The Effective CIO

Say The Secret Word! January 19, 2009

It has become fairly common for sites to enhance their security by asking you to answer a few “secret questions” to confirm that you are, in fact, you when updating account information or even just logging in.  As a result, users now have the opportunity to forget several bits of information for each web site they visit, instead of just forgetting their password on a regular basis.

We use this approach at my company, where users can reset their passwords by answering special questions.  The system we use even lets people pose their own questions, which led to one user to create this question:

Question 1: How do you feel today?
Answer 1: Good

So far so good.  Here is their second question:

Question 2: How do you feel today?
Answer 2: Bad

I kid you not.  Not surprising, this user eventually forgot their password, and it took quite a while for us to figure out why they could never access the automatic password reset system.

Here’s my helpful usability tip for the day: No matter what the secret question, use the same answer every time.  Choose something different from your password, but use it consistently.

People are astounded when I suggest this.  It never occurs to them that the system cannot check to make sure that “groucho” really is the name of the first person you kissed, or your first pet, or your second grade teacher.  It just wants a string of characters that only you know.

Before all the security people reading this freak out, I’ll concede that this is not a security best practice.  It leaves you vulnerable to some tiny chance of a security breach.  You assume all the risk if you choose to go this route.  Et cetera.

But in reality, this is much better than the approach most people take, which is to write all this stuff down on a Post-It note and stick it on the monitor.  (Security-conscious users put the Post-It under the keyboard, or in their desk drawer.  Thanks for incorporating physical barriers into your security practices!)

Security breaks down when security systems are too complicated. People revert to simple solutions just because they want the computer to get out of the way and let them accomplish the task at hand. We need to stop creating complicated, unusable systems and focus on simple, usable ones. With security, as with everything else on earth, it is tough to make things foolproof because fools are so ingenious.

Brownie points to readers who know why I chose “groucho” as my answer!