Search this site:


May 3, 2005 12:02 AM

Broken: "Secret question" error

Broken2Royce Holmes writes:

But this is my father's middle name! Is having a middle name that is less than 5 characters bad?


yes, give him a longer name.. like glenn

Posted by: Dragon at May 3, 2005 12:53 AM

Well, considering this is a security question, having an answer less than 5 characters is certainly a security risk. Perhaps the selection of questions is slightly broken (for example, if should be relatively easy to find your father's middle name, mother's maiden name, etc), but requiring an answer of at least 5 characters is a good safety requirement.

The only way this would be broken is if while entering your actual name it had a character requirement.

Posted by: Andrew Bakke at May 3, 2005 12:54 AM

All "security questions" are risks, ask Paris Hilton.

Posted by: Brian at May 3, 2005 01:47 AM

The buttons it's got there are "I Agree" and "Cancel". "I Agree" to what? I agree that your father's middle name is Glen? I agree that the secret answer should be at least 5 characters long? I agree to sell my first-born child to Bill Gates?

Posted by: Alden Bates at May 3, 2005 01:49 AM

Not if I sell my baby first!!!

Posted by: at May 3, 2005 03:52 AM

At least you dont have my middle name, DMV's computer wouldnt even accept it so its not on my drivers license! (BTW its the letter Q)

Posted by: AvAiL at May 3, 2005 06:44 AM

Ja, that is broken, but it's because you're using it as a password. Maybe they should explain 'for security reasons...' blabidy blabidy bla.

Posted by: Bob at May 3, 2005 07:04 AM

Oh God, that's rich.

Bill Gates strikes again. Ha ha ha!

This isn't broken, it's shattered.

Posted by: Kay at May 3, 2005 07:53 AM

It definitely is broken. Not just because it's dumb, but because it will fail.

Six months down the road, when asked for his password again, he won't know it, since, whatever it is, it's NOT his father's middle name!

Posted by: DaveC426913 at May 3, 2005 08:52 AM

Definitely broken. The page should inform you before you attempt to set the security word what its requirement is. Same with passwords. Also the "I Agree" button is inappropriate in this context.

Posted by: Jay at May 3, 2005 09:04 AM

Broken due to conflicting requirements that haven't been reconciled. The secret question is used to authenticate people who have forgotten their password. As such it needs to be something they can aswer with some certainty. Somebody decided that the fathers middle name was a resaonable question to use. So far, so good.

Because the secret question unlocks access to the account, it is functionally equivalent to a password. No doubt the security folks demand minimum password lengths to make brute force cracking harder. Unfortunately, this does not match up with the reality that names do not have minimum lengths imposed upon them.

I'm surprised that they aren't also insisting that the father's middle name also contain a numerical digit! ;)

Posted by: Carlos Gomez at May 3, 2005 09:13 AM

Who care's, get password software and you will never forget your passwords again.

I'm using about 200-250 (between 8 and 18 characters long) different passwords for everything and with *KeyPass* I only need to double click on a link.

Makes life a lot easier....

Posted by: MB at May 3, 2005 09:14 AM

Except that if you lose your key fob with keypass software on it, and someone knows the keypass password, they're on every account you have.

Posted by: sir_flexalot at May 3, 2005 09:20 AM

Well, if you stupid enough to tell some one you main password. Otherwise the software is encrypted using 448-bit blowfish algorithm. Good luck trying to open it.

Posted by: MB at May 3, 2005 09:29 AM

I forget which site I was trying to use that had a similar problem for me. My father's middle name has 5 letters, and the site insisted it should have six.

Posted by: Ginger Stampley at May 3, 2005 09:55 AM

Ah, generally all the Secret Question does is send the password to the registered e-mail account (if there is one) and if not, I don't believe it does much of anything, though Hotmail could be different from most.

Posted by: TheFarce at May 3, 2005 10:27 AM

It doesnt give access as if it were a password, entering the answer to the secret question will have the password sent to your email account, like thefarce said.

Posted by: Dragon at May 3, 2005 01:32 PM

what if your pop was the artist formally known as prince.... no middle name! or first name for that matter.

Posted by: me at May 3, 2005 03:28 PM

Artist formally known as prince.

well that would make his middle name "Known"

Posted by: Dragon at May 3, 2005 04:31 PM

what about 'Formerly' or 'As'? still btwn 1st and last name!

Posted by: Bob at May 3, 2005 04:50 PM

Actually, I don't even think it sends your password to the registered e-mail account, I think it makes a new password to send to the registered e-mail account, so your old password is safe.

Posted by: Shadow at May 3, 2005 04:57 PM

Why is everyone stuck on the "father's middle name" security question requiring a length? There are other questions.

Broken things:

-"I Agree / cancel" buttons instead on "ok / back"

Not broken things:

-Having a secret question (this is used to reset the password. The new password is sent to the user's e-mail, requiring both the answer and access to the user's e-mail be had before a hacker can gain access to the user's account. Please correct me if this is not how .NET handles this).

-Requiring a certain length answer (a minor increase in security).

Posted by: Andrew Bakke at May 3, 2005 06:05 PM

How can it send the password to your email account (and have this action be useful), if you're having problems remembering your password for your email account?

Posted by: anitsirK at May 3, 2005 09:56 PM

You need a non-hotmail account to register with. Same with Yahoo.

Posted by: Andrew Bakke at May 3, 2005 11:24 PM

One thing non of you mentioned is the fact that.. we know your fathers middle name now. We know his name. We are coming for you, bwhahaha, your secerity has been assimulated. resistance is futile!

Posted by: Picho at May 4, 2005 12:06 AM

In response to Andrew Bakke:

> Not broken things:

> -Requiring a certain length answer (a minor increase in security).

First, the requirement is not explicitly stated on the form. If it did, the poster might have chosen a different question or at least made a mental note of the length.

Second, this is not a password entry. It is a "secret answer." It is broken because it asks for the user's father's middle name, but does not allow him to put the correct answer.

My son's middle name has only 4 letters. If I was using that as my secret word, I would not be happy having to double the last letter or some other trick. Furthermore, as a previous poster mentioned, the user may noit remember in the future that he had to use a variation of the actual answer and would not be able to get in until he did remember.

Posted by: Jay at May 4, 2005 09:11 AM

Andrew Blake: No, you don't. It gives you the option of providing an alternate email address. It's not required:

Posted by: anitsirK at May 4, 2005 11:18 AM

Er.. sorry for the misspelling of your name, Andrew Bakke.

Posted by: anitsirK at May 4, 2005 11:21 AM

"It's Glen, idiots." is plenty long.

Posted by: jbrandt at May 4, 2005 02:36 PM

AUTHOR: glatzer
DATE: 05/04/2005 03:42:21 PM

Posted by: glatzer at May 4, 2005 03:42 PM

Yep, as jbrandt said, you could write "My father's m. name is Glen." Of course, then they'll probably just tell you it's too long.

Posted by: Ilan at May 4, 2005 07:16 PM

My solution was to pick a different question.

Easily fixed, but enough for a chuckle :-)

Posted by: Royce Holmes at May 4, 2005 07:49 PM

Gee, what about bob, art, tom, ken, abe etc etc ?

Posted by: MIke at May 5, 2005 03:13 PM

Microsoft Fingerprint reader...$35 delivered off ebay. Stores all your passwords, no hacking, no forgetting.

Posted by: Dan at May 5, 2005 03:56 PM

My father has no middle name. I can't even answer that question.

Posted by: Ophelia at May 6, 2005 03:32 PM

Yeah, password rules get obnoxious at times, especially when they put them on things that don't need much security. So what if someone cracks your registration to a newspaper or other such free & read only site?

I recently hit one of those that annoyed me. I have a standard response for such sites, password rejected. Ok, this must be a newspaper I haven't registered at. I try to register, rejected, e-mail address in use. At that point I realize what my problem is--the password was required to have a number in it and my standard one didn't. I tacked a 1 on the end and it took it.

Had they displayed the password rules at the time of asking for it I would have made the correct guess immediately.

Posted by: Loren Pechtel at May 8, 2005 03:37 PM


most of your middle names are abbrv. anyway.

Bob, Arthur, Thomas, Kenneth, Abraham.

this whole question is stupid. isn't your dad's middle name public record? if someone knows who the account belongs to, then they could just look it up.

Posted by: Bob at May 11, 2005 08:16 AM

Some people seem to be missing the point here... This was not a password he was trying to make. It was just the answer to the secret question, which would allow him to have his info emailed to his email account should he forget his password. There should not be any rules as to what or how many characters can be in the answer to your secret question.

Posted by: Chaos at May 11, 2005 09:17 AM

also, if you notice, there's a drop box. father's middle name not long enough? father has no middle name? father unknown? choose a different question.

and it's really been my experience that most passwords/"secret question answers" have a minimum character allowance.

Posted by: annamosity at June 13, 2005 05:34 AM

i hav an msn account which i hav jst split up from my ex he changed my secret question and password is there anyway i can get it bk

Posted by: tasha at June 21, 2006 07:29 AM

Comments on this entry are closed

Previous Posts: