So here I am signing on for the Australian Government's online Medicare thingy, which started out pretty secure. You do the first stage of the signup stuff, and then they send you a letter with your password for the next stage of the signup in it.
And then, after you log in using that password, you get this:
Make sure your Answers are only known to yourself! You know, like your mother's super secret maiden name that not even SHE knows!
(And yes, the missing apostrophe's the icing on the cake.)
Not only do they tell you to use the archetypal, perfect example of an appallingly insecure "secret question", but they also tell you to set up four more such questions. So even if your first question is quite a good one, like "What poster did I have on my bedroom door before I had the Van Halen one?", you're likely to come up with something a lot less secure as you add more and more of the bloody things and run out of ideas.
I came up with a properly obscure but memorable question for the first of the five on the Medicare form, then entered keyboard-mashing randomness for the other four. Then I wondered whether these "authentication" questions might be asked at some time other than when I'd forgotten my password - if they're used all the time, possibly even over the phone, then making one of them "Dummy question 3? / sdtrt45ruidhbioweyrvga34awe7du" is probably not a good idea.
So I tried duplicating my good first question and answer for the other four as well, despite the fact that the instructions tell you to record five different ones. That turned out to be fine.
(I've now discovered that the Medicare site uses the "security questions" when you want to change stuff like your contact details. It asks you two of the questions then, so it's a good thing I didn't just bang my face on the keyboard. Because all five of my questions are the same, the system of course just asked me the same question twice. It didn't seem to mind.)
It's possible to wring some security out of even a system that forces you to use mother's-maiden-name as an authentication question, by simply making up a novel answer for that question. But if you use the same oddball "maiden name" for authentication for every such site, then the first time the information that your mother's maiden name is "snorkel" gets out - which you should assume it's going to, because these people have demonstrated themselves to be idiots by their choice of this security system in the first place - you're just about as screwed as you would be if you'd used the real, matter-of-public-record maiden name.
To get around this, you have to come up with a different "maiden name" for every site that asks. You of course won't be able to remember them all unaided, so will need to store them along with your other passwords. Since the only time you're likely to need the "maiden names" is when you've lost the other passwords, though, this brings one face to face once again with the blatant stupidity of the whole concept.
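As an added illustration (not code from the original post), here is the per-site approach above in a small Python vault: each site's forced question gets its own random made-up "maiden name", and an audit flags any answer typed at more than one site, which is the failure mode described above. The class, function names and sample sites are constructed for this example.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def make_answer(n_chars: int = 16) -> str:
    """Random 'maiden name' for a forced secret question, unique to one site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n_chars))


def answer_entropy_bits(n_chars: int = 16, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random answer of n_chars symbols."""
    return n_chars * math.log2(alphabet_size)


class QuestionVault:
    """Keeps made-up secret-question answers per (site, question), beside the passwords."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], str] = {}

    def enrol(self, site: str, question: str, answer: Optional[str] = None) -> str:
        """Record an answer for a site's question; generate a random one if none given."""
        if answer is None:
            answer = make_answer()
        self.entries[(site, question)] = answer
        return answer

    def lookup(self, site: str, question: str) -> Optional[str]:
        return self.entries.get((site, question))

    def reused_answers(self) -> Dict[str, Set[str]]:
        """Answers shared across different sites: one leak would unlock all of them."""
        sites_by_answer: Dict[str, Set[str]] = defaultdict(set)
        for (site, _question), answer in self.entries.items():
            sites_by_answer[answer.strip().lower()].add(site)
        return {a: s for a, s in sites_by_answer.items() if len(s) > 1}


if __name__ == "__main__":
    vault = QuestionVault()
    # Constructed sample: one made-up name typed at two sites is the cross-site failure mode.
    vault.enrol("bank.example", "Mother's maiden name?", "snorkel")
    vault.enrol("shop.example", "Mother's maiden name?", "Snorkel")
    # Five slots at one site filled with one answer is same-site reuse and is not flagged.
    for i in range(5):
        vault.enrol("medicare.example", f"Question {i + 1}", "bedroom-door-poster")
    vault.enrol("mail.example", "Mother's maiden name?")  # random, site-specific
    print("reused across sites:", vault.reused_answers())
    print(f"random answer strength: {answer_entropy_bits():.1f} bits")
```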
And yes, the blithe suggestion of "maiden name" secret questions also skates over the issue of people whose family doesn't have a vanilla Western surname at all. Not to mention foundlings, people who had the hide to be born to unmarried parents, and that so-often-neglected portion of the information security marketplace, humaniform robots.
("My mother? Let me tell you about my mother.")
UPDATE: How did that guy "hack" Sarah Palin's Yahoo e-mail account?
That's right: By taking advantage of "secret questions" that were matters of public record, or otherwise trivially easy for anyone to guess.
(It's a shame that Palin didn't use that account to do anything very interesting. Wouldn't it have been awesome if it turned out that was the account she used to indulge her secret passion for Mythbusters slash stories?)