Slashdot Mirror


How are 'Secret Questions' Secure?

Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?

30 of 116 comments

  1. Create your own question by Mostly+a+lurker · · Score: 4, Interesting
    how would you implement a secure facility to change passwords?
    Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.
    1. Re:Create your own question by BandC · · Score: 2, Insightful

      Even if they create the question themselves, people will tend to create the same question for many websites so knowing one question/answer pair of one person for one website will lead to knowing it for most/all sites. Therefore, I'm not sure if that's the answer.

    2. Re:Create your own question by Red+Alastor · · Score: 2, Funny
      Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.
      Sometimes you cannot write your own so either you type random junk on the keyboard if you are sure you'll never forget your password or you understand the question in a twisted way. What's your favourite animal ? Dubya !
      --
      Slashdot anagrams to "Sad Sloth"
    3. Re:Create your own question by afaik_ianal · · Score: 2, Insightful

      And they also tend to use the same password for most/all sites, so it's really a moot point anyway.

    4. Re:Create your own question by Anonymous Coward · · Score: 2, Interesting
      Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to.
      Agreed, but we can go further.

      The time I was reverse scamming a Nigerian 419'er comes to mind.

      I thought it might be fun to look at his mail.com email account. Having Mail.com I knew that it doesn't report attempts to password guess to the account holder.

      The secret question this scammer had chosen was "Where were you born"?

      The next few emails worked this question into the conversation, using a generous donation to the church in his birth town as the guise. Once I had the town it was trivial to get the password, log in and add an autoreply message to his email. Anyone who emailed him after that time got back my autoreply warning them away.

      After the reverse scam I checked his account a few times and the autoreply was still there right up until the account was closed.

      Moral to this story: No matter what the question there will probably be a social engineering method to obtain the answer. A good solution along with a user defined question that would raise alarm bells is to simply Audit password retrieval attempts.

      If someone asks for your secret question and attempts to answer it then place an email in the account giving details of the attempt plus the IP those attempts came from. -- Posting as AC as hacking an email account, even for reverse scamming is a serious crime in my country.
  2. You just have to ask yourself the question... by Joff_NZ · · Score: 5, Funny
    --
    The revolution will not be televised. It won't be on a friggin blog either
    1. Re:You just have to ask yourself the question... by Rakshasa+Taisab · · Score: 2, Informative

      You just messed up a one line joke...

      There's no question mark there, which is why Tycho goes on to question whether it is a question or a statement.

      --
      - These characters were randomly selected.
  3. The sites that need it, shouldn't use it. by jafo · · Score: 4, Insightful

    Many, many sites require that you answer some of these questions. It would be ok if it were optional, but in many cases it's required. The thing is that many sites really have no legitimate need to have password changing functionality in the site.

    For example, at most online shopping sites, I'm having to create an account I don't really want, and provide this "secret" information, to a site I'll probably never visit again. Or if I do, I'd rather enter all my shipping information again than have to remember a password.

    For most sites, if your password for the site isn't valuable enough to you that you keep it safe, then there's probably no reason that you couldn't just start over with a new account. For the sites that do have stuff that's interesting enough that you need a password recovery, the security of a password reminder probably isn't sufficient.

    One thing you can do, is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

    Sean

    1. Re:The sites that need it, shouldn't use it. by karnal · · Score: 4, Funny

      My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

      I'll bet she couldn't WAIT to get married!

      On a related note, we must be cousins.

      --
      Karnal
    2. Re:The sites that need it, shouldn't use it. by Detritus · · Score: 2, Funny

      I had a Polish friend whose name was so unpronounceable, that I used to kid him and say his family was too poor to afford any vowels. People used to stare at his name tag, while the language part of their brain went into shock.

      --
      Mea navis aericumbens anguillis abundat
    3. Re:The sites that need it, shouldn't use it. by pyrrhonist · · Score: 3, Informative
      ..which means you now have to have an insecure file on your computer storing your different made-up answer for each site... I hope to god that's encrypted and password-protected out the wazoo.

      KeePass

      --
      Show me on the doll where his noodly appendage touched you.
  4. Why you have to provide the real answer? by PaulBu · · Score: 3, Insightful

    Your mother's maiden name? / your city of birth,

    Your pet's name? / your GF nickname,

    Your pet? / Ultraviolet

    And so on...

    Paul B.

    1. Re:Why you have to provide the real answer? by Marillion · · Score: 3, Interesting

      The one that bothers me is last four digits of social. In a privacy obsessed world, we've basically taken a nine digit key and reduced it to a four digit key.

      --
      This is a boring sig
    2. Re:Why you have to provide the real answer? by Detritus · · Score: 3, Interesting

      The leading digits can be guessed if you know when and where the social security card was issued.

      --
      Mea navis aericumbens anguillis abundat
  5. Good enough security by ChaosDiscord · · Score: 2, Insightful

    It's not perfect, but it makes attacking a random account harder. That the password is emailed to a known address adds further security. It's probably not good enough to stop a dedicated attacker, but for something relatively unimportant (like a Slashdot login), it's Good Enough. For important things (say, your banking site) I would hope that emailing you your password isn't an option at all (it isn't for my bank).

    You can improve your security marginally by making up a consistent fictional answer. Again, not suitable for important sites, but good enough for lightweight stuff.

  6. Let the user choose their own question by gclef · · Score: 3, Insightful

    If the users choose their own question and answer, it makes it much harder for an attacker to know what bit of info will be needed.

    Also, users can then choose all sorts of really arcane things for their questions, or just bits of silliness & mental associations that aren't worth an attacker's time to figure out.

  7. Email/Reset Password by dduardo · · Score: 4, Insightful

    I prefer to give sites my email and if I forget my password it should email me with a link to reset my password. That is the simplest solution.

  8. Why follow the rules? by goofyheadedpunk · · Score: 2, Informative

    Who says you have to answer that silly secret question with what it's actually asking for? You could think up a non-public answer ahead of time to the question, "What High School did you go to?" and give that non-public answer. Seems to be a bit more secure than giving an answer which is actually true.

    For example:

    Question: "What's your mother's maiden name?"
    Answer: "Sheatemybrotherssoul"

    --

    What if the entire Universe were a chrooted environment with everything symlinked from the host?
    1. Re:Why follow the rules? by AriaStar · · Score: 2, Funny

      Exactly. And every year or so, change what the answers are. Or, instead of your mother's maiden name, use an ex's mother's maiden name if you know it.

      An old friend of mine would choose the "favorite historical figure" option, if available, and he would answer "Hitler." He said you wouldn't expect it of a black Jewish guy, and that's what was so great. It's not likely to be guessed.

  9. "What is my password?" by The+MAZZTer · · Score: 2, Funny
  10. stupid by Anonymous+brave+dude · · Score: 2, Informative

    Whenever I am presented with one of these, I just mash on the keyboard for a bit. I remember my passwords.

  11. No? by gadzook33 · · Score: 3, Insightful

    I was on a major financial institution's web site yesterday changing my password. It asked me to pick a password with a minimum of six characters. Then it asked me to type the answer to a Secret Question. It required that I have a minimum of three characters in my answer. There were about twelve questions to pick from plus the option for a custom question (which we'll ignore for now since odds are no one picks it anyway). So, if we consider the choice of question to be (at best) an extra character in the answer, we are only required to use four (really like 3.5) characters. If I'm attacking this system, where am I going to spend my time? What is the point of having a minimum of six characters in the password? This isn't even considering the fact that the answer to the Secret Question is almost certainly something out of a dictionary whereas there's at least a chance the password is somewhat more complex.

  12. There was a comedian... by Ja5on15 · · Score: 2, Funny

    ... that made a joke about this once. For security, he got to choose his own question and answer. The question the techs were supposed to ask him was, "What are you wearing?" with a response of "THAT'S TOTALLY INAPPROPRIATE!"

  13. OBPennyArcade by schon · · Score: 2, Funny

    Best is to allow the user to create their own question.

    That has its own problems:

    http://www.penny-arcade.com/comic/2006/07/12

    1. Re:OBPennyArcade by lazlo · · Score: 2, Funny

      I recall a friend who had a "create your own question" security system at.. I believe it was his bank. Anyhow, it was a question that was asked by call center employees. He had far too much fun with that. He said "I love it! Every time I call my bank, they have to ask me 'Jack, why are you such a fucking pussy?', and every time I have to reply 'Because I am what I eat.'"

      So, there may be other reasons not to use this sort of system.

      But, fundamentally, it's a horrible security measure and should be taken out and shot.

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
  14. Why secret questions? by scdeimos · · Score: 2, Interesting

    I've worked on a few systems which allowed you to choose your own secret questions and answers, but they're really not that much better.

    One of the better solutions I saw required you to register at least two of (1) an e-mail address, (2) an SMS number, and (3) a facsimile number. If you lost your password you went to the "forgot password" interface, entered your username and asked it to send a message to one of the registered points (it would just say "E-mail," "SMS" or "Facsimile" and not divulge the specific details). The message contained a one-time URL which expired in 24 hours and allowed you to set a new password. When the password got reset, a message was sent out to all registered points detailing when and where from (IP address) this occurred. Self-service all the way.

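The reset flow scdeimos describes, as an added example that is not scdeimos's system or any real site's code: accounts must register at least two contact points, the "forgot password" interface discloses only the kind of each point (never the address), the reset URL carries a single-use token that expires after 24 hours, and a completed reset is announced to every registered point with the time and the requesting IP. Everything here is constructed: `example.invalid` stands in for the site, the `outbox` list stands in for real e-mail/SMS/fax delivery, and credential storage is left as a plain field only to keep the example short.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 24 * 60 * 60   # one-time URL valid for 24 hours
MIN_CONTACT_POINTS = 2             # at least two of E-mail / SMS / Facsimile


@dataclass
class Account:
    username: str
    password: str                  # a real system stores a password hash
    contacts: dict = field(default_factory=dict)   # kind -> address


@dataclass
class ResetToken:
    username: str
    issued_at: float
    used: bool = False


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock         # injectable so expiry can be tested
        self.accounts = {}
        self.tokens = {}           # sha256(token) -> ResetToken
        self.outbox = []           # (kind, address, message): constructed delivery log

    def register(self, username, password, contacts):
        if len(contacts) < MIN_CONTACT_POINTS:
            raise ValueError("register at least two contact points")
        self.accounts[username] = Account(username, password, dict(contacts))

    def available_kinds(self, username):
        # Only the kinds are shown to the requester, never the addresses.
        acct = self.accounts.get(username)
        return sorted(acct.contacts) if acct else []

    def request_reset(self, username, kind):
        acct = self.accounts.get(username)
        if acct is None or kind not in acct.contacts:
            return None            # same answer for unknown user or kind
        token = secrets.token_urlsafe(32)
        # Store only a digest: a leaked table cannot be replayed as live links.
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = ResetToken(
            username, self.clock())
        url = f"https://example.invalid/reset?token={token}"
        self.outbox.append((kind, acct.contacts[kind], url))
        return token

    def complete_reset(self, token, new_password, client_ip):
        rec = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec.used:
            return False           # unknown or already consumed
        if self.clock() - rec.issued_at > TOKEN_TTL_SECONDS:
            return False           # expired
        rec.used = True
        acct = self.accounts[rec.username]
        acct.password = new_password
        when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(self.clock()))
        notice = f"Password reset at {when} from {client_ip}"
        # Every registered point hears about the reset, not just the one used.
        for kind, address in acct.contacts.items():
            self.outbox.append((kind, address, notice))
        return True
```

The token lookup is by digest rather than by the raw token so that whoever can read the token table cannot use its contents, and the service answers identically for an unknown username and for an unregistered contact kind so the interface cannot be used to enumerate accounts.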
  15. Mnemonic Passwords need more evangelism by Bloodwine77 · · Score: 2, Insightful

    I first ran across the idea of mnemonic passwords here on Slashdot a while back, and now all my passwords are created using the method. I know Joe Average can understand them, because my PHB's have no problem with them. Well, except for them mouthing the phrases aloud sometimes while typing in the password. Still, that's better than them forgetting it or writing it down on a sticky pad. Mnemonic passwords are easier to remember and eliminate the use of dictionary words for passwords. I'm sure almost everybody here knows about them, but I'll give a simple example for those who may not know and have not googled yet. Choose a phrase for a password. For example, a password for Slashdot could be, "I need to get out of the basement more instead of reading Slashdot". Take the first letter of each word and you get "intgoofbmiors". Then develop a personalized letter replacement scheme that you use with all your passwords (like switching "i" with either "1" or "!"). So "intgoofbmiors" can become "!ntg00fbm!0r$" When typing out the password say the phrase in your head as you type and it'll flow quite well with minimal frustration. I used to use only a handful of passwords between several systems and sites so that I could remember them, but now I can manage a wider array of passwords thanks to picking phrases that somehow relate to each system or site that I use.

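The two-step method Bloodwine77 describes (initials of a phrase, then one consistent substitution scheme), as an added example that is not the poster's code. The substitution table below is an assumption; the post only illustrates swapping "i" for "1" or "!". Unlike the post's hand-worked example, this version keeps the capitalisation of the original words, since mixed case is one more thing a guesser has to get right, and it reports which character classes the result contains so it can be checked against a site's complexity rule.

```python
import re

# Assumed substitution scheme; the post only gives "i" -> "1"/"!" as an example.
SUBSTITUTIONS = {"i": "!", "o": "0", "s": "$", "a": "@", "e": "3"}


def initials(phrase: str) -> str:
    """First character of each word, case preserved; punctuation is skipped."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return "".join(w[0] for w in words)


def substitute(s: str, table=SUBSTITUTIONS) -> str:
    """Apply the personal replacement scheme consistently, one char at a time."""
    return "".join(table.get(ch.lower(), ch) for ch in s)


def mnemonic_password(phrase: str, table=SUBSTITUTIONS) -> str:
    return substitute(initials(phrase), table)


def character_classes(password: str) -> set:
    """Which of upper/lower/digit/symbol the result covers (for policy checks)."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    # Constructed phrase, not the poster's.
    phrase = "My first modem was a 2400 baud Hayes, not a cable box"
    print(mnemonic_password(phrase))
```

Because the scheme is applied mechanically, the same phrase always yields the same password, which is what lets the user keep one substitution table in their head and a different phrase per site.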
  16. Some systems won't accept the real answer by boustrophedon · · Score: 2, Funny

    When I entered "Spot" as my pet's name, the system told me that my answer had to have at least six characters. I asked my boss if the company would pay for a larger dog.

  17. Funny secret question situation... by Hamster+Lover · · Score: 5, Funny

    I had to call in to Telus Internet service to address a problem and was asked my secret questions. Being the flippant ass I am, Telus (I think was Telus, it might be Bell Expressvu) lets you type your own secret question and answers so I took the liberty of coming up with some, ah, inappropriate questions and answers. Needless to say, the support agent on the line started to giggle when she had to read my secret questions:

    Question: How do I masturbate in the shower?
    Answer: With my SpongeBob SquarePants friend.

    Question: What is the most sexually satisfying farm animal?
    Answer: The Llama.

    I am not sure who was more embarrassed, me or the agent as I had forgotten that I even made up those questions in the first place.

  18. One-way hash the answer by stungod · · Score: 2, Insightful

    So encrypt the answers using a 1-way hash. If the intent here is to help you prove your identity on the site or recover from a forgotten password, why does any human need to know the answers?

    Instead, these questions should be scrambled and compared against scrambled answers you provide later. That way, nobody can retrieve the answer. It's up to the web site operator to take this simple additional step, but it's a lot more secure.
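
Storing the answer as a salted slow hash, as stungod suggests, combined with the audit trail of retrieval attempts the Anonymous Coward in thread 1 asked for, as an added example that is not either poster's code. Answers are normalised (case-folded, accents and punctuation stripped) before hashing, because free-text answers are rarely typed identically twice; the PBKDF2 iteration count, the lockout threshold of five failures and the attempt log format are all assumptions. A hashed answer is still a low-entropy secret, which is why the store also counts failures and records the client IP of every attempt rather than relying on the hash alone.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor
SALT_LEN = 16
MAX_FAILURES = 5              # assumed lockout threshold


def normalise(answer: str) -> str:
    """'O'Brien', 'o brien' and 'OBrien ' all become 'obrien'."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(normalised answer)."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(),
                                 salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_answer(stored: bytes, candidate: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    cand = hashlib.pbkdf2_hmac("sha256", normalise(candidate).encode(),
                               salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, cand)   # constant-time comparison


@dataclass
class AnswerRecord:
    stored: bytes
    failures: int = 0
    attempts: list = field(default_factory=list)   # (client_ip, succeeded)


class SecretAnswerStore:
    """Holds only hashes; nobody reading the store can learn the answers."""

    def __init__(self):
        self.records = {}

    def set_answer(self, username: str, answer: str) -> None:
        self.records[username] = AnswerRecord(hash_answer(answer))

    def check(self, username: str, candidate: str, client_ip: str) -> bool:
        rec = self.records.get(username)
        if rec is None:
            # Burn the same work for unknown users so response time does not
            # reveal whether the account exists.
            verify_answer(hash_answer("placeholder"), candidate)
            return False
        if rec.failures >= MAX_FAILURES:
            rec.attempts.append((client_ip, False))
            return False                     # locked until reviewed
        ok = verify_answer(rec.stored, candidate)
        rec.attempts.append((client_ip, ok))   # audit trail, as thread 1 asked
        if not ok:
            rec.failures += 1
        return ok
```

The `attempts` list is what a site would mail to the account owner ("someone from 192.0.2.9 tried your secret question three times"); the lockout keeps a three-character dictionary answer from being exhausted by a patient guesser, which the hashing alone does not prevent.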