I was just wondering about the security question we are asked when we create a mail account (or any online account in general).
First of all, why is it needed?
Well, security questions are more or less a second (backup) password to protect your account. Of course, our first password is the one we select when we open the account, the same one we use to log in. In that sense I will call the security question a “second password”, because it is the one that protects your account in case you forget your password (in technical terms we call this password recovery).
Let’s understand why such a frail method of protecting your account becomes the weak point for any hacking attack. Let’s analyze how.
A typical security question is “What’s your mother’s maiden name?” Well, I think this is the weakest link in terms of security. At least some of my friends and relatives will know this, so it becomes easy to break without much effort or brilliance; you just need to know the individual. Oh, I forgot, that’s why we call it social engineering. Other questions include “Your pet’s name”, “Your first teacher in school”, “What’s your nickname”, etc.
Do such questions really make any sense? Let’s come to the difficult part: answering them. I know that giving a legitimate answer to such a question is suicidal. No matter how much effort I put into making my first password strong, I have left a huge entry point there to be broken. It’s more or less like having a ten-foot fence around your house with huge gates, but a very small lock with the keys scattered around. Why should someone jump the fence to get in when he can just push the gates open and walk in? Now you understand why I said it is a very tricky thing to answer such a question. What people do most of the time is write some random answer and think “I can remember this”, or else just forget about it.
The funniest part is that the basic purpose of having this security question is to recover your password when you forget your real one. So the person choosing a funny answer to a secret question is likely to forget the answer when it is really needed. Remember, you are not going to forget the password the day after you created the account; it is only after some time that you are in real need of recovering it. Alas, boom, you have forgotten your answer. Companies make it even more difficult when they ask you to choose the question as well as the answer. Man, now I am in trouble. The end result: you have lost your account. If you are lucky, you may be able to get it unlocked through customer support. But I wouldn’t count on it; if you are that lucky, you could be winning a lottery every month.
There are some variations seen in some cases, like asking for your date of birth along with a combination of PIN code or mobile number. Well, this time I agree that you don’t have to remember this, because you know these things already… HANG ON… It’s not only me who knows this; almost everyone who knows me has this information. Even my resume posted on public sites has all of it.
So it is even easier to break my password now.
Well, you might be thinking I have the solution to this. Well, I don’t exactly (else I wouldn’t be sitting here now).
I can point out some solutions others use in the market. It has been observed that Yahoo and Google have started a new technique for the security question: they allow you to recover your password only if you haven’t logged in for the last 5 days. That’s a good thing to do. Tell me why you should need to recover your password when you logged in yesterday; most probably you are supposed to remember it today as well. Again, it’s not a foolproof solution, since the underlying problem is still not addressed. It’s a security curtain-raiser to make the life of an attacker a bit more difficult.
Another way to do it may be to have an alternate account for the user and mail the new password there when he tries a password recovery, but I am not sure how practical or user-friendly it is.
If we talk about other online accounts, other than mail accounts, they might be interested in doing something like what I mentioned above. I am sure they won’t rely on the security question or DOB for password recovery. Instead they might have another mail id or the user’s correspondence address to which the new passphrase will be delivered. Well, that’s one thing which is much safer than what is currently used. It ensures that the channel used to request password recovery and the channel used to deliver/confirm the new password are different. In case of fraud, the user (as well as the company) gets enough time to do the damage control.
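To make the two recovery policies concrete, here is an added example in Python (not code from the post or from any provider mentioned in it): a knowledge-based recovery check beside an out-of-band flow that refuses requests for accounts used within the last 5 days and hands a single-use token to a recovery address, so the requester never receives the secret on the same channel. The 15-minute token lifetime, the `Account` fields and the sample address are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

RECENT_LOGIN_WINDOW = 5 * 24 * 3600   # the "no login in the last 5 days" rule from the post
TOKEN_TTL = 15 * 60                   # assumption: a reset token is valid for 15 minutes


@dataclass
class Account:
    username: str
    recovery_email: str                 # out-of-band channel (constructed sample value)
    last_login: float                   # epoch seconds of the last successful login
    secret_answer: str = ""             # the weak "second password" the post criticises
    pending: dict = field(default_factory=dict)  # sha256(token) -> expiry time


def weak_recover(acct, answer):
    """Knowledge-based recovery: whoever knows the answer gets in, on the same channel
    the request came from. The comparison is constant-time, but that does not fix the design."""
    return hmac.compare_digest(acct.secret_answer.encode(), answer.encode())


def request_recovery(acct, deliver, now=None):
    """Out-of-band recovery. Refuses if the account was used recently; otherwise hands a
    single-use token to `deliver` (e.g. mail to recovery_email) and returns only a status,
    so the party making the request never sees the token."""
    now = time.time() if now is None else now
    if now - acct.last_login < RECENT_LOGIN_WINDOW:
        return "denied: account was used within the last 5 days"
    token = secrets.token_urlsafe(32)
    acct.pending[hashlib.sha256(token.encode()).hexdigest()] = now + TOKEN_TTL
    deliver(acct.recovery_email, token)       # only the hash is stored server-side
    return "reset link sent to recovery address"


def redeem(acct, token, now=None):
    """Consume a token: valid only once and only before it expires."""
    now = time.time() if now is None else now
    expiry = acct.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # pop => single use
    return expiry is not None and now <= expiry


if __name__ == "__main__":
    outbox = []                                # stands in for the mail channel
    acct = Account("alice", "alice-backup@example.com", last_login=0, secret_answer="Smith")
    print(weak_recover(acct, "Smith"))         # True: anyone who knows the name is in
    print(request_recovery(acct, lambda to, t: outbox.append((to, t)), now=10 * 86400))
    print(redeem(acct, outbox[0][1], now=10 * 86400 + 60))   # True
    print(redeem(acct, outbox[0][1], now=10 * 86400 + 60))   # False: already used
```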
Well, that’s it for now, guys. Meet you soon.