You’re reading Signal vs. Noise, a publication about the web by 37signals since 1999.

HSBC have recently revamped their “security”. Amongst the “memorable questions” they have on offer like “What is your favorite flower?”, is “What is your memorable answer?”

Charming, really.

I like it when they ask you to make up your own question and answer. I always create something embarrassing for the customer service rep to ask me.

The correct answer is of course **.

Oops, looks like there’s a problem with your comment form. That was supposed to be ten asterisks!

Requires a lot of trust, no? I am thinking about small or novel sites. I would instead give a chance to something like

“what was your fav pwd” , finding the right words.

hope could explain my point.

I like to use 1234567 since most people don’t expect the 7.

I always hate these things because the answers are rarely cut and dried. For instance, Pet name. Anyone with kids knows you go through pets like old socks and you rarely have less than 2. Which pet are we talking about here? Childhood hero? Well that depends on what age we’re talking abut and what movies were out at the time. Hometown? Well, I moved at least 8 times between the ages of 4 and 14. Which would be considered my hometown?

Then when they challenge you, I hate the sites that make you pick which question you answered before you can give the answer. I usually just stop using those sites because I can never remember.

DanL, that’s brilliant, I’m going to steal your idea if I ever run across one of those.

My favorite challenge Q ever: Previously, student loan provider Sallie Mae used to ask, buried amidst a large list of choices:

'What is your biggest fear?"

@DanL I saw one time a list of a bunch of really great custom questions that people came up with for just that purpose. Such as…

Q: Do you authorize us to transfer a free gift of $1M to your account?
A: Thank you, offer accepted.

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.

Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.
A: Go forth, and kill. Zardoz has spoken.

Q: Would you like to go on a date with me?
A: Sure, Friday is free. Let me know where to pick you up.

Ha… I found the post and updated the quotes. :D http://www.schneier.com/blog/archives/2010/04/fun_with_secret.html

Looks like an example I remember seeing recently on the Sophos security blog. Huge security concern.

And for those of you complaining about all the passwords and password questions you have to remember, try an encrypted password database like: lastpass, 1password, or keepass. All three work on both mac’s and pcs (and probably whatever smartphone your prefer as well.)

If you have too many pets, you’re probably not going to remember that but usually these drop downs include too many options for things you will remember. But with sites like facebook or twitter people are posting the answers to these questions they will more likely remember and often publicly.

We had a case of a customer how had a login 123456 and once migrating his account we sent him an email informing him about the move. We included his name and the login shown above. He replied to us with complaints that we are sending his password in an email message!

So it came out that not only his login was 123456 but also a password. Can’t be less secure, can it?

correcthorsebatterystaple will do it.

And what time do you call this?

Get lost! You’re not my real dad anyway!

Does anyone else feels like 37signals has completely neglected this blog for the past few weeks?

Banana Republic uses something they call a ‘personalized image’: http://bit.ly/obcHRp

The images are pretty awesome.

Ben, sounds like you think you have a right to receive regular posts from them. That is a misconception.

Haha, that BR link was good Ryan! But wouldn’t it make you happier to look at delicious food while trying to remember your password? Love the customized questions too.

At what point of traffic flow is A/B testing valuable? I can see how it would work well for a largely trafficked site, but for a site that only receives 15-40 visits per week, it may not be as useful.

I am interested to hear insights regarding the need for testing vs. traffic flow size.