Why is Mother’s Maiden Name still used as a security question?

  • From time to time, some web sites ask to enter a security question and an answer for it. The question list is standard and it usually includes "What is your mother's maiden name?".

    Some people use their mother's real maiden name so that they are sure they can remember what to provide when asked (e.g. as part of the process to recover the account). This means that this information is fixed for a very long period of time. If it happens that some web application is hacked and such an answer is associated with an e-mail address (or worse, with personally identifiable information), it can potentially create a vulnerability for other web applications.

    Also, mother's maiden name might be shared in public space.

    Assuming the above issues with this security question (or any other security question that relies on a constant within one's life):

    Why is Mother’s Maiden Name still used as a security question?

    A security question is just a question. We don't have to assume that everyone will answer with the actual maiden name.

    @papakias Then you may as well replace the question with "please enter a string of characters and memorize it". Oh wait, that's what passwords are. The point of security questions is that you don't need to memorize them as they're things you already know, so you can't forget them like you forget a password.

    @Jonah Well it may be what you are saying, but it also may be an additional (easier to remember) password for recovery. Just because they are asking for a mother's maiden name, it doesn't mean that I am going to give them the real one. That's my point.

    @papakias The idea behind security questions is that you will always be able to answer it even years later without the need to remember the text you had chosen when you created it. Otherwise instead of a security question they would use a second password. If you don't enter real answers in security questions then you are better off not entering anything at all if that's allowed, or enter something very long and random, just to "disable" the security question. Maybe this doesn't apply to you, but the vast majority of people will not remember what made up name they had entered years ago.

    @SantiBailors yes guys, I don't disagree with you. I'm just stressing that filling the real answers is not always the case. The security question is just a tool. And everyone may use it differently.

    @Strawberry - Most of the people do not use password managers to keep their passwords, so I bet many use the real name, so that they do not forget it.

    @Strawberry - I fixed the post to be more accurate.

  • Anders (Correct answer)

    3 years ago

    Because people are lazy and/or incompetent. And, well, you know, the Internet is full of chimpanzees.

    I would argue that all security questions are bad, but using the mother's maiden name is exceptionally bad:

    • At least in Sweden, I can find out anyone's maiden name just with a simple call to the tax office. It is literally public information.
    • It's 2018, and fairly common for couples to adopt the bride's name when getting married. Your mother's maiden name is then your surname. Great.
    • Luis Casillas rightly adds:

      There are dozens of countries, with billions of inhabitants between them, where women don't change their legal name when they marry. The United States in particular has huge immigrant minorities of people from such countries.

    Seriously, there are no excuses for this. It's just bad.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM