Security Questions Are a Terrible, Horrible, Bad Idea

Stop asking me for my mother’s maiden name

Meriam Kharbat
Feb 4 · 3 min read
Photo by vardan harutyunyan on Unsplash

As I was setting up my account at Deutsche Bahn, I was surprised to see the following UI:

Deutsche Bahn account UI

After the 2013 Yahoo breach, which compromised all 3 billion user accounts and, for some of them, exposed the security questions and answers themselves, it should be common knowledge by now that security questions are a terrible idea. Why are they still a thing?

They Can Be Very Easily Guessed

The main idea behind security questions is that they're safe and memorable. But with today's social media, anyone can scroll through my posts and figure out the name of my high school mascot. Anything memorable enough for me to recall is usually memorable, or discoverable, for a lot of other people too.

A 2015 Google study (Bonneau, Bursztein, Caron, Jackson and Williamson, "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google") found that with a single guess, an attacker has a 19.7% chance of guessing an English-speaking user's answer to the question "What is your favorite food?".

With 10 guesses, an attacker has a 24% chance of figuring out an Arabic-speaking user's answer to "What was your first teacher's name?", a 39% chance of guessing a Korean-speaking user's city of birth, and a 43% chance of guessing their favorite food.

Many different users also had identical answers to secret questions you’d typically expect to be unique, such as “What’s your phone number?” or “What’s your frequent flyer number?”.

The study also found that 37% of people deliberately give false answers, believing that makes them harder to guess. In practice it backfires: people pick the same handful of fake answers, so the pool an attacker has to search gets even smaller.

They Can Be Brute-Forced

We demand that users choose a password with lowercase and uppercase letters, digits and special characters, and we usually throttle failed logins.

But then we hide the account recovery mechanism behind a silly question whose answer space is a few hundred common words, often with no attempt limit at all, so it can simply be brute-forced. Whoever guesses the answer doesn't need the password. Recovery is the weakest link in the flow, and the weakest link is the one an attacker goes for. This doesn't make any sense to me!
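To make the guessing numbers above and the brute-force point concrete, here is an added example (my code, not the author's or Google's): it runs a top-k guess list over a constructed, deliberately skewed set of "favorite food" answers, reports what share of accounts falls, and then models the recovery form with and without a lockout. The answer counts, the `RecoveryEndpoint` model and the lockout threshold are all assumptions made for illustration; the only outside fact it leans on is that real answers cluster on a few popular values, which is what the study reports.

```python
"""Added example (not from the original post): how far a short guess list
gets an attacker against a recovery question, and what an attempt limit on
the recovery endpoint does to that attack.  The answer distribution below is
constructed for illustration; it is not the Google study's data."""
import hmac
from collections import Counter

# Constructed "What is your favorite food?" answers for 540 users.  The skew
# is the point: real answers cluster on a handful of popular values.
FAVORITE_FOOD_ANSWERS = Counter({
    "pizza": 180, "sushi": 90, "pasta": 70, "tacos": 50, "burger": 40,
    "curry": 30, "steak": 25, "ramen": 20, "salad": 15, "chocolate": 10,
    "couscous": 5, "tagine": 3, "kimchi": 2,
})


def normalize(answer: str) -> str:
    """Recovery forms usually ignore case and surrounding whitespace, which
    shrinks the answer space further; the attacker benefits from that too."""
    return " ".join(answer.casefold().split())


def attacker_guess_list(distribution: Counter, k: int) -> list:
    """The k most common answers, tried in order of popularity."""
    return [answer for answer, _ in distribution.most_common(k)]


def fraction_compromised(distribution: Counter, k: int) -> float:
    """Share of users whose answer is somewhere in the top-k guess list,
    i.e. the k-guess success rate that the study quotes per question."""
    total = sum(distribution.values())
    hits = sum(distribution[a] for a in attacker_guess_list(distribution, k))
    return hits / total


def guesses_needed(distribution: Counter, target_fraction: float) -> int:
    """Smallest k whose top-k list covers at least target_fraction of users."""
    for k in range(1, len(distribution) + 1):
        if fraction_compromised(distribution, k) >= target_fraction:
            return k
    return len(distribution)


def password_guess_success(length: int, alphabet_size: int, guesses: int) -> float:
    """Chance that `guesses` attempts hit a uniformly random password of the
    given length, for comparison with the numbers above."""
    return min(1.0, guesses / alphabet_size ** length)


class RecoveryEndpoint:
    """Minimal (hypothetical) model of an account-recovery form.
    max_attempts=None is the unthrottled form the text complains about; a
    small integer locks the flow after that many failures.  A real system
    would also rate-limit per source and notify the account owner."""

    def __init__(self, answer: str, max_attempts=None):
        self._answer = normalize(answer)
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def submit(self, guess: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if hmac.compare_digest(self._answer.encode(), normalize(guess).encode()):
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
        return False


def run_attack(distribution: Counter, k: int, max_attempts=None) -> float:
    """Fraction of the population compromised by trying the top-k list
    against every user's recovery form, with or without a lockout."""
    guesses = attacker_guess_list(distribution, k)
    compromised = 0
    for answer, count in distribution.items():
        form = RecoveryEndpoint(answer, max_attempts)
        if any(form.submit(g) for g in guesses):
            compromised += count
    return compromised / sum(distribution.values())


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"{k:>2} guesses, no lockout:   {run_attack(FAVORITE_FOOD_ANSWERS, k):.1%} of accounts")
    print(f"10 guesses, lock after 3: {run_attack(FAVORITE_FOOD_ANSWERS, 10, 3):.1%} of accounts")
    print(f"10 guesses vs 12-char random password: {password_guess_success(12, 94, 10):.1e}")
```

With the constructed data, one guess already takes a third of the accounts and ten guesses take almost all of them, while the same ten guesses against a random 12-character password are hopeless; a lockout after three failures caps the attack at whatever the top three answers cover, which is exactly why the recovery endpoint needs the same throttling as the login form.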

They Make Wrong Assumptions About Your Users

Maybe in the Western world, people can find security questions relatable. But I didn’t have a pet, I’m not good at remembering people’s names, and I was never married, so I never went on honeymoon.

Growing up in North Africa, I didn’t even know what a maiden name meant because where I come from, women don't take their husband's names.

So that left me with what’s your favorite dish, and anyone who knows me can guess what that is.

That's a terrible user experience that excludes anyone who isn't from the same cultural background as the person who developed the application. It also compromises their privacy and security: the fewer questions a user can relate to, the more predictable the one they end up answering, and the easier their answer is to guess or look up.

Conclusion

Today, plenty of identity providers and authenticator libraries make it straightforward to integrate stronger authentication.

Please implement a proper two-factor authentication flow, with a recovery path such as one-time backup codes rather than guessable personal facts, instead of compromising your users' privacy.

And next time someone asks me what my favorite dish is, it’ll be something like cOüs;Coū!68$!


Thanks to Zack Shapiro

Meriam Kharbat

Written by

Senior Software Engineer @fieldintel prev. @crateio | Columnist @BuiltInChicago | Curating https://thetechlead.substack.com |Email me at kharbatmeriam@gmail.com

Better Programming

Advice for programmers.
