
Yeah! Let me logon… Argh! I forgot the answer…

by cwoller on May 20th, 2010

When it comes to creativity, I am a lousy person. Privately, I don’t care about passwords. It drives me nuts when I need to access websites through stupid security mechanisms like the passport systems that are so widely and commonly used.

We all know them: “Security” questions like

What was your first pet’s name?

or

What is the last name of your childhood best friend?

Ok, so what is the idea behind these questions? I mean – they have only three effects on me:

  1. I think about everybody who knows me and could answer these questions.
  2. It makes me think of stupid answers like “FuckThisQuestion” that I will remember for exactly two minutes.
  3. When I try to log on one week later – guess what – I am frustrated because I don’t remember anything, and I am not able to reset my password because of the security questions.

The procedure is the same – every time, every system:

  1. The user does not remember his password, so he clicks on “Forgot password”.
  2. He needs to enter his email address (or, to make it even more “secure”, he is also forced to enter a username).
  3. If he can remember his logon name (“nickname”), he is redirected to a page where he needs to enter the answer to a “security question” that he defined when he created his profile some time ago. To make it even more secure, some systems ask two questions instead of one. And you need to answer ALL of them.
  4. If he can remember the answers to ALL security questions, he gets an email with either a link to a password reset page – or – if the company does not store his password encrypted, he gets his original password via email – or – he gets a new password via email.
  5. I normally do not proceed past step 2 if the system needs both my email address and my username.

In reality, none of this provides any more or advanced security at all. It doubles the information I need to write down on a piece of paper and put under my keyboard.

If you are the guy who designs such a logon system – think about some facts:

  • First of all: “Security” questions suck! If I cannot even remember my logon name, what the hell makes you think I will remember my answers to your questions?
  • Questions about common facts do not mean any security at all. Not even if I call them “security questions”.
  • So-called security questions do not become more secure if I ask two (or more) questions instead of one.
  • If you need a “Completely Automated Public Turing Test to tell Computers and Humans Apart”, use a CAPTCHA, not “security questions”. If you like to play with your users, implement Asirra or anything similar.
  • Use KISS (“keep it simple, stupid!”): user forgot password > enter either username or email address > send a new password to the user’s email