Entertaining (though I've already read this one...).
I have a more interesting game I play with bank security questions that's more useful, though -- and applies to the most common usage (where the bank provides the question to you).
Simply this -- for each question, imagine how easily you could guess the answer even knowing nothing about the account owner. I'm not talking about real analysis here, just roughly mapping out the answer space.
For example, "In what city/town did ___?" is a common question. Well, if it's a US bank, probably you're dealing with US cities, and there are fewer than 20K. (Already, whoa: a three character alphanumeric password has 10 times the possibilities). Then of course cities should be weighted by population, so since NYC is biggest... well, New York has 8.3 million of the USA's 311.6 million population, so the answer to this question will be New York City about 2.6% of the time.
"What's the first name of your [specified grandparent]?" is another good one. How diverse are first names, generally, particularly a few generations back? Of course there's a long tail, but otherwise... not that diverse, and it's trivial to find stats on most common names in the early 1900s. I've never chosen this question even before I started thinking hard about security, because it was blazingly obviously a bad question -- the banks would ask for my maternal grandfather's name, and I was named after him.
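The "rough mapping of the answer space" described in the comment above, worked through as a small script. This is an added example, not code from anyone in the thread; the New York and USA population figures are the ones quoted in the comment, and every other number (the other city populations, the grandfather-name shares) is a constructed round guess, not census data. It estimates how often a single best guess succeeds, how many popular answers an attacker's list needs to cover a given share of users, and compares that with the size of a uniformly random password or answer.

```python
"""Rough answer-space estimate for bank security questions.

Added example: toy data only. The 8.3M / 311.6M figures are from the
comment; all other weights are constructed for illustration.
"""
import math
import secrets
import string

US_POPULATION_M = 311.6  # quoted in the comment

# Constructed: populations (millions) of the most common "what city" answers.
CITY_HEAD_M = {
    "New York": 8.3,      # quoted in the comment
    "Los Angeles": 3.8,
    "Chicago": 2.7,
    "Houston": 2.1,
    "Philadelphia": 1.5,
}

# Constructed: share of users whose maternal grandfather has each first name.
GRANDFATHER_NAME_HEAD = {
    "John": 0.06,
    "William": 0.05,
    "James": 0.045,
    "George": 0.04,
    "Charles": 0.035,
}


def answer_probabilities(head, total):
    """Fraction of users expected to give each answer in the known head of
    the distribution; the long tail is simply everything not listed."""
    return {answer: weight / total for answer, weight in head.items()}


def top_answer_probability(probs):
    """Success rate of an attacker who gets exactly one guess."""
    return max(probs.values())


def min_entropy_bits(probs):
    """Min-entropy: the security a single best guess leaves, in bits."""
    return -math.log2(top_answer_probability(probs))


def guesses_for_coverage(probs, target):
    """Smallest number of most-popular answers that covers at least `target`
    of users, or None if the known head of the distribution can't reach it."""
    covered = 0.0
    for n, p in enumerate(sorted(probs.values(), reverse=True), start=1):
        covered += p
        if covered >= target:
            return n
    return None


def uniform_space_bits(alphabet_size, length):
    """Bits of a uniformly random string, e.g. a 3-char alphanumeric password."""
    return length * math.log2(alphabet_size)


def random_answer(length=20, alphabet=string.ascii_letters + string.digits):
    """A noise answer of the kind later comments suggest typing instead."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    cities = answer_probabilities(CITY_HEAD_M, US_POPULATION_M)
    names = answer_probabilities(GRANDFATHER_NAME_HEAD, 1.0)
    for label, probs in (("city", cities), ("grandfather name", names)):
        print(f"{label}: best single guess wins {top_answer_probability(probs):.1%} "
              f"of the time ({min_entropy_bits(probs):.1f} bits of min-entropy); "
              f"guesses to cover 5% of users: {guesses_for_coverage(probs, 0.05)}")
    print(f"3-char alphanumeric password: {uniform_space_bits(36, 3):.1f} bits")
    print(f"20-char random answer:        {uniform_space_bits(62, 20):.1f} bits, "
          f"e.g. {random_answer()}")
```

The point the numbers make is that min-entropy, not the raw count of possible cities or names, is what matters against an attacker with a short list of popular answers: a few guesses cover a measurable slice of all account holders, whereas a random answer of the same length as a decent password puts the question back on a par with the password it is supposed to back up.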
The number of relatively common car makers is really low, and when you factor in the fact that most people don't get a really high-end car as their first car, 5 or 6 makers are going to cover a really high percentage (Ford, Chevrolet, Toyota, and Honda would cover most, I'd guess). If you factor in make AND model, we're still talking in the low hundreds of possibilities.
Good security questions are really, really hard to come up with and should, IMHO, really only be used as an addition to a password - not as a way around one.
If you're clued in on security, you can certainly use the fields to enter unrelated answers. A random 20 characters would be better than Winston Churchill.
But it probably goes without saying that if following the instructions (and putting in an actual answer...) makes you insecure, the model is broken.
I almost always pick something like "What's your favorite color?" and answer with random noise (say "a3tcuh487wchaowiudh23doch3298ahraui"). The rationale is that if I forget my password, I'll likely forget the secret question as well. I only want the secret question to be as hard, or harder, to guess than my password.
I wonder though, if the human at the other end will accept "just a bunch of letters and numbers" as a correct answer.
Call centre: Can you please provide the answer to the secret question.
Social engineer: sigh, I know this is going to sound really strange, but I just pick random words when I set up secret questions, and I'm not sure what I used with you. If it helps, it will just be a set of random words that make no sense...
Call centre: Ok, I've spoken to my supervisor and he said that, seeing as you kind of know what it's like, and seeing as you have the name and address, I can reset your password. What number would you like me to SMS it to?
Why the hell is anyone answering "What was your mother's grandfather's maiden/first name" or "What city were you born in" with real answers, or even real names/cities??
That applies to many of them. It's clearly just for fun. Quotes are no good. If it's a quote from media like music, movies, books, or TV, the response can usually be googled, if it's not known already. If it's a personal quote, someone who knows you might know it.
While I have a hard time imagining Bruce just lifted someone else's blog post without crediting (more likely it was passed on to him in conversation?), this post predates Schneier's by over a year: http://tcoverride.blogspot.com/2011/05/security-questions.ht....