Ask HN: Do security questions on a user account actually add security?

3 pointsaptsurdist15y ago3 comments

I'm not a security expert, but I just can't see how adding security questions to an online account on top of a password is anything but a nuisance that just weakens security. Especially when most answers to these questions are just names or single words that are easily researchable online. Why is there so much expert advice on strong passwords, yet the industry doesn't condemn security questions? What am I missing? Am I just wrong here, or should there be a clear message to just get rid of them? I hate it when sites make me add security questions to my account; isn't it so much better to just let me reset a forgotten password through my email?</rant>

3 comments

3 comments · 2 top-level

iwwr15y ago· 1 in thread

A pin number, entered through a mouseclick keyboard (with randomized key order) is an interesting anti-keylogger measure I've found so far.

duskwuff15y ago

Less effective than you'd hope, though. A lot of software keyloggers support taking a screenshot surrounding the cursor when the user clicks.

theDoug15y ago

We've gotten rid of ours and replaced it with a token/reset system (online) and human verification when the online methods can't be validated. We have 80+ years of customers, and many will never be comfortable with online verification.

One of the arguments used against keeping 'security' questions was one of asking if the fields had any business or even marketing purpose, if not security. We all know how easy it is to find out someone's mother's maiden name or high school, and letting someone set their own questions and answers isn't much better. "Do we need to keep a database of 900,000 people's favorite color to be more secure?" was a good thought to start the meme.

The security questions were doing us no favours and helped bring our 43-field registration system down to three fields (email, password, membership number). Users are then sent a token via the email, and don't exist in the online system until the token is redeemed. Resets work the same way, disallowing access to the site until the reset token is used, with Devise (Rails).