Why do companies insist on making our accounts less secure?
I just tried to log in to Lowes, and got the password wrong and they then asked me the stupid questions that they build into the system to try to avoid having to deal with lost passwords. Idiotic questions like “What was the name of your first pet?” and “Where did you go to high school?” When I’m forced to provide answers to these security risks I usually just enter 30 to 60 characters of gibberish. I figure if for some reason I cannot recover the password I can talk to a human being at the company and regain access that way.
The normal and professional way to handle lost passwords is:
- Send the lost password to the person’s registered email address. This is the most sensible way, as long as you give the person who lost the password a chance to back out if they know their email account is compromised.
- Make them call and talk to a human being.
- Email them a new randomly-generated password.
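As an added illustration of the email-based recovery options above (this is example code written for this post, not anything Lowes or any other site runs): a site that emails a recovery link should hand out a random, single-use, short-lived token, keep only a hash of it, and accept it once before setting the new password. The user table, the `request_reset` and `redeem_reset` functions and the 15-minute lifetime are all assumptions for the example.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory user table standing in for the site's database.
USERS = {"alice@example.com": {"password": None}}

# token_hash -> (email, expiry). Only the hash is stored, so a leaked table
# does not contain usable reset links.
RESET_TOKENS = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a slow, memory-hard KDF; the salt is stored beside the hash.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use reset token for a registered address.

    Returns the raw token the mailer would send, or None for unknown addresses
    (the HTTP response should look identical in both cases).
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume a token and set the new password; False if unknown or expired."""
    now = time.time() if now is None else now
    entry: Optional[Tuple[str, float]] = RESET_TOKENS.pop(_hash_token(token), None)
    if entry is None:
        return False  # never issued, or already used
    email, expiry = entry
    if now > expiry:
        return False  # expired; it has already been removed above
    salt = secrets.token_bytes(16)
    USERS[email]["password"] = (salt, _hash_password(new_password, salt))
    return True


def verify_password(email: str, password: str) -> bool:
    stored = USERS.get(email, {}).get("password")
    if stored is None:
        return False
    salt, digest = stored
    return secrets.compare_digest(digest, _hash_password(password, salt))


if __name__ == "__main__":
    link_token = request_reset("alice@example.com")
    print("mail this to alice:", link_token)
    print("redeemed:", redeem_reset(link_token, "correct horse"))
    print("reused:", redeem_reset(link_token, "again"))
```

The token is popped before the expiry check so an expired token cannot be replayed later, and the "unknown address" branch returns quietly so the reset form does not reveal which emails are registered.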
Not at Lowes – if you don’t remember what you put down as your high school (I went to two) then you’re screwed. The idiots at Lowes make you re-register. Re-registering is bad enough, but my old account is still out there somewhere.
So, I guess the only sensible thing to do is just treat these stupid questions like a password prompt, and come up with a 20-character answer to give all of them. I’m sure as hell not going to tell the truth. Seriously – how hard would it be to get anyone to give up the name of their high school or their first pet? If I wanted to break into, say, a coworker’s account, all I’d do is find the questions and then ask the coworker. Do you think anyone’s going to balk at talking about their first pet or their high school days?
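Treating the questions like a second password, as suggested above, only works if the made-up answers are random and written down somewhere you can find them again. This is an added example, not code from the post: a small per-site "answer vault" that generates a 20-character random answer for each (site, question) pair the first time it is asked and returns the same answer afterwards. The `AnswerVault` class and the file layout are assumptions for the example.

```python
import json
import secrets
import string
from pathlib import Path
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, about 5.95 bits each
ANSWER_LENGTH = 20  # about 119 bits; a real pet name is a few bits at best


def random_answer(length: int = ANSWER_LENGTH) -> str:
    """Unguessable answer drawn from the OS CSPRNG, letters and digits only
    so it survives whatever input filtering the site applies."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class AnswerVault:
    """Stores one random answer per (site, question).

    If `path` is given the vault is persisted as JSON; with path=None it is
    in-memory only. The JSON file is plaintext, so keep it inside your
    password manager or an encrypted volume rather than loose on disk.
    """

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        if path is not None and path.exists():
            self.data = json.loads(path.read_text())
        else:
            self.data = {}

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.data, indent=2, sort_keys=True))

    def answer_for(self, site: str, question: str) -> str:
        """Return the stored answer, generating and saving one on first use."""
        site_entry = self.data.setdefault(site, {})
        if question not in site_entry:
            site_entry[question] = random_answer()
            self._save()
        return site_entry[question]

    def sites(self):
        return sorted(self.data)


if __name__ == "__main__":
    vault = AnswerVault(Path("security-answers.json"))
    for q in ("What was the name of your first pet?", "Where did you go to high school?"):
        print(q, "->", vault.answer_for("lowes.com", q))
```

Because the answer is keyed by site as well as question, the same "first pet" question gets a different answer at every site, so one site's recovery form leaking an answer does not open your accounts elsewhere.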