The Funniest Password Recovery Questions and Why Even These Don't Work

Originally published by Daniel Solove on LinkedIn: The Funniest Password Recovery Questions and Why Even These Don't Work

A recent article in Wired argues that it is time to kill password recovery questions. Password recovery questions are those questions that you set up in case you forget your password. Common questions are:

In what city were you born?

What is your mother's maiden name?

Where did you go to high school?

The article notes that the recent Yahoo breach "included in the company’s list of breached data weren’t just the usual hashed passwords and email addresses, but the security questions and answers that victims had chosen as a backup means of resetting their passwords."

Beyond answers getting leaked in breaches, another problem with recovery questions is that they are easy for hackers to guess. So you can create the world's best password, but a hacker can reset your password by using the recovery questions. Information such as your mother's maiden name and the city of your birth is commonly available in public records. Other information, such as one's pet's name or high school, can be readily figured out by looking at social media profiles or Twitter feeds.

The Funniest Password Recovery Questions

BB&T uses a very clever approach to password recovery questions -- they depart from the commonly used questions. The results are some of the funniest and most bizarre password recovery questions I have seen. Here are some of my favorites:

What is the favorite road on which you most like to travel?

What is your biggest pet peeve?

If you could be a character out of any novel, who would you be?

Who was your least favorite boss?

What is the name of your favorite relative not in the immediate family?

What was your childhood phone number?

What is the name of your least favorite teacher?

Where do you want to retire?

What is your dream car?

Where were you New Years 2000?

If you won a million dollars, what is the most extravagant purchase you would make?

What is the name of your most memorable stuffed animal?

Some of the questions seem like they are better suited for a psychological profile test. Do people really remember where they were on New Years 2000? And is it any of BB&T's business?

Imagine what would happen if BB&T had a breach similar to Yahoo's. I'm sure hundreds of thousands of bosses will be none too pleased to learn that they are an employee's least favorite boss.

Although I admire the effort, there's still a problem with BB&T's unconventional questions: They are difficult for people to remember. Many years later, are you going to remember where you wanted to retire when you answered your recovery questions? Or your dream car? Recovery questions must be easy to remember -- easier than one's password -- because the questions are designed to help people who forgot their password.