I've never been a fan of the "prove your identity" questions that many web vendors use, particularly financial institutions. I had to answer some of these today, and thought I'd share a couple of doozies.

What year did you get your first job?
This seemed like a reasonable question. But then I realized that I have no idea. I know I started my first job in September, but I have no recollection of what year. I could probably figure it out, but I don't want to do that every time I have to answer the question. The other problem is that for a person of known age, the answer can take only a very limited number of values: roughly a bell curve centered at age 18, with tails extending toward 14 and 23.

What is the first name of the funniest friend you know?
There is a problem with this general class of questions: one's habits and friends change over time. So, in this case, the answer today might be my co-worker "Jack." In five years, the answer is somewhat likely to have changed, because people change jobs all the time, and I'm unlikely to keep track of Jack just because he's a decent Leno impersonator.

What was your first sweetheart's last name?
Here's another one that has multiple problems of recall. First, will future me think that my "first sweetheart" was a grade-school crush, first kiss, or first steady girlfriend? Second, will future me think to spell "Hoopengardner" with or without that silent "D"?

In what city was your favorite Olympic games played? What was the year of your favorite soccer World Cup?
These two fit very well together. They require you to perform two exercises:
(a) Think about all the World Cups or Olympics you can.
(b) Rank them subjectively.
Again, someone knowing my age has a huge advantage. Being in my 20s, I do not remember the 1992 Barcelona Olympics at all and have only vague recollections of the 1996 Atlanta Olympics. So someone attempting to access this account would have a one in eight chance of guessing correctly. World Cups are even worse because there are only four that I would have any chance of remembering, and only one during which I watched a single match.

Even a middle-aged person is going to answer a question like this in a predictable fashion. Either they will pick a recent Olympics, or they will pick an especially famous Olympics (1980 with the "Miracle On Ice", 1992 with the "Dream Team" or 1996 because it was in the USA).

Here's why this is important:
Imagine you're a smartphone owner, who gets her purse stolen, phone and wallet included. Thief opens purse, finds phone with no passcode on it, and an email account logged in. Thief decides to play with your 401(k) which happens to be hosted at Fidelity. To reset a Fidelity password, you need only the last four digits of the victim's social security number (which many folks do not consider private information, including many employers who write it on pay stubs), the name of the victim, their date of birth, and access to their email or telephone.

Tell me which of that information is hard to find, given the purse? Maybe the last four digits of the social security number. Maybe. Some states in the past used the social security number as an identifier for issuing driver's licenses, so it isn't impossible that all of that information is on the driver's license.

Even after a password reset, the verification questions are still in the way. But what if the question is "What was the year of your favorite soccer World Cup," and the thief knows even a little bit about USA soccer?

I propose that using these security questions as additional passwords, in place of actually answering the question, may be a good idea. Even if you choose a common dictionary word, a 1 in 1000 chance of guessing a dictionary word is a whole lot better than the 1 in 8 chance of guessing which Olympics was my favorite.