It’s well-established that passwords are a flawed security system. Attackers can guess them, steal them from a database, or watch you type them in. But until we can get our smartphones to take our DNA to confirm our identities, we’re stuck with them.
The processes that let you recover your password if you forget it, though, can be much worse than passwords themselves.
Companies that take security seriously will ask you to authenticate your identity with a “second factor,” such as a code they send to a device they know you own. Companies that are more casual about your privacy will ask you to answer “security questions” — which are typically questions that anyone could guess after a thorough stalking of your Facebook account: Oh, there’s a photo of you with your high school best friend. Oh, there’s a status update with your “porn star name,” combining your first pet’s name with the first street you lived on. (It’s possible the NSA invented that game.) And oh, there’s your mom commenting on everything you upload, and look, she’s divorced and using her maiden name. Pwned.
Disturbingly, security questions haven’t changed much over the last century. During a search for the inventor of the “one-time pad” (the only theoretically unbreakable code system), Columbia computer science professor Steven Bellovin came across a paper from 1882 in the Library of Congress about encrypting telegrams so they couldn’t be read in transit by snoops. He discovered that we were using “mother’s maiden name” as a security question over 130 years ago. As Bellovin writes in his 2011 paper on crypto history, “Mother’s maiden name, that old standby ‘secret,’ was used that way at least as early as 1882.”
Frank Miller, the author of the 19th-century paper “Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams,” was a California banker who used telegrams for banking activity. “It would probably have been used when wiring money to someone,” said Bellovin by email. “The message would be from one bank to another, saying (via codewords): ‘Give $XXX to Joe Smith; he will authenticate himself by saying that his mother’s maiden name is Jones.’”
I’d like to say the maiden name is still around as an identity authenticator because it has “stood the test of time,” but really it’s just because we are a bit lazy and uncreative when it comes to security. The question was never a great one, but it certainly worked better in the 1800s, when women were less likely to keep their maiden names after getting married and no one’s mother was on Facebook.