How are 'Secret Questions' Secure?
Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?
Many, many sites require that you answer some of these questions. It would be ok if it were optional, but in many cases it's required. The thing is that many sites really have no legitimate need to have password changing functionality in the site.
For example, at most online shopping sites, I'm having to create an account I don't really want, and provide this "secret" information, to a site I'll probably never visit again. Or if I do, I'd rather enter all my shipping information again than have to remember a password.
For most sites, if your password for the site isn't valuable enough to you that you keep it safe, then there's probably no reason that you couldn't just start over with a new account. For the sites that do have stuff that's interesting enough that you need a password recovery, the security of a password reminder probably isn't sufficient.
One thing you can do is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".
Sean
Your mother's maiden name? / your city of birth,
Your pet's name? / your GF's nickname,
Your pet? / Ultraviolet
And so on...
Paul B.
It's not perfect, but it makes attacking a random account harder. That the password is emailed to a known address adds further security. It's probably not good enough to stop a dedicated attacker, but for something relatively unimportant (like a Slashdot login), it's Good Enough. For important things (say, your banking site) I would hope that emailing you your password isn't an option at all (it isn't for my bank).
You can improve your security marginally by making up a consistent fictional answer. Again, not suitable for important sites, but good enough for lightweight stuff.
Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?"
I agree that asking the same old "mother's maiden name", "street you grew up on", "city you were born in" etc. is pretty weak, esp. as you get asked these questions over and over.
But I do like the ones where they ask you to create a question/answer pair for yourself. That way, I can come up with some obscure or even meaningless type of question that only I would understand. Sure, someone can build up a database of these types of questions, but if I self-obfuscate the question AND the answer (using mnemonics, for example), it might be more difficult to make sense of it for anyone but me.
I always use the "Make up a question" option when it's available.
If the users choose their own question and answer, it makes it much harder for an attacker to know what bit of info will be needed.
Also, users can then choose all sorts of really arcane things for their questions, or just bits of silliness & mental associations that aren't worth an attacker's time to figure out.
That thing that identifies you that you know? It's called a password (or sometimes passphrase).
The more passwords you have, the less attempts are necessary.
Worse still: These "passwords in case you forget your password" are things lots of people might know.
Passwords are only as strong as their secrecy, and since two is no better than half as good, these systems are _less_ secure than having a single password.
They do, however, have a benefit, and that's the cost of creating a new account. Users that have forgotten their password might click the forgot-password button instead of create-new-account, and it might just keep the number of accounts low.
Unfortunately, it's usually better to just delete the old accounts, since that keeps the number of "accounts" closer to the number of "active accounts" _AND_ it means there are fewer targets to attack.
When this is an option, the question I like to use is:
"What is your password?"
"I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me."
So in other words to borrow a metaphor, someone has access to your box, and is root.
I prefer to give sites my email and if I forget my password it should email me with a link to reset my password. That is the simplest solution.
How are 'Secret Questions' Secure?
Um, can't answer that, it's my secret question.
Who says you have to answer that silly secret question with what it's actually asking for? You could think up a non-public answer ahead of time to the question, "What High School did you go to?" and give that non-public answer. Seems to be a bit more secure than giving an answer which is actually true.
For example:
Question: "What's your mother's maiden name?"
Answer: "Sheatemybrotherssoul"
Yes, people DO use that as a secret question!
Whenever I am presented with one of these, I just mash on the keyboard for a bit. I remember my passwords.
Schneier's take and Penny Arcade's take. Just give up and enter junk for the questions. If you lose your password, call someone.
I was on a major financial institution's web site yesterday changing my password. It asked me to pick a password with a minimum of six characters. Then it asked me to type the answer to a Secret Question. It required that I have a minimum of three characters in my answer. There were about twelve questions to pick from plus the option for a custom question (which we'll ignore for now since odds are no one picks it anyway). So, if we consider the choice of question to be (at best) an extra character in the answer, we are only required to use four (really like 3.5) characters. If I'm attacking this system, where am I going to spend my time? What is the point of having a minimum of six characters in the password? This isn't even considering the fact that the answer to the Secret Question is almost certainly something out of a dictionary whereas there's at least a chance the password is somewhat more complex.
They are not secure at all. They are a joke. Some people are stupid enough to post certain personal information on their blogs or social networking sites. They are not secure in any way or form.
What they need to do is create a dual password system, where there's a master password which can change anything, and a secondary password which can change anything but the master password. You would always log in using the secondary password. Concerning the master password, write it down, stick it in a very safe place at home provided you trust family members.
Back when I was in a high school computer science class and bored, I tried logging onto someone else's MSN Messenger account. The password I had was bad, and I decided to click on the "forgot password" link. The question was... of all things, city of birth. Now, some 75% of people going to my school would (quite logically) be born in the same city the school is located in, and apparently, he was clueless enough to put that down as his answer. It reset his password and gave me the new one, I now had complete access to his Passport! account.
Another thing to note: If you asked someone for their password, (if they had any clue) they would simply ignore you or tell you to go away. Asking for their mother's maiden name, however, can be completely innocuous, and from my further experience with MSN and high school students, it was.
The inherent problem with the system is that passwords are supposed to be, by nature, secret. A "secret question", even though it claims to be secret, is still using a public article of data for its uses. Think about it, how many of those annoying form letters ask for your mother's maiden name? With "secret questions", that bit of data is almost as useful as your password. Sure, it'll lock you out of your account and you'd be able to figure out something was up, but until then, the attacker could easily transfer all of your funds to an unnamed Russian bank account.
In case anyone wants my city of birth, it's "8sge76g9br9t87rg8eg4f67dtwj53kg7t6r8g4b87"
... that made a joke about this once. For security, he got to choose his own question and answer. The question the techs were supposed to ask him was, "What are you wearing?" with a response of "THAT'S TOTALLY INAPPROPRIATE!"
A plethora of relatively unimportant web sites require logins, and they offer a cheap and easily implementable way to reset those logins by asking for a piece of (often benign) personal info (birthdate or zip code, for example). Now, banks and brokerages are hopping on that bandwagon, though in a different way. They are using personal identifiers (mother's maiden name, favorite color, first job, etc) as part of a 2-factor authentication mechanism (as opposed to simply a password reset mechanism). Bank of America rolled this out about a year ago with their Sitekey service. Using this scheme, if you're logging into your account for your typical machine, then a cookie on that machine identifies that you're on your home/office workstation. You are required to enter your userid/pw and then you're logged in. But if you (or an ID thief or hacker) use a different machine, then you are additionally prompted to answer a question, like one of the questions cited above. Answering that question correctly installs the appropriate cookie on the new machine. This seems like a very cheap way of implementing 2-factor authentication, and not necessarily a bad idea. Other ideas include hardware tokens or single-use secondary keys, but those schemes tend to be more expensive. With the challenge-response scheme, a simple keylogger that is installed and that intercepts the login password is no longer enough for a hacker to access the account. It's a slight increase in security. It means that tech-savvy thieves will have to find ways around the system and non-tech thieves will resort to traditional measures, like social engineering, dumpster-diving, etc. In the end, financial institutions must still rely on a number of different security mechanisms, including lock-out periods for transferred funds, confirmation emails for certain account changes, notification of suspicious account activity, and so forth.
Best is to allow the user to create their own question.
That has its own problems:
http://www.penny-arcade.com/comic/2006/07/12
I use Password Safe (Google it). I use two files - one is usernames and passwords and one is the stupid questions (and randomly generated answers). I avoid using the same question for two different sites. That effectively means I have two different usernames and passwords for each site.
If I lose both the files then I am screwed since I don't even know what the answers are!
With good datamining, so called secret questions are totally insecure.
I've worked on a few systems which allowed you to choose your own secret questions and answers, but they're really not that much better.
One of the better solutions I saw required you to register at least two of (1) an e-mail address, (2) an SMS number, and (3) a facsimile number. If you lost your password you went to the "forgot password" interface, entered your username and asked it to send a message to one of the registered points (it would just say "E-mail," "SMS" or "Facsimile" and not divulge the specific details). The message contained a one-time URL which expired in 24 hours and allowed you to set a new password. When the password got reset, a message was sent out to all registered points detailing when and where from (IP address) this occurred. Self-service all the way.
As near as I can tell there is absolutely nothing secure about a secret question. By definition it is a way to circumvent a moderately secure password system.
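The self-service flow the comment above describes, as an added example (not the poster's system or any project's code): the reset token goes out over a registered channel, is stored only as a hash, works once, expires after 24 hours, and every registered point gets a notice saying when and from which IP the reset happened. The replies also deliberately never confirm whether a username or channel exists, which is added hardening beyond the comment. Hostnames, addresses, IPs and the PBKDF2 work factor are constructed values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)   # the one-time URL expires after 24 hours
PBKDF2_ROUNDS = 100_000           # password hashing work factor (assumed value)

@dataclass
class User:
    password_hash: bytes          # 16-byte salt followed by the PBKDF2 digest
    channels: dict                # kind label -> address, e.g. {"E-mail": ..., "SMS": ...}

@dataclass
class ResetToken:
    username: str
    expires: datetime
    used: bool = False

class ResetService:
    """Self-service reset: the token is stored only as a hash, works once, expires,
    and every registered point is told when and from where the reset happened."""

    def __init__(self, clock):
        self.clock = clock        # returns an aware datetime; injectable for tests
        self.users = {}
        self.tokens = {}          # sha256(raw token) -> ResetToken
        self.outbox = []          # (kind, address, message), in place of real delivery

    @staticmethod
    def _hash_pw(password, salt=None):
        salt = salt or secrets.token_bytes(16)
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password, channels):
        if len(channels) < 2:
            raise ValueError("register at least two of E-mail, SMS, Facsimile")
        self.users[username] = User(self._hash_pw(password), dict(channels))

    def request_reset(self, username, kind):
        # Only the kind label is echoed back, never the address. An unknown user or
        # kind gets the same reply, so the form cannot be used to enumerate accounts.
        user = self.users.get(username)
        if user is not None and kind in user.channels:
            raw = secrets.token_urlsafe(32)
            digest = hashlib.sha256(raw.encode()).digest()
            self.tokens[digest] = ResetToken(username, self.clock() + TOKEN_TTL)
            self.outbox.append((kind, user.channels[kind],
                                f"https://example.test/reset?token={raw}"))
        return f"If that account exists, a message has been sent via {kind}."

    def complete_reset(self, raw_token, new_password, client_ip):
        rec = self.tokens.get(hashlib.sha256(raw_token.encode()).digest())
        if rec is None or rec.used or self.clock() > rec.expires:
            return False                          # unknown, replayed or expired token
        rec.used = True                           # single use
        user = self.users[rec.username]
        user.password_hash = self._hash_pw(new_password)
        notice = f"Password reset on {self.clock().isoformat()} from {client_ip}"
        for kind, address in user.channels.items():   # notify every registered point
            self.outbox.append((kind, address, notice))
        return True

    def check_password(self, username, password):
        stored = self.users[username].password_hash
        return hmac.compare_digest(self._hash_pw(password, stored[:16]), stored)

def demo():
    # Run the whole flow against a fake clock and return the observable outcomes.
    clock = [datetime(2006, 7, 12, 9, 0, tzinfo=timezone.utc)]
    svc = ResetService(lambda: clock[0])
    svc.register("alice", "old-pw", {"E-mail": "alice@example.test", "SMS": "+1-555-0100"})
    svc.request_reset("alice", "SMS")
    raw = svc.outbox[-1][2].split("token=")[1]    # what the SMS would carry
    out = {"first": svc.complete_reset(raw, "new-pw", "192.0.2.7"),
           "replay": svc.complete_reset(raw, "other-pw", "192.0.2.7"),
           "new_pw_ok": svc.check_password("alice", "new-pw"),
           "old_pw_ok": svc.check_password("alice", "old-pw"),
           "notices": sum(m.startswith("Password reset") for _, _, m in svc.outbox)}
    svc.request_reset("alice", "E-mail")
    raw2 = svc.outbox[-1][2].split("token=")[1]
    clock[0] += TOKEN_TTL + timedelta(seconds=1)   # let the second token expire
    out["expired"] = svc.complete_reset(raw2, "late-pw", "192.0.2.7")
    return out
```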
Frankly I think it's a way for the company issuing the account to get just a little bit more information about you. Mother's maiden name? Name of high school? I think birth city is another common one. Sounds like a way of linking you to other people.
Personally I always pick the most obtuse question and give it a completely false answer. Then, as usual, don't forget my password.
Secret questions are only as secure as the secret itself - if you just gave that answer off to some web site, what's to stop you from giving it to another? Imagine this - you have an account of someone you want to break into, and you know their email address. You send them an email (tailored to not be like spam at all) inviting them to some special promotion on a site you set up, complete with login and the same security question. Anyone who answers this, poof, they have given you access to whatever account it is that you seek.
... with a nick of cookiepuss must be the height of my /. experience, but still -- you get more than one try to answer the "security" question, and if for all of them the secret answer is "Red" you have an advantage over the bad guy who might try to work on actually guessing the real answer.
Paul B.
I first ran across the idea of mnemonic passwords here on Slashdot awhile back, and now all my passwords are created using the method. I know Joe Average can understand them, because my PHBs have no problem with them. Well, except for them mouthing the phrases aloud sometimes while typing in the password. Still, that's better than them forgetting it or writing it down on a sticky pad. Mnemonic passwords are easier to remember and eliminate the use of dictionary words for passwords. I'm sure almost everybody here knows about them, but I'll give a simple example for those who may not know and have not googled yet. Choose a phrase for a password. For example, a password for Slashdot could be, "I need to get out of the basement more instead of reading Slashdot". Take the first letter of each word and you get "intgoofbmiors". Then develop a personalized letter replacement scheme that you use with all your passwords (like switching "i" with either "1" or "!"). So "intgoofbmiors" can become "!ntg00fbm!0r$". When typing out the password say the phrase in your head as you type and it'll flow quite well with minimal frustration. I used to use only a handful of passwords between several systems and sites so that I could remember them, but now I can manage a wider array of passwords thanks to picking phrases that somehow relate to each system or site that I use.
That comic is delicious. Mmmm. I love waking up to the fresh taste of Penny Arcade on Mondays, Wednesdays, and Fridays.
I hate "Secret questions." I'd rather keep track of my passwords. I've only once lost an account due to a forgotten username/password combo. And that wasn't an important account. I always fill the secret answer with pure gibberish. Hitting 30+ random keys is a great workaround for me. Especially the stupid new sites that require not one but two secret questions.
When I entered "Spot" as my pet's name, the system told me that my answer had to have at least six characters. I asked my boss if the company would pay for a larger dog.
The problem only arises if you assume that people give honest answers, because if they don't, it's as hard as keeping track of multiple passwords for every site. Each one has different question lists, after all, and the answers to some questions can change over the years (before I came up with my own scheme below, I set up an account with "Best Friend's Last Name" as the question - she's now my wife, so her last name is different... but when I infrequently have to log in, I have to think back to when I signed up to realize, it was around the time we first met!)
My approach makes this a nonissue. (this is not quite my real method, but parallel) I just pick a question and set the answer as "I can't remember". Give the same answer every time, who cares what the question is, but don't make it something real. "Huh?" is good too, or "42".
Comedian Eugene Mirman has a funny bit about this authentication scheme - his credit card company let him choose a question, so he made them ask him "What are you wearing?" and he has to answer, "That's highly inappropriate!"...
Birthplace? InMyMommie:-)
.Centimeters. to .Inches. to .Millimeters. (Answer: Penis length in each unit, surrounded by dots. ex. answer: .15.6.152. )
Mother's Maiden Name? BritneySpears
Optional:
Number of computers + computers (ex. answer: 266788379 - "computers" on a telephone keypad + 2 because the person owned two computers)
Optional:
It's plainly secure if you're not an idiot, I mean, who of us would use our hometown as our place of birth - let alone Earth.
I had to call in to Telus Internet service to address a problem and was asked my secret questions. Being the flippant ass I am, Telus (I think it was Telus, it might be Bell Expressvu) lets you type your own secret questions and answers so I took the liberty of coming up with some, ah, inappropriate questions and answers. Needless to say, the support agent on the line started to giggle when she had to read my secret questions:
Question: How do I masturbate in the shower?
Answer: With my SpongeBob SquarePants friend.
Question: What is the most sexually satisfying farm animal?
Answer: The Llama.
I am not sure who was more embarrassed, me or the agent as I had forgotten that I even made up those questions in the first place.
I had the same thought - everybody knows my pet's name etc. I always make up a fake answer (It's always the same answer, just different questions) - that way, even someone with super-personal info (significant other, parents..) can NOT know the right answer.
Actually, the existence of secret questions is to make you feel your account is more secure.
If it were truly a secure system, they would not be willing to change your password over the phone, because phone conversations are not encrypted. The only thing you could do would be to have your account locked/frozen over the phone, and possibly mail a signed form with a secondary password, and a signature guarantee (like a notary's seal) to request a token be mailed to your address of record, and then you change your password -- by logging into the web site over SSL and entering the authentication details on the token, along with your secondary password/secret question answer.
... by entering a random value from a strong password generator. If the site does not offer to mail me a new password if I forget (most do), then they are out of luck. I even have sites where getting a new password emailed is the only way of access I have.
For some inexplicable, unintended loss of brain capacity, when the bank asked me the "Mother's maiden name" question, I gave them one of my *grand*mother's maiden names. They accepted it. I don't know if there's an inconsistency in the system somewhere that might bite me later, but I've not noticed any problems with anything banking-related, and it's been years since the mistake.
So, maybe the solution is to give an answer that is plausible but actually wrong (and make sure you remember it!). Then, if someone looks up the "correct" answer from other sources and tries to use it, they'll be unpleasantly surprised.
Of course, this assumes there's nothing illegal about doing it.
And you are an idiot if you do that. At least have a few different "security levels" with different passwords. Read/listen more about this technique at http://grc.com/securitynow
Trivial - who cares they get the default uid and passwd.
Shopping - they have my CC; each gets their own username, and the password is a mix of the username + the same symbols and numbers in key locations.
Bank, Broker - different uid, different strong password, changed monthly.
Highly secure accounts - one-time password protected via a hardware device. I wish I could pay my broker for this.
None of these are stored in a browser. My master uid/passwd list is maintained in an encrypted file (TrueCrypt) and stored on USB and disk drives at home and work and on a remote friend's computer. Without the key file and password, it is completely secure. Heck, do you want a copy?
I was at Wal-Mart the other day getting a new watch battery. An employee came up with a herd of "new hires" and asked the lady behind the counter if she could borrow her scan gun. She asked each of these kids IN THE MIDDLE OF THE STORE for their social security numbers, which they sheepishly surrendered. (Best not make trouble on your first day wage slave!) She keyed their socials into the scan gun and it printed out a label with the new hire's name printed over a bar code for the time clock. Golly gee, I wonder what number was in that bar code.
This is Wal-Mart, the largest employer in the USA if I remember correctly. How many times have you lost an ID badge going about a cushy job? At least once, right? These people wrestle with boxes all over the store, there's no telling how many Wal-Mart badges have been lost. And each of them has the employee's social security number on the back?!? That's just fucking pathetic. Don't worry, I told the lady so before I left, fat lot of good that it will do...
Who ever said that you have to answer the 'Secret Question' truthfully? No matter what the 'Secret Question' is, I use the same answer. At work I have to answer 3 out of 5 different questions to get my password reset. When I set up the answers to those 5 questions, I just use the same answer for all of them. They have no relevance to actual data. Who are they to tell me what the answer should be? Example: Q. What is your mother's maiden name? A. My right toe. Q. What is the name of your pet? A. My right toe. etc.
So encrypt the answers using a 1-way hash. If the intent here is to help you prove your identity on the site or recover from a forgotten password, why does any human need to know the answers?
Instead, these questions should be scrambled and compared against scrambled answers you provide later. That way, nobody can retrieve the answer. It's up to the web site operator to take this simple additional step, but it's a lot more secure.
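An added example (not code from the page or any site it mentions) of the one-way-hash storage this comment argues for: answers are normalized so casing and spacing at sign-up do not lock the user out later, each record gets its own salt and a slow hash, comparison is constant-time, and the recovery path locks after a run of wrong answers, along the lines of the five-attempt lockout another commenter hit with PayPal. The work factor and attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ROUNDS = 100_000   # assumed work factor; slows offline guessing of a leaked table
MAX_FAILURES = 5          # assumed limit: lock recovery after this many wrong answers

def normalize(answer):
    """Canonicalize so 'Rover', ' rover ' and 'ROVER.' hash identically; otherwise a
    difference in casing or spacing from what the user typed at sign-up locks them out."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)

class SecretAnswerStore:
    """Keeps only salted one-way hashes, so neither a help-desk rep nor a copy of the
    table reveals the answers. Hashing does not add entropy to a dictionary answer,
    which is why online guessing is also limited."""

    def __init__(self):
        self.records = {}     # (username, question_id) -> (salt, digest)
        self.failures = {}    # username -> consecutive wrong answers

    def set_answer(self, username, question_id, answer):
        salt = secrets.token_bytes(16)   # per-record salt: identical answers hash differently
        self.records[(username, question_id)] = (salt, hash_answer(answer, salt))

    def is_locked(self, username):
        return self.failures.get(username, 0) >= MAX_FAILURES

    def verify(self, username, question_id, answer):
        if self.is_locked(username):
            return False
        # Unknown question ids still pay the hashing cost and compare against an empty
        # digest, so timing does not reveal which questions a user has set up.
        salt, digest = self.records.get((username, question_id), (bytes(16), b""))
        ok = hmac.compare_digest(hash_answer(answer, salt), digest)
        self.failures[username] = 0 if ok else self.failures.get(username, 0) + 1
        return ok
```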
A few months ago I was logging into paypal, and for some reason the site told me that I had been using the same password for too long, and I would be required to change it (and no, this wasn't a phishing site). I couldn't understand this at all, I had never heard of such a thing as being REQUIRED to change my password. I have a secure password that I use on all of my important accounts, and I remember it very well. Now though, they were forcing me to come up with something totally new. As you could expect, a few weeks later, I had forgotten the new password. Then comes the secret question screens... I couldn't remember if I had actually answered the secret questions when I made my account, or if I had just typed some random characters. Apparently I had typed random characters, because after 5 attempts, paypal LOCKED DOWN my account. Now, it's been months since this occurred, and after many phone calls, and even faxing them a ton of my private information that they requested, my account has STILL not been reinstated, with hundreds of dollars of my money locked up in there.
The first three digits are based on where the SSN was issued (typically where you're born), so they aren't useful anyway. I have the impression the middle pair isn't all that helpful for some other reason, though I could be making that up.
The bigger issue is that they aren't really intended to be private, and at this point clearly aren't.
Some people have been recommending giving wrong answers, but there's a problem with that: unless you give the same wrong answer every time, it's no good. A friend of mine came up with a much better way to make his answers hard to guess but easy to remember. Whenever he can, he picks the question about his pet's name. Instead of just saying (Let's say for example) Rover, he answers with this: mypetsnameisrover. Just as easy to remember, but no scammer's going to get it right even if they guess the right name.
I don't need the questions, so I just fill the response field with noise. 'S pretty secure.
Two quick observations:
Where I am required to answer one of these "your pet's name" questions, I do so accurately, but with my hands slightly off. Let's say there's three tiers of paranoia about an account and for stuff I don't care about I just move both hands one character to the right while typing my secret answer. For medium stuff I move them apart from each other and for what I deem critical I move the right hand up and the left one in (reality is different but that's the gist). Incidentally, I do the same thing for my passwords. Turns moderately secure passwords into sheer line-noise.
Thanks to these simple measures, my passwords are more secure than average which is all they need to be. There is no such thing as absolute security, but you only need to be more secure than the next guy. You'll never get rid of all termites, but you only need your house be less attractive than your neighbor's. You won't stop all burglaries, but you only need your house more burglar-proof than the one across the street. You cannot stop lightning, but you can make sure that you aren't the tallest thing out on the plain when the thunderstorm hits. All you have to do is be lower than most other things and you're as safe as you could be.
As someone who *has* read other people's email by knowing trivial information such as their pet name or city of birth (there are only so many cities in a state...), I never ever put real information for the answers. It is just too easy to exploit.
If you don't want to put utter gibberish, or at least an answer that has no relevance to the question, then don't be surprised if someday those precious pictures of you and your tarzan-elf kit are leaked on the net.
As long as nobody finds out that my mother's maiden name is Asduyff43rfasdhf14351243qwe9yfakshdfadfh...
http://www.macdevcenter.com/pub/a/mac/2005/01/01/paris.html