Slashdot Mirror


How are 'Secret Questions' Secure?

Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?


  1. Create your own question by Mostly a lurker · · Score: 4, Interesting
    how would you implement a secure facility to change passwords?
    Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.
  2. You just have to ask yourself the question... by Joff_NZ · · Score: 5, Funny
    --
    The revolution will not be televised. It won't be on a friggin blog either
  3. The sites that need it, shouldn't use it. by jafo · · Score: 4, Insightful

    Many, many sites require that you answer some of these questions. It would be ok if it were optional, but in many cases it's required. The thing is that many sites really have no legitimate need to have password-changing functionality in the site.

    For example, at most online shopping sites, I'm having to create an account I don't really want, and provide this "secret" information, to a site I'll probably never visit again. Or if I do, I'd rather enter all my shipping information again than have to remember a password.

    For most sites, if your password for the site isn't valuable enough to you that you keep it safe, then there's probably no reason that you couldn't just start over with a new account. For the sites that do have stuff that's interesting enough that you need a password recovery, the security of a password reminder probably isn't sufficient.

    One thing you can do, is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

    Sean

    1. Re:The sites that need it, shouldn't use it. by karnal · · Score: 4, Funny

      My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

      I'll bet she couldn't WAIT to get married!

      On a related note, we must be cousins.

      --
      Karnal
    2. Re:The sites that need it, shouldn't use it. by pyrrhonist · · Score: 3, Informative
      ...which means you now have to have an insecure file on your computer storing your different made-up answer for each site... I hope to god that's encrypted and password-protected out the wazoo.

      KeePass

      --
      Show me on the doll where his noodly appendage touched you.
  4. Why you have to provide the real answer? by PaulBu · · Score: 3, Insightful

    Your mother's maiden name? / your city of birth,

    Your pet's name? / your GF nickname,

    Your pet? / Ultraviolet

    And so on...

    Paul B.

    1. Re:Why you have to provide the real answer? by Marillion · · Score: 3, Interesting

      The one that bothers me is last four digits of social. In a privacy obsessed world, we've basically taken a nine digit key and reduced it to a four digit key.

      --
      This is a boring sig
    2. Re:Why you have to provide the real answer? by Detritus · · Score: 3, Interesting

      The leading digits can be guessed if you know when and where the social security card was issued.

      --
      Mea navis aericumbens anguillis abundat
  5. Let the user choose their own question by gclef · · Score: 3, Insightful

    If the users choose their own question and answer, it makes it much harder for an attacker to know what bit of info will be needed.

    Also, users can then choose all sorts of really arcane things for their questions, or just bits of silliness & mental associations that aren't worth an attacker's time to figure out.

  6. Email/Reset Password by dduardo · · Score: 4, Insightful

    I prefer to give sites my email and if I forget my password it should email me with a link to reset my password. That is the simplest solution.

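One way to implement the e-mail reset flow dduardo describes, as an added example that is not code from the thread or any poster: issue a random single-use token, keep only its hash and an expiry server-side, and put the raw token in the mailed link. `ResetStore`, `reset_link` and the 15-minute `TOKEN_TTL` are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)


class ResetStore:
    """Pending password-reset tokens. Only the SHA-256 of each token is
    stored, so a leaked copy of this table cannot be replayed as live links."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id, now=None):
        """Create a token for user_id and return it for the e-mailed link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user_id, now + TOKEN_TTL)
        return token  # never stored in the clear

    def redeem(self, token, now=None):
        """Return the user_id a token belongs to, or None if it is unknown
        or expired. Tokens are single-use: any redeem attempt removes them,
        so a reused or expired link can never become valid later."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Looking up by hash rather than comparing raw tokens means an
        # equality timing difference reveals nothing useful about the token.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


def reset_link(base_url, token):
    """Build the link that is mailed to the account's registered address."""
    return f"{base_url}/reset?token={token}"
```

The password change itself happens only after `redeem` returns a user id; because the token is consumed on that call, the same link cannot be used a second time.
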
  7. No? by gadzook33 · · Score: 3, Insightful

    I was on a major financial institution's web site yesterday changing my password. It asked me to pick a password with a minimum of six characters. Then it asked me to type the answer to a Secret Question. It required that I have a minimum of three characters in my answer. There were about twelve questions to pick from plus the option for a custom question (which we'll ignore for now since odds are no one picks it anyway). So, if we consider the choice of question to be (at best) an extra character in the answer, we are only required to use four (really like 3.5) characters. If I'm attacking this system, where am I going to spend my time? What is the point of having a minimum of six characters in the password? This isn't even considering the fact that the answer to the Secret Question is almost certainly something out of a dictionary whereas there's at least a chance the password is somewhat more complex.

  8. Funny secret question situation... by Hamster Lover · · Score: 5, Funny

    I had to call in to Telus Internet service to address a problem and was asked my secret questions. Being the flippant ass I am, Telus (I think it was Telus, it might be Bell Expressvu) lets you type your own secret questions and answers, so I took the liberty of coming up with some, ah, inappropriate questions and answers. Needless to say, the support agent on the line started to giggle when she had to read my secret questions:

    Question: How do I masturbate in the shower?
    Answer: With my SpongeBob SquarePants friend.

    Question: What is the most sexually satisfying farm animal?
    Answer: The Llama.

    I am not sure who was more embarrassed, me or the agent as I had forgotten that I even made up those questions in the first place.