Things like this make me feel like I need to go get a degree in psychology to make any more headway with information security. It’s semi-well-known that idiotic password complexity and rotation requirements generally have the opposite of the intended effect: people either write the passwords down or choose predictable ones, and the stricter the rules, the further they go to keep them predictable. PayPal™ has taken this to the next level. (Screenshot after the jump, since I can’t get my style sheet right for images here within the 5 minutes I’ve allocated for posting this…)

[Screenshot: PayPal™’s poor selection of security questions]

Running down the questions in order:

  1. More than one answer.
  2. Changes over time.
  3. Probably OK. Maybe.
  4. Changes over time.
  5. More than one answer.
  6. Possibly OK, but very nearly phone book info, honestly.
  7. I don’t remember.
  8. Not a well-defined answer at all.

Seriously? These are protecting access to my financial data? This is just one reason I don’t attach PayPal to any account I couldn’t close in a second.