165

From time to time, some web sites asks to enter a security question and an answer for it. The question list is standard and it usually includes "What is your mother's maiden name?".

Some people use their mother's real maiden name so that they are sure they can remember what to provide when asked (e.g. as part of the process to recover the account). This means that this is information is fixed for a very long period of time. If it happens that some web application is hacked and such an answer is associated with an e-mail address (or worse, with personally identifiable information), it can potentially create a vulnerability for other web applications.

Also, mother's maiden name might be shared in public space.

Assuming above issues with this security question (or any other security question that relies on a constant within one's life):

Why is Mother’s Maiden Name still used as a security question?

Alexei
  • 2,183
  • 3
  • 10
  • 23
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/77755/discussion-on-question-by-alexei-why-is-mothers-maiden-name-still-used-as-a-sec). – Rory Alsop May 20 '18 at 07:30
  • 3
    A security question is just a question. We don't have to assume that everyone will answer with the actual maiden name. – papakias May 21 '18 at 12:46
  • 10
    @papakias Then you may as well replace the question with "please enter a string of characters and memorize it". Oh wait, that's what passwords are. The point of security questions are that you don't need to memorize them as they're things you already know, so you can't forget them like you forget a password. – Jonah May 22 '18 at 08:44
  • @Jonah Well it may be what you are saying, but it also may be an additional (more easy to remember) password for recovery. Just because they are asking for a mother's maiden name, it doesn't mean that I am going to give them the real one. That's my point – papakias May 22 '18 at 09:25
  • 5
    @papakias The idea behind security questions is that you will always be able to answer it even years later without the need to remember the text you had chosen when you created it. Otherwise instead of a security question they would use a second password. If you don't enter real answers in security questions then you are better off not entering anything at all if that's allowed, or enter something very long and random, just to "disable" the security question. Maybe this doesn't apply to you, but the vast majority of people will not remember what made up name they had entered years ago. – SantiBailors May 22 '18 at 14:26
  • @SantiBailors yes guys, I don't disagree with you. I'm just stressing that filling the real answers is not always the case. The security question is just a tool. And everyone may use it differently. – papakias May 22 '18 at 14:30
  • @Strawberry - Most of the people [do not use password managers](http://www.pewinternet.org/2017/01/26/2-password-management-and-mobile-security/) to keep their passwords, so I bet many use the real name, so that they do not forget it. – Alexei May 24 '18 at 08:50
  • @Strawberry - I fixed the post to be more accurate. – Alexei May 24 '18 at 08:52

8 Answers8

238

Because people are lazy and/or incompetent. And, well, you know, the Internet is full of chimpanzees.

I would argue that all security questions are bad, but using the mother's maiden name is exceptionally bad:

  • At least in Sweden, I can find out anyone's maiden name just with a simple call to the tax office. It is literally public information.
  • It's 2018, and fairly common for couples to adopt the bride's name when getting married. Your mothers maiden name is then your surname. Great.
  • Luis Casillas rightly adds:

    There are dozens of countries, with billions of inhabitants between them, where women don't change their legal name when they marry. The United States in particular has huge immigrant minorities of people from such countries.

Seriously, there are no excuses for this. It's just bad.

Anders
  • 65,052
  • 24
  • 180
  • 218
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/77756/discussion-on-answer-by-anders-why-is-mothers-maiden-name-still-used-as-a-secur). – Rory Alsop May 20 '18 at 07:30
28

"Security questions" may be the only solution to a hard problem. You've got a customer, they've lost their password (and their email access) and you'd both like to get them back.

It may not be proportionate to have them perform in person verification at your offices or with a notary, which would really be the only totally secure solution (matching secure government id against their appearance/biometrics).

I think banks (just as a for instance) which use this kind of verification have pretty good statistics on the prevalence of every type of fraud and will know the risks and benefits (e.g. say my bank needs to identify me when travelling overseas, they can't and they lose me a customer along with tens of thousands in lifetime profit - versus they allow fraudulent use of a card and lose tens of thousands directly - but they know only 5% of flagged transactions are actually fraudulent).

Rich
  • 817
  • 6
  • 5
  • 8
    Exactly! Everyone bashes on how bad the approach is, but it should be acknowledged that this is a fundamentally difficult problem to solve without introducing additional identification elements. – Dennis Jaheruddin May 18 '18 at 13:45
  • 3
    +1 for a pragmatic answer which acknowledges the ever present need to balance security with convenience. – Jon Bentley May 18 '18 at 15:06
  • 12
    Actually, a bank that allowed access to my account to anyone knowing my mother's maiden name would lose me as a customer even faster – Hagen von Eitzen May 18 '18 at 20:13
  • 5
    "(matching secure government id against their appearance/biometrics)" ... Government IDs can be faked or lost. Appearance and biometrics can change. People can lose fingers or limbs or eyes; their face can be damaged beyond recognition; they can gain or lose large amounts of weight; even their skull shape can be damaged beyond what biometrics would recognize. Insisting on biometrics, [like insisting on having a last name](https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/), will work for lots of people, but will eventually fail. – Ross Presser May 19 '18 at 08:20
  • 6
    @HagenvonEitzen The bank doesn't care about you as an individual customer. They care about their overall profits. If they will on average make more profit out of the customers they retain through convenient security measures than the losses they incur on people who leave and/or fraudulent transactions that they have to cover, then such a policy makes sense. Also bear in mind that banks are generally liable (rather than you, the customer) when an account is used fraudulently. – Jon Bentley May 19 '18 at 13:40
  • @JonBentley _The bank doesn't care about you as an individual customer._ That's unfortunately right and the reason why such banks have no problems in exposing you to fraud for the sake of their overall profit. If their policy made that much sense, then when they offer you an internet banking account, among the clauses they make you subscribe they should have no problems in adding the information that your account will be accessible by anyone who knows your mother's maiden name; but for some reason they don't add that information; probably because it's not that normal after all, just common. – SantiBailors May 21 '18 at 07:24
  • @JonBentley That's comforting to know. So at least no-one has bad feelings when I leave a bank with extremely stupid forms of security theatre – Hagen von Eitzen May 21 '18 at 10:39
26

Lethargy and/or inertia

More seriously institutions relied on this information being essentially secret for a few decades. The age of mass publicised data breaches is very recent.

Most organisations are slow to react to change.

Simple as

ste-fu
  • 1,092
  • 6
  • 9
  • 9
    _More seriously institutions relied on this information being essentially secret for a few decades._ Do you have any reference for that, like examples of that or explanations that were given to justify doing that? Not because I doubt it, on the contrary I can't wait to read the excuses that we found for ourselves in the past to allow ourselves to think that that was ok. – SantiBailors May 17 '18 at 09:46
  • 2
    Sorry - no references, just personal recollection of being asked for this information to verify my identity pre-internet. – ste-fu May 17 '18 at 10:02
  • @ste-fu I was about to answer with the same thought. lot of secret questions are in the wild now. – elsadek May 20 '18 at 08:50
  • 2
    More seriously institutions *in the US* relied on this information being essentially secret for a few decades. Other countries, don't consider this kind of information secret. Sweden for example straight up publishes all of it online. – Rob Rose May 21 '18 at 17:32
  • @RobRose I'm in the UK...historically it was possible to find all sorts of things. You can still request a copy of anyone's birth certificate, but you have to pay. It wasn't convenient. – ste-fu May 21 '18 at 18:13
24

False assumptions.

Security questions, just like "complex" password requirements, are rooted in what is called best practice but actually isn't. Like an oral tradition, many of these practices are passed on from one security person to the next, and rarely questioned (whenever they are questioned, it often turns out they are bogus).

Security questions is one of these things. Someone came up with a reasonable idea, and very soon a fairly standard list of such questions evolved, and since then everyone has basically copied from there, without questioning.

So yes, you are right, this and almost every other "security question" is a danger and typically much, much easier to figure out than even a weak password (e.g. anything that's not on the top 20 list).

Tom
  • 10,201
  • 19
  • 51
11

Usability over security, sadly

The banks want to be secure, but face a clientele for which usability is mandatory.

This clientele is not made of our peers. It includes those who fear "the gub'mint", seniors who don't understand change and resist it, mentally disabled who took years to learn this system and just can't process another scheme, not to mention staff members e.g. someone acting with power of attorney for an estate or disabled person. Whatever system you devise has to be accessible to all those people, unless you want to have tiers of access. We are stuck with lowest common denominator, or convoying at the speed of the slowest ship.

Money over security: Liability shift

The banking system is built on trust far more than anyone would like to admit. Fraud is contained by very active security staff, who don't have to outrun the bear. If bank security is just good enough that attackers switch to some easier means of making money, the bank wins. That criminal who would've been attacking the bank, instead threatens to be an IRS agent and gets a retiree to voluntarily Western Union their life savings. That retiree can't come back to the bank and demand their money back, so the bank is in the clear.

This type of "liability shift" is a huge part of bank strategy. Anything they do is going to shift liability away from the bank. They have disincentive to install a stronger system which on failing creates more liability for the bank.

  • Great points,this is the area where to seek the answer. I just disagree that the clientele is not made of our peers. It is. The influence of the "seniors who don't understand change",mentally disabled etc. is minor; unless you mean "software developers' peers"; anyone else,regardless of education level,IQ or such,for the vast majority will go for usability over security right away,no need to be seniors etc,just need to think that the way we would like things to be is actually how they are (i.e.,that security is not lowered),and thinking so is dead easy when one is not familiar with a subject. – SantiBailors May 22 '18 at 08:06
3

"Security questions" in general are an incredibly stupid idea.

Any time you create a password, it's routine advice to say that you should not use personal information for a password, like where you went to high school or your favorite color or the make car you drive, because a hacker trying to break into your account might be able to discover or guess these things. Instead, you should use a meaningless string of letters and digits, that should be impossible for anyone to guess.

But ... we understand that meaningless strings of letters and digits are hard to remember. So let's create security questions, which function effectively as alternate passwords, and for these we'll use something easy to remember, like where you went to high school or your favorite color or the make car you drive. Because while a hacker might try to guess this kind of personal information for a password, it would never in a million years occur to a hacker to try to guess the answer to a security question.

At least if you used some personal information for a password, the hacker wouldn't know whether you used your high school or your favorite color or a car make. But with security questions, we TELL him which it is.

If someone knows you, many security questions would be easy to find or guess. Maybe you moved here from another city, but there's a fair chance you grew up where you live now, so guessing high schools in the area would have a fair chance of getting a hit. He might know what model car you drive. If not, there aren't all that many different car makes. If you ask people for their favorite color, most people will name one of a dozen or so. (Well, most men, anyway. Women tend to know the names of far more colors than men do.)

One system I just created an account on recently limited their security questions to things with a fairly small number of possibilities, and then provided drop downs for each of them! So tell the hacker, here are the 20 possible passwords someone was allowed to choose from! I've seen systems that make me choose a password that is at least 8 characters because if I just typed in 6 or 7, that's only a few billion possibilities, and a hacker might get it with a brute force attack. But then let's have an alternate password where we helpfully list the 20 choices. That saves the hacker from having to worry about being tripped up by capitalization or mis-spelling.

Jay
  • 859
  • 5
  • 5
3

The answer is same as: why do we have simple locks in real life, which is so easy to pick-lock or break.

It's always good to let user select his security level.

I bet password to launch nuclear bombs could not be recovered by mother's maiden name. But typical user has 2-3, maybe 10 really important accounts. And hundreds of other accounts. E.g. account in electronic online shop. I dont really care if someone will hack it and will know what I bought in 2011. I dont care about account on one DIY forum where I once asked for couple of advices.

For lot of such accounts people need 'simple locks'. Simple passwords (like '123456'), no requirement to change it often, and easy way to recover it. Usability over security. And thats not 'sadly', thats how it must be, if user wants usability more then security.

yaroslaff
  • 59
  • 3
2

The purpose of security question is long-term validity. You need to remember it when you forgot/lost the password. That's why an inherent piece of information you cannot easily loose fits well. This means the first assumption of the question does not fit.

As for the second part that it could get or already be public knowledge: a) Such security questions are typically (if correctly done) an option, you don't necessarily need them - and you can choose one of many. It is up to the user to decide how well publicly known each is in his/her context (in particular, whether an attacker likely know her normal name at the stage where the security question needs to be answered).
b) properly implemented, the security question should only be one part in a multi-way authentication, because they are always easier to break than a password,another might be access to the mail address you used to register an account with.

So, on the spectrum from convenience to secure the maiden question may be more on the convenient side for users, it's not necessarily always a bad choice. My favorite movie, name of my pet etc. are all not the strongest of secrets.

As for b) Paypal uses this approach to use a multi-way authentication approach when you try to reset your password. In their process you need to provide answers to multiple security questions of this kind. In addition you need to have access to your email address. Alternatively you can choose to get a call to a registered phone number and use the code you get as a second authentication method. It's a part in a mix of measures - the goal being to provide a compromise of convenience and security.

Frank Hopkins
  • 636
  • 3
  • 6
  • 6
    "My favorite movie, name of my pet etc. are all not the strongest of secrets." - Yes, offering those as security questions is **nearly as bad** as asking for mother's maiden name. All security questions are passwords dressed up with a fancy prompt. One of my banks has a particularly nonsensical field labelled "your memorable answer", without actually asking a question. I use the same password generator for this as I do for the field labelled "pass code". – IMSoP May 17 '18 at 15:32
  • @IMSoP My point is, the question as such is not bad, it fits its purpose. But rather sometimes the implementation of security questions as a fallback *component* is done wrong, ie. when they are used simply as a recovery password, not as one component to support authentication when the primary authentication method is not available anymore. – Frank Hopkins May 17 '18 at 16:04
  • 4
    What is the purpose that it fits? I have never seen such a question used in any way other than as an attempt at a "something you know" security factor - i.e. equivalent to a password. For that purpose, it is an extremely poor choice - it encourages users to select a password that attackers could trivially guess. Combining it with other factors might mitigate its awfulness if the other factors are better designed, but combining a piece of string with a padlock doesn't make the piece of string a good security measure. – IMSoP May 17 '18 at 16:17
  • 2
    Sure, it is a factor that you know, but in contrast to a password it should - and I've seen it that way in the wild - have other mechanisms to protect against misuse. Like a strict low amount of wrong answers until it is locked and a warning mail sent. Or used as an additional safeguard before sending out a new password via mail Or used in a telephone support hotline along with other indicators to authenticate you. It's purpose is to be an indicator of your identity when the primary authenticator (password) is not available. It shouldn't stand alone or give equivalent access as the password. – Frank Hopkins May 17 '18 at 20:48
  • 1
    @IMSoP As this answer says, whether or not it is a good security measure depends on how it is used. It is not uncommon for a bank to ask you for selected characters out of your password *and* to verify personal info such as date of birth, mother's maiden name, address etc. Whilst the latter are weak *by themselves*, when they are used in addition to a password they *add* a moderate amount of security. E.g. your password gets keylogged on a public computer; the attacker still doesn't know your personal info. Contrast that with a mother's maiden name that allows you to *bypass* the password – Jon Bentley May 19 '18 at 13:48