Dumb "Security" Measures
Loved this tweet from @jckiedncki
Dear security engineers: Not everyone has a mother who's above trying to break into our online accounts...and she knows her maiden name.
Also, as an identity theft victim, I'm particularly fond of businesses that ask for my social security number as "for (my) protection."
Me: "Oh, you mean the one the women who stole my identity and $12K of my money and tried to open charge accounts in my name have?"
As a security professional (and as one whose wife had her identity stolen by a person with legitimate access to it), I've been harping on how wrong-headed the approach to fighting ID theft is for some time.
The problem is not that PII (personally identifiable information) is too easy to obtain. The problem is that it is too easy for someone to use it to impersonate someone else.
That's the short version. I'll stop there as to not take over your blog. ;)
Trust at June 2, 2010 5:10 AM
Trust, I know what you're talking about. I've developed a strategy: when I'm faced with having to select answers for "security questions" for something, I try to come up with a set of words that are related and that I will remember, but have nothing to do with the questions. For example:
What is your mother's maiden name? Tinker
What town were you born in? Evers
What high school did you go to? Chance
(no, I didn't use that one)
Cousin Dave at June 2, 2010 6:18 AM
There are two problems here, not necessarily related.
The first problem is to design systems so that they can be secure. Fixed security questions with stupid answers are not secure.
The second problem is people. Whatever system you put in place has to account for realistic human behavior:
- On one extreme: lazy security people. Like the security guard who assumes that anyone wearing a badge must be authorized to enter. Security systems must not only look good on paper - they must actually be used.
- On the other hand: that loyal, valuable, but eternally confused customer who just cannot manage to remember their access information. Your personnel have to be able to make exceptions when appropriate.
Finding the right compromise is the real challenge of good security experts. But I'm only on the periphery - perhaps Trust can shed a bit more light on this...
bradley13 at June 2, 2010 6:33 AM
Mom's dead, so she didn't do it, but my 8 siblings and 34 cousins all, unaccountably, know her last name. I haven't been hacked, yet, that I know of, but...
I should probably try a non-name, like fuselage or banana or Cinderella. Or use my Japanese teacher's last name.
MarkD at June 2, 2010 7:03 AM
I have a couple of URLs which want to know my favorite celebrity, my favorite movie, or my first pet, things like that. It rotates each time I log in. In addition to the password, of course.
And, one lets me make up my own question. I think that is best.
irlandes at June 2, 2010 7:19 AM
Point out to the requestor that the Social Security cards have "Not for identification" on the front.
Tom at June 2, 2010 8:40 AM
This is quite the human factors issue...
I have users that can't successfully change their credentials ONCE in a row... so telling them to never write down what their words are or anything is worthless... but it is agreed that it isn't only strangers that are going to try and get into your stuff.
I think the best thing for PII questions is a series of 5, at least one of which is a user-made-up one. That should be the primary question. If you can't remember that you would need the other 4. But I am always telling my people to make stuff up, transpose things, do words from the inside out. Translate to other languages.
There are better ways of doing these things, but people are lazy and never take it seriously until they or someone they know get hacked...
SwissArmyD at June 2, 2010 9:49 AM
My bank did that shit. I called them up and asked them to turn it off, they said "We can't do that, they are there for your protection."
Which is, of course, bullshit on stilts. They are there to give the bank plausible deniability if you get hacked.
Those types of "security questions" are how Sarah Palin's Yahoo mail account got hacked.
So here's what I do (note - I use a secure password program on my phone with a cryptographically secure password that I will never forget):
Go to www.grc.com, and from the "Services" menu, select "Perfect Passwords", and use chunks from those (10-20 characters is sufficient) as the answers to your questions.
So my favorite movie is something like Al;sk9@j39S.
And it's different for every site.
Most people won't do this. Hell most people won't use a password more complex than "abc123".
It's only a matter of time until the banks start implementing something like SecurID, where you have a keyfob or an app on your phone that generates a PIN every minute so you can do real two-factor authentication.
But the systems now are asinine. Security Theater - makes you feel more secure if you don't know anything about security.
brian at June 2, 2010 7:25 PM
I have three levels of passwords -- the generic logins for my "who cares accounts", i.e. forums, job/skill related sites where life is easier to do research logged in, my throwaway e-mail accounts, etc. It's still 8+ character AlphaNumeric (AN).
Then I have my financial passwords which are 9-10+ AN. These are short term data and I change on a semi-regular basis.
Then I have a 15 AN that is needed to break the document that I write anything I need to hold long term, but no one else would need without me knowing, like tax returns, medical records, etc.
The big thing is to remember to be paranoid. And if someone calls or contacts you to log on to a website to verify your info -- do not use the link they provide. Google the company/link yourself and then go that way.
There was a website scam that was to Western Union a few years back. The link was to a vvesternUnion not westernUnion (two V's making the W). You wouldn't notice it except in a "Courier" type font.
Jim P. at June 2, 2010 8:03 PM
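The "vvestern" trick Jim P. describes is a homoglyph lookalike: two characters that render like one in a proportional font. A mail gateway or link scanner can catch it by folding both the link's host and a list of trusted domains to a common "skeleton" in which such sequences collapse, then comparing. This is an added example, not code from the post; the message, the trusted-domain list and the confusable table are constructed for it, and the registrable-domain helper is a deliberate simplification (a real scanner would use the Public Suffix List).

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed table of sequences that look alike on screen. Multi-character entries
# come first so "vv" is folded to "w" before any single-character rule runs.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("|", "l"),
    ("3", "e"),
    ("5", "s"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed phishing-style message: one lookalike link, one genuine one.
SAMPLE_MESSAGE = (
    "Your transfer is on hold. Verify at http://www.vvesternunion.com/verify "
    "or see https://www.westernunion.com/help for details."
)
TRUSTED = ["westernunion.com"]


def skeleton(label: str) -> str:
    """Fold a host to a canonical form in which lookalike sequences collapse."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def registrable_part(host: str) -> str:
    """Crude: keep the last two labels ("www.vvesternunion.com" -> "vvesternunion.com")."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain this host imitates, or None when the host is either
    exactly a trusted domain or does not resemble any of them."""
    rp = registrable_part(host)
    if rp in trusted:
        return None
    sk = skeleton(rp)
    for t in trusted:
        if sk == skeleton(t):
            return t
    return None


def scan_message(text: str, trusted: List[str]) -> List[Tuple[str, str]]:
    """Extract every http(s) URL in a message and report (host, imitated_domain)
    for each one whose host is a lookalike of a trusted domain."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if not host:
            continue
        target = lookalike_of(host, trusted)
        if target is not None:
            findings.append((host, target))
    return findings


if __name__ == "__main__":
    for host, target in scan_message(SAMPLE_MESSAGE, TRUSTED):
        print(f"lookalike link: {host} imitates {target}")
```

The fold is applied to both sides on purpose: "westernunion" itself contains "rn", so comparing a folded suspect against an unfolded trusted name would miss the match. The table is intentionally aggressive, which is the right bias for a detector that only flags links for review.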
There is an even better way that is completely foolproof, and unbreakable.
Pick one rule. For example, your answer to PII questions will be the first letter of each word in the question.
It is a simple thing to remember, makes the question irrelevant, and no one will ever be able to get the right answer, no matter how much they know about you.
Hey Skipper at June 2, 2010 10:58 PM
The use of foreign languages, non-Gregorian calendars (such as your birthday in the Muslim or Mayan calendars) or non-sequiturs seems to work.
For example:
What was your mother-in-law's name?
Too Hard to Spell
Alternatively, hit the caps lock key before typing an answer, such as
tHIS iS a tYPICAL aNSWER.
Sabba Hillel at June 3, 2010 2:06 PM