We’re all familiar with the traditional “mother’s maiden name” online account security question — one of the first I remember when security questions began to proliferate. To seemingly provide more secure, unguessable options, companies have added others, like “make and model of first car,” “street you lived on in 3rd grade,” and more questions whose answers don’t ever change. Of course, we also see examples of bad questions that DO change over time. These are mainly “favorites” types of questions: “favorite actor,” “favorite song,” “favorite movie,” “favorite teacher.” If you’re like me, my favorites change over time, rendering these types of questions useless. FYI, if you’ve ever had to reset your Apple ID password, you’ve noticed that Apple is among the biggest culprits of “favorites” questions.
Favorites aren’t the only questions whose answers can change. How about “youngest child’s middle name?” Well, what if I have more children? Am I going to remember that fact a couple years down the line when I have forgotten my password, but increased my family count? Heck, questions about where you met your spouse can have ephemeral answers if you’re the divorcing type. Even questions like “nickname as a child” become difficult to answer. I had at least 4 nicknames that family and friends called me by. Which one do I choose? And what is the likelihood that 6 months later, I’ll remember the right nickname. My oldest cousin’s name? Well, it works for now, but what happens if he or she dies? (I actually refuse to enter questions like this, out of some strange superstition I feel…but that’s a whole separate issue.)
Not only do fungible answers confound the process, but arbitrary syntax rules as well. What if the first concert I attended was “U2,” but the site demands at least 3 characters in the field? If the first concert was Bruce Springsteen, do I include the space between the names? Does upper or lower case matter? If next year, while recovering my password, I type “bruce springsteen” when the site was expecting “Bruce Springsteen,” will it give me an error? What if I spell it “Springstein”? After multiple errors, I may start to doubt my own memory of whether that was my first concert — and go down the “Barry Manilow” path. Hypothetically speaking. Of course.
Usability problems of security questions aside, every now and then, I come across some gems that are worth capturing. These more, um, personal questions are both usable — for their answers can never change — and amusing. Seeing “What is the first name of the boy or girl that you first kissed?” from an online bank was a shocker for its uniqueness — and its being from a bank, of all places. (OK, admittedly, I spent a few seconds pondering if the girl who kissed me in first grade counted, or if the site was really after my first, shall we say, real kiss.)
This got me wondering — in companies’ efforts to come up with ever-increasing unguessable security questions — how much more personal might these questions start to get? Like, substitute “kissed” with, you know, other activities. Or maybe secret moles or other bodily anomalies that only you know the answer to? Or “How old were you when you lost your ________?” You fill in the blank. (I was thinking “first tooth.” Get your mind out of the gutter.) Regardless, I’m sure I’d glance back over my shoulder to make sure no one was watching as I typed the answers. And I’d probably never forget the answers or enter them wrong. Unless, of course, your site expects me to spell out “forty” instead of “40.”
If you see any clever security questions in your web travels, please pass them along.