In the UK a common "authentication" question used by banks and many other institutions is "what is your Mother's maiden name?". The idea is that it's supposedly difficult to find out what someone else's Mother's surname was before she was married. It's not as hard as you might think partly due to just how freely people give out this information and the number of third parties that request it.
I telephoned my Bank some time ago making the request "I'd like to change my Mother's maiden name please". The person I spoke to sounded rather confused. They retorted "how could your mother have changed her maiden name?". What I really meant was "I'd like to change one of the secrets the Bank use to authenticate my identity" but this seemed a complicated way of explaining what I wanted to a non-technical non-security saavy person.
To cut a long story short, the Bank didn't have a process for me to change the secret they held. As they advised me they use a number of other security measures to authenticate me though many of these are easy to determine including "what's your date of birth?".
The only way I can reset this particular "secret" is to change banks...
Incidentally, finding out someone's Mother's maiden name is trivial if they are not married - that's becoming the case more and more these days.
I have always used a different mother's maiden name to my mum's actual maiden name. Security is one of the reasons why I do this, but it's also because my mum's maiden name is too difficult to spell and I don't know how to spell it! Obviously, the maiden name I chose is much easier to spell...
Interestingly, my bank rotates through a number of security questions and I think if I asked them, it would be a simple matter of dropping one question and adding another. If one bank has only one security question and won't let you change the answer, and another lets you choose both the questions and the answers, changing banks isn't such a bad idea.
Some banks including HSBC realised the problem you highlight some years ago and offer the facility to accept an alternate bank use only memorable word that is not set in stone instead of Mother's maiden name. iirc the change happened when HSBC gobbled Midland bank.
For credit it appears from here that the banks we use are feeding Credit databases such as Equifax correct real maiden name data.
Ref Sky TV etc - I've yet to find anyone who own's up to giving a real mother's name on Sky's contracts. Sky TV's contract might easily be interpreted to read that "maiden name" is used as a password to unlock/reset the childlock pincode etc - so any name you can remember is valid.
Mathew> My bank does the same so it's not a big deal but none the less having one question that's so easy to work out isn't great.
I posted a video on www.kyte.tv/yellowpark about how I now have 2 birthdays like the queen. Specifically for the reasons you mentioned about the maiden name thing and its definately not the sort of data I want to go entering into social network sites. You might also be interested to see a Facebook app that Craig Ccmehil threw together to show just what data can be harvested by app developers.
I posted a video blog on www.kyte.tv/yellowpark about how I now have 2 birthdays like the queen. Specifically for the reasons you mentioned about the maiden name thing and its definately not the sort of data I want to go entering into social network sites. You might also be interested to see a Facebook app that Craig Ccmehil threw together to show just what data can be harvested by app developers.
Setting up some demo servers recently Steve and I tripped over the Windows 2008's default password policy: