Archive for June, 2007

Stupid Banks Stupid About Stupid Security Questions

So my bank has recently decided to start DEMANDING security question/answer pairs for its web login. To log in, you MUST answer one of your security questions in addition to your password.

They give you 5 sets of questions to choose from and a freeform field to put the answer into. Am I the only one who sees the gaping stupidity of this? If they let you write your own questions, maybe that’d be OK. But all of their questions are either easily discoverable (stuff like maiden names, high school mascots, pets, best friends’ names, etc.; in fact, the very things that years of password security policy have told you to KEEP OUT OF YOUR PASSWORD, and for very good reason), change really often (favorite magazine, favorite chocolate bar, favorite restaurant), or are very gender selective (favorite fashion designer — and a big wtf to that one in general too).

If someone can take the time to find out your actual password, they can take the time to find these things out. There are only 5 questions, so it takes as few as 5 login attempts, made from different computers over a couple of months, to learn what all of them are and then research the answers without setting off alarm bells at the bank.
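As an added example (not from the original post), two defensive measures in Python against the probing just described: pin one question per account until that account logs in successfully, so five failed attempts can no longer reveal all five questions, and flag accounts whose failed attempts were shown several distinct questions from several distinct source addresses. The event fields, thresholds and sample events are assumptions constructed for the example.

```python
import random
from collections import defaultdict
from dataclasses import dataclass
QUESTION_POOL = 5  # the bank offers five security questions

@dataclass
class AuthEvent:
    """One login attempt; field names are assumed for this example."""
    account: str
    src_ip: str
    question_id: int  # which of the five questions was displayed (1..5)
    success: bool

class QuestionPolicy:
    """Pin one question per account until it logs in successfully, so a
    probe that keeps failing keeps seeing the same question and five
    failures no longer reveal all five questions on file."""
    def __init__(self, chooser=lambda: random.randint(1, QUESTION_POOL)):
        self._chooser = chooser  # injectable for deterministic tests
        self._pinned = {}

    def question_for(self, account):
        if account not in self._pinned:
            self._pinned[account] = self._chooser()
        return self._pinned[account]

    def on_success(self, account):
        self._pinned.pop(account, None)  # redraw only after a real login

def find_probed_accounts(events, min_questions=3, min_ips=3):
    """Accounts whose failed attempts exposed several distinct questions
    from several distinct source addresses (thresholds are assumptions)."""
    exposed, sources = defaultdict(set), defaultdict(set)
    for e in events:
        if not e.success:
            exposed[e.account].add(e.question_id)
            sources[e.account].add(e.src_ip)
    return sorted(a for a in exposed
                  if len(exposed[a]) >= min_questions
                  and len(sources[a]) >= min_ips)

EVENTS = [  # constructed sample events, not real bank logs
    AuthEvent("alice", "198.51.100.7", 1, False),
    AuthEvent("alice", "203.0.113.22", 4, False),
    AuthEvent("alice", "192.0.2.150", 2, False),
    AuthEvent("alice", "198.51.100.99", 5, False),
    AuthEvent("bob", "192.0.2.10", 3, False),  # one typo, then success
    AuthEvent("bob", "192.0.2.10", 3, True),
]
```

Under the pinning policy, alice's four failures would all have shown the same question; the detector still catches the pattern in logs from a bank that rotates questions freely.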

When are companies going to realize that security questions are a serious regression in security?