Why does my pension provider want to know about my first kiss?

Accessing my account felt like being interrogated by my mother
Image of Serious Money
© iStock

Listen to this article

00:00
00:00

This is an experimental feature. Give us your feedback. Thank you for your feedback.

What do you think?

Setting up a new pension is more likely to get your head aching than your heart racing. Or so I’d thought. For it turns out that my pension provider wants to know all about my first kiss.

I was expecting to answer questions about default funds and my anticipated retirement age when I logged on to the whizzy online portal offered by the FT’s new pension provider. But before I could get on to these, I had to set up online security.

As anyone who performs any kind of financial transaction online will know, a login and password are no longer enough. People have a habit of forgetting passwords (probably because we keep being told to insert symbols and numbers into them, never write them down and somehow remember a different one for each website we use), so financial services companies have embraced the concept of “memorable words” that we can recall in order to request a new password. Except that, in a lip-smacking twist of irony, these are very difficult to remember.

For example, Apple’s security questions include “What was the first album you ever purchased?” Looking back, I had the hideous realisation that this was probably a Showaddywaddy LP that I bought for 25p at the school jumble sale. I shuddered to admit to this officially. The first new album I bought was Duran Duran (slightly more forgivable) but — if I forgot my Apple ID — would I remember this self-editing of my dubious musical tastes? So I started to type in Showaddywaddy (after googling how to spell it, and noting any irregular capitalisation). And then I realised that this was the name of the band, not the name of the album. Argh.

Try another question. “What was your favourite children’s book?” How could I choose between The Little Prince and Little Women? And with a question that is so arbitrary, how on earth would I remember the correct answer without writing it down, or emailing it to myself? Neither would be particularly secure.

My pension provider had some corkers on its list. What was the name of my first cuddly toy? Where did I meet my significant other? (as no spaces are allowed in the answer, “drunk at a party neither of us can particularly remember” would not cut it). Even “What was the name of the first boy or girl you kissed?” was not entirely straightforward. Did they mean a peck in the playground? Or kissing with tongues? So I rejected that one too. “Where were you when you had your first kiss?” was the next question the computer offered up. I felt like I was 14 again and being interrogated by my mother.

All of this unexpected emotional tourism was enough to make me long to tick boxes about fund allocation. So why are companies forcing us to do it?

Years ago, if your bank wanted to verify your ID they would simply ask for your mother’s maiden name. Nowadays, with so many silver surfers looking for old school chums on social media, this information is much easier to come by. So they must find more questions to which only you will know the answers (or at least, are harder for hackers to guess).

Of course, nobody wants to be a victim of cyber crime. But there is a balance to be struck. The difficulty of getting through online security, using chip and pin machines and remembering passwords and security questions puts a lot of people off using digital services. It even has an official name — “password fatigue”. And it costs companies money. I have personally abandoned many online shopping baskets because my password won’t work, and by the time I’ve got home to find the drawer with the Post-it note that contains it, I’ve lost the urge to buy whatever it was.

In the future, biometric data and voice recognition software could trump the password. But to get around the problem in the meantime, most people just reuse the same password on many different websites. From a security point of view, this is nearly as dubious as owning a Showaddywaddy LP. There are millions of hacks online every day, but not all companies encrypt their user data.

If you have used the same password on a hacked website as you have for your email account, or anything linked to a credit card, then you could be in trouble. Once a hacker has control of your email, they can request new passwords to be sent to them. If you have bothered to set up the “memorable words” or two-factor authentication (typically a code sent by text to your mobile phone) this will offer some protection. But how can we remember dozens of different passwords?

Internet browsers frequently offer to store passwords, although the IT boffins I consulted advise against this (it’s not usually encrypted). Instead, they encouraged me to try out password management software which can generate and store highly secure passwords that a hacker’s algorithm would struggle to crack.

LastPass is the market leader, but Dashlane also scores highly in online reviews. I was sceptical at first (what happens if my password manager gets hacked?) but reading up on the subject, this is a much more secure method than using similar passwords for everything, Post-it notes, or emailing yourself. There’s even space to insert notes on what those pesky “memorable words” are. All you need to do is remember is one password. Remind me, what was it again?

Claer Barrett is the editor of FT Money; claer.barrett@ft.com; Twitter: @Claerb

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from FT.com and redistribute by email or post to the web.