January 6, 2006 12:03 AM

Broken: CPL Petroleum password recovery

Ian Chard writes:

The CPL Petroleum website has somewhat missed the point of having a security question and answer as a password recovery mechanism. The problem: it doesn't let you see the question.

Comments:

they don't want anyone without a perfect memory. but you can get around it by being psychic.

Posted by: gmangw at January 6, 2006 12:17 AM

I supposed it is so anyone who knows you moderately can steal your account, but the problem with that is that oil supplies aren't the first thing that comes into someone's mind as either revenge to stealing, and they don't need to add protection for those you know, but rather for those you don't know.

That or they are just protecting your password from yourself, maybe if you don't remember your question you aren't fit to get oil supplies. Maybe you're a terrorist :P.

Posted by: Role at January 6, 2006 01:44 AM

I bet if you gave them your password they would give you your secret question again.

Posted by: Boris die Spinne at January 6, 2006 04:06 AM

You can't argue with the fact that it's secure :-)

Posted by: PhastPhrog at January 6, 2006 06:05 AM

So basically the "secret question" answer is now a second password, right? - Broken

Posted by: Tim at January 6, 2006 08:59 AM

I think it is pretty good security. If they don't show the security question no one can guess your security answer. If you don't know your answer to an account you created you are stupid or too lazy to write it down or to use password software where you can store thousands of passwords and any information you would need to get in your account.

Posted by: mb at January 6, 2006 09:02 AM

Wow, y'all are harsh.

The security question/answer was originally meant to be used in person (CSR asks your security question, you reply with prearranged answer). Trying to apply it (badly) to a website is broken.

Calling someone too lazy to "write it down" is broken - papers can be stolen. Using password software is fine - if you carry your computer with you everywhere you go; not everyone has the technology.

Just because a security question is asked does not mean you have to answer it truthfully. For example, everyone you know knows your favorite color is blue. The answer to that security question should be anything BUT blue.

Posted by: cary at January 6, 2006 10:10 AM

It is totally broken that you don't know what the question is, but it's also broken that they have the secret question/answer to recover your password.

Think about what happened to Paris Hilton: if you pick a question that more than one person knows the answer to, you open yourself up to potential problems.

Are you the only person who knows what town you were born in? What about your childhood pet? Favorite colors are even worse because someone could run through the list of black, white, red, etc.

Posted by: Manni at January 6, 2006 11:28 AM

Cary - If you pick the favorite color as your question, and your answer is NOT your favorite color, then you now have to remember which one you picked. Isn't it just easier to remember your password?

Posted by: Manni at January 6, 2006 11:30 AM

And what if this is like some sites that ask you to pick a question of several and answer it. How do you know which question it is asking you? I just email my password to myself so I can look it up anytime I want and then I usually cut and paste the sign on name and password.

Posted by: JAC at January 6, 2006 12:28 PM

for the color secret question, I put it in hexadecimal... let's see someone try to hack it by putting in "yellow" to the answer when it should be #FFEF08

Posted by: Thunder_gryphoN at January 6, 2006 04:35 PM

OMG does this mean that ANYBODY can get into Paris Hilton's account at CPL Petroleum? We're doomed!

Posted by: Pat at January 6, 2006 08:16 PM

No that was the reference to her phone being hacked.. a little while later when details turned up it ended up being that her secret question answer or password was tinkerbell..

Almost everybody knows tinkerbell was her pet rat (chihuahua) that she carried around almost everywhere till it got too big for her to do so

Posted by: infinity at January 7, 2006 10:41 PM

Most people here don't seem to understand exactly what a secret question is used for. Contrary to what many of you are saying, it is NOT a second password because it neither provides you with access to the site, nor does it provide the password. What it does is send the password to the email address of that user. For this reason, an easy question isn't a security list, unless the people who correctly answer it also happen to know the password to your email, which isn't the fault of the site and rather the fault of the user.

so... BROKEN!

Posted by: real_saddam at January 8, 2006 07:11 PM

Merrill Lynch (ml.com) has a password hint option for users who have forgotten their passwords. Like CPL, it doesn't tell you what the question was, but it has a pulldown list of possible questions. So I spent a half hour going down the list, one by one, telling ml.com the name of my elementary school, mother's maiden name, favorite pet's name, etc.

Posted by: Tom Castle at January 9, 2006 02:54 PM

OK, let me try again.

"We're doomed!"

(Mock horror - think Macaulay Culkin "Home Alone" hands to cheeks, mouth open - AS IF Paris Hilton would HAVE an account at CPL Petroleum...)

Is that a little clearer?

Posted by: Pat at January 9, 2006 03:19 PM

This is easy. I thought everyone knew the answer is "42".

So, maybe not too broke. Don't Panic!

Posted by: Arthur Dent at January 10, 2006 03:43 PM

There's also a "handy" link labelled

"Forgotten your password? Click here for a reminder." that takes you to exactly the same page :-/

Posted by: peterg22 at January 11, 2006 12:15 PM

"What it does is send the password to the email address of that user."

Yes, and when it works that way, it is a pretty stupid design, don't you all agree? Most sites just have a button that says 'click here to mail password update directions to your registered email address'. That works well. I have also seen 'if you no longer have access to the email address you used to sign up with, please answer the following personal question.' That seems sort of OK as a back up for lost passwords AND invalid email addresses, which is a situation that comes up a lot. But it should be made very clear that such a design is totally inappropriate for a site with sensitive financial information. In such a case, passwords should only be changeable by making a phone call, preferably from a traceable phone whose caller-id matches that of the phone # you gave them before. Or do it through snail mail by sending an affidavit.

Posted by: J. Scott at January 14, 2006 03:21 PM
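A sketch of the recovery flow J. Scott describes, as an added example (not code from CPL's site or from any commenter): the stored question is shown back to the user, the answer is checked against a salted hash with attempt limiting, and success yields a short-lived single-use reset token to be e-mailed to the registered address instead of the password itself. The user record, question, answer and e-mail address are constructed sample data.

```python
import hashlib, hmac, secrets, time

def kdf(secret: str, salt: str) -> str:
    """Salted PBKDF2 so neither answers nor passwords are stored in the clear."""
    norm = " ".join(secret.strip().lower().split())  # tolerate case/whitespace in answers
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt.encode(), 100_000).hex()

# Constructed in-memory user store (sample data, not a real account).
USERS = {
    "ian": {
        "email": "ian@example.invalid",
        "question": "Name of your first school?",
        "salt": "c0nstructed-salt",
        "answer_hash": kdf("Maple Street Primary", "c0nstructed-salt"),
        "attempts": 0,
    }
}
RESET_TOKENS = {}        # token -> (username, expiry time)
MAX_ATTEMPTS = 5         # stops someone running through a list of colours or pet names
TOKEN_TTL = 15 * 60      # seconds a reset link stays valid

def recovery_question(username: str) -> str:
    """Step 1: show the user their own stored question (the step CPL omits).
    Note: a per-user question inherently reveals that the username exists."""
    user = USERS.get(username)
    return user["question"] if user else "No recovery question on file."

def verify_answer(username: str, answer: str):
    """Step 2: check the answer; on success return a reset token for the caller
    to e-mail to user['email']. The password is never sent anywhere."""
    user = USERS.get(username)
    if user is None or user["attempts"] >= MAX_ATTEMPTS:
        return None                      # unknown user or locked out
    user["attempts"] += 1
    if not hmac.compare_digest(kdf(answer, user["salt"]), user["answer_hash"]):
        return None
    user["attempts"] = 0
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + TOKEN_TTL)
    return token

def redeem_token(token: str, new_password: str) -> bool:
    """Step 3: the e-mailed token works once, and only before it expires."""
    entry = RESET_TOKENS.pop(token, None)  # pop makes it single-use
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    salt = secrets.token_hex(8)
    USERS[username]["password_salt"], USERS[username]["password_hash"] = salt, kdf(new_password, salt)
    return True
```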

JAC> "I just email my password to myself so I can look it up anytime I want and then I usually cut and paste the sign on name and password."

...Thereby bypassing all the security safeguards and encryption that secure sites use, not to mention putting your password out in the clear on umpteen internet and mail servers and being freely readable to anyone intercepting the message. If you use Windows, it's even more vulnerable as you've just made your password available to any script kiddie who wants it.

So, yeah, you can look it up anytime you want, but so can a bazillion other people with minor computer chops, a library of exploit scripts, or specialized training and a nefarious motive (eg industrial espionage, etc). Heck, there are clubs in colleges and high schools across the country with ne'er-do-wells that try to outgeek each other doing exactly that sort of thing.

Which is all to say...I don't exactly recommend this method.

Posted by: Hoki at January 24, 2006 03:13 PM
