Keith Brown expresses concern over the security questions people ask themselves for password reset, and suggests that the user not be allowed to write the question, so that sufficiently secure questions can be asked.
Congratulations – you’ve addressed half the problem.
The system can now require that the user be asked a sufficiently complex question.
Because the correct answer is determined entirely by the user, though, the answer can be unnervingly simple.
I bet you can guess the last four digits of my driver’s licence, and the city in which I was born, too.
So, this clearly hasn’t started to solve the problem – the only complexity you’ve enforced is the public portion of the exchange.
Sadly, many of these complex questions raise a further concern – who else knows the answers?
My mother knows her maiden name, and the city in which I was born. My wife knows that, and also has access to documentation for the other keys to the castle. Suppose one day she becomes my ex-wife, and wants to have access to my online banking, my business, my health information – those questions are now the simple key to allowing her in.
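To make the "half the problem" point concrete: the question side of the exchange is something the server controls, but the answer side is only as strong as the policy the server applies to it. The following is an added example, not code from the original post, showing a minimal answer policy (minimum length after normalisation, a constructed deny-list of trivial answers, a repeated-character check, and a check that the answer does not simply echo a word from the question) plus salted PBKDF2 storage so the stored answer is treated as the secret it is. The deny-list values and the `MIN_ANSWER_LENGTH` of 6 are assumptions for illustration. Note that none of this addresses the second concern above: a policy can reject "1234", but it cannot detect that a family member already knows a perfectly good answer.

```python
import hashlib
import hmac
import os
import re

# Constructed deny-list of trivially guessable reset answers (sample values only).
COMMON_ANSWERS = {"1234", "0000", "password", "none", "na", "n/a", "unknown", "idk"}

# Assumed policy value: answers shorter than this (after normalisation) are rejected.
MIN_ANSWER_LENGTH = 6
PBKDF2_ROUNDS = 200_000


def normalize(answer: str) -> str:
    """Lower-case and strip non-alphanumerics so 'New York' and 'new-york' compare equal."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def validate_reset_answer(question: str, answer: str) -> list[str]:
    """Return the list of policy violations for a proposed answer; empty means acceptable."""
    problems: list[str] = []
    norm = normalize(answer)

    if len(norm) < MIN_ANSWER_LENGTH:
        problems.append("too short")
    if norm in COMMON_ANSWERS:
        problems.append("common answer")
    if norm and len(set(norm)) == 1:
        problems.append("single repeated character")

    # Reject answers that merely repeat a word from the question itself
    # (e.g. answering "city" to "In what city were you born?").
    question_words = {w for w in re.findall(r"[a-z0-9]+", question.lower()) if len(w) > 2}
    if norm in question_words:
        problems.append("repeats the question")

    return problems


def store_answer(answer: str) -> tuple[bytes, bytes]:
    """Hash the normalised answer with a fresh random salt; never keep it in plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a supplied answer against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    q = "In what city were you born?"
    for a in ("1234", "city", "aaaaaaaa", "Featherstonehaugh"):
        print(f"{a!r}: {validate_reset_answer(q, a) or 'ok'}")
    salt, digest = store_answer("New York")
    print(verify_answer("new-york", salt, digest), verify_answer("Boston", salt, digest))
```

The normalisation step matters in both directions: it keeps a legitimate user from being locked out by capitalisation or punctuation, and it stops "N.Y." from passing a length check that "ny" would fail.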
Other elements of concern:
At work, we’re required to create the same sort of “three questions” to reset our password.
I’m tempted to enter the following:
What I do instead is to enter: