Join 3,424 readers in helping fund MetaFilter (Hide)


"No, I've never seen a movie."
November 13, 2013 8:28 AM   Subscribe

A Man Has Trouble With His Security Questions - a sketch from The UCB show 'Small Men'
posted by The Whelk (36 comments total) 20 users marked this as a favorite

 
These guys are the best and you can't convince me otherwise.

Will Hines (the guy who can't answer any questions) wrote a kind of "making of" post about this sketch in particular for his great comedy based tumblr here.
posted by dogwalker at 8:33 AM on November 13, 2013 [1 favorite]


"What’s your girlfriend’s name?"
"A glyph: a bird-man carrying a pot."

FTW.

Also, the Interlaaken/Interlaäken joke.
posted by chavenet at 8:43 AM on November 13, 2013 [3 favorites]


I've genuinely had trouble with some of those that have a fixed set of questions. They either ask for things that are not actually secure, like where I was born, or things I don't have an answer to, like "favorite teacher". I've had lists of ten where I couldn't use any of them, and arbitrary answers have the problem of being forgotten.
posted by tavella at 8:57 AM on November 13, 2013 [4 favorites]


"A glyph: a bird-man carrying a pot."
     ⋃
  🐦 / 
   /|  
  /\ 
Should be pretty easy to remember.
posted by Valued Customer at 9:02 AM on November 13, 2013 [6 favorites]


I've had lists of ten where I couldn't use any of them, and arbitrary answers have the problem of being forgotten.

That's why it helps to have a system of phony but memorable answers. If the question is "What was the make and model of your first car" you can answer with "Super Great Car" and if the question is "In what city were you born" you could answer with "Super Great City", for example. Basically treat them more like passwords and less like honest answers to arbitrary questions.
posted by burnmp3s at 9:03 AM on November 13, 2013 [4 favorites]


Of course, then you run into the possibility that a certain number of people will have exactly the same joke answers to the same questions, opening up an avenue of attack for a sufficiently clever hacker.
posted by Strange Interlude at 9:06 AM on November 13, 2013


"Witty Spaceballs Quote"? That's amazing! I've got the same password on my laptop!
posted by filthy light thief at 9:09 AM on November 13, 2013 [3 favorites]


I've genuinely had trouble with some of those that have a fixed set of questions. They either ask for things that are not actually secure, like where I was born, or things I don't have an answer to...

Exactly! The ones that ask for your "favorite" this or that especially annoy / flummox me. I don't consistently have a favorite of any of those things! It's not like I'm all "above" having favorites, I just recognize that my favorite thing of whatever category has already shifted a couple times and, realistically, will certainly shift again over the course of my having this account. I feel like this is an overly metaphysical approach to these questions, but at the same time, if I'm supposed to remember, in 2+ years, what I picked today, it should be something that will stay consistent from one time to the next, yes?

And then the questions like "where did your uncle get married" or whatever - I mean, who actually knows that shit? Maybe I am officially not close enough to my extended family but if it's a family question beyond mother, father, and siblings, I likely do not know it. Unless it's like "who gets drunkest at family Thanksgivings." That should definitely be one, come to think of it.

In fact, it's quite unclear to me why you can't just enter your own. If they have enough database space for 5 free-form answers, they have enough space for 5 corresponding free-form questions.
posted by Joey Buttafoucault at 9:11 AM on November 13, 2013 [1 favorite]


After Palin's Yahoo account was hacked, I decided to just answer every single question with the name of my cat. High school mascot? Mother's maiden name? Paternal grandfather's middle name? Childhood friend? Make of first car? Why, Socks, of course.
posted by klarck at 9:13 AM on November 13, 2013 [2 favorites]


Of course, then you run into the possibility that a certain number of people will have exactly the same joke answers to the same questions, opening up an avenue of attack for a sufficiently clever hacker.

This is, in all seriousness, why I never use "purple monkey dishwasher" despite being sorely tempted.
posted by Joey Buttafoucault at 9:14 AM on November 13, 2013 [2 favorites]


This is great- I've always enjoyed imagining the people for whom none of the listed questions apply. One that drives me crazy is "the name of your first pet," because we got two cats at the same time...
posted by showbiz_liz at 9:18 AM on November 13, 2013


That's why it helps to have a system of phony but memorable answers.

Yup. I use colloquialisms, generic slang or abbreviations whenever possible. So instead of "City Born In = San Francisco", I might use "SFBay" or maybe "City By The Bay" (not a real answer btw and I am not from SF).

The general idea is that all these questions do not have to be truthful at all, you just have to remember them. Once you get a set of pat answers down that are derived from the true answers, it is really easy to remember.
posted by lampshade at 9:19 AM on November 13, 2013


I've had lists of ten where I couldn't use any of them, and arbitrary answers have the problem of being forgotten.

I just copy the question. My first pet was named "First Pet Name," and I loved him dearly.
posted by Etrigan at 9:30 AM on November 13, 2013 [3 favorites]


The answer to every question is, "It depends." Always.
posted by It's Raining Florence Henderson at 9:31 AM on November 13, 2013


The security question/answer paradigm seems to rely on a shared delusion of increased security, where the practical effect if used "correctly" is to instantly open your accounts up to social engineering attack vectors.
posted by odinsdream at 9:46 AM on November 13, 2013 [1 favorite]


I always fill these answers out with a simple SQL-injection script. That way, if anybody does guess it right, I own them.
posted by It's Raining Florence Henderson at 9:51 AM on November 13, 2013 [6 favorites]


Little Bobby Tables, my best friend in gradeschool.
posted by bonehead at 9:58 AM on November 13, 2013 [1 favorite]


I can never remember if the horse has the correct staple battery or if the staple has the correct battery horse or the battery has the correct horse staple or anyway permutations are good exercise I try to do at least two dozen a day
posted by ook at 10:19 AM on November 13, 2013


I had one of these few months ago where the answer to the question was red. It then told me that my answer had to have at least 4 letters. How can you ask people a question to which the only answer is red and then demand 4 letters? OK I could spell it read, or lie and say blue, but I'm never going to remember that.
posted by interplanetjanet at 10:49 AM on November 13, 2013 [2 favorites]


I actually had this problem with a banking site recently. None of their short list of possible security questions applied to me at all.
posted by 3.2.3 at 10:55 AM on November 13, 2013


burnmp3s: That's why it helps to have a system of phony but memorable answers. If the question is "What was the make and model of your first car" you can answer with "Super Great Car" and if the question is "In what city were you born" you could answer with "Super Great City", for example. Basically treat them more like passwords and less like honest answers to arbitrary questions.
I'm not a security expert, but it seems to me that this approach creates the same problem that re-using the same few passwords at many different web sites creates, assuming you're using the same "phony but memorable" answers everywhere. You've just moved the attack vector from the password to the password recovery service.
posted by Western Infidels at 11:30 AM on November 13, 2013 [1 favorite]


Sometimes the fact that all of my "password hint" answers are themselves random strings of gibberish characters generated by my password manager makes me feel like a robot. On the other hand, my first dog's name really was <%Npx$7xxq&.
posted by invitapriore at 11:34 AM on November 13, 2013 [1 favorite]


...seems to me that this approach creates the same problem that re-using the same few passwords at many different web sites creates...

For sites that force me to set up security question/answer pairs I create random answers using LastPass and store those in the Notes field within the Site record.
posted by odinsdream at 12:18 PM on November 13, 2013


One of my credit unions has multiple-choice answers to their set of ridiculous questions. So it's like, what is your favorite sea creature? And you have to remember which one you chose: sea urchin, starfish, fire worm, stingray, killer whale? It is so stupid and annoying. I always end up having to choose another at least once. What is the actual security of that?
posted by rabbitrabbit at 12:44 PM on November 13, 2013


I don't have a spouse or children or a favorite teacher, actor, or movie. So I barely exist, according to my bank.
posted by chowflap at 12:52 PM on November 13, 2013


My favorite broken-ness of these "security" questions is the "answers must be longer than 3 letters" requirement. So everyone whose mother's maiden name is Lee? Fuck you. First pet's name is Bo? Fuck you too. Favorite band is U2? Once again, fuck you. Hometown is Goa? You know what to do.
posted by mhum at 12:53 PM on November 13, 2013 [2 favorites]


I was trying to access a secure bridge, and it asked me the wing-speed velocity of an unladen swallow. I asked whether it meant an African or a European swallow, and then the whole bridge collapsed.
posted by It's Raining Florence Henderson at 12:54 PM on November 13, 2013 [5 favorites]


I doubt the IT guy has the ability to let the guy go. Endings are hard!
posted by John Shaft at 1:57 PM on November 13, 2013


Yes, you have cleverly caught the part of this that is unrealistic.
posted by kyrademon at 2:31 PM on November 13, 2013 [1 favorite]


Many of these "security questions" are genealogy related, like "what is your mother's maiden name" or "what city was your father born in". If you have access to a genealogy website this information is freely available. I have no idea why they think that it's better than a password.
posted by Joe in Australia at 2:35 PM on November 13, 2013 [4 favorites]


Since my password is in LastPass I just spew garbage into the security questions and don't store my answers. As long as I have access to my LastPass I can get the password; if I can't, then I'm not going to be able to get to my stored gobbledegook security questions either.
posted by BungaDunga at 4:18 PM on November 13, 2013


On the one hand, we have passwords, which are meant to be information that you know and other people don't

On the other hand, we have security questions which are meant to be information that... you know and other people don't.

except in the latter case the information is specifically designed to be easy to guess. Honest answers to security questions are canonical bad passwords.
posted by BungaDunga at 4:31 PM on November 13, 2013 [2 favorites]


My Mother's maiden name was Password123.
posted by It's Raining Florence Henderson at 4:34 PM on November 13, 2013 [1 favorite]


I have a standard "not actually the answer" way of answering security questions that I've gradually adopted, but then you get sites which force you to pick three, and it's just like - I don't want to engage in this much psychic effort just to sign up to your fuckin' newsletter. I'm not married, I don't have a favourite restaurant, I don't remember where my first god damn kiss was and thanks for reminding me.

I do acknowledge that this is probably the only time I ever have to even slightly experience the sensation of "the world is designed for the people who got there first" though.
posted by lucidium at 5:41 PM on November 13, 2013


Until I wrote this comment, chavenet's Interlaäken reference was the sole search result on Google for Interlaäken. Sorry for taking that away from you chavenet.
posted by bswinburn at 7:43 PM on November 13, 2013 [2 favorites]


I reject "security" questions on principle and enter randomly typed gibberish like "sod939adj93jq0d".
posted by neuron at 9:58 PM on November 14, 2013


« Older Behold the trailer for The Visitor, which is now b...  |  Game Theory - it's not just fo... Newer »


This thread has been archived and is closed to new comments