How are 'Secret Questions' Secure?

Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?

Create your own question

[Mostly+a+lurker]

how would you implement a secure facility to change passwords?

Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.

Re:Create your own question

Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to.

Agreed, but we can go further.

The time I was reverse scamming a Nigerian 419'er comes to mind.

I thought it might be fun to look at his mail.com email account. Having Mail.com I knew that it doesn't report attemots to password guess to the account holder.

The secret question this scammer had chosen was "Where were you born"?

The next few emails worked this question into the conversation, using a generous donation to the church in his birth town as the guise. Once I had the town it was trivial to get the password, log in and add an autoreply message to his email. Anyone who emailed him after that time got back my autoreply warning them away.

After the reverse scam I checked his account a few times and the autoreply was still there right up until the account was closed.

Moral to this story: No matter what the question there will probably be a social engineering method to obtain the answer. A good solution along with a user defined question that would raise alarm bells is to simply Audit password retrival attempts.

If someone asks for your secret question and attempts to answer it then place an email in the account giving details of the attempt plus the IP those attempts came from. -- Posting as AC as hacking an email accoumt, even for reverse scamming is a serious crime in my country.

Re:Why you have to provide the real answer?

[Marillion]

The one that bothers me is last four digits of social. In a privacy obsessed world, we've basically taken a nine digit key and reduced it to a four digit key.

Re:Why you have to provide the real answer?

[Detritus]

The leading digits can be guessed if you know when and where the social security card was issued.

Why secret questions?

[scdeimos]

I've worked on a few systems which allowed you to choose your own secret questions and answers, but they're really not that much better.

One of the better solutions I saw required you to register at least two of (1)an e-mail address, (2) an SMS number, and (3) a facsimile number. If you lost your password you went to the "forgot password" interface, entered your username and asked it to send a message to one of the registered points (it would just say "E-mail," "SMS" or "Facsimile" and not divulge the specific details). The message contained a one-time URL which expired in 24 hours and allowed you to set a new password. When the password got reset, a message was sent out to all registered points detailing when and where from (IP address) this occured. Self-service all the way.