But, what if?

Jared Spool

December 19th, 2008

The security challenge question on Bank of America’s site seems innocuous:

Bank of America Security Question

In what year (YYYY) did you graduate from high school?

But, what if the user didn’t graduate high school? (Little known fact: I didn’t graduate high school, so I’m a little sensitive to this question.)

Should the user enter the date they would’ve graduated high school? Should they make up a date? How will they remember something that didn’t actually happen?

It’s surprising how many security challenge questions are unanswerable like this. I doubt it leaves the user with a positive feeling about the experience.

Update: This is from the Vanguard web site:

Security Challenge Question on Vanguard

Where did you and your spouse meet for the first time? (Enter the full name of CITY only)

What about multiple marriages? Widows?

To add insult to injury, the design replaces every letter the user types with a dot, so they can’t see if they’re typing the city correctly. (Again, I grew up in a city named Schenectady. Not something I’d want to type in the dark.)

22 Responses to “But, what if?”

  1. Abi Jones Says:

    Wow, that’s potentially less answerable than questions like ‘What’s your favorite actor?’ or ‘What’s your favorite band?’. The company with the worst security questions: Virgin Mobile. They assume that a) you’re a teenage and b) you have unchanging tastes.

  2. xian Says:

    At least they didn’t ask you what year you “graduated high school.”

  3. erin malone Says:

    I feel the same way about the “What is your hometown” question. I grew up in a military family and have no hometown – we moved every 2-3 years. Is this where I live now? Where I was born? Where my grandparents lived until they died or where my parents live now even though I have never lived there?

    These questions are terrible over all because the edge cases create so many problems for a lot of people.

  4. Kyle Ridolfo Says:

    The questions they’ve defined for you can also be depressing: they want the name of your dead grandparent, your long lost first pet, and the date you last had a bangin’ body.

  5. Andrew Jaswa Says:

    Wow. Security questions always annoy me. I run into “What high school did you attend?” question a bit. I for one was home schooled all the way up to college and don’t have a “high school” so to speak. I tend to just enter “home” or something of the likes but it’s nothing I think about and can make it difficult if I choose “home” for one site and “home schooled” for another. It makes you wonder what is going on when they come up with the questions. Is it hard to come up with common questions that everyone can answer?

    On that note I’ve seen sites that allow you to enter your own questions and then answer them. Still annoying but better then un-answerable questions.

  6. Patricio Moschcovich Says:

    Gotta love the “(Not case sensitive)” part. The answer they expect is in YYYY format anyways.

  7. Char James-Tanny Says:

    I caught the “(Not case sensitive)” part, too…thought it was funny.

    And my husband and I met on the Internet 😉 What city should I enter? His at the time? Mine? The one where we live now?

    Of course, my favorite question is “What is your mother’s maiden name?”

  8. Cathy Says:

    Anyone who keeps any sort of personal blog is vulnerable to these kinds of “security” questions. I’m liable to have publicly disclosed many of the answers somewhere along the line, and it’s too hard to remember a lie.

  9. Develonizer › But, what if? (via Google Reader) Says:

    […] hengst shared an item on Google Reader But, what if? 1 hour ago – Comment – Like This was written by benh. Posted on Friday, December 19, 2008, […]

  10. Hung Runningbear Says:

    Security questions we’d like to see:

    What was the name of the person who first broke your heart?

    In what year did you finally accept that you were a passive-aggressive emotionally abusive control freak and that the breakup of your first marriage was in fact your fault?

    For what offense were you first taken into custody?

    What is your favorite single malt scotch?

    What is your favorite expletive?

  11. kirabug’s idea files » Blog Archive » But, what if? Says:

    […] recent UIE Brain Sparks sums it up nicely. Bonus is comment #10, with the security questions we’d like to […]

  12. Rahel Bailie Says:

    I have those same problems when filling out security questions, usually because my life isn’t as boring, er, predictable as the question writers assume. I can’t begin to tell you how many times I’ve locked myself out of some account or other because I forget which of my first dogs’ names used (parents ran a dog kennel), or whether I counted my grandmother’s dog (because we lived with them until I was 2).

    Like anything else, I found a workaround (thanks to a banking customer service person who obviously had enough to letting people back into their accounts). Pick all questions that are obviously unanswerable, then answer all three of them with a single secure password. If you’re not married, choose the question “who was your best man”, then answer fcUk0ft (for example). Should I have to do this? No. But it’s actually safer than answering correctly, because anyone with half a brain can find out where I was born and my birth date, for example.

  13. Ed Everett Says:

    Well, what’s worse is to allow people to create their own security question. A certain application dealing with personal information I’ve worked briefly on does this.

    People created questions that allowed access to their information like:


    “1 + 1 = ?”

    “1234” (answer being “5678”)

  14. Chris Pallé Says:

    So, the moral to the story is, when designing forms with a security q, give multiple questions from which to choose via a drop-down or something. 🙂

  15. Jared Spool Says:


    So, the moral to the story is, when designing forms with a security q, give multiple questions from which to choose via a drop-down or something.

    Except that can just add insult to injury when all the questions are equally as bad.

  16. Andrew Says:

    Also @Chris, then the problem also becomes: which question did I choose? My worst example is EdFinancial, the student loan servicing site. They ask you to choose 3 security questions–each of the “what was your favorite restaurant in high school” type–from three separate lists. So the first problem becomes: what were the three questions I chose? Mother’s maiden name, favorite pet, model of first car? Or paternal grandfather’s nickname, first company you worked for, mother’s birth city? Then you have to actually get the answers right. Case-sensitive, sucka.

  17. Peter, Raleigh, NC Says:

    “What is your father’s middle name?”

    Answer: Jay

    “Must be at least 4 letters long.”

    I had no opportunity to tell the system that my father’s middle name is legally J-A-Y. I think I changed it to “Homer.”

    Now that I use a stored password manager, these questions become less problematic for me.

  18. Janet V Says:

    My favorite was an early instance of the Vanguard site. They had several standard questions I could answer. I figured that I would use “Who was the best man at your wedding?”. Easy – Dick was the best man at our wedding.

    When I typed in Dick, the system came back with an error message (I forget the exact wording) that those kinds of words weren’t allowed on their site!

  19. Greg Says:

    I especially like it when sites let me choose my own security question. I like my question to be ‘What are you wearing?’ http://comedians.comedycentral.com/eugene-mirman/videos/eugene-mirman—security-question

  20. Naomi Says:

    I second what everyone else said – I think it’s pretty much the most insecure security measure ever invented. Any member of my family would know any detail of my childhood or my parents such as pets’ names or maiden names or schools. Any of my childhood friends, too! I actually prefer the write-your-own for that reason, but only because I write bloody good ones. Even so, it is hard to think of something that NOBODY else knows. My partner knows a lot about my life too – and what if we break up and he decides to hack my accounts? Yeah, security question haz noes security …

  21. Mike Says:

    Agreed, and I find some questions annoying because of the assumptions made (what if you’re single and don’t have a spouse??). But as much as I loathe them, what would be a suitable workaround?

  22. Chris Pallé Says:

    @Jarod odds are, they won’t all be bad. There’s also the “make up your own question” option as Naomi suggested.

    @andrew that’s a fail on the recovery side. Generally, we can’t prompt users to answer a security question without a username. The username is associated with the supplied questions…. and case-sensitive? ummm, yeah. 😉

    @mike a suitable work around? There are a few alternatives. We could get really crazy and have a voice-detection application that when establishing the account, requires a recorder that accepts the answer to the question that you’ve written out. Then a voice-matching application for recovery. Most computers have mics nowadays… I’m just sayin, if it’s _that_ important and they have the technical wherewithal, this could be a good way to go.

Add a Comment