How are 'Secret Questions' Secure?
Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?
Many, many sites require that you answer some of these questions. It would be OK if it were optional, but in many cases it's required. The thing is that many sites really have no legitimate need for password-changing functionality on the site.
For example, at most online shopping sites, I'm having to create an account I don't really want, and provide this "secret" information, to a site I'll probably never visit again. Or if I do, I'd rather enter all my shipping information again than have to remember a password.
For most sites, if your password for the site isn't valuable enough to you that you keep it safe, then there's probably no reason that you couldn't just start over with a new account. For the sites that do have stuff that's interesting enough that you need a password recovery, the security of a password reminder probably isn't sufficient.
One thing you can do is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".
Sean
Your mother's maiden name? / your city of birth,
Your pet's name? / your GF's nickname,
Your pet? / Ultraviolet
And so on...
Paul B.
It's not perfect, but it makes attacking a random account harder. That the password is emailed to a known address adds further security. It's probably not good enough to stop a dedicated attacker, but for something relatively unimportant (like a Slashdot login), it's Good Enough. For important things (say, your banking site) I would hope that emailing you your password isn't an option at all (it isn't for my bank).
You can improve your security marginally by making up a consistent fictional answer. Again, not suitable for important sites, but good enough for lightweight stuff.
If the users choose their own question and answer, it makes it much harder for an attacker to know what bit of info will be needed.
Also, users can then choose all sorts of really arcane things for their questions, or just bits of silliness & mental associations that aren't worth an attacker's time to figure out.
Even if they create the question themselves, people will tend to create the same question for many websites, so knowing one question/answer pair of one person for one website will lead to knowing it for most/all sites. Therefore, I'm not sure if that's the answer.
I prefer to give sites my email and if I forget my password it should email me with a link to reset my password. That is the simplest solution.
I was on a major financial institution's web site yesterday changing my password. It asked me to pick a password with a minimum of six characters. Then it asked me to type the answer to a Secret Question. It required that I have a minimum of three characters in my answer. There were about twelve questions to pick from plus the option for a custom question (which we'll ignore for now since odds are no one picks it anyway). So, if we consider the choice of question to be (at best) an extra character in the answer, we are only required to use four (really like 3.5) characters. If I'm attacking this system, where am I going to spend my time? What is the point of having a minimum of six characters in the password? This isn't even considering the fact that the answer to the Secret Question is almost certainly something out of a dictionary whereas there's at least a chance the password is somewhat more complex.
And they also tend to use the same password for most/all sites, so it's really a moot point anyway.
I first ran across the idea of mnemonic passwords here on Slashdot a while back, and now all my passwords are created using the method. I know Joe Average can understand them, because my PHBs have no problem with them. Well, except for them mouthing the phrases aloud sometimes while typing in the password. Still, that's better than them forgetting it or writing it down on a sticky pad. Mnemonic passwords are easier to remember and eliminate the use of dictionary words for passwords. I'm sure almost everybody here knows about them, but I'll give a simple example for those who may not know and have not googled yet. Choose a phrase for a password. For example, a password for Slashdot could be, "I need to get out of the basement more instead of reading Slashdot". Take the first letter of each word and you get "intgoofbmiors". Then develop a personalized letter replacement scheme that you use with all your passwords (like switching "i" with either "1" or "!"). So "intgoofbmiors" can become "!ntg00fbm!0r$". When typing out the password, say the phrase in your head as you type and it'll flow quite well with minimal frustration. I used to use only a handful of passwords between several systems and sites so that I could remember them, but now I can manage a wider array of passwords thanks to picking phrases that somehow relate to each system or site that I use.
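The mnemonic scheme described in the post above, written out as an added example (not code from the poster). The substitution table i→!, o→0, s→$ is inferred from the post's example; the sample phrase is constructed here.

```python
import string

# Assumption: substitution map inferred from the post's "!ntg00fbm!0r$" example.
SUBSTITUTIONS = str.maketrans({"i": "!", "o": "0", "s": "$"})


def phrase_initials(phrase: str) -> str:
    """Step 1 of the scheme: first letter of each word, lower-cased.

    Leading punctuation such as quotes or brackets is ignored so that a
    phrase like '"Never" again' still yields 'na'.
    """
    initials = []
    for word in phrase.split():
        word = word.lstrip(string.punctuation)
        if word:
            initials.append(word[0].lower())
    return "".join(initials)


def mnemonic_password(phrase: str, table=SUBSTITUTIONS) -> str:
    """Step 2: apply the personal letter-replacement scheme to the initials."""
    return phrase_initials(phrase).translate(table)


if __name__ == "__main__":
    # Constructed sample phrase, not the poster's.
    sample = "My router logs every failed login at six in the morning"
    print(mnemonic_password(sample))
```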
So encrypt the answers using a 1-way hash. If the intent here is to help you prove your identity on the site or recover from a forgotten password, why does any human need to know the answers?
Instead, these questions should be scrambled and compared against scrambled answers you provide later. That way, nobody can retrieve the answer. It's up to the web site operator to take this simple additional step, but it's a lot more secure.
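One way a site operator could store secret-question answers as one-way hashes, as the two posts above suggest; this is an added example, not code from any poster. It assumes PBKDF2-HMAC-SHA256 with a per-answer random salt, and normalises the answer first so that "Smith", "SMITH" and " smith " all verify, since users rarely type such answers identically twice.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumption: work factor chosen for illustration; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer before hashing.

    Unicode compatibility normalisation, case folding and whitespace
    collapsing make 'Smith', 'SMITH' and '  smith ' hash to the same value
    without ever storing the plaintext.
    """
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$digest_hex' for storage; the answer itself is discarded."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(salt_hex), PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_answer("Smith")          # what the site keeps
    print(record)
    print(verify_answer(" SMITH ", record))  # True
    print(verify_answer("Jones", record))    # False
```

A help-desk representative who can read the stored record sees only the salt and digest, which answers the original poster's concern about insiders viewing the answers.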