
Ask HN: Why do so many companies use public information for security questions? - jacobwilliamroy
"What was the first school you attended?"
"What is your spouse's maiden name?"

These things can (usually) be retrieved just by asking the government to provide public records.
======
gry
In 2005, Bruce Schneier noted the purpose is to provide a fallback password[1]
if the primary password was forgotten, but the reality is, security questions
are a much less secure protocol than passwords themselves.

While on a personal level you can fix this by using a password manager and
generating another random string as an answer, other cute and terrible
implementations like United[2] (calling you guys out) obliterate it, making
yet another, terrible, horrible, no-good secondary protocol.

Why companies use them is because the Powers That Be(TM) _believe_ it to be a
secure protocol. They localize the problem to themselves and since they
haven't been exposed using their mother's maiden name, it's good enough. Also,
everybody else uses security questions, even our competitors, so we have to be
at least as secure as them, right? The key phrase is "at least". Then you are
equivalent in policy and protocol; certainly not more secure. :D

[1] https://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

[2] https://www.united.com/ual/en/us/account/enroll/default

~~~
zhte415
Many years ago as a teenager I was opening my first bank account.

Mother's maiden name was one of the fields. This seemed intrinsically
insecure. So I filled out 'banana' and made a mental note. The bank actually
called home, I was not home, said the field hadn't been filled out, and
requested the information from a family member.

I was stunned.

~~~
himlion
Those "mental notes" always work really well for me when I lose my bank password
5 years later and try to restore the account.

~~~
zhte415
Me too. For things like passwords, you can cycle them. For fields like maiden
name, you can't.

------
marcus_holmes
I went into my insurance provider to talk to them. The nice lady asked me for
my name, address, date of birth as proof of identity.

I said "no need, I have my driver's licence on me which has my photo and is
much better proof of identity".

She refused to even look at my driver's licence, and insisted on me giving
them three pieces of publicly available information to "prove" my identity.
She got quite hostile about it.

I don't understand why this is a thing that companies do. But it clearly is.

------
5555624
Why answer them with accurate information in the first place? It's not like
the company is going to check and see if you gave the "correct" answers. The
answer is whatever you provided the first time. As long as you remember the
answers you gave them, you're okay. (Recently, I did come across a site where
the four security questions could not have the same answer, so someone figured
out not everyone answers them accurately.)

------
lgas
Most people have no idea about security at all. Most developers, product
managers, etc are part of most people.

------
x0x0
Easy, cheap, and scalable.

There really is, as far as I know, no way to cheaply verify the identity of
millions of people, particularly over the internet or the phone. These
questions don't actually do that, but they probably put up a good enough show
for regulators and the law. At the end of the day, that's all these companies
want.

Also, credit card companies are incompetent. I've had many variations of my
name on my credit reports. Infuriatingly, one of them is (my first name) NULL
(my last name). The credit reporting agencies refuse to remove it because some
creditor keeps reporting it. They also refuse to tell me _which_ creditor.

------
godot
In many cases, some of these answers can even be googled for fairly easily. In
other cases, like "What was the first car you had", can be guessed randomly
with a relatively high chance of success (Toyota Corolla or Honda Civic
probably cover a good amount of them).

Some have taken to using random gibberish as the answer to these questions.
Others have pointed out that that's also not great.

What really would be good security questions? Should security questions as a
concept even be a thing at all?
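
As an added example (not part of this thread or anyone's post in it), the
following Python puts numbers on the two points raised above: gry's suggestion
of letting a password manager generate a random string as the answer, and
godot's observation that a "first car" answer can be guessed from a handful of
candidates. The candidate list is constructed for illustration; the real
distribution is skewed, which only makes the guessable case worse than the
uniform model here. The lockout threshold is a hypothetical policy parameter.

```python
import math
import secrets
import string

# Constructed sample: a short list of plausible "first car" answers standing in
# for the "Toyota Corolla or Honda Civic" point. Real answers are more skewed,
# so a uniform model understates how guessable they are.
COMMON_FIRST_CARS = ["Toyota Corolla", "Honda Civic", "Ford Focus", "Honda Accord"]

ANSWER_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_answer(length: int = 24, alphabet: str = ANSWER_ALPHABET) -> str:
    """Generate an answer the way a password manager would: drawn from the OS
    CSPRNG via `secrets`, never `random`. It need not be memorable, only stored
    in the manager next to the account."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uniform_entropy_bits(n_candidates: int) -> float:
    """Entropy of an answer chosen uniformly from n_candidates possibilities."""
    if n_candidates < 1:
        raise ValueError("need at least one candidate")
    return math.log2(n_candidates)


def random_answer_entropy_bits(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Entropy of a random answer of the given length over the given alphabet."""
    return length * math.log2(alphabet_size)


def exposure_under_lockout(n_candidates: int, attempts_before_lockout: int) -> float:
    """Fraction of accounts whose answer falls within the allowed attempts when
    the answer is uniform over n_candidates and guesses are not repeated.
    A defender uses this to size a lockout threshold for a given answer space."""
    if attempts_before_lockout < 0:
        raise ValueError("attempts must be non-negative")
    return min(1.0, attempts_before_lockout / n_candidates)


def compare_answer_spaces(candidates, random_length: int = 24,
                          attempts_before_lockout: int = 5) -> dict:
    """Side-by-side numbers for a guessable answer set versus a random answer
    of the given length, under a hypothetical lockout after N attempts."""
    random_space = len(ANSWER_ALPHABET) ** random_length
    return {
        "guessable_bits": uniform_entropy_bits(len(candidates)),
        "guessable_exposure": exposure_under_lockout(len(candidates), attempts_before_lockout),
        "random_bits": random_answer_entropy_bits(random_length),
        "random_exposure": exposure_under_lockout(random_space, attempts_before_lockout),
    }


if __name__ == "__main__":
    print("generated answer:", random_answer())
    for key, value in compare_answer_spaces(COMMON_FIRST_CARS).items():
        print(f"{key}: {value:.6g}")
```

With four plausible candidates the question carries 2 bits; a five-attempt
lockout covers the whole space, so the question adds nothing. A 24-character
random answer carries about 143 bits and is effectively immune to online
guessing, which is why the manager-generated answer is the one that actually
works as a fallback secret.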

------
meric
When my bank calls me, they ask for my birthday, name, account number to
verify my ID. I always ask them back, "how do I know you are my bank?". The
caller always gets the idea. "Oh yeah, right!?!" I then tell them thanks for
the call and I'll go to the branch to sort it out.

------
yuhong
It probably made more sense in the olden days of the Internet, before Google
and Facebook for example.

~~~
dragonwriter
No, it didn't. The fundamental reason that it's a bad idea now was just as
true then.

It was a generalization of the "mother's maiden name" confirmation often used
in banking, etc., pre-Internet, but that _also_ had the same problem.

------
maltalex
> Why do so many companies use public information for security questions?

Why do so many companies store passwords in plain text, have an 8-character
password limit and/or don't bother patching their machines?

