Slashdot Mirror


How are 'Secret Questions' Secure?

Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?


  1. You just have to ask yourself the question... by Joff_NZ · · Score: 5, Funny
    --
    The revolution will not be televised. It won't be on a friggin blog either
  2. Uh oh, phishing alert... by Anonymous Coward · · Score: 1, Funny

    How are 'Secret Questions' Secure?

    Um, can't answer that, it's my secret question.

  3. Re:Why follow the rules? by AriaStar · · Score: 2, Funny

    Exactly. And every year or so, change what the answers are. Or, instead of your mother's maiden name, use an ex's mother's maiden name if you know it.

    An old friend of mine would choose the "favorite historical figure" option, if available, and he would answer "Hitler." He said you wouldn't expect it of a black Jewish guy, and that's what was so great. It's not likely to be guessed.

  4. Re:The sites that need it, shouldn't use it. by karnal · · Score: 4, Funny

    My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

    I'll bet she couldn't WAIT to get married!

    On a related note, we must be cousins.

    --
    Karnal
  5. "What is my password?" by The MAZZTer · · Score: 2, Funny
  6. Re:Create your own question by Red Alastor · · Score: 2, Funny
    Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.
    Sometimes you cannot write your own, so either you type random junk on the keyboard if you are sure you'll never forget your password or you understand the question in a twisted way. What's your favourite animal? Dubya!
    --
    Slashdot anagrams to "Sad Sloth"
  7. There was a comedian... by Ja5on15 · · Score: 2, Funny

    ... that made a joke about this once. For security, he got to choose his own question and answer. The question the techs were supposed to ask him was, "What are you wearing?" with a response of "THAT'S TOTALLY INAPPROPRIATE!"

  8. Re:The sites that need it, shouldn't use it. by Detritus · · Score: 2, Funny

    I had a Polish friend whose name was so unpronounceable, that I used to kid him and say his family was too poor to afford any vowels. People used to stare at his name tag, while the language part of their brain went into shock.

    --
    Mea navis aericumbens anguillis abundat
  9. OBPennyArcade by schon · · Score: 2, Funny

    Best is to allow the user to create their own question.

    That has its own problems:

    http://www.penny-arcade.com/comic/2006/07/12

    1. Re:OBPennyArcade by lazlo · · Score: 2, Funny

      I recall a friend who had a "create your own question" security system at.. I believe it was his bank. Anyhow, it was a question that was asked by call center employees. He had far too much fun with that. He said "I love it! Every time I call my bank, they have to ask me 'Jack, why are you such a fucking pussy?', and every time I have to reply 'Because I am what I eat.'"

      So, there may be other reasons not to use this sort of system.

      But, fundamentally, it's a horrible security measure and should be taken out and shot.

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
  10. Some systems won't accept the real answer by boustrophedon · · Score: 2, Funny

    When I entered "Spot" as my pet's name, the system told me that my answer had to have at least six characters. I asked my boss if the company would pay for a larger dog.

  11. Funny secret question situation... by Hamster Lover · · Score: 5, Funny

    I had to call in to Telus Internet service to address a problem and was asked my secret questions. Being the flippant ass I am, Telus (I think it was Telus, it might be Bell Expressvu) lets you type your own secret question and answers so I took the liberty of coming up with some, ah, inappropriate questions and answers. Needless to say, the support agent on the line started to giggle when she had to read my secret questions:

    Question: How do I masturbate in the shower?
    Answer: With my SpongeBob SquarePants friend.

    Question: What is the most sexually satisfying farm animal?
    Answer: The Llama.

    I am not sure who was more embarrassed, me or the agent as I had forgotten that I even made up those questions in the first place.