Why is Mother’s Maiden Name still used as a security question?

Question

From time to time, some web sites asks to enter a security question and an answer for it. The question list is standard and it usually includes "What is your mother's maiden name?".

Some people use their mother's real maiden name so that they are sure they can remember what to provide when asked (e.g. as part of the process to recover the account). This means that this is information is fixed for a very long period of time. If it happens that some web application is hacked and such an answer is associated with an e-mail address (or worse, with personally identifiable information), it can potentially create a vulnerability for other web applications.

Also, mother's maiden name might be shared in public space.

Assuming above issues with this security question (or any other security question that relies on a constant within one's life):

Why is Mother’s Maiden Name still used as a security question?

Answer 1

Because people are lazy and/or incompetent. And, well, you know, the Internet is full of chimpanzees.

I would argue that all security questions are bad, but using the mother's maiden name is exceptionally bad:

• At least in Sweden, I can find out anyone's maiden name just with a simple call to the tax office. It is literally public information.
• It's 2018, and fairly common for couples to adopt the bride's name when getting married. Your mothers maiden name is then your surname. Great.

• Luis Casillas rightly adds:

  There are dozens of countries, with billions of inhabitants between them, where women don't change their legal name when they marry. The United States in particular has huge immigrant minorities of people from such countries.

Seriously, there are no excuses for this. It's just bad.

Answer 2

"Security questions" may be the only solution to a hard problem. You've got a customer, they've lost their password (and their email access) and you'd both like to get them back.

It may not be proportionate to have them perform in person verification at your offices or with a notary, which would really be the only totally secure solution (matching secure government id against their appearance/biometrics).

I think banks (just as a for instance) which use this kind of verification have pretty good statistics on the prevalence of every type of fraud and will know the risks and benefits (e.g. say my bank needs to identify me when travelling overseas, they can't and they lose me a customer along with tens of thousands in lifetime profit - versus they allow fraudulent use of a card and lose tens of thousands directly - but they know only 5% of flagged transactions are actually fraudulent).

Answer 3

Lethargy and/or inertia

More seriously institutions relied on this information being essentially secret for a few decades. The age of mass publicised data breaches is very recent.

Most organisations are slow to react to change.

Simple as

Answer 4

False assumptions.

Security questions, just like "complex" password requirements, are rooted in what is called best practice but actually isn't. Like an oral tradition, many of these practices are passed on from one security person to the next, and rarely questioned (whenever they are questioned, it often turns out they are bogus).

Security questions is one of these things. Someone came up with a reasonable idea, and very soon a fairly standard list of such questions evolved, and since then everyone has basically copied from there, without questioning.

So yes, you are right, this and almost every other "security question" is a danger and typically much, much easier to figure out than even a weak password (e.g. anything that's not on the top 20 list).

Answer 5

Usability over security, sadly

The banks want to be secure, but face a clientele for which usability is mandatory.

This clientele is not made of our peers. It includes those who fear "the gub'mint", seniors who don't understand change and resist it, mentally disabled who took years to learn this system and just can't process another scheme, not to mention staff members e.g. someone acting with power of attorney for an estate or disabled person. Whatever system you devise has to be accessible to all those people, unless you want to have tiers of access. We are stuck with lowest common denominator, or convoying at the speed of the slowest ship.

Money over security: Liability shift

The banking system is built on trust far more than anyone would like to admit. Fraud is contained by very active security staff, who don't have to outrun the bear. If bank security is just good enough that attackers switch to some easier means of making money, the bank wins. That criminal who would've been attacking the bank, instead threatens to be an IRS agent and gets a retiree to voluntarily Western Union their life savings. That retiree can't come back to the bank and demand their money back, so the bank is in the clear.

This type of "liability shift" is a huge part of bank strategy. Anything they do is going to shift liability away from the bank. They have disincentive to install a stronger system which on failing creates more liability for the bank.

Answer 6

"Security questions" in general are an incredibly stupid idea.

Any time you create a password, it's routine advice to say that you should not use personal information for a password, like where you went to high school or your favorite color or the make car you drive, because a hacker trying to break into your account might be able to discover or guess these things. Instead, you should use a meaningless string of letters and digits, that should be impossible for anyone to guess.

But ... we understand that meaningless strings of letters and digits are hard to remember. So let's create security questions, which function effectively as alternate passwords, and for these we'll use something easy to remember, like where you went to high school or your favorite color or the make car you drive. Because while a hacker might try to guess this kind of personal information for a password, it would never in a million years occur to a hacker to try to guess the answer to a security question.

At least if you used some personal information for a password, the hacker wouldn't know whether you used your high school or your favorite color or a car make. But with security questions, we TELL him which it is.

If someone knows you, many security questions would be easy to find or guess. Maybe you moved here from another city, but there's a fair chance you grew up where you live now, so guessing high schools in the area would have a fair chance of getting a hit. He might know what model car you drive. If not, there aren't all that many different car makes. If you ask people for their favorite color, most people will name one of a dozen or so. (Well, most men, anyway. Women tend to know the names of far more colors than men do.)

One system I just created an account on recently limited their security questions to things with a fairly small number of possibilities, and then provided drop downs for each of them! So tell the hacker, here are the 20 possible passwords someone was allowed to choose from! I've seen systems that make me choose a password that is at least 8 characters because if I just typed in 6 or 7, that's only a few billion possibilities, and a hacker might get it with a brute force attack. But then let's have an alternate password where we helpfully list the 20 choices. That saves the hacker from having to worry about being tripped up by capitalization or mis-spelling.

Answer 7

The answer is same as: why do we have simple locks in real life, which is so easy to pick-lock or break.

It's always good to let user select his security level.

I bet password to launch nuclear bombs could not be recovered by mother's maiden name. But typical user has 2-3, maybe 10 really important accounts. And hundreds of other accounts. E.g. account in electronic online shop. I dont really care if someone will hack it and will know what I bought in 2011. I dont care about account on one DIY forum where I once asked for couple of advices.

For lot of such accounts people need 'simple locks'. Simple passwords (like '123456'), no requirement to change it often, and easy way to recover it. Usability over security. And thats not 'sadly', thats how it must be, if user wants usability more then security.

Answer 8

The purpose of security question is long-term validity. You need to remember it when you forgot/lost the password. That's why an inherent piece of information you cannot easily loose fits well. This means the first assumption of the question does not fit.

As for the second part that it could get or already be public knowledge: a) Such security questions are typically (if correctly done) an option, you don't necessarily need them - and you can choose one of many. It is up to the user to decide how well publicly known each is in his/her context (in particular, whether an attacker likely know her normal name at the stage where the security question needs to be answered).
b) properly implemented, the security question should only be one part in a multi-way authentication, because they are always easier to break than a password,another might be access to the mail address you used to register an account with.

So, on the spectrum from convenience to secure the maiden question may be more on the convenient side for users, it's not necessarily always a bad choice. My favorite movie, name of my pet etc. are all not the strongest of secrets.

As for b) Paypal uses this approach to use a multi-way authentication approach when you try to reset your password. In their process you need to provide answers to multiple security questions of this kind. In addition you need to have access to your email address. Alternatively you can choose to get a call to a registered phone number and use the code you get as a second authentication method. It's a part in a mix of measures - the goal being to provide a compromise of convenience and security.