Rant/peeve of the day: "Security" Questions
Thursday, November 2, 2006
Keywords: Technology
It seems like more and more sites are using security questions. Forgot your password? Not to worry, we'll let you log in if you can answer the question, "What was your mother's maiden name?" or "Where were you born?" or "What is the name of your dog?". So on one hand, people are being instructed to create better passwords that do not consist of any personal Google-able information and on the other hand, more and more sites are offering these weak "back-door" logins that ask questions whose answers a Google search may reveal. But that isn't what bothers me; what bothers me is most of these places require that you provide these "security" questions (what a misnomer!). Great, so now my relatives (who will know my mother's maiden name, the city where I was born and that I have never owned a dog) can, if they wanted to snoop, request a password reset? At least some sites are courteous enough to let you specify no security question or your own custom question (in which case, I use "What is your password?"). My solution has been to create a secondary secure password for use exclusively as security question answers and to use that as the security question answer regardless of what the actual question is. But it would be much easier if the idiots operating these sites respected user choice more (i.e., make the SQ optional) so that this wouldn't be a problem in the first place.
n.b.: Some places don't use the security question as a back door, but instead as a challenge that must be answered in addition to the password before one can log in. These are, I think, legitimate uses of security questions, but it is still rather patronizing because, while most people are idiots about creating secure passwords and thus such secondary authentication is necessary for them, for people who do practice "safe passwording", this is yet another nuisance.
This entry was edited on 2006/11/02 at 19:26:27 GMT -0500.

Posted by Carl
Rumor has it that on mathematician John Conway's computer, he has to compute the day of the week for three random days in 15 seconds or less and then enter his password. I think that will do a little better than the "security questions".