enter the fray: our reader discussion forum
Dumb questions
by AthenasGryphon

Then there's the one that asks for "childhood phone number, including area code!" Mine was "BE 4381" (Yes, I knew that the BE was 23) That's 6 digits and was before area codes. At least it was a US number. My mother's home town only got telephones sometime after 1970.

"Pet's name" doesn't work with me either. I now have three cats. 5 years ago, I had four cats. Two of the original ones have died and I've gotten another one.

Another one that gets used is "Where did you attend high school?" I went to several high schools.

I absolutely agree with your notion of how to provide decent automated security

Re: Dumb questions
by Sundown
You seem to be confusing questions which you personally select the answers to with the automated questions like the example from the article of "What color was the car you registered in '94?"

Pet's name would be a very good choice for you. Other than yourself, how many people would remember the name of the long-since-departed cat you had 5 years ago? Same goes for the high school, though to protect yourself from being Googled, it'd be safer to go with one which you didn't graduate from.
Re: Dumb questions
by racerx

I agree that the questions mined from data are far better than the standard "shared secret" questions. However, for me, the mined data questions ring privacy alarm bells, i.e. do I really want my Utility company to know my auto registration history? Maybe we're already too far down that road, but I don't think we should encourage it.

One "shared secret" question problem not mentioned in the article is concerning joint accounts. It's not usually a problem to find a single question that my wife and I know the answer to in a consistent manner (What city did you propose to your wife in?) but 3? Or in the case of my Insurance provider, 5? Not likely.

It's time for 2 factor authentication. You want to reset a password, ok, provide a shared secret answer *and* put your smart card into your card reader. I got my first commercial smart card no later than 2000 when I ordered an American Express Blue card strictly because it *was* a smart card (I wanted more secure Internet transactions). They even offered a free card reader with it (serial port connected back then). I guess this wouldn't work so well for companies that aren't providing you a card already though, like Utility companies, due to the added expense.

Or use biometrics. Fingerprint readers are getting damn cheap these days, and if they were even more widely used I'm sure they'd be cheaper.

Re: Dumb questions
by Sundown
5 questions? Wow. I don't have more than 2 on any of my accounts and none are the random variety that are data-mined. Before reading this article I'd never heard of those and I agree those ring some alarm bells and are kind of freaky. Even if it is publicly available, you'd rather people not know that much about you.
Re: Dumb questions
by racerx

Well, they never ask all 5 at once, they ask a random 2 out of the 5, but you better know the answer to all 5, because if you answer incorrectly 3 times they lock the account and you must contact them to reset it. This is for State Farm, BTW.

The worst, though, is my state's Benefits website. They use an 8 digit numbers-only password that expires every 90 days. You can't repeat any of the previous numbers that you've used. Keep in mind that this is a site that I may log into maybe once per year. I have never actually successfully entered this password after using it for 1 day; I've had to call for a reset every time.
Re: Dumb questions
by ecnalg

Actually your Utility company DOESN'T have the answers to those questions. They are fed to them interactively by a 3rd party provider that sends the information only when you are interacting with your utility company.

It's a common misperception that this information is held in one place, but it's not. Your Utility company doesn't want to store that information any more than you want them to have it.

Biometrics are not the panacea people seem to think they are - finger readers are notoriously prone to problems - when your finger is cold, when you put on hand lotion - and usually require the recognition algorithm set so low that it permits false positives. That, and do you really want to drag around a USB finger reader with you to every computer you use on every PC you interact with? And, assuming you don't, are you prepared to not have your financial services company process a transaction for you because they can't verify you?

Re: Dumb questions
by racerx

Re: storage of data for mined data questions, you make a good point, and are most likely correct, though obviously it could be exploited. Just having the ability to mine the data like they do, opens it up for abuse, unless they are precluded from ever seeing the answers (which is possible, I just don't know if they actually do that).

Biometrics isn't 100% effective, but we're not talking about everyday casual use here, only occasional use, and we're not talking about a system without a backup (all of these companies will do a reset manually over the phone if you can't do it online). And many companies already restrict where you can reset your account info from (for example, from your home phone number only).

The ultimate point is not that biometrics is perfect, only that it's less imperfect than shared secret questions which are either too easy to figure out, or too difficult to remember.
