-ish
white woman. The defense attorney was a 40-50 or so white man who had a
ponytail and beard, and gave off an ex-hippy vibe. The defendant was a black
man probably in his early to mid 20's.

One of the questions the prosecutor asked the panel members was something
like, "If aliens from space landed on Earth, and asked you to explain our drug
problem to them, what would you tell them?".

A major component of my answer was something along the lines of most of the
problem is self-inflicted due to stupid laws that make drugs like alcohol and
tobacco legal, but make drugs like marijuana illegal even though it is at
worst as bad as alcohol. Furthermore, I said I'd tell the aliens that because
we outright lie to children about this, not really distinguishing between
marijuana and other drugs that can be used safely and responsibly and drugs
that actually are very very harmful and dangerous like heroin, when those
children discover that we lied about marijuana they are naturally going to
assume we lied about heroin too.

I pretty much accused her and people like her of being part of the problem
(and remember, this is in open court). She tried to debate with me for a while
and then moved on.

(I did say, when asked if I could vote to convict if the evidence proved
beyond a reasonable doubt that the defendant violated the law, that I could
even if the law was as stupid as the one being charged here).

I was sure I'd be her #1 target for her first peremptory challenge.

Oh, I, like the defense attorney, had a long ponytail and a beard, and looked
like an ex-hippy. Actually, not so ex...I was also wearing a rather loud tie
dyed t-shirt. I basically looked like someone who was probably missing his
afternoon joint by being stuck in court.

Then the defense attorney asked his questions. One of his was if you could
have dinner that evening with anyone you wanted, from the present or past,
living or now dead, who would you pick? (The purpose of a question like this,
which does not seem to have anything to do with the case at hand, is to try to
get to know more about the prospective juror. There are many possible
arguments that a lawyer might raise at trial, but he does not have time for
all of them. He's got to pick the ones that work best with the particular jury
he has, and to do that he has to know something about their personalities).

The half dozen people he asked before me said things like their deceased
mother, or Richard Feynman, or Magic Johnson, and other normal answers like
that. Then he got to me.

"Adolf Hitler".

The potential jurors who were waiting in the spectator area to replace panel
members who were dismissed, and had largely been nodding off in the hot
Pasadena summer heat, snapped to attention. There were a few gasps.

The attorney asked why. I explained that almost everyone breaks the law now
and then, on purpose. I myself, I said, had purposefully exceeded the speed
limit that morning in order to get to court at the appointed time. We all have
a couple lines we do not cross, though. One is where the punishment if we get
caught is too big, and the other is where we think the crime is too evil for
us to commit. I'll speed occasionally because I'm willing to accept a ticket
every few years, and I don't feel I'm being evil. Some people are willing to
accept bigger punishment or are sure they won't get caught, and some people
have a higher bar for evil.

Hitler's lines were so far out they were off the map. He killed millions. And
he apparently either did not fear punishment or was confident that he would
not get caught. And he almost succeeded.

Even stranger, he convinced a hell of a lot of Germans who had seemed to be
normal, decent people to go along with him! How? Did he have supernatural
charisma? Did he have some kind of compelling logical argument that could
convince people that what he was doing was sane and rational?

Someone so clearly evil, yet so massively persuasive, would certainly be a
very very interesting dinner companion for an evening.

After the questioning was done, the lawyers got to make their peremptory
challenges. To my surprise, the prosecutor was not throwing me off the panel.
As they alternated, first the prosecutor then the defense attorney using their
challenges, it got down to the final challenge, which belonged to the defense
attorney.

He used it to get rid of me.

I suspect that the Hitler answer had something to do with it. (Although it
could be that since I had a math degree from Caltech and was working as a
software engineer, he might have thought that I would not be swayed by
emotional arguments and would just relentlessly apply the law--even though I
had said the law was stupid--to the facts and convict).

~~~
developer2
> stupid laws that make drugs like alcohol and tobacco legal, but make drugs
> like marijuana illegal

> I explained that almost everyone breaks the law now and then, on purpose.

Forget the Hitler thing, which doesn't really affect your judgement. I'm
surprised the prosecution didn't dismiss you for statements like these. While
you did say you'd convict based on the law, you're clearly sympathetic to
people being tried for bullshit - which the prosecution obviously doesn't
want.

Either way, no jury for you. :)

~~~
dennisgorelik
Do not forget that what is bad for defense attorney is good for prosecutor.

~~~
developer2
Not sure how this would be bad for the defense and good for the prosecution?

Defense attorneys would appreciate jury members refusing to convict their
clients for ridiculous laws. I imagine every defense out there would
absolutely love to have the possibility of jury nullification laid out on the
table.

------
tnash
Here's what I do: random long strings as answers for each question, and save
them with the credentials in KeePass. That way I keep track of each one, and
they can't be used against me.

~~~
zorked
May you never have to call someone to give them your mother's maiden name to
unlock your account.

~~~
daveguy
That works out pretty well with a "just tell me when you've heard enough" j q
r p z v ! ? / b ... They usually say enough about 8-10 chars in and it really
isn't that difficult to read off 8-10 chars.

------
ComputerGuru
I blogged about this last year; the sad reality is that the security of these
"security questions" are _more_ important than that of your password since
they can be used to reset both your password for this site and everywhere else
(as well as gain access to your bank, obtain credit cards in your ID, and
more).

We need to obscure these in the database. You can't risk losing your ID
entirely just because some random site didn't bother securing these details
and fixated solely on "best practices" for password storage in the DB.

[https://neosmart.net/blog/2015/never-store-answers-to-security-questions-in-plain-text/](https://neosmart.net/blog/2015/never-store-answers-to-security-questions-in-plain-text/)
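
An added example (not code from the post or from the linked blog) of what "obscure these in the database" looks like in practice: the answer is normalized before hashing, so that hyphens, spaces, case and Unicode form do not break later verification (the hyphenated-surname problem raised elsewhere in this thread), and then stored with a per-record salt under a slow hash, exactly as a password would be. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are this example's own choices, not anything the article prescribes.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # assumed cost parameter; tune to your hardware budget


def normalize_answer(answer: str) -> str:
    """Canonicalize a security-question answer before hashing.

    "O'Brien-Smith", "obrien smith" and "OBRIENSMITH" all become "obriensmith",
    so a backend that drops or rewrites hyphens cannot lock the user out later.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def hash_answer(answer: str, salt: bytes = b"") -> str:
    """Return a self-describing record: pbkdf2_sha256$iter$salt_hex$hash_hex."""
    if not salt:
        salt = os.urandom(16)  # fresh random salt per stored answer
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, ITERATIONS, dklen=32
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode(),
        bytes.fromhex(salt_hex),
        int(iterations),
        dklen=32,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Constructed sample: what gets written to the database for one user.
    record = hash_answer("O'Brien-Smith")
    print(record)
    print(verify_answer("obrien smith", record))  # True
    print(verify_answer("obrien", record))        # False
```

Storing only the record means a dump of the users table yields no reusable answers, and because the normalization happens on both the write and the verify path, the "was the hyphen removed or replaced?" guessing game disappears.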

------
cballard
This question is also misogynist. My mother does not have a "maiden name" she
has a "last name", which has always been the same. It's not the 1950s, women
don't have to subjugate themselves to their husbands name anymore.

Oh, and gay people exist. Get with the times.

~~~
msellout
And many countries have never had the culture of changing family names on
marriage.

~~~
AnimalMuppet
No. But in those countries, one's mother still had a family name at birth that
is different from one's own (in almost all cases), whether she changed it at
marriage or not.

~~~
msellout
And therefore one's mother's last name is even more public than a "maiden
name".

------
notahacker
Other security questions are often even worse. "What high school did you
attend?", for example, is something many friends and acquaintances will know
and most others can trivially obtain via LinkedIn or Facebook. "Where were you
born?" and "What is the first school you attended?" can be reasonably reliably
guessed from the high school as well.

~~~
amyjess
This is why you lie.

"Where were you born?" "In the fires of Mount Doom."

"What high school did you attend?" "Methamphetamine High"

~~~
saturdayplace
This is a good idea, if you remember to always tell the same lie. Being
required to remember which website I told which lie to can only lead to
trouble.

~~~
PuffinBlue
Just stick the question and its answer in the notes section of your password
manager.

Some password managers will generate a pronounceable string for you too, saves
coming up with anything witty...

~~~
dragonwriter
> Just stick the question and its answer in the notes section of your
> password manager.

Since security questions are typically used for things like password recovery,
you probably shouldn't manage them with the same tool you use to manage
passwords. After all, if you need them, it is likely to indicate a critical
failure of your access to (or your data held in) that tool.

~~~
PuffinBlue
Gotta stop somewhere.

------
thowawy3116
It's helpful to know that on most services the maiden name can be thought of
as a second password. Only on some credit-related services does the answer
actually matter, it seems.

And then there are those of us who have hyphenated surnames, where the maiden
name is there for all to see. I wish my name weren't hyphenated, but I'm stuck
with it. It's always silly when someone asks for maiden name: I've already
given it to you...

Hyphenated names are also longer, making it a perpetual challenge to fit my
name on forms. On standardized tests I was always penalized a minute or more
as I spent time scratching in all of the letters of my name. Then there are
the fields where the hyphen is not allowed, so I have to enter something that
is not my legal name, or even worse are the services that accept the
hyphenated name but then transparently change it for storage on the backend.
This can make verification fun since there's no telling whether the hyphen was
removed, replaced with a space, or some other character entirely. Better hope
that you don't have a limited number of attempts to access something. It
doesn't fit on credit cards either, making the name field of web payment forms
a best guess (I usually put my full name regardless of what is actually on my
card).

Future parents out there: consider expressing your family pride or sense of
nonconformity in a different way. Hyphenated names are a nice gesture, but
they're totally impractical in a world where data entry matters. I'm only
thankful that I don't also have a unicode character in my name...

~~~
emodendroket
What I've always wondered is what happens when two people with hyphenated
names marry.

~~~
AndrewOMartin
They both take the surname which made from the full concatenation of each
original surname with all punctuation stripped, but with a single trailing
space for an unknown reason.

Any offspring have a surname composed entirely of hyphens.

------
stordoff
> I’ve decided to leave the website link out in the interest of discouraging
> abuse of the tool.

I appreciate the sentiment, but I suspect this would be a more powerful demo
if people actually found their own mother's maiden name. Anyone wanting to
abuse it could find it trivially anyway (Google for "type your details below
so we can start tracing your family", and you only get a single result).

I do wonder how complete the site's records are. I can find most of my family,
but it doesn't seem to think I exist.

Edit: seems to be a weird search issue - given name + family name + year of
birth returns multiple people who aren't me (with different given names /
years of birth), but given name + middle name + family name + year of birth
finds my details. Personally not too worried about it, as I use a random name
in place of my mother's maiden name for banks etc., and have recommended to
family that they do the same.

------
emodendroket
One of the most frustrating things is that many banks and other financial
services seem to have the most antiquated security practices (nothing above
twenty characters and no special characters, for instance). It should be the
other way around and yet here we are.

That said, I've mostly seen these used as an in-addition question when you
want to do something like reset your password. Who's out there using these
security questions as the primary mode of authentication?

~~~
lallysingh
They value stability highly. So they often go with mainframes and software
that was written in decades past. When the software was written, that stuff
was often pretty good.

~~~
emodendroket
Sure; I don't want my bank getting too creative either, but that surely has to
be balanced with security.

------
kazinator
> _Inevitably, I quite consistently can’t remember the word for each service –
> a fact that surprised this particular rep, “How do you forget your Mother’s
> maiden name?”._

The rep is _looking_ at the string that you gave them as your maiden's name
(so that he or she can compare that with whatever you utter), and what's on
the screen is obviously not anyone's maiden's name, being "nonsense", and all.

These jobs don't always go to the brightest bulbs in the chandelier, do they.

Gee, how on God's green Earth could anyone forget that your mother's maiden
name is Z3xYFrd9.

It's rude too, implying that the customer is incredibly forgetful; in a
customer service role, we should refrain from making such a comment even if
the string does look like a viable maiden name.

Even some harmless, utterly non-sarcastic comment about anything could be
taken the wrong way or take a surprising direction.

"Nice tattoo, where did you get that done?"

"It's a birthmark, which made me the target of bullying throughout elementary
school."

Oops!

------
jakub_g
Talking about password recovery: Google has an interesting attitude. I
recently lost the password to a dev account on Gmail I had created a few weeks
earlier, so I had to reset it.

I went through a process in which they asked questions "when more or less was
account created", "when did you last log in successfully", "what last password
do you remember", "what google services did you use with this account" etc.
which, mixed with some other data they possess (I believe), like IP addresses,
made me successfully recover the account without any "maiden name" questions.

~~~
cballard
All of those seem fine, except for "what last password do you remember", which
is horrifying.

~~~
Diederich
Why? I suspect that just means that they keep the various versions of your
hashed password. Some regulatory requirements mandate that passwords not be
re-used for a period of time; that would be enforced the same way.

~~~
Nadya
You're thinking of the wrong attack vector/issue with this.

Imagine your account was compromised. You reclaim your account. The previous
cracker _recovers your account from you_ because they knew your previous
password and went through the recovery process.

The above happens more often than you might think.

------
mhurron
This really is a retelling of the advice 'Your passwords should not be
something that could be guessed by knowing just a little bit about you.'

------
AstroJetson
This isn't news, I've done this for decades. I have a fake family that I use
for Mom, pet's name, father's birthplace, etc. But unlike the OP, I only have
one fake family to track.

It's not hard to do, just pretend you are an undercover KGB agent. Alternate
plan is to just rotate family by one, so Dad moves to Mom, Mom moves to older
sibling, etc and the pet rolls to the top (Dad).

------
xlayn
I had a related issue with this kind of security measures:

I can't remember them afterwards... Is your favorite book "ABC" or "A B C"?
First car: Nissan Fairlady or 350Z?

So what I do is take the question, put it in an email with the key, and put
the key into a password generator [0] that creates the answer with a master
key only you know.

[0] Password generator pro, FOSS, grab it on FDroid
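
The approach described above, deriving each answer from a master secret plus the site and question, as an added example (not the commenter's code and not the Password Generator Pro app it refers to): the answer is `HMAC-SHA256(master, site + question)` encoded as alternating consonant/vowel syllables so it can be read to a phone agent, which also ties in with the pronounceable-string suggestion earlier in the thread. Alphabet, syllable count and the question-canonicalization rule are this example's assumptions.

```python
import hashlib
import hmac

# Small alphabets so every syllable is unambiguous when spoken aloud.
CONSONANTS = "bdfgkmnprstvz"  # 13 choices
VOWELS = "aeiou"              # 5 choices


def canonical_label(site: str, question: str) -> str:
    """Normalize so 'Favorite book?' and ' favorite  BOOK ' yield one label."""
    site_part = site.strip().lower()
    question_part = " ".join(question.lower().split()).rstrip("?")
    return f"{site_part}\n{question_part}"


def derive_answer(master_key: str, site: str, question: str, syllables: int = 8) -> str:
    """Deterministic, per-site answer: same inputs always give the same string.

    Each syllable draws one of 13*5 = 65 combinations (about 6 bits), so the
    default 8 syllables carry roughly 48 bits, far more than any real surname.
    """
    label = canonical_label(site, question).encode()
    digest = hmac.new(master_key.encode(), label, hashlib.sha256).digest()
    stream = int.from_bytes(digest, "big")  # 256 bits; 8 syllables use ~48
    out = []
    for _ in range(syllables):
        out.append(CONSONANTS[stream % len(CONSONANTS)])
        stream //= len(CONSONANTS)
        out.append(VOWELS[stream % len(VOWELS)])
        stream //= len(VOWELS)
    return "".join(out).capitalize()


if __name__ == "__main__":
    # Constructed sample inputs; the master key is the only thing to remember.
    master = "correct horse battery staple"
    print(derive_answer(master, "examplebank.test", "Mother's maiden name?"))
    print(derive_answer(master, "otherbank.test", "Mother's maiden name?"))
```

Because nothing but the master key needs to be stored, this sidesteps the objection raised later in the thread about keeping recovery answers inside the same password manager whose loss triggers the recovery; the trade-off is that the master key itself now has to be protected as carefully as any password.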

~~~
ajford
I generate random answers that fit the question (i.e. best friend: Steven
Austin, 1st Car: Hummer H3) and store them in Last Pass (or Keepass). Can use
password generator too.

------
Nadya
Worse is that these answers are stored often in plaintext because they aren't
the user's "password". I'd argue having them _at all_ puts one at greater risk
of being hacked.

What I'll never understand is why I can answer these questions with 64-128
characters (typically) but my password is limited to 16-32 characters.

------
makecheck
I’m not sure which is worse, that so many sites require “security” questions
(emphasis on the quotation marks) or that the questions are frequently paired
with asinine password restrictions that prevent the construction of a strong-
enough password in the first place.

------
amyjess
It's particularly dangerous for people who actually use their mother's maiden
names.

Some people were born to unknown fathers, and some people deliberately changed
their names to their mothers' maiden names later in life.

------
m3andros
The site in question is:
[http://www.genesreunited.co.uk/discover/index?stage=1](http://www.genesreunited.co.uk/discover/index?stage=1)

------
Chefkoochooloo
I thought this to be really interesting. I found this article making good
points and it is incredible that the maiden name is more important that the
password itself. Seems backwards in my opinion.

------
chei0aiV
Just use a diceware password for both the questions and the answers, like you do
for your actual passwords.

------
gonyea
Personally, I wouldn't give up the name Mrs. Nonsense.

