18 Mar 2008 06:01 PM EDT

Most people don't realize the value of the answers to their personal security questions (Citrix Password Manager calls this Question Based Authentication.)  As it turns out, those answers are more valuable than passwords.  If someone learns enough answers to your personal security questions, they very often can reset your password and have access to your accounts.  Yes, that includes your online bank account and it's a very real problem.  In fact, I have a friend so paranoid about this that he swears his favorite color is "three."

Some of the issues around personal security questions are kind of interesting.  For example, I've dealt with customers where personal privacy of employees is a big consideration in selecting the questions.  Let's call that one "sensitivity".  Another issue is what I'll call "changeability" - your favorite movie may change from month to month.  Then another issue is what I'll call "detectability" - my place of birth is public record, if somebody happens to know where I was born and what my maiden name was.  Both of those are completely unguessable in my case so I am probably safe on that problem.

Then there is always my favorite, "guessability" - there are only so many colors, even if you count teal and puce.

We can't forget the punctuation marks either.  Tricky to remember whether I indicated a teacher's name as Mrs. Winters, Ms. Winters, Mrs Winters or Ms Winters when I signed up for a web account.  Have to be careful on that one.

We are finding that the more flexibility you can allow the better on these personal security questions for CPM.  Let companies write their own personal security questions that are more obscure than place of birth.  Let people choose between a number of security questions that they find unique and easy to remember.

In fact, I'd love some comments on pet peeves and helpful suggestions on personal security questions!
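The punctuation problem ("Mrs. Winters" versus "Ms Winters") and the low entropy of answers like a favorite color are both things the verifying side can design for. The following is an added example, not code from this post or from Citrix Password Manager: it canonicalizes an answer before hashing so spelling variants compare equal, and stores only a salted, slow hash so a leaked table of low-entropy answers is not trivially cracked. The honorific list, iteration count and function names are my assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Assumption: honorifics users remember inconsistently. Stripping them (and
# punctuation) trades a little answer space for much better recall.
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "prof"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so 'Mrs. Winters', 'Ms Winters' and
    'MRS WINTERS' all reduce to the same string before hashing."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)          # punctuation -> space
    words = [w for w in text.split() if w not in HONORIFICS]
    return " ".join(words)


def enroll_answer(answer: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A per-answer salt plus a slow KDF matters more
    here than for passwords: 'favorite color' has only dozens of plausible
    values, so an unsalted fast hash falls to a dictionary in seconds."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the candidate's digest against storage."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    salt, stored = enroll_answer("Mrs. Winters")
    print(verify_answer("ms winters", salt, stored))    # True
    print(verify_answer("Mrs. Summers", salt, stored))  # False
```

Normalization does not fix guessability; for small answer spaces the hash only protects the stored table, and the online path still needs attempt limiting.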


One institution I use allows the end user to create their own security questions which I quite like. You can ask yourself very specific questions that only you are likely to know and are hard to forget. I think they had a template of set questions and the option to make your own, but it was so long ago I can't remember.

-Donovan 

Posted by Anonymous at Mar 18, 2008 23:26

Donovan,

Good one - it would be very easy for me to concoct questions only I know the answer to, and then easily remember the answers.

"In lapidary inscriptions", said Dr.  Johnson,  "a man is not on oath".  That applies to these security questions too.  It is good practice to lie (if you are consistent).

Broadly speaking, questions are either fact-based or opinion-based.  The recall rate tends to be a bit better for fact-based questions than for opinion-based questions, as one might expect.  I've not seen any research on how lying affects recall.

Something else to watch for: a surprising amount of information is public record.  In the UK, the price you pay for your house is public information.

It's true about public record - you can find out the price paid for a house in US as well, for free.  Plus there are pay-for services to find out lots of (potentially nasty) things about a person.  So much for privacy!

I've heard it's easier to remember the truth than lies (which is why detectives questioning a subject keep asking the same questions until the suspect's "made up" version starts to crumble and the story starts to change.)

Here's a thought: I could devise a set of answers that could be memorized.  Completely random answers.  Then I could use them whenever asked personal questions.  They would be unpredictable because the answers wouldn't match the questions.  The only problem is that if I use these for multiple credential sets (like my eTrade account, bank account, phone account, etc.), I would be potentially compromised - if someone finds out my answers for one of the accounts they could try them for other accounts.

Interesting point you make on fact-based versus opinion-based - makes perfect sense though, as opinions are likely related to mood at the time of answering.

Hi Kate or Chris,

What is the proper way to communicate an advisory to Citrix.....?

Can you post contact information?

thanks.

Posted by Anonymous at Mar 28, 2008 12:19

All set .....

It is secure@citrix.com

Posted by Anonymous at Mar 28, 2008 14:00
