When someone decides to get too clever with security question validation…

I was creating an online account for the Canadian government website recently, so I wasn’t surprised when I was asked a series of security questions; that’s normal. What surprised me was the validation that they seemed to be doing on the questions. 🤔

One of my preferred methods for maximizing security is to use nonsensical answers to security questions. A security question is only as strong as its answer. Due to data mining and phishing, someone could easily learn the name of your first pet, for example.

So what I do with these security questions is use answers that are essentially passwords unto themselves. Something that is unique, doesn’t exist anywhere online, and has no way to be reverse engineered through any kind of interaction with me (phishing proof). A true one of one answer.

Imagine my surprise then when I tried using this approach on the registration site for the My Services Canada account. It provided standard options to select from a variety of questions — note that the questions in the screenshot below are not the ones I selected — and rules to follow for the answers. Seems straightforward, right?

It was anything but. My first attempts at using nonsensical answers that met their character requirements were all rejected. Puzzled, I re-checked them all to confirm I was following their requirements and I was. I began changing one answer at a time, simplifying it into something close to a real answer — and that’s when it was accepted. There was a question involving a location, for example, and it wouldn’t accept any answer I gave until I entered the name of a real country. 😲 They also blocked anything with a number in the answer even though they don’t specify that numbers aren’t allowed.

This leads me to believe they are doing some kind of validation on a per-question basis that forces the answer to be a certain type of answer, such as having a real country name if the question involves a location. This stuns me, as it dramatically decreases the security of the questions by forcing the customer to use real answers. I’m not a security expert, but the best answer to a challenge question is one that no one can possibly know, not even the user without them looking it up in a password manager.
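To make the trade-off concrete, here is an added example (not code from the post or from the Service Canada site) that reconstructs the per-question rules described above next to a password-style policy, and shows how an answer can be stored as a salted hash so that accepting gibberish costs the site nothing. The country list and the sample answers are constructed for illustration.

```python
import hashlib
import re
import secrets
from hmac import compare_digest
from typing import Tuple

# Constructed stand-in for whatever country list the site checks against (assumption).
KNOWN_COUNTRIES = {"canada", "france", "japan"}

def restrictive_validate(question_type: str, answer: str) -> bool:
    """Reconstruction of the behaviour the post describes: any digit is
    rejected, and a location question only accepts a recognised country name."""
    if re.search(r"\d", answer):
        return False
    if question_type == "location":
        return answer.strip().casefold() in KNOWN_COUNTRIES
    return len(answer.strip()) > 0

def password_style_validate(answer: str, min_len: int = 12) -> bool:
    """Treat the answer as a secret: enforce a length floor and nothing else,
    so the user may pick something that cannot be learned from public data."""
    return len(answer.strip()) >= min_len

def normalise(answer: str) -> str:
    """Tolerate case and spacing differences at challenge time without
    reducing the entropy of the answer itself."""
    return " ".join(answer.casefold().split())

def store_answer(answer: str) -> Tuple[bytes, bytes]:
    """Hash the normalised answer with a fresh salt and scrypt; the plaintext
    answer is never persisted, so its content is irrelevant to the server."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(normalise(answer).encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def check_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a challenge response against the stored hash."""
    attempt = hashlib.scrypt(normalise(candidate).encode(), salt=salt, n=2**14, r=8, p=1)
    return compare_digest(attempt, digest)

if __name__ == "__main__":
    gibberish = "Vx7!plum-kettle-99"   # constructed high-entropy answer
    real = "Canada"                     # guessable from public records
    print("restrictive:", restrictive_validate("location", gibberish), restrictive_validate("location", real))
    print("password-style:", password_style_validate(gibberish), password_style_validate(real))
    salt, digest = store_answer(gibberish)
    print("later challenge:", check_answer("  vx7!PLUM-kettle-99 ", salt, digest))
```

The restrictive rules reject the strong answer and accept the weak one; the password-style policy does the opposite, and the hashed storage works identically for either.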

I managed to find a middle ground by creating answers that are rooted in their requirements, but as a nonsense mish-mash of near-gibberish that no one could possibly guess, which is just the way I like it. 🙃
