Password reset questions
Recently therewas some discussion about “self-service” password resets. The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer. You know: super-secret stuff like your pet’s name. (Yes, Paris Hilton, I’m talking about you.)
The discussion was more detailed, turning to policy and options, and asked whether you should turn off “custom” questions, and stick to a list of prepared questions.
I would definitely allow custom questions. The standard lists never seem to give me options that I can both a) remember, and b) that wouldn’t be immediately obvious to anyone who was able to find out some minimal information about me.
If I can make up my own question, I can ask myself what my favourite burial option would be. The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess. (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)
Go ahead: try and guess what is the only pain reliever that works for me.
What sits under my desk and keeps the computers running in the case of a power failure?
What is Gloria’s favourite ice cream flavour?
Finish the following sentence: Don’t treat Rob as your _______ ___. (This is a two-factor authentication: you also have to fill in the standard response to that statement.)
The thing is, all of these oddball questions have special meaning for Gloria and I, but for very few other people in the world. They rely on mistakes or quirks that have become “family phrases.” For example, what do you need before bed to get to sleep? Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.
Yeah, I like “custom questions” a lot.
(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)