feature article
Subscribe Now

Challenging Challenge Questions

Do They Really Provide the Best Security?

The developed world – particularly the US – is a complex environment replete with residents from diverse places and backgrounds with widely differing experiences. But it’s not a homogeneous mix: cities will be more diverse than rural areas, and, even within cities, you’re going to get clusters of people with shared characteristics.

Well, there appears to be a cluster of people – not sure where – that have the following traits:

  • They’ve lived in one place, and they went to one set of schools.
  • They’ve had one set of friends for their entire life.
  • They have clear favorites of everything. And those favorites never change, ever. By the time they’re 25, they have a favorite pet, movie, book, teacher, TV show, musician, song, everything. And even though they have 60 years ahead of them, those favorites will stick.

Who are these people? They’re the ones deciding the challenge questions for your secure log-in. The questions are mostly used for confirmation that you’re who you say you are if you need to change your password or do some other ultra-privileged thing.

Other sites use them more intrusively. With my credit union, if I log out and then log back in again within an hour (or some period), it wants confirmation that I’m still me. Or at random other times when trying to do something, it will interfere with a challenge question even though I’ve checked that box saying, “Yes, this is still my private computer, just like it was 10 minutes ago. No, I’m not being burgled.”

In theory, this would seem to be a reasonable idea. If you want to prove that you’re you, then provide some information that only you would know. It sounds good up until you’re provided with the opportunity to set up your personal questions and answers. That’s when the trouble starts.

I don’t want to come across like some emo goth who’s simply too complex to have his essence captured and reduced to three banal questions. But I always tense up when the time comes to find my personal questions: will I be able to find three with unambiguous, lasting, memorable answers? I always come away feeling like the question-selectors came from some small-town cluster where everyone was the same and life was uncomplicated by complex options.

You might as well have questions like,

  • What’s your favorite model of Mercedes?
  • Which is your favorite Shoney’s?
  • Who makes the best hot dish?
  • What’s your favorite breed of cattle?

If you’re not in a suitable population cluster from the Bay Area or Connecticut or the South or Minnesota or Nebraska or Texas, you’re not likely to find a suitable question in that mix.

There are three main weaknesses to most of the options.

  • They don’t reflect your life. “What’s your spouse’s favorite color?” – when you’re not married.
  • You can find a question for which you have a definite answer at that moment, but the answer will change according to your mood or after you read a book that’s even better than your last fave.
  • You don’t have an obvious answer, so you have to just pick one – and you may not remember your random selection when you need it.

For any individual, any given question might be irrelevant, of course, and so there’s a selection of questions – with the expectation that everyone will be able to find three that work. But each time, I barely skate by with three questions that I can use, and I’ve wondered when the time would come that I couldn’t find three questions with unambiguous answers.

My luck finally ran out the other day when an airline for which I’m a frequent flier – or, rather, used to be a frequent flier – suddenly needed me to upgrade my security. (As always, these things are “URGENT, MOST DO IMMEDIATELY!”) And this time there was a twist: no more having to come up with answers. They provided not only the question options, but the answer options too.

So even if I could find a question with a solid answer, if it wasn’t one of the answers they offered up, it wouldn’t work. And I needed not 3, but 5 questions. And each question drew from the same list (some sites have a different list for each question). It’s like their IT department got spanked for lax security and said, “OK, you want tight? I’ll give ya tight!” For the first time ever, I aborted the process.

I have to say, they did do some work trying to come up with exhaustive answer lists. Here are the questions:


Heavy on the favorites (something that doesn’t do well for me because of that changing-with-mood-and-context thing.  My favorite kind of food, for example, depends on whether I’m in Boston, Austin, or San Francisco).

If we look into the first question, it’s pretty unambiguous: we all had a first car. Unless, that is, we’ve never had a car. Yes, there are people leading totally carless lives. The list of automobile options is pretty extensive; I don’t know if everything is there, but this is one question I could go with.


(And no, I don’t have a Lancia.)

But what about the career dreams of children?


Really? Kids grow up dreaming of being ad execs? Go Mad Men! But what if I grew up wanting to be a bounty hunter? Or a bail bondsman? Not on the list… no can do.

Heck, I can just see it now:

  • What’s your mother’s maiden name?
    • Smith
    • Andrews
    • Jones
    • Taylor
    • [other Anglo names]

Up to this point, this is just me snarking and whining about how I’m too special to submit to such simplistic questions (and answers). But I’ve always thought there’s a better way to do this, even when you have only a question list to pick from. Even more so when you get an answer list as well.

If the whole idea here is to identify something that only you know uniquely, then the best questions and answers would be uncommon – ones that would not likely be on anyone’s list of obvious questions and answers.

I don’t specifically know how these things are stored, but if someone can hack the question options, then they’re part way to breaking the security. If they can now also hack the answer options, then they can, in theory, brute force their way through the answers until one works. A sophisticated system would notice such behavior, but are these systems sophisticated?

As it is, an intruder can learn the candidate questions (and answers) by creating a bogus account and capturing all of the question (and answer) options. From there, a determined soul could do some research about a target individual, toss in a dash of trial and error, and doors might open. That may not be a high-volume break-in, but it’s still a break-in. (And the low volume thing might reflect only my limited imagination.)

Here’s a better way: let us come up with our own questions and answers. I can’t say what my favorite pet was, but I can answer definitively, “What was the name of your pet that consistently pooped under the piano when you were around 9 years old?” Funny… I’ve never seen that question on any list.

And that’s just the point. If a would-be intruder has absolutely no knowledge of what the questions are going to be (much less the answers), then it’s going to be even less likely that they can break in. Granted, the way these work, you’re presented with a question, so, on the surface, hacking a question might not be an issue. Then again, I’m not a hacker, and I’m constantly amazed at the indirect and unobvious ways people break into things. Apparently, security folks are similarly amazed (as they rush to patch unobvious vulnerabilities).

I’ve actually thought this for years, but I wasn’t spurred to action (if you can call writing a rant “action”) until the answer list thing reared its head. And some of those thoughts consisted of wondering why the create-your-own-question thing wasn’t an obvious solution.

The only thing I’ve been able to come up with is that, with pick lists, you can store the answers as indexes. I don’t know if that’s how it’s done, but, since that uses little memory, you could envision that being the answer.

Saving a created question, of course, requires storing – and hashing – all that text. But in an era of big data, that amount of data officially qualifies as mice n…oses.

There is one possible other reason: perhaps lots of people don’t want to think hard enough to come up with questions. So, to cover this case, you could have a list of pre-canned questions with a “create your own” option at the end for those of us unsatisfied with our selections. Kind of like a pizza menu.

I don’t know if there’s some other barrier (please feel free to answer in comments if there’s more to this); seems pretty straightforward to me. I’ll even trot out the five deadliest words in business: “How hard can it be?”

OK, so I’ve finally gotten this off my chest. Have you had similar experiences? Do you belong to a population cluster that’s poorly represented in challenge questions? What’s your favorite challenge question? (Oo! Oo! That should be a challenge question! It’s so meta!) If you have some good challenge question stories, please do share them with us in the comments.

16 thoughts on “Challenging Challenge Questions”

  1. Pingback: Dungeon
  2. Pingback: fast seedbox
  3. Pingback: Togel Guangzhou
  4. Pingback: jeux de friv
  5. Pingback: friv 1
  6. Pingback: wiet
  7. Pingback: lose weight legs
  8. Pingback: Aws alkhazrajii

Leave a Reply

featured blogs
Sep 25, 2020
What do you think about earphone-style electroencephalography sensors that would allow your boss to monitor your brainwaves and collect your brain data while you are at work?...
Sep 25, 2020
Weird weather is one the things making 2020 memorable. As I look my home office window (WFH – yet another 2020 “thing”!), it feels like mid-summer in late September. In some places like Key West or Palm Springs, that is normal. In Pennsylvania, it is not. My...
Sep 25, 2020
[From the last episode: We looked at different ways of accessing a single bit in a memory, including the use of multiplexors.] Today we'€™re going to look more specifically at memory cells '€“ these things we'€™ve been calling bit cells. We mentioned that there are many...
Sep 25, 2020
Normally, in May, I'd have been off to Unterschleißheim, a suburb of Munich where historically we've held what used to be called CDNLive EMEA. We renamed this CadenceLIVE Europe and... [[ Click on the title to access the full blog on the Cadence Community site...

Featured Video

DesignWare MIPI C-PHY/D-PHY IP Performance at 24 Gbps

Sponsored by Synopsys

This video features the DesignWare MIPI C-PHY/D-PHY IP interoperating with an image sensor in C-PHY mode up to 3.5 Gsps per trio and D-PHY mode up to 4.5 Gbps per lane, available in FinFET processes for camera and display applications.

More information about Synopsys DesignWare MIPI C-PHY/D-PHY IP

Featured Paper

4 audio trends transforming the automotive industry

Sponsored by Texas Instruments

The automotive industry is focused on creating a comfortable driving experience – but without compromising fuel efficiency or manufacturing costs. The adoption of these new audio technologies in cars – while requiring major architecture changes – promise to bring a richer driving and in-car communication experience. Discover techniques using microphones, amplifiers, loudspeakers and advanced digital signal processing that help enable the newest trends in automotive audio applications.

Click here to download the whitepaper

Featured Chalk Talk

Series 2 Product Security

Sponsored by Mouser Electronics and Silicon Labs

Side channel attacks such as differential power analysis (DPA) present a serious threat to our embedded designs. If we want to defend our systems from DPA and similar attacks, it is critical that we have a secure boot and root of trust. In this episode of Chalk Talk, Amelia Dalton chats with Gregory Guez from Silicon Labs about DPA, secure debug, and the EFR32 Series 2 Platform.

Click here for more information about Silicon Labs xGM210P Wireless Module Starter Kit