Preferences as your Password?
You know the problem, you’ve seen it before.
You want to get into a website that you’ve already registered with, but you’ve forgotten your password. In lieu of chatting with someone on the phone or offline, the website asks you a few predetermined questions that you answered when you registered. You know the questions, because most websites have the same set of questions…
- What is your mother’s maiden name?
- What is your first pet’s name?
- Where did you grow up?
- Who did you lose your virginity to?
…ok… maybe not so much that last one, but you get the point.
The problem, though it may not be abundantly apparent, is that your mother’s maiden name is easily obtainable, as is where you grew up. Most of the things asked to verify your identity are a matter of public record, or otherwise obtainable by investigating you. Essentially, what you know (your password) turns into something other people might find out (mother’s maiden name, high school mascot, etc.) in the case that you forget your password.
One proposed solution is to replace these types of identity-verification questions with your preferences: in music, movies, colors, type of food, sports, etc.
Enter the Blue Moon Authentication system.
The question, here, is: Can these things be learned, given a person’s name?
Granted, some things might actually be learned about a person. A person’s last name denotes heritage and genealogy, from which one might infer food preference, types of movies, etc. Sites like last.fm actually track a person’s music preferences, and pair them with “neighbors” of similar preferences.
Parallel to this, some people answer these types of questions (mother’s maiden name, high school mascot, etc.) with purposely false information, such as “qwerty1234”. Subsequently, when/if they forget the password and are presented with the question “What is your mother’s maiden name?” to recover the password, they believe they are protected from public records giving this away: qwerty1234 is the answer to all questions, it is not public record, and it is therefore useless in attempts to learn the password. This obfuscating strategy works in a question/answer scenario, but likely doesn’t work very well in the realm of preferences. If you purposefully choose falsely, you may not remember your purposeful false choices when you forget your password.
Quite an interesting problem, indeed, with an interesting possible solution.
If only people could choose good passwords, and remember them…
You’re currently reading “Preferences as your Password?”, an entry on Paranoid Linux Ninja Geek
- Published:
- 08.24.08 / 5pm
- Category:
- philosophy, rules, security, tech