Why are security phrases a bad idea?

The title of this post was the security pass phrase question I chose when registering for online access to a financial services firm. I called the aforementioned financial services firm today and, when prompted for the answer by the customer service representative, I responded “because you can’t remember the questions or answers.” Unfortunately, that was not the correct response to this knowledge-based authentication (KBA) question. However, this experience is another example of why static KBA systems are a bad idea: usability. I registered for access so long ago that I can’t remember the response (I usually include them in my password safe, but did not in this instance). Being an identity-privacy zealot, I did not enter one of the usual KBA questions like “what was the first car you owned?” or “where did you go to high school?”

Why are static KBA systems still in use? They are a very weak link in the security chain, yet they are used by so many websites, including, supposedly, security-conscious banking sites. In the age of Google and Facebook, the list of good KBA questions (answers that are both memorable to the account holder and not discoverable by anyone else) is effectively zero. I will be happy when my account is closed with this financial institution!

2 Comments on “Why are security phrases a bad idea?”


  1. […] This type of static knowledge authentication is simply NOT suitable to authenticate any transaction that requires more than a very minimal level of assurance, and it is very naïve to use it for online banking (see also). […]

  2. James Says:

    Dynamic KBA, while better than static, has its own challenges, including but not limited to:

    – Determining a credible source of data
    – Adding costs associated with procuring a credible source of data
    – Having to collect even more personally identifiable information such that you can query a credible source of data
