Slashdot Mirror


Study Shows "Secret Questions" Are Too Easily Guessed

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.

303 comments

  1. Don't use them by slart42 · · Score: 5, Funny

    I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

    1. Re:Don't use them by Anonymous Coward · · Score: 2, Funny

      I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

      Until now......

    2. Re:Don't use them by nemesisrocks · · Score: 3, Insightful

      Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience.

    3. Re:Don't use them by Shin-LaC · · Score: 4, Insightful

      Unfortunately, many sites require you to set up a secret question for password recovery. Disabling that facility is actually desirable if you want to enjoy the strength of password security.

    4. Re:Don't use them by Anonymous Coward · · Score: 5, Interesting

      Some services let you choose the question as well as the answer. In that case, I always set the question to "What is my password?"

    5. Re:Don't use them by zonky · · Score: 4, Informative

      Password safe, add the question and give a randomly generated combination as the answer. Problem solved.

    6. Re:Don't use them by 4D6963 · · Score: 3, Insightful

      Also, neither would you. Hence, disabling this whole huge security hole.

      Fixed it for you. If you look at a security as a bunch of security components put together either in line or in parallel, you'll realise that when you put in parallel something somewhat secure like a password and something not very secure like asking a question, then the system is only as secure as the weaker of the two securities. You don't need to know much about someone to know or guess where they were born or what their favourite TV show is, I mean that's the kind of information people put on their Facebook profile for the whole world to see to begin with.

      --
      You just got troll'd!
    7. Re:Don't use them by theeddie55 · · Score: 1

      Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience.

      Of course he'll know it, he wrote it down on a piece of paper with his password.

    8. Re:Don't use them by Anonymous Coward · · Score: 0

      I've lost a password to a Yahoo account, guess how to renew the password? Answer my secret 'kc0cxewr2gsk5' question. Answer? Probably 'z1oimh6zw'. Had no choice but to stop using Yahoo mail because of the secret question requirements.

    9. Re:Don't use them by Anonymous Coward · · Score: 0

      While this is mostly true it ignores the fact that someone will notice a password change next time they log on.

    10. Re:Don't use them by Xest · · Score: 4, Insightful

      Not only that but when I have used them I've found them annoying as they're often case sensitive and it's easy to forget what you entered or how you entered it. What is your dog's name? Which dog? What is your date of birth? What date format?

      They're just bad all round, often the questions you get to choose from either fall into the category of far too easily guessed/socially engineered, such as where were you born, which 90% of people you've ever met can tell from something like your accent or where you work and live if you never moved away, or they fall into the category of being too ambiguous, such that when it comes back to remembering how you entered it 3 tries will probably get you locked out.

      Creating a list of questions that truly are secret and of which at least one is common to everyone is near impossible. You could start asking things like "Who at your workplace would you most like to sleep with" but I don't think most people would want to answer such intrusive questions!

    11. Re:Don't use them by BikeHelmet · · Score: 1

      My pet's name is JDianD_6S8pXOHMK8m2C!

      If I lose my password, I probably lost my computer (or my memory?), which means creating a new account is less hassle than what I'd be going through at the time.

      But... I've never lost a password yet. The only troubles I've had with passwords is when sites get hacked. They give you short new ones by email, but the new ones sometimes don't work when you try to change them (to something more secure), so then you're stuck with them. :/

      If you actually use the secret questions from time to time, I suggest you lock your passwords away with KeePass and put a good master password on it instead. Random hexadecimal passwords of random lengths are way harder to guess than a secret question!

    12. Re:Don't use them by Anonymous Coward · · Score: 0

      Actually, slart42's first pet really was named OIYNTDttye7it867t&%&^%&^T(

    13. Re:Don't use them by Swizec · · Score: 2, Insightful

      While this is mostly true it ignores the fact that someone will notice a password change next time they log on.

      So they've noticed a breach post facto when anything the hacker wanted to do was already done. Like I dunno, send a bunch of bad things in your name, steal your sensitive data and so on. Yeah, knowing they might have done this really helps preventing it from happening.

    14. Re:Don't use them by pkretek · · Score: 4, Interesting

      I always sha those stupid questions with a related answer and some number: echo -n MyPet01|shasum -

    15. Re:Don't use them by digitalchinky · · Score: 1

      And here's me thinking I might skip the whole password safe type thing and just wing it. At least until my job required me to sign up for some HSBC corporate banking stuff. Turns out that while you do give a password, they never, ever, ask you for it. 4 weeks later when they get around to telling you your application has been approved, you have to dredge back up all the bogus 90210 user@example.com crap you typed in: Mother's maiden name, shoe size at 11 years of age, what you ate for breakfast on the 13th of September 1993, the names of your 4 previous pets that departed our dear earth as a result of unfortunate microwave accidents, that kind of thing.

      I'm a tad more careful now. My crap has gained a little more consistency so to speak.

    16. Re:Don't use them by Anonymous Coward · · Score: 2, Informative

      I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

      The name of my first pet, a hamster, was

      Spotty'delete from secretquestions;--

    17. Re:Don't use them by pbhj · · Score: 5, Interesting

      I bet it stores the answers as plain text instead of hashing it like your pass. You're probably basically giving the support guys your password, hope you don't use it elsewhere ... but no, of course no one would make a system that retarded

    18. Re:Don't use them by zombie_monkey · · Score: 1

      On many sites, there is no way to disable supplying a hidden question and answer. Which is why I always input a random sequence of characters for both with the maximum length allowed, and I can safely forget about that attack vector.

    19. Re:Don't use them by 3247 · · Score: 2, Insightful

      While you may not be able to disable it, nothing stops you from having your mother's maiden name generated by apg.

      --
      Claus
    20. Re:Don't use them by AvitarX · · Score: 1

      I would say that many sites unfortunately require you to enter a secret question to log in, rendering it very difficult.

      When I am at a new computer I have a very hard time entering my birth city (is it where I popped out, what's on my birth certificate, the major metro I was in, or the state I was born, adding a layer of subterfuge).

      Some even have rules for the secret question, making it even harder.

      The customer support people actually recommended I use the same thing for every question when they had to re-grant me access to my bank account.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    21. Re:Don't use them by AvitarX · · Score: 1

      They usually don't let you use your password as the answer (not that I've tried).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    22. Re:Don't use them by Jurily · · Score: 5, Insightful

      Hence, rendering the whole facility useless, and causing you extra inconvenience.

      Disabling an insecure security feature is not an inconvenience.

    23. Re:Don't use them by Jurily · · Score: 1

      In that case, I always set the question to "What is my password?"

      You also give a fake one as answer, right?

    24. Re:Don't use them by Opportunist · · Score: 3, Interesting

      It can be used sensibly. You can come up with a paragraph in a book (I have one), use the first letters, use the sentences up to the last one as the question and the last sentence as the answer.

      Not foolproof, but generally good enough. At least when the system allows you to ask your own question.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    25. Re:Don't use them by Splab · · Score: 1

      That's why my secret question when possible is a string of random characters with the answer always being another string of random chars (makepasswd --char=15).

      Yes that means I won't be able to ever recover my password if forgotten, but neither will anyone else.

    26. Re:Don't use them by Antique+Geekmeister · · Score: 1

      It usually is plain text, because when I've gotten people on the phone to change my passwords, they've accepted 'close enough!' answers for the street I grew up on or my high school. Exact spelling on such things can matter if it were kept encrypted.
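pbhj's and Antique Geekmeister's posts above describe what the plaintext storage buys the site: support staff can accept "close enough" answers. The following is an added example (my own code, not from the thread or any site it mentions) of the alternative: normalise the answer for case, spacing and punctuation, then store and verify it exactly as a password would be, with a per-user salt, a slow KDF, a constant-time compare and an attempt cap. The iteration count and `MAX_ATTEMPTS` are constructed values for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, Optional, Tuple

# Constructed tuning values for this example; a real deployment benchmarks the KDF cost.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_ATTEMPTS = 3  # hard cap on the recovery path; a 17-28% per-guess hit rate needs one


def normalize_answer(answer: str) -> str:
    """Fold the variations people forget (case, spacing, punctuation) so a hashed
    answer can still be matched. This shrinks the answer space slightly, which is
    one more reason the attempt limit below is not optional."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^0-9a-z]+", "", text)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the normalised answer, using the same slow, salted
    KDF one would use for a password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison of the candidate's digest against the stored one."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


class RecoveryStore:
    """In-memory stand-in for a secret-question table: only salt, digest and a
    failure counter are kept, so a dump of this store yields no answers."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        # A dummy record keeps the unknown-user path as slow as the real one.
        self._dummy_salt, self._dummy_digest = hash_answer("dummy")

    def enroll(self, user: str, answer: str) -> None:
        salt, digest = hash_answer(answer)
        self._records[user] = {"salt": salt, "digest": digest, "failures": 0}

    def check(self, user: str, candidate: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            verify_answer(candidate, self._dummy_salt, self._dummy_digest)
            return False
        if rec["failures"] >= MAX_ATTEMPTS:
            return False  # locked out; unlocking is an out-of-band process
        if verify_answer(candidate, rec["salt"], rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False
```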

    27. Re:Don't use them by MirthScout · · Score: 1

      When I can create my own question and answer I use:
      What is answer number 1?
      What is answer number 2? ...

    28. Re:Don't use them by TranceThrust · · Score: 1

      The alternative of answering those questions truthfully and thus keeping this facility useless, would render password-protected access useless; pick your poison.

    29. Re:Don't use them by dna_(c)(tm)(r) · · Score: 1

      Unfortunately, many sites require you to set up a secret question for password recovery. Disabling that facility is actually desirable if you want to enjoy the strength of password security.

      It is what Bruce Schneier described he does in the article behind the last link.

    30. Re:Don't use them by John+Hasler · · Score: 2, Insightful

      Sensible man. Now as long as he keeps that piece of paper secure (by keeping it in his wallet with his driver's license, perhaps) his account is secure. Until the Web site is cracked.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    31. Re:Don't use them by GuldKalle · · Score: 1

      It can become quite an inconvenience if the app designer relies on that feature.

      --
      What?
    32. Re:Don't use them by John+Hasler · · Score: 2, Interesting

      You are assuming that the answer actually is his password.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    33. Re:Don't use them by John+Hasler · · Score: 1

      Clever! Firefox needs a plugin for that.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    34. Re:Don't use them by arielCo · · Score: 1

      I think he meant that forgetting your password both renders the feature useless AND causes inconvenience, as opposed to "renders the feature useless and [thus] causes inconvenience".

      --
      This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
    35. Re:Don't use them by impaledsunset · · Score: 2, Funny

      Being forced to enter "Ajkdua9uMNDiau9dfuJdjA(D82*27UAd89Z&DADAUIdjk" as your pet's name is certainly an inconvenience. At many sites you must actually enter it twice.

    36. Re:Don't use them by dargaud · · Score: 4, Funny

      I always set the question to "What is my password?"

      I would set mine to "What is t1f2l3g4 ?" with the answer being "Not my password!"

      --
      Non-Linux Penguins ?
    37. Re:Don't use them by Thaelon · · Score: 2, Funny

      I use the same password on my luggage!

      --
      Question everything
    38. Re:Don't use them by morgan_greywolf · · Score: 1

      Ha! I've got you all beat! I set my secret question on Slashdot to be "What operating system do you run?"

      No one will ever guess the answer to that!

    39. Re:Don't use them by skroops · · Score: 1

      umm..? except then you have thousands of printed copies containing both your question and the answer. and if it's indexed you can just search the question and the answer will pop up in google.

    40. Re:Don't use them by Anonymous Coward · · Score: 0

      Mine was hunter2.

    41. Re:Don't use them by GargamelSpaceman · · Score: 1

      Yeah, that's my question, but I type in a bunch of crap I don't bother to remember as the answer. Basically, if I lose my password I'm toast, but nobody's going to guess the answer to my secret question, not even me.

      --
      ...
    42. Re:Don't use them by Opportunist · · Score: 2, Funny

      itbGcthate

      Please tell me the answer.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    43. Re:Don't use them by CarpetShark · · Score: 3, Funny

      Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience.

      Think how the dog feels, running to his bowl for food every time the fax machine starts a handshake.

    44. Re:Don't use them by CarpetShark · · Score: 1

      It'd be pretty easy to get a list of publications, extract the initial letters, and search for the longest prefix match.

    45. Re:Don't use them by NexusJedi · · Score: 1

      Yeah, it does.

    46. Re:Don't use them by dfm3 · · Score: 2, Insightful

      I can't believe you were modded funny instead of insightful. I do something like this for all my "secret questions", and write the answers down in a secure place.

      Years ago we had a family member who started using the personal information of their relatives to commit fraud and identity theft. They knew us well enough to know the correct answers to most of the standard questions. Thus we've always seen the use of such questions as a security risk.

    47. Re:Don't use them by stuntpope · · Score: 1

      Finally. I was scrolling for that.

    48. Re:Don't use them by canajin56 · · Score: 1

      Well, my bank has ~10% chance of asking me one of my security questions every time I log in. Mind you, they aren't used for password recovery, so they aren't a security risk in the first place. But I can imagine some overeager website "enhancing security" by randomly asking you your recovery question when you try to log in.

      --
      ASCII stupid question, get a stupid ANSI
    49. Re:Don't use them by Opportunist · · Score: 1

      In my rather simple example, it's fairly easy. I mean, it's not like there aren't millions of copies in circulation (even though they might differ a bit, depending on what flavor you prefer).

      Let's make it harder. Take a book, make a hash out of the cover text, add two numbers, like '21;6', telling you (because you know the 'cypher') that you're to start reading on page 21, line 6, and the answer is likewise the first letter of every word (of that line).

      A little creativity can go a long way here. Start replacing letters with numbers (l33tspeek finally has a reason to exist...), essentially apply the same principles you use when creating passwords and mnemonics for them.

      I use password reminders this way. I tend to be forgetful, it's a pity, but I know how my brain works and what mnemonics work for me to remind me of things. Luckily, my brain is so twisted that nobody else can connect the dots. :)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    50. Re:Don't use them by TheSeventh · · Score: 1

      One of my credit card banks just forced this onto its customers -- and you can't use the same answer for all three.

      I prefer answers that have absolutely nothing to do with the question, but I can't remember exactly all my witty and funny responses to their inane questions, so this "security" frequently fails.

      --
      Just because you're paranoid, it doesn't mean that they're not out to get you.
    51. Re:Don't use them by sortius_nod · · Score: 1

      because that's not the 2nd thing you'd guess?

    52. Re:Don't use them by TheSeventh · · Score: 1

      Except for the cases where you can't access your account from an unknown computer without supplying both the password, and the correct answers to the security questions.

      For example, if you ever get a new computer, lose your computer, etc.

      Unless of course, you make frequent backups, as I'm sure everyone here does, and you bother to backup the cookies directory . . .

      --
      Just because you're paranoid, it doesn't mean that they're not out to get you.
    53. Re:Don't use them by baxissimo · · Score: 4, Informative

      That's the Bible, Genesis 1:1.

    54. Re:Don't use them by L4t3r4lu5 · · Score: 1

      Windows Vista / 7 has a gadget available called HashPass

      It appears that they also do Apple widgets and a Firefox Bookmarklet for the same purpose; Hashing password based on context and a keyword.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    55. Re:Don't use them by CarpetShark · · Score: 1

      Sounds awfully complicated. You could just generate a pair of two random numbers, put one in as the question and one as the answer, and store them somewhere safe.

      Personally I just (essentially) disable the secret question things by battering my keyboard randomly for 160 characters or so.

    56. Re:Don't use them by itsthebin · · Score: 1

      in the beginning goatse created the hole and the exit.

      eh ?

      --
      ...I obey the laws of physics....
    57. Re:Don't use them by vertinox · · Score: 1

      Unfortunately, many sites require you to set up a secret question for password recovery. Disabling that facility is actually desirable if you want to enjoy the strength of password security.

      ProTip: Use something other than the real answer.

      Q: What is your mother's maiden name?
      A: y0Urm@mmA!

      Or whatever characters they happen to allow.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    58. Re:Don't use them by An+anonymous+Frank · · Score: 1

      Perhaps these "secret" question/answers come from the days of credit card transactions, where if someone found a receipt (back when your name wasn't on them) it would still be difficult to take over someone's account without the requisite personal/secret info.

      When I first saw the secret questions appearing as a security measure online, I figured it was only to deter scripted attacks. Still, I've come to have my own answers to the typical questions, that are not actually factual, thus even if someone has access to the real information, it won't help them with resetting my password(s).

    59. Re:Don't use them by LordLimecat · · Score: 1

      Doesn't someone have to also breach your email account in order for this to be an issue? So in essence they have to A) guess your secret password and then B) guess your email account's password?

      Seems like a good reason to have a strong email account password, keep the recovery email address up to date on all accounts, don't enable password recovery on email address, and not worry about the "forgotten password" issue for other sites.

    60. Re:Don't use them by LordLimecat · · Score: 1

      How did they get access to the email accounts where the password recovery was sent? Seems like securing that linchpin would have kept all the other accounts safe.

    61. Re:Don't use them by MrMr · · Score: 1

      I've posted this before, but people are just way too obedient.
      If you pick an answer it does not have to be true, it has to be memorable.
      Your first pet was obviously called 'twentythree', just like your mother.
      For that reason you must be born on 1-1-1970 (aka ctime of memset(&t,0,sizeof(t)))

    62. Re:Don't use them by tftp · · Score: 1

      You could start asking things like "Who at your workplace would you most like to sleep with"

      Names come from a limited set, so this is already a weakness. Additionally, if the attacker has access to your workplace then your secret is no longer a secret.

      My personal preference is to give randomly generated answers to those questions, and write them down in case I ever need them.

    63. Re:Don't use them by Cassini2 · · Score: 1

      It'd be pretty easy to get a list of publications, extract the initial letters, and search for the longest prefix match.

      Fortunately, or unfortunately, the book copyright people have made major efforts to ensure the text of books is not available in digital form. This has several consequences, one being that random sentences stored in obscure texts are hard to find. Another is that there are many texts that will never be read by people wanting to read them, because they are out of print and unavailable.

      Also, the Google books database is not a substitute for a raw database of book contents. Google will only pick up the reference if the person literally types the sentence into the search engine. If a person reverses the letters in a word, or just picks the first letter of critical words, then Google is lost. There is no substitute for a large database of book contents for cracking a problem like this.

    64. Re:Don't use them by uberjack · · Score: 1

      I resist using them whenever I can, but unfortunately, some sites DO require it. It's a most idiotic requirement, on par with requiring a doggy door the size of an adult male, for every new house built.

    65. Re:Don't use them by Anonymous Coward · · Score: 0

      First Boss: Mother
      State I was born in: Naked
      etc.

    66. Re:Don't use them by SQLGuru · · Score: 3, Insightful

      You could always use the same answer for every question (regardless)

      From your bank:
      What was the name of your first pet? PASSPHRASE@bankdomain.com12345

      From your e-mail:
      What is your mother's middle name? PASSPHRASE@emaildomain.com12345

      From your favorite blog:
      What is your favorite color? PASSPHRASE@blogdomain.com12345

      Not easily guessable without prior knowledge of the pattern, but easy enough for you to derive as needed. Now, the question would be whether or not they forward-only encrypt the answer and verify it much like a password or if it's stored in clear text that any numbnutz with DB access could poke around. Hopefully it's treated as secure as a password, but I could see a lot of places not treating it that securely (which is probably mentioned in the articles that I didn't read).

    67. Re:Don't use them by laurelraven · · Score: 1

      There is only one Security Question they should ever ask you to reset your password: What is your email address? Type it in, and get your username and a temporary password emailed to you.

      --
      RTFA is Known to the State of California to cause cancer.
    68. Re:Don't use them by SQLGuru · · Score: 1

      What about the case where a SQL Injection attack (yeah, I know, devs should escape any user input before "executing" it) allows the hacker to see your answers to your security questions but not your password. Now *THEY* know it and *YOU* don't. They reset your password and you have no hope of ever recovering it (granted, it's hope that is limited to "I hope they don't reset my security questions!").

    69. Re:Don't use them by pbhj · · Score: 1

      Lol, you're right, I did fall for that one.

    70. Re:Don't use them by Anonymous Coward · · Score: 0

      Similarly, when they ask me to specify a hint, I type, "no hints."

      More than once this resulted in me being frustrated at the "forgot your password?" screen. But in all cases I eventually remembered.

    71. Re:Don't use them by Richy_T · · Score: 1

      Oh, gotta love the rules:

      "For enhanced security, please enter your favorite color"

      red

      "Your security response contains too few characters. Please try again"

      FFS!

      (Red is not my favorite color by the way, this was for a throwaway account and I was just trying to be lazy on the typing).

      My other favorite is sites that don't allow me to use some of the characters in my low-security password or require more characters than it contains, meaning I have to invent an entirely new password that will be forgotten within 5 minutes.

    72. Re:Don't use them by DMUTPeregrine · · Score: 1

      There's a better way. Write the actual answer + some secret salt. Take the MD5 sum (or other hash you can generate). Use that.

      --
      Not a sentence!
    73. Re:Don't use them by cellocgw · · Score: 1

      You could always use the same answer for every question (regardless)

      Good luck. Many websites refuse to let you enter the same answer for multiple questions.

      A certain company whose name sounds like Gorthrop Numman is far, far worse. Examples: if you select the question "what state were you born in", the only legal answers are 2-character alpha. If you select "what year were you born in" the only legal answers are 4-digit integers (I didn't check to see whether 6748 would get accepted. I just tossed the entire site into my IgnoreForever category).

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    74. Re:Don't use them by Zancarius · · Score: 1

      This is a really good suggestion, and it brings up a point I've never really understood... Just because they ask you a "secret question" doesn't mean you have to answer it honestly!

      Unfortunately, what this proves is that the less savvy users are--again--the ones who bear the unfortunate side-effects of their lack of general understanding. Except, in this case, it's because they're being honest!

      Me, I always pick a nonsensical statement, but I really like your suggestion of keying it with the domain of the site asking the question. Though, I'd imagine you'd have to have some memory of the site's previous domain if it were ever bought out or moved.

      --
      He who has no .plan has small finger. ~ Confucius on UNIX
    75. Re:Don't use them by Sophira · · Score: 1

      Hopefully you don't actually use those; they can be derived.

    76. Re:Don't use them by Chelloveck · · Score: 1

      The custom security question I always use is, "Why should I compromise security with a security question?" The answer, regardless of the question, is always to mash the keyboard a few times.

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    77. Re:Don't use them by CarpetShark · · Score: 1

      PASSPHRASE@bankdomain.com12345
      PASSPHRASE@blogdomain.com12345

      That kind of system would be pretty good, except that different sites have different arbitrary limits on answer lengths, and then you have to start remembering variations, with no clear reason why a password failed to work on a site (because it needed a shorter or longer variation).
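SQLGuru's per-site PASSPHRASE@domain scheme, DMUTPeregrine's "hash the answer with a secret salt" variant and CarpetShark's objection about per-site length limits all point at the same construction, so here is one added example covering all three (my own code, not from any of those posters or from any tool named in the thread). A master secret keys an HMAC over the site and the question label, so the site learns nothing about the secret even if it stores the answer in plaintext, and the output is re-encoded to whatever length and alphabet that site's validator accepts, which is the part that makes the scheme survive CarpetShark's objection. `EXAMPLE_SECRET` is a constructed value.

```python
import hashlib
import hmac
import string

# Constructed example secret; a real one lives in a password manager.
EXAMPLE_SECRET = "correct horse battery staple"

ALPHANUMERIC = string.ascii_letters + string.digits
ALPHA_ONLY = string.ascii_lowercase  # for sites that reject digits and symbols


def derive_answer(master_secret: str, site: str, question: str,
                  length: int = 20, alphabet: str = ALPHANUMERIC) -> str:
    """Deterministic, site- and question-specific answer from one master secret.

    The same (secret, site, question) always yields the same answer, so nothing
    needs to be written down; length and alphabet are chosen per site so the
    answer passes that site's rules, and changing either just changes the answer.
    """
    if not 1 <= length <= 64 or len(set(alphabet)) < 2:
        raise ValueError("unusable length or alphabet")
    # Normalise inputs so "Bank.Example " and "bank.example" derive the same answer.
    context = f"{site.strip().lower()}\x00{question.strip().lower()}"
    key = master_secret.encode("utf-8")
    chars = []
    counter = 0
    # Rejection sampling: only bytes below `limit` are used, which avoids the
    # modulo bias that plain `b % len(alphabet)` would introduce.
    limit = 256 - (256 % len(alphabet))
    while len(chars) < length:
        counter += 1  # fresh HMAC block per round, so long answers never repeat bytes
        block = hmac.new(key, f"{context}\x00{counter}".encode("utf-8"),
                         hashlib.sha256).digest()
        for b in block:
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
            if len(chars) == length:
                break
    return "".join(chars)


if __name__ == "__main__":
    # The same secret produces unrelated answers per site and per question.
    for site, question in [("bank.example", "first pet"),
                           ("blog.example", "favorite color"),
                           ("mail.example", "mother's maiden name")]:
        print(f"{site:14} {question:22} {derive_answer(EXAMPLE_SECRET, site, question)}")
```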

    78. Re:Don't use them by kalirion · · Score: 1

      I remember when after a few years I tried to log back into Magic Online and couldn't remember the password. To retrieve the password I was asked the custom security question I'd apparently chosen when creating the account: "What is the airspeed velocity of an unladen Volkswagen Beetle?" Neither "African or European?" nor "I don't know that" worked.... What the hell was I thinking?

    79. Re:Don't use them by osu-neko · · Score: 1

      I successfully recovered a password from a site recently using this facility because they let me pick my own question, so I did and gave an honest answer. Also made me laugh out loud when this site that I didn't even remember signing up for to begin with popped up the question:

      "Hey, what's the idea?"

      XD The answer to this question was immediately obvious to me, and would not be to anybody else, precisely satisfying the requirements for a good security measure. If they let you pick your question, it should be easy to come up with something you would know the correct response to, but would leave most people scratching their heads. I didn't remember ever setting this up to begin with, but I knew immediately the one and only possible correct answer to this question (knowing that it was me asking it of myself removed all possible ambiguity about what it meant).

      This is pretty secure, actually... except for the storage problem. :( My honest answer doesn't satisfy good password policy regarding symbols, upper/lowercase, etc., so it's probably easy to brute-force even if hashed.

      --
      "Convictions are more dangerous enemies of truth than lies."
    80. Re:Don't use them by osu-neko · · Score: 1

      I have occasionally used "What would your password be if the admins weren't idiots?" This works because the answer is not my password, but it is something probably more secure than the password they forced me to choose. There's a true observation that an 8 character password that uses both upper and lower case letters and a symbol is more difficult to brute force than an 8 character password that does not. However, it is also true that a 16 character password that does not is more difficult to brute force than an 8 character one that does. It's a sign of how stupid many programmers are that many sites will accept an eight character password that does, but tell you your password isn't secure enough when you give it a more secure 16 character password that does not.

      --
      "Convictions are more dangerous enemies of truth than lies."
    81. Re:Don't use them by X0563511 · · Score: 1

      Good luck. From what I've seen, sites that require these 'questions' tend to send you your password in the cleartext. Over email.

      Really, who the fuck does that?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    82. Re:Don't use them by thePowerOfGrayskull · · Score: 1

      It'd be pretty easy to get a list of publications, extract the initial letters, and search for the longest prefix match.

      Okay, hop to it. Let us know when you have the answer.

    83. Re:Don't use them by rthille · · Score: 1

      A 401K pushing lady gave a presentation at our company and covered this "feature". She made the comment that you wouldn't want to use a question many people would know the answer to, like "What's your favorite color?" I responded from the audience with "Fish"

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    84. Re:Don't use them by Joe+Jay+Bee · · Score: 1

      One of my online banking websites' security questions let me specify the question and answer. It's currently "Who is the second person you slept with?"

      If anyone can guess that, aside from her obviously, they win a prize.

      (FWIW, they also ask you for random characters from a password, so it's not just a case of working out who I used to fuck.)

    85. Re:Don't use them by Josef+Meixner · · Score: 1

      For international users there is also often the problem that some of the questions make no sense. I never went to anything I could compare to a high school, as the system is different here. So the number of questions is even smaller. I also saw a system where you had to select two questions. From two lists of 4 non-overlapping questions. So even there reducing the number of possibilities.

      But what really annoys me is, when one of those things only accepts characters and perhaps numbers and even limits the length (I think Yahoo Mail did that, but I am not sure, I just filled the field with random stuff and forgot it).

    86. Re:Don't use them by twms2h · · Score: 1

      Not foolproof, but generally good enough. At least when the system allows you to ask your own question.

      Why does that matter? You can still answer "What's your mother's maiden name?" with stuff from a book.

    87. Re:Don't use them by Ironica · · Score: 1

      That question doesn't work so well when it's your email account you can't remember how to log into...

      --
      Don't you wish your girlfriend was a geek like me?
    88. Re:Don't use them by Anonymous Coward · · Score: 0

      Assuming you're running a browser with a GUI then just Copy + Paste. That is not the fun part tho:

      "We're sorry. Your pet's name must be within 2 to 20 alpha characters long. Symbols other than ' and space are not accepted. This is because our tech department is sick of your stupid help me I forgot my password emails. You had your chance at security. So just remember when 1334 hax0r 13 year old kid guesses Sniffles name, YOU brought this on yourself! Sorry for any inconvenience and thanks for choosing our product."

    89. Re:Don't use them by ibookdb · · Score: 1

      Another option for a techie user "select sha1(realanswer)" I always have sqlyog running connected to a bunch of database servers and I can always do that. Only problem is when I'm not at a computer :) I guess I can do that on my phone but haven't tried.
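
A variant of the "hash the real answer" trick from the post above, as an added example rather than the commenter's own setup. A plain sha1 of the answer gives the same string to every site, which recreates the "same answer everywhere" problem raised elsewhere in this thread, so this version keys the hash with a master secret and mixes in the site name and question; it also maps the output onto whatever character set the site allows (the letters-only, 2 to 20 character limits quoted in nearby posts are the assumed constraint). The master secret, site names and questions below are made up.

```python
import hashlib
import hmac
import string


def derive_answer(master_secret: bytes, site: str, question: str,
                  alphabet: str = string.ascii_lowercase,
                  length: int = 16) -> str:
    """Deterministic per-site 'secret answer'.

    HMAC-SHA256 keyed with the master secret over site and question, then
    the 256-bit tag is re-expressed in the site's allowed alphabet.  The
    same inputs always give the same answer, so nothing needs storing;
    changing the site or question changes the whole answer.
    """
    if not 1 <= length <= 40:          # 40 base-26 digits is ~188 bits, well under 256
        raise ValueError("length out of range for a 256-bit tag")
    msg = f"{site}\n{question}".encode()
    tag = hmac.new(master_secret, msg, hashlib.sha256).digest()
    n = int.from_bytes(tag, "big")
    base = len(alphabet)
    out = []
    for _ in range(length):
        n, r = divmod(n, base)          # low base-`base` digits of a uniform 256-bit value
        out.append(alphabet[r])
    return "".join(out)


def fits_site_rules(answer: str, alphabet: str = string.ascii_lowercase,
                    min_len: int = 2, max_len: int = 20) -> bool:
    """Check the kind of field limits quoted in the thread (letters only, 2-20 chars)."""
    return min_len <= len(answer) <= max_len and all(c in alphabet for c in answer)


if __name__ == "__main__":
    secret = b"example master secret - keep this in a password safe"   # constructed
    for site, q in (("mail.example", "What was your first pet's name?"),
                    ("bank.example", "What was your first pet's name?")):
        a = derive_answer(secret, site, q)
        print(site, q, "->", a, "ok" if fits_site_rules(a) else "rejected")
```

Losing the master secret loses every derived answer at once, which is the same storage problem the original hashing trick has; the gain over a bare sha1 is only that a leaked answer from one site tells an attacker nothing about the answer on another.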

    90. Re:Don't use them by Ironica · · Score: 1

      No, it's like requiring you to plan out where you're going to put the doggie door, without actually requiring you to build one.

      Just because they ask for your first pet's name doesn't mean you type "Fido."

      --
      Don't you wish your girlfriend was a geek like me?
    91. Re:Don't use them by cstdenis · · Score: 1

      Most companies store your password plain text too rather than a hash because it makes tech support easier.

      --
      1984 was not supposed to be an instruction manual.
    92. Re:Don't use them by uberjack · · Score: 1

      What about the sites that have no other way of retrieving/resetting a lost password? Other than having to email some douche to do it for you?

    93. Re:Don't use them by HeronBlademaster · · Score: 1

      The last time I had to enter a "secret answer", the site prevented me from using non-alphabetic characters in the answer. That meant no symbols, numbers, or even spaces.

      So, it seems your solution is not universally applicable :(

    94. Re:Don't use them by Ironica · · Score: 1

      many email accounts allow web-based pw recovery through the same secret question setup.

      --
      Don't you wish your girlfriend was a geek like me?
    95. Re:Don't use them by HeronBlademaster · · Score: 1

      Now, the question would be whether or not they forward-only encrypt the answer and verify it much like a password or if it's stored in clear text that any numbnutz with DB access could poke around.

      I found recently that Comcast prevents you from using a password longer than 12 characters for your comcast.com account. As far as I can tell, that means they're storing passwords in plaintext - I can't think of any other reason to impose a maximum password length.

      I also wrote about American Express' password idiocy (it's even worse than Comcast) several months ago.

      Until companies can store passwords securely, how can I even maintain a dim hope that my "secret" answers (which can likely be Googled with ease) are stored securely?
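
What "forward-only encrypt the answer and verify it like a password" looks like on the server side, and why, as an earlier post in this thread notes, it still does not rescue a low-entropy answer. This is an added example and not any company's code; the salted PBKDF2 storage, the whitespace and case normalisation, the iteration count (kept small so the demo runs quickly) and the list of common answers are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 20_000      # demo value; production would use a far higher count or a memory-hard KDF
Record = Tuple[bytes, bytes]   # (salt, derived key)


def normalise(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Blue ' and 'blue' match.
    This is a usability choice that also shrinks the guess space further."""
    return " ".join(answer.casefold().split())


def store_answer(answer: str) -> Record:
    """Salted, one-way storage: nobody with database access can read the answer back."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return salt, key


def verify_answer(record: Record, candidate: str) -> bool:
    salt, key = record
    probe = hashlib.pbkdf2_hmac("sha256", normalise(candidate).encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, probe)


# A constructed guess list for "What is your favourite colour?".
COMMON_COLOURS = ["red", "blue", "green", "yellow", "black", "white",
                  "purple", "orange", "pink", "brown", "grey", "gray"]


def dictionary_attack(record: Record, wordlist) -> Optional[str]:
    """Offline guessing against a leaked record: the hashing only slows this down."""
    for guess in wordlist:
        if verify_answer(record, guess):
            return guess
    return None


if __name__ == "__main__":
    honest = store_answer("Green")
    random_style = store_answer("37Uhy78jn")
    print("honest answer recovered:", dictionary_attack(honest, COMMON_COLOURS))
    print("random answer recovered:", dictionary_attack(random_style, COMMON_COLOURS))
```

Proper storage removes the "any numbnutz with DB access" reading attack, but a twelve-word list recovers the honest answer in under a second; only a high-entropy answer, of the kind several posters here say they use, survives a leak of the record.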

    96. Re:Don't use them by HeronBlademaster · · Score: 1

      I had to use one website which, upon registration, sent me my username and plaintext password in separate e-mails, explaining that sending them in separate e-mails was to "increase security".

    97. Re:Don't use them by HeronBlademaster · · Score: 1

      Several years ago I needed to regain access to an account, and couldn't remember the answer to my secret question: "Who is your hero?"

      I called in and talked to a CSR, convinced him I should have access, and got the answer (and password) changed. Out of curiosity, I asked what I had put as the original answer.

      Bob. (It was an inside joke with a friend from high school. I didn't know anyone named Bob.)

      So yes, this sort of "witty response" solution to "secret" answers can be problematic.

    98. Re:Don't use them by totally+bogus+dude · · Score: 1

      If you're using something like password safe and have access to its database, then you won't need to be recovering your password in the first place, will you?

    99. Re:Don't use them by Opportunist · · Score: 1

      OMFG, I foresee the Something Awful bible version.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    100. Re:Don't use them by Opportunist · · Score: 1

      Very well. You identified my source. What's the answer, though?

      The question is a reminder. It should remind me what my answer should be like. What will my answer be, though? The next line, i.e. Gen. 1:2? A certain psalm (again, first-lettered) that means something to me. John 3:16 (or whatever that 'very special' part is that everyone seems to like)? My favorite commandment?

      It's my reminder that the "Bible text" is the answer. The book, though, is big enough to keep you guessing a while 'til you find out what part is my "important" part.

      Now, it was fairly easy to find this out. I mean, the bible ain't a too obscure book. Now consider I took the DirectX SDK documentation or, if I had one, my childhood diary. At least from the latter there should be only one existing copy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    101. Re:Don't use them by Puppet+Master · · Score: 1
      And then you set the password to:

      "I don't remember!" :)

      --
      The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
    102. Re:Don't use them by CarpetShark · · Score: 1

      I said "easy", not "I really care". Big difference ;)

    103. Re:Don't use them by clone53421 · · Score: 1

      Oh, come now. Can't you be more creative? Make the hint be something like, say, "rule 34" or "the game". Completely unrelated to your password, of course.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    104. Re:Don't use them by Anonymous Coward · · Score: 0

      "Hey, what's the idea?"

      Sex, obviously.

    105. Re:Don't use them by Ironica · · Score: 1

      What about RTFA? Yes, it is much more convenient to have a GIANT SECURITY HOLE. Like having a man-sized doggy door. You can't make it easy without making it easy to compromise.

      So, Schneier proposes, you *should* make it so that you have to contact the company to reset your password. And they *should* have to jump through hoops to validate that you are who you say you are. Just like you *should* have to call a locksmith if you lose your housekeys.

      --
      Don't you wish your girlfriend was a geek like me?
    106. Re:Don't use them by Opportunist · · Score: 1

      Well, you should get some sort of reminder WHAT book you took your answer from. Else you're stuck with two rather unfortunate options: Either use the same phrase everywhere or make your own reminder.

      Either's not really a good option.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Old news ? by Anonymous Coward · · Score: 2, Insightful

    I guess everyone from the /. community already knew this.
    I frequently fill out my "secret questions" with total random nonsense, like:

    "What is bla times 12381?", A: "2823848232abc!"

    I guess, if I can't guess it afterwards, no one else should be able to ;=) (providing the answer isn't easily brute forced)

  3. random answers by Better.Safe.Than.Sor · · Score: 1

    Question: What is your favorite color?
    Answer: 37Uhy78jn

    Good luck on nailing that anytime soon.
    Next . . .

    --
    It's all history, man. -anon
    1. Re:random answers by rolfwind · · Score: 3, Funny

      Question: What is your favorite color?

      #0099CC

    2. Re:random answers by 4D6963 · · Score: 2, Insightful

      Yep, security-savvy users do that because they know that's just wrong; the problem is companies pushing that security measure when it actually undermines their security efforts. It's like they're really asking for accounts to be broken into.

      --
      You just got troll'd!
    3. Re:random answers by theeddie55 · · Score: 1

      good luck remembering that when you forget your password.

    4. Re:random answers by Anonymous Coward · · Score: 1, Funny

      Ha! Now I've got your password, sucker!

    5. Re:random answers by Fex303 · · Score: 2, Funny

      Question: What is your favorite color?

      #0099CC

      Great. Now I have to change the combination on my briefcase...

    6. Re: random answers by French31 · · Score: 1

      Question: What is your favorite color?
      Answer: Blue. No, 37Uhy-- Auuuuuuuuuuuugh!

      --
      They who would give up an essential liberty for temporary security, deserve neither liberty or security. --Ben Franklin
    7. Re: random answers by Anonymous Coward · · Score: 0

      Question: What color is a blue Air Force Truck?
        Answer: ???

    8. Re:random answers by pokeyburro · · Score: 1

      #0000FF! No, #FFFF0-- Auuuuuuuugh...

      --
      Lately democracy seems to be based on the skybox, the Happy Meal box, the X-box, and the idiot box.
  4. Its a flawed concept by Anonymous Coward · · Score: 2, Insightful

    They tell you to choose a difficult to guess password, checking that it is made up of letters and numbers, does not contain your name, etc. Then they ask you for an "easily remembered answer" to a question. This in effect is a secondary back-door password, which you are told to select with the opposite criteria to the main one.

    1. Re:Its a flawed concept by digitig · · Score: 3, Informative

      To be fair, most of the systems I have seen that have secret question type security don't let you in on the basis of the secret question, they email a replacement password to you, and only use the secret question to reduce DOS attacks and minimise the sending of plain-text passwords. Surely in that case it's only an issue if the cracker has already compromised your email account?

      --
      Quidnam Latine loqui modo coepi?
    2. Re:Its a flawed concept by story645 · · Score: 1

      Surely in that case it's only an issue if the cracker has already compromised your email account?

      Which the cracker often can do if he knows the answer to a security question, which often as not is the same question he answered the 1st go around ('cause there are about 5 common questions and people tend to choose the same ones across accounts.) The major exception I can think of is if the account is tagged to a school/work/other non-hotmail/yahoo/gmail account.

      --
      open source modern art: laser taggi
    3. Re:Its a flawed concept by treat · · Score: 1

      To be fair, most of the systems I have seen that have secret question type security don't let you in on the basis of the secret question, they email a replacement password to you, and only use the secret question to reduce DOS attacks and minimise the sending of plain-text passwords. Surely in that case it's only an issue if the cracker has already compromised your email account?

      I've rarely seen that setup. The security questions usually just allow you access to the account instead of the normal password. Sometimes they are randomly asked even though you already know the real password.

      It does seem quite random and to change frequently on most sites.

  5. Duh by Spad · · Score: 1

    This is why when I'm forced to have a secret question / answer I always use gibberish.

    I reason that in the unlikely event I forget my password I'd rather have the hassle of going through a more long-winded retrieval process than having random people able to reset my password.

    We did this to a friend when I was still at school - "Forgot" his Yahoo Mail password, guessed his secret answer and reset his password. No malicious intent, we just enjoyed winding him up, but I reckon a good 15 or 20 people that I knew could have guessed his answer correctly.

  6. That's spot on by TractorBarry · · Score: 1

    Randomness and strangeness are your friends when it comes to this sort of thing. I don't think too many people would guess one of mine (obviously no longer in use)

    Q: How many Alsations mime to rice ?
    A: Egyptian Eskimo Chess

    Of course it helps if such systems at least allow you to set up your own questions as that is entirely memorable to me :)

    It also confused the hell out of my bank when my memorable date was too far in the future for its system to cope with. That soon made me switch banks to one with a half decent system !

    --
    Sky subscribers are morons. They pay to be advertised at !
    1. Re:That's spot on by dword · · Score: 1

      I use the same answer to "Secret Questions" all over the place... now I realize, that's just as bad as using the same password!

    2. Re:That's spot on by jez9999 · · Score: 1

      It also confused the hell out of my bank when my memorable date was too far in the future for its system to cope with. That soon made me switch banks to one with a half decent system !

      Was it L. Ron Hubbard's prediction for the date/time of the end of the universe?

    3. Re:That's spot on by Anonymous Coward · · Score: 0

      Yea, you just have to run into one hacked/untrustworthy service and they can reset all accounts :)

    4. Re:That's spot on by GargamelSpaceman · · Score: 1

      Actually, they can likely do it anyway. If you use the same password everywhere, then likely somewhere it's stored cleartext.

      --
      ...
    5. Re:That's spot on by Richy_T · · Score: 1

      1) Tools->Options->View Cookies (or whatever).

      2) Scroll down to slashdot.org

      3) ...

      4) Profit

  7. Not bad if used with email by Zouden · · Score: 4, Insightful

    Secret questions are only less secure than passwords if they tell you the password right away. But if they reset the password and email the new one to a pre-specified email account then just guessing the answer isn't enough; you'd have to have access to the victim's email account too.

    This doesn't really work that well if the password is actually for someone's email account, though.

    --
    "A week in the lab saves an hour in the library"
    1. Re:Not bad if used with email by Tukz · · Score: 3, Insightful

      So I was wondering. I forget my password to Site A, and go through a password recovery and answer a secret question only I know about, and then they send me a new password, or password recovery instructions, to my email.

      This is where I get a bit confused. Why go through the entire Secret Question thing, if the system is going to send it to my email anyway?

      Why not skip the secret question part, and just send me an email with instructions or a new password right away?

      Only thing it may protect against, is a stolen email account, but then you're screwed anyway, since it mails you....

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    2. Re:Not bad if used with email by ILongForDarkness · · Score: 1

      This doesn't really work that well if the password is actually for someone's email account, though.

      Exactly. If I were malicious I wouldn't attack someone's bank account directly. I'd crack their email account and then likely get dozens of passwords at once. I'd likely get information about other accounts they have that I wasn't aware of; oh, you have an investment account from your last job's pension, how nice.

      Once you have the email account you can then, with a lot of sites, tell them that you forgot the password and have them resend it to the compromised email address. The problem with security questions IMHO is that a lot of the questions are something that you could ask someone or could come up in normal conversation. Hey, what elementary school did you go to? Oh, you have an uncle on your mother's side, what's his name? (now I know your mother's maiden name). Etc. It is the same thing that you hear about not using words for passwords. It makes them easier to guess.

    3. Re:Not bad if used with email by QuestorTapes · · Score: 2, Interesting

      Primarily, I believe that is useful for sites that reset the password when you request it. Some do that and send you a new password, instead of looking it up. This is mostly if they encrypted it and discarded the original password. That way some random person is less likely to unset your password unexpectedly.

      My bank uses similar logic, for an authorized computer designation. They track the computer I'm logged in from, and if I change computers, I have to click to email (or text message) a secondary key for that machine, to my previously registered email/cellphone.

      I don't need to provide the secondary key if I'm logging in from the same computer as last time. But when I change computers, they invalidate the secondary key for the previous computer.

    4. Re:Not bad if used with email by tylerni7 · · Score: 4, Insightful

      If you were just emailed a new password without having to provide the answer to a short question, obnoxious people could reset your password every 8 hours or something.

    5. Re:Not bad if used with email by Tukz · · Score: 3, Insightful

      I usually employ the "send and click link" method.

      You request a password change, the system sends you an email with a link you need to visit, to confirm you did indeed request a password change. Only then does it generate a new, random, password and mails it to you.

      No one can change your password, without your acceptance. No need for secret questions.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    6. Re:Not bad if used with email by prionic6 · · Score: 1

      They should send an email with a link in it to reset the password.

      Anyway, what happens if I forget the answer to the secret question?

    7. Re:Not bad if used with email by Anonymous Coward · · Score: 0

      Actually the reset happens only after you confirmed the reset by visiting a link included in the email.

    8. Re:Not bad if used with email by Tukz · · Score: 1

      That's just it. You're screwed.

      Unless they got other sensitive data on you, no way you can prove it's your account and get someone to restore it for you.

      I had the same problem with Blizzard a few years back. Forgot my secret question, which I never thought I'd use, and they refused to do anything, until I mailed in picture id (drivers license AND passport) along with some other information. (Product receipt, product CD-KEY, etc).

      All that bulls*it could have been avoided by sending me an email with a link to reset the password.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    9. Re:Not bad if used with email by need4mospd · · Score: 1

      Then they should just require you to log on before resetting your pass.....ah crap

    10. Re:Not bad if used with email by prionic6 · · Score: 1

      It's not complete bullshit from their perspective, I think. Your email account security is completely out of their control, so sending a password reset link is not the end-all solution. Depends a bit on the account, but I would not want my bank to let anyone who has control over my email account reset my online banking password.

    11. Re:Not bad if used with email by averner · · Score: 1

      I really wish sites would specify which kind they are. A secure individual who doesn't know is inclined to give some nonsensical information for the secret answers.

      --
      Member of the 7 Digit UID Club
    12. Re:Not bad if used with email by Anonymous Coward · · Score: 0

      Bah, still the wrong method for password reset

      1) Request a password reset that mails a new pseudo-random password

      2) Reset the password only when I login with that new password.

      3) If I login with the original password, or simply ignore it for 48 hours, I can safely assume the password reset request was not needed and ignore the prior "reset request"

      Now, I don't have to trouble the user with a bogus security question and the malicious password reset attack does not harm me. Without harm, there is little incentive to attack either.
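
The reset flow the thread converges on, written out as one added example that is not code from any commenter or any real site: Tukz's "send a link and only act once it is clicked", plus the Anonymous Coward's two refinements above (the reset takes effect only when the mailed credential is actually used, and a normal login with the existing password, or 48 hours of silence, cancels the pending request). Assumptions beyond the posts: the mailed item is a random one-time confirmation token rather than a new password, only a hash of the token is stored, the user picks the new password at confirmation time, a request for an unknown address is silently ignored so the endpoint does not reveal which addresses are registered, and the rate limiting that would replace the "secret question as DoS throttle" is left out. The outbox list stands in for actually sending mail.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL = 48 * 3600          # 48 hours, as in the post above
KDF_ITERATIONS = 10_000        # demo value; production uses far more


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    pending: Optional[dict] = None     # {"token_hash": bytes, "expires": float}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _hash_token(token: str) -> bytes:
    # Tokens are high-entropy, so a plain hash is enough to keep a DB leak from
    # handing out usable reset links.
    return hashlib.sha256(token.encode()).digest()


class ResetService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []     # (address, token) instead of real mail
        self.now = now

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, _hash_password(password, salt))

    def request_reset(self, email: str) -> None:
        """Anyone may call this; it never changes a password by itself."""
        acct = self.accounts.get(email)
        if acct is None:
            return                                # same silence for unknown addresses
        token = secrets.token_urlsafe(32)
        acct.pending = {"token_hash": _hash_token(token),
                        "expires": self.now() + TOKEN_TTL}
        self.outbox.append((email, token))         # a real service would rate-limit here

    def confirm_reset(self, email: str, token: str, new_password: str) -> bool:
        """The 'click the link' step: only a valid, unexpired token changes anything."""
        acct = self.accounts.get(email)
        if acct is None or acct.pending is None:
            return False
        if self.now() > acct.pending["expires"]:
            acct.pending = None                    # ignored for 48 hours: request dropped
            return False
        if not hmac.compare_digest(acct.pending["token_hash"], _hash_token(token)):
            return False                           # wrong token must not cancel the real link
        acct.pending = None                        # single use
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        ok = hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))
        if ok and acct.pending is not None:
            acct.pending = None                    # owner still knows the password: reset unneeded
        return ok


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice@example.com", "hunter2")      # constructed account
    svc.request_reset("alice@example.com")
    _, mailed_token = svc.outbox[-1]
    print("reset with mailed token:", svc.confirm_reset("alice@example.com", mailed_token, "new-pass"))
    print("old password still works:", svc.login("alice@example.com", "hunter2"))
```

A bogus reset request therefore costs the victim nothing but an e-mail, and a stolen token is only useful until the owner next logs in or 48 hours pass; what this does not solve is the case the thread keeps returning to, where the account being reset is the mailbox itself.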

    13. Re:Not bad if used with email by DMUTPeregrine · · Score: 1

      It's normally a link you have to click to confirm your desire to change your password. What it does help prevent is DoS attacks, since generating and sending a few million of those password recovery e-mails per second can bring a server down.

      --
      Not a sentence!
    14. Re:Not bad if used with email by ILongForDarkness · · Score: 1
      Hence why hacking someone's email account first makes the most sense. I have more sites that use this method, or just reset the password and send me the new one to the email account on record, than I have ones that ask me a "security" question. Another option that my colleague proposed, which is a good idea, is to let the user type in their own security question. He had a site that let him do that and is using a really bizarre question that only he would know the answer to.

      Too many of the security questions are information that is publicly available, especially if you are well known. How hard would it be to find out "mother's maiden name", "birthday", "pets", "where you met your spouse" etc etc. for a celebrity? I have a hard enough time trying not to find out that information about them. Ah crap, while flipping to the business section I accidentally found out that Britney Spears shaved her head, crap I didn't need to know.

    15. Re:Not bad if used with email by clone53421 · · Score: 1

      Oh, you have an uncle on your mother's side, what's his name? (now I know your mother's maiden name).

      My father's last name is not the mother's maiden name of my cousins on my mother's side. Yet, he is their uncle, and for some of them he's their uncle on their mother's side.

      Was that confusing enough, or do I need to try harder?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    16. Re:Not bad if used with email by ILongForDarkness · · Score: 1

      Not to mention get your mail server blacklisted.

  8. What did they really expect? by Aladrin · · Score: 2, Insightful

    The questions have to be so easy that the owner will -never- forget them... That means they pretty much have to be a defining characteristic in a person's life.

    Favorite color, birth city, mother's maiden name, location of first job, favorite pet, etc etc.

    While my friends couldn't name a couple of those, it'd be stupidly easy for them to get those answers from me in a normal conversation. Even strangers, around friends, have a good chance at it.

    Also, my bank takes this a step further... Sometimes when you log in, it asks you one of the security questions after you put in the name and password. I've never felt this made much sense, but oh well.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:What did they really expect? by NewbieProgrammerMan · · Score: 1

      The questions have to be so easy that the owner will -never- forget them...

      Unless, of course, they force you to use security questions that (1) you don't have an answer to, or (2) you have an answer that doesn't satisfy their assumptions about possible answers; then you have to make up an answer on the spot that you won't remember a week later.

      (1) "Who is your favorite author?" I have a handful of authors I like, but I don't go to the trouble of choosing a "favorite" one, so I had to pick one at random and forgot to write it down, so I couldn't answer the question a year later.

      (2) What is your maternal grandmother's first name? "Ora" --> "Sorry, your answer is too short." WTF? IT'S HER NAME!

      By now, most places seem to have figured out it's not a good idea to make you choose from a narrow set of predefined questions, but that's been replaced by making me choose a fucking image and make up some bullshit text and passkey to go with it on the spot.

      --
      [b.belong('us') for b in bases if b.owner() == 'you']
    2. Re:What did they really expect? by Cro+Magnon · · Score: 1

      I remember one possible question was "What's your favorite movie?". I doubt that I could remember what my favorite movie was in 2003. It's almost surely not my favorite in 2009.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    3. Re:What did they really expect? by hacksoncode · · Score: 1
      "my bank takes this a step further"

      This is their pathetic response to the "three factor authentication" requirement.

      Really.

    4. Re:What did they really expect? by Anonymous Coward · · Score: 0

      If it's BoA, I think that's a problem when they went to the new "sequential process on new ip" system. They've still got legacy stuff (which asks you for user/pass) *before* forwarding you to the new login.

  9. Breaking news by damaki · · Score: 1

    People who use an insecure password will use an insecure retrieval question. Guess what is the problem? Worse, once their uber secure password is stored in their browser, they will use a simple question. In the end, the user is almost always the problem.
    I usually use something personal enough so that nobody else, even my girlfriend, knows the answer.

    --
    Stupidity is the root of all evil.
    1. Re:Breaking news by Zero__Kelvin · · Score: 3, Funny

      "I usually use something personal enough so that nobody else, even my girlfriend, knows the answer."

      You just gave it all away! Now we know that the question was "what is your sexual orientation" ...

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:Breaking news by Anonymous Coward · · Score: 0

      The problem I've experienced is that these sites have three or four short lists of questions with obvious answers from which you must choose. When users are confronted with several websites which have slightly different lists of questions with obvious answers, are they supposed to develop and memorize a mapping from the different stupidly obvious questions they selected to questions that are more secure?

      My bank went with this type of so-called extra security measure, and I entered long strings of profane insults as answers. Now I keep most of my money with another institution that has demonstrated some intelligence in regards to security.

    3. Re:Breaking news by BenoitRen · · Score: 1

      Damn furries.

    4. Re:Breaking news by Anonymous Coward · · Score: 1, Funny

      I thought the question was "What is my offline name?"

  10. My question is: by dvh.tosomja · · Score: 2, Informative

    Who has more water that we expect to?

    1. Re:My question is: by Anonymous Coward · · Score: 0

      A preposition is not a good word to end a secret question with.

    2. Re:My question is: by radio4fan · · Score: 1

      A preposition is not a good word to end a secret question with.

      This is the sort of thing up with which we should not put!

      (not © Churchill)

    3. Re:My question is: by clone53421 · · Score: 1

      I will not tolerate this frivolity!

      Oh wait, was I suppose to end that sentence a preposition with?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  11. Secret Question are easier than the password by rolfwind · · Score: 4, Interesting

    What is the surprise? They don't have to follow the same rules as passwords (letters and at least 1 number, etc) that many sites enforce. Plus, if they don't let you make your own question, they pretty much stick to the same stupid, generic 5-8 questions they all have.

    If someone really wanted to go on a phishing expedition, they would open a site that requires registration, security questions, and all that, and then try the information on the webmail of the people who just registered. Probably would work phenomenally as well.

    If websites wanted to be truly secure, they would ask for a mailing address or at least a phone number to confirm resetting things (thinking of financial accounts, not stupid forums). They confirm the same inane, easily duplicable facts in real life, but at least they have to reach you at a confirmed safe location.

    1. Re:Secret Question are easier than the password by noidentity · · Score: 1

      Plus, if they don't let you make your own question, they pretty much stick to the same stupid, generic 5-8 questions they all have.

      Yes, but you can choose the answer; you don't have to answer them truthfully (in fact, best if you choose the answers randomly, and write them in a safe place if you want to use them in the future).

    2. Re:Secret Question are easier than the password by Piranhaa · · Score: 1

      Paypal does that.

      PS: No, I don't like to use Paypal when preventable.

  12. I agree by jez9999 · · Score: 5, Funny

    Secret questions are way too easily guessed. They should just stick to the most reliable password of all, mother's maiden name. Who the hell else would know that?

    1. Re:I agree by will_die · · Score: 5, Insightful

      Who the hell else would know that?
      Every other web site that you visited that asked that question.

    2. Re:I agree by Anonymous Coward · · Score: 0

      [Shrug]
      If they're stupid enough to ask that one, I just lie. People are unlikely to guess that my mother's maiden name is, oh, "!Gupthyrxik99".

    3. Re:I agree by noidentity · · Score: 1

      Secret questions are way too easily guessed.

      Fortunately, it's the answers that your attacker needs to come up with (unless it's jeopardy.com)

    4. Re:I agree by Anonymous Coward · · Score: 0

      Nice way to miss the sarcasm, dork.

    5. Re:I agree by Maajid · · Score: 1

      If the attacker was sufficiently motivated, I'm sure he could get someone's mother's maiden name -- not the toughest 'encryption', is it? After all, we wouldn't want to be living in a world where hackers keep directories of people's mothers' maiden names, would we!

    6. Re:I agree by OhHellWithIt · · Score: 2, Insightful

      They should just stick to the most reliable password of all, mother's maiden name. Who the hell else would know that?

      I assume you are making a joke. One source is public records. If you're married in the U.S., there is a marriage record on file in the courthouse of the county where you're married. This record is open to the public, and (at least in the state where I live), it lists the names of the couple's parents, as well as the places of birth of the couple. That tells me where you were born.

      The courthouse of the county where you were born will have your mother's maiden name on your birth record -- which I believe is also a public record -- and, if I remember correctly, also your father's birth info.

      I've started using a friend's mother's maiden name. The big problem comes when I can't remember whether the account was set up before or after I started this practice.

      As for most of the other special questions I've seen, they are either easily guessed by someone who knows me fairly well, or they are such obscure things that I may well forget them in about ten years -- long before I expect Alzheimer's has kicked in. You'd think I shouldn't have to worry about people who know me, but remember that most frauds are perpetrated by people who know the victim.

      --
      "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
    7. Re:I agree by TRS80NT · · Score: 2, Funny

      Somehow my idiot brother was able to figure it out. Bummer.

      --
      Lorem ipsum dolor sit amet.
    8. Re:I agree by GbrDead · · Score: 1

      That unfortunate nerd who has been in love with your mother in high school?

    9. Re:I agree by kthejoker · · Score: 1

      I trick them by using my father's maiden name.

    10. Re:I agree by Anonymous Coward · · Score: 0

      A couple of months ago, I logged into my HotMail account (I use it when I need an email address that I don't care if it gets spammed) and there was a line at the top reminding me that my 'vacation message' was still in effect. I had never set a vacation message on my HotMail account, so I went to check it out.

      It turned out that my vacation message was a spam for some wholesale electronics place. I removed that message, and then went to look in my sent mail. Sure enough, my account had been used to send spam to thousands of people about this same scammy shop. I changed my password, and haven't had any other troubles.

      It bothered me, though, that someone had figured out the password. It was just a string of gibberish, mix of upper/lower case, digits, and punctuation symbols. What must have happened is that I used that same password to sign up for some other web site, and that place got hacked, or just sold their database, or something, and probably just about everyone uses the same password for everything. Happily, I only used that password on sites that don't matter; every other site has a distinct password.

      But the point is, you're right. You're giving the same information to dozens of web sites out there, and the information is only as secure as the least secure/trustworthy of all of those sites.

    11. Re:I agree by clone53421 · · Score: 1

      father's maiden

      ???

      Actually, I'm not sure I want an explanation.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  13. encrypted password file by mcelrath · · Score: 3, Insightful

    I just keep a gpg-encrypted file with all my passwords. When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file. This file is heavily backed up. I cannot imagine a scenario where I would lose a password, or the answers to "secret questions".

    The only time I've had a problem is with stupid websites that require registration (and I don't care about, so didn't write down the gibberish I wrote in their registration form) and some time later I decided to come back to that stupid site.

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    1. Re:encrypted password file by ortholattice · · Score: 4, Insightful

      "When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file."

      Well, that's clever, everyone should do that. I'll have to teach my grandmother to write perl scripts, then remember what she called it, where she stored it, and how to run it every time she is asked one of these retarded questions. Oh, and also how to save the output to her gpg file after remembering what her gpg file was called and where she stored it and what its password is.

      If you (presumably) guard your passwords carefully (in this same gpg file?), why do you even bother saving the answer to the "secret question"? Just type a bunch of random keyboard characters (bang hard, using the opportunity to release the pent-up frustration), don't save it, and be done with it. Isn't that faster than going through the perl script rigamarole?

      For most things - various user forums, etc. - I don't give a damn about all this password/secret question paranoia. If they crack it, so what? I haven't changed my slashdot password since day one, it's easy for me to remember, and if someone cracks it and "steals" my "identity" here, well, I would probably find it amusing.

      There are a relatively small number of things, such as bank accounts and trusted access to other people's networks (and yeah, my servers' roots) whose passwords I protect very carefully. Almost none of those things involve extra secret questions in case I forget the password, or if they do I've given a gibberish answer I don't save.

      (OK, I have a CISSP cert, and those hyperparanoia-filled meetings I have to go to to keep it up sometimes make me want to scream).

    2. Re:encrypted password file by mokus000 · · Score: 1

      Stupid sites like that probably have a whole lot of dead accounts anyway. And I for one feel no remorse whatsoever when I add to the pile.

      --
      Additive identity, multiplicative cancellation, distributive multiplication over addition: pick any two (unless 1 = 0)
    3. Re:encrypted password file by Anonymous Coward · · Score: 1, Insightful

      Your house is hit by an EMP, and all of your electronics stop functioning. Any offsite backups are also hit.

      Foolishness aside, there's something to be said for being able to get back into your account without needing any of your current technology.

    4. Re:encrypted password file by radio4fan · · Score: 1

      When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file. This file is heavily backed up. I cannot imagine a scenario where I would lose a password, or the answers to "secret questions".

      So why bother saving the answers to secret questions? If you're not going to lose the password, surely you won't need the answers to the secret questions. And if you lose access to the password file, you've also lost the answers to the secret questions.

    5. Re:encrypted password file by Anonymous Coward · · Score: 0

      The only time I've had a problem is with stupid websites that require registration (and I don't care about, so didn't write down the gibberish I wrote in their registration form) and some time later I decided to come back to that stupid site.

      For stupid websites you don't care about, why not just have a standard 'insecure' logon/password combo to use for all of them?

    6. Re:encrypted password file by mcelrath · · Score: 2, Insightful

      So why bother saving the answers to secret questions? If you're not going to lose the password, surely you won't need the answers to the secret questions. And if you lose access to the password file, you've also lost the answers to the secret questions.

      Just in case. You never know when a password gets grabbed by e.g. a keylogger, network sniffer, or insecurity on the server side.

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    7. Re:encrypted password file by mcelrath · · Score: 1

      For stupid websites you don't care about, why not just have a standard 'insecure' logon/password combo to use for all of them?

      I do. But sometimes sites won't accept my password because it doesn't contain the right magic combination of numbers/letters/punctuation/length, or my desired userid is taken...

      Mostly here I'm talking about saving passwords for business sites: frequent fliers, banks, credit cards, any online merchant, etc. The paranoia is required because somewhere in the bowels of their website is my credit card number or other sensitive information.

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    8. Re:encrypted password file by mcelrath · · Score: 1

      I'm sure there are 1000 "password wallet" applications out there that will do all this for your grandmother. I haven't looked. (kwalletmanager?) And I'm too paranoid to use them anyway. And I configured vim to automatically decrypt/encrypt files when I edit them. While I'm at it, here's the perl script. This is a solution for me, not your grandmother. But the principle can transfer.

      If there *isn't* some suitable password manager for your grandmother, why not write one? As Schneier says, passwords are dead.

      My bank asks these stupid questions. I think it's the only instance where I actually recorded my gibberish answers to such questions.

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    9. Re:encrypted password file by LordLimecat · · Score: 1

      Wouldn't the first thing any reasonably able hacker do be to change the recovery email address and secret question? One would think that if someone is in the know on account theft they'd know about these not-too-secret backdoors.

    10. Re:encrypted password file by mcelrath · · Score: 1

      You fell victim to one of the classic blunders! The most famous is "Never get involved in a land war in Asia," but only slightly less well known is this: "Never assume criminals are hyper aware and intelligent!" MUAAAAHAahaaaa!!!

      Your punishment is to watch a few episodes of COPS.

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    11. Re:encrypted password file by vanyel · · Score: 1

      Well, that's clever, everyone should do that. I'll have to teach my grandmother to write perl scripts

      That's overkill: these are passwords and should be treated as such. Free associate some random words, twiddle it a bit to avoid a dictionary search and save it somewhere. Even grandma can do that.

    12. Re:encrypted password file by clone53421 · · Score: 1

      Yeah, how on earth would you prove your identity to anyone without giving them a series of memorised passwords and recovery answers?

      It would be more of a hassle, but in such extreme circumstances ("Your house is hit by an EMP"?), faxing your birth certificate and driver's license should be more than adequate.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    13. Re:encrypted password file by clone53421 · · Score: 1

      You fell victim to one of the classic blunders! ... "Never assume criminals are not hyper aware or intelligent!"

      Fixed that for you.

      Seriously, when we're talking about security, assuming "they'll be too dumb to figure it out" is a royally stupid approach.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  14. You do have secrets... by __aarvde6843 · · Score: 0

    We all have our little secrets. It's not hard to find a question/answer nobody else could figure out... Unless you are such a nice, innocent and transparent person, like Sarah.

    Anyways, this is an old topic and /.ers are intelligent people...

    1. Re:You do have secrets... by pjt33 · · Score: 4, Funny

      Yes, but "Where are the bodies buried?" isn't really the question you want to choose for password recovery.

    2. Re:You do have secrets... by Ironica · · Score: 1

      Bravo. Lately the oblig xkcd references have been getting sloppy. That one was well played.

      --
      Don't you wish your girlfriend was a geek like me?
    3. Re:You do have secrets... by clone53421 · · Score: 1

      It's funny, but it's also true. The answer to your secret question is almost undoubtedly stored as plain text in their database. Don't use anything that you don't want any random person working for that company to be able to see.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
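The plain-text storage point above is the part a site operator can actually fix. As an added example that is not from this thread, here is how a server could store and check a secret-question answer so that a leaked database does not expose answers directly; the normalisation rule, the PBKDF2 parameters and the five-attempt lockout are constructed assumptions.

```python
"""Added example (not from the thread): server-side handling of a
secret-question answer. Normalise, salt and slow-hash the answer, compare
in constant time, and lock the question after a few wrong guesses.
The normalisation rule, the PBKDF2 cost and MAX_ATTEMPTS are assumptions."""
import hashlib
import hmac
import os
import re
import unicodedata

MAX_ATTEMPTS = 5          # assumed lockout threshold for one account
PBKDF2_ROUNDS = 200_000   # assumed work factor


def normalize(answer: str) -> str:
    """Canonicalise the answer so a legitimate user is not rejected for
    case, spacing or accents ("O'Brien" and "obrien" match).  This does
    not help an attacker: the answer space is tiny to begin with, which is
    exactly the study's point, so the lockout below does the real work."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", text.casefold())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                               salt, PBKDF2_ROUNDS)


def make_record(answer: str) -> dict:
    """What gets stored: a per-record random salt and the slow hash.
    The answer itself is never written to the database."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _digest(answer, salt), "attempts": 0}


def check_answer(record: dict, guess: str) -> bool:
    """Verify a recovery attempt.  Once MAX_ATTEMPTS wrong guesses have
    accumulated the question is locked and even the right answer fails,
    so the tiny answer space cannot simply be enumerated online."""
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    record["attempts"] += 1
    if hmac.compare_digest(_digest(guess, record["salt"]), record["digest"]):
        record["attempts"] = 0
        return True
    return False


if __name__ == "__main__":
    rec = make_record("O'Brien")              # constructed sample answer
    print(check_answer(rec, "  obrien "))     # True: normalised match
    print(check_answer(rec, "Smith"))         # False: wrong, attempt counted
```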
  15. Why don't... by Jamamala · · Score: 5, Interesting

    You just submit the hash of your answer as the real answer? This would outwit a sizeable proportion of attacks by people who know you, as they might be unlikely to guess that you'd do this, and even if they do, they'd still have to guess the hash type.

    Then again, if they truly know you, then maybe they'd guess you'd be this paranoid :P

    1. Re:Why don't... by physicsphairy · · Score: 1

      I used to fill in gibberish for the secret question answer. Now I use an alternate password, since that is *really* what I want--another way in if my account gets hijacked--not a password reminder.

      Oh, and as far as hashing a standard answer goes, you could also just convert some letters to numbers (as is common with passwords), or have the answer be the real answer written once forward and backward, i.e., you can implement encoding algorithms yourself without needing to pull up the command prompt (which should work just as well for deterring guesses).

    2. Re:Why don't... by mokus000 · · Score: 2, Insightful

      If they truly know you, I'd hope they got to that point because you trust them. When trust is misplaced, all bets are off when it comes to security.

      --
      Additive identity, multiplicative cancellation, distributive multiplication over addition: pick any two (unless 1 = 0)
    3. Re:Why don't... by maxume · · Score: 1

      If you salt the hash, they would also need to figure out the salt (and you would only need to remember 1 extra thing that was used across sites). Hopefully the authentication system is such that even a weak salt would require enough guessing to trigger some alarms, or something.

      I think my long term solution will be to stop, as much as possible, interacting with systems that require stupidity in the name of security. To some extent that will mean agitating for systems to use physical tokens (which are strong and only a little inconvenient) and things like OpenID (which may be too complicated for most people to want to deal with; I mean people who store their passwords in their browser, with no system or profile password protecting them, ya know, the majority).

      --
      Nerd rage is the funniest rage.
    4. Re:Why don't... by mdielmann · · Score: 1

      Then again, if they truly know you, then maybe they'd guess you'd be this paranoid :P

      Looks like I'll be skipping this one...

      --
      Sure I'm paranoid, but am I paranoid enough?
    5. Re:Why don't... by sorak · · Score: 1

      You just submit the hash of your answer as the real answer? This would outwit a sizeable proportion of attacks by people who know you, as they might be unlikely to guess that you'd do this, and even if they do, they'd still have to guess the hash type.

      Then again, if they truly know you, then maybe they'd guess you'd be this paranoid :P

      It's easier to just act like an idiot:

      "What's your mother's maiden name"

      Turnip-eating cocksucker!

      That is correct. So what will you be needing today?

  16. My Qs by Daimanta · · Score: 3, Funny

    Q What is the highest prime number?
    Q In 60 characters, prove Goldbach's conjecture
    Q How many palindromic primes are there in base-10?
    Q What is the lowest Sierpinski number?
    Q Solve the Happy Ending problem for arbitrary n
    Q Prove or disprove that the Euler-Mascheroni constant is irrational in 60 chars.

    Crack my account and I'll use your idea ^^

    --
    Knowledge is power. Knowledge shared is power lost.
    1. Re:My Qs by pjt33 · · Score: 1

      Q What is the highest prime number?

      There isn't one.
      Non-existent.
      Fictional.

      Yes, I see your point. It would take quite a while to enumerate all the possible answers.

      Q What is the lowest Sierpinski number?

      22,699. Am I right?

    2. Re:My Qs by digitig · · Score: 1

      Q What is the lowest Sierpinski number?

      22,699. Am I right?

      Well, it's 10223, 21181, 22699, 24737, 55459, 67607 or 78557. That looks manageable for a brute-force attack.

      --
      Quidnam Latine loqui modo coepi?
    3. Re:My Qs by MightyDrunken · · Score: 2, Funny

      No these are far too easy. What we want are SECRET QUESTIONS, not answers. Mine is, "The answer is 42. What is the question?".

    4. Re:My Qs by rdnetto · · Score: 1

      What, no Riemann Hypothesis?

      --
      Most human behaviour can be explained in terms of identity.
    5. Re:My Qs by TheSeventh · · Score: 1

      "Not all those who wonder are lost" ;)

      Me, staring in the fridge: "I wonder how old this pasta is?"

      My roommate, seeing me ponder this: "Are you lost?"

      --
      Just because you're paranoid, it doesn't mean that they're not out to get you.
    6. Re:My Qs by jimbolauski · · Score: 1

      Q) Solve the Happy Ending problem for arbitrary n
      A) $50 for a happy ending.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    7. Re:My Qs by kst · · Score: 1

      No these are far too easy. What we want are SECRET QUESTIONS, not answers.

      Mine is, "The answer is 42. What is the question?".

      41?

    8. Re:My Qs by Ironica · · Score: 1

      No these are far too easy. What we want are SECRET QUESTIONS, not answers.

      Mine is, "The answer is 42. What is the question?".

      What do you get if you multiply six by nine in base 13?

      --
      Don't you wish your girlfriend was a geek like me?
  17. I use a physical book. by Rosco+P.+Coltrane · · Score: 4, Interesting

    If I'm allowed to choose the question, I use the time-tested method that was used in 80s games, which is "word in page x, line x, x-th word". If I'm not, it's usually a "pet" or "mother's name" question and I use the characters' names or animals in the book.

    I also use the book as a source for passwords for the many accounts I have everywhere on the internet. I spell out the login name in the book (say "Mylogin") by looking for the first word starting with "M", then the next word with "y", then the next word with "l", etc... until I find a word that starts with "n", use the very next word that's 8 characters or more, append the line number, and that's my password.

    I usually remember most passwords I use all the time, but for the accounts I seldom use, the book title is the only thing I need to remember to recover my passwords. Given the size of my library and the fact that the book is a huge, boring French novel, tough luck even for a burglar to find it.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:I use a physical book. by dword · · Score: 2, Funny

      Even better: check out the definition of paranoid I just found on Slashdot!

    2. Re:I use a physical book. by Anonymous Coward · · Score: 0

      I love it. He's got an ultra-top-secret method of hiding his passwords, but he just posted said ultra-top-secret method to one of the most popular tech sites on the intertubes.

    3. Re:I use a physical book. by Anonymous Coward · · Score: 0

      Similar to my method. Generally speaking desks and work areas tend to have books, printers, speakers, and so on just sitting around - and a lot of them have some sort of code - the model number, or the ISBN, or a SKU, or whatever. All I need to do is pick one of these, and then remember the source object. There's no notes, there's no indicators, and it's easy to remember something like 'printer' or 'Oxford English Dictionary.'

    4. Re:I use a physical book. by noidentity · · Score: 1

      I also use the book as a source for passwords for the many accounts I have everywhere on the internet. I spell out the login name in the book (say "Mylogin") by looking for the first word starting with "M", then the next word with "y", then the next word with "l", etc... until I find a word that starts with "n", use the very next word that's 8 characters or more, append the line number, and that's my password.

      So that's it! I've been having a hell of a time figuring out your passwords. Thanks for the tips.

    5. Re:I use a physical book. by dword · · Score: 1

      I reckon Rosco P. Coltrane knows what he's doin'.

    6. Re:I use a physical book. by L4t3r4lu5 · · Score: 1

      So, you use passwords which are French, vulnerable to brute force / rainbow table attack, greater than 8 characters, with an integer < 99 appended? I'm pretty sure l0phtcrack has a mask for that, and with the length definitely over 8 the amount of words to crunch through is significantly reduced.

      Not paranoia, but best practice; I never use the maximum amount of characters for that reason. It's too obvious, and easy to brute force.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  18. Passwords *should* be written down by Anonymous Coward · · Score: 1, Interesting

    I have a list of some ~150 accounts and passwords on paper in an unlocked cupboard. They are forum accounts, accounts to online communities (digg, etc.), online stores, to my less important emails, to some FTP servers, etc. etc...

    I don't need to worry about hard drive breaks or hackers - everything is on paper and offline. I don't need to worry about my family members wanting to log into my driveThruRPG online store account - why would they want to? And even if they did they could do nothing without my paypal account.

    There are only a few passwords that aren't on the list - my private e-mail, my work e-mail, my paypal, logins to my home and work computers and login to the encrypted partition on my hard drive.

    I don't use the same password in any two places. Only flaw of this is that if I were to lose that list (probably due to my house burning down) I would have to recover a lot of passwords. However, in such event the password recoveries would be the last thing to worry about...

  19. Spot on by pjt33 · · Score: 5, Interesting

    Shame I just used my mod points. There are plenty of cultures in which women don't change their names when they marry, and even in those where they do they tend not to change them unless they marry, which is becoming less common. Fortunately banks are starting to wake up, and maybe in a decade they'll all have semi-sensible account security.

    1. Re:Spot on by Anonymous Coward · · Score: 1, Insightful

      I don't understand your banking system at all. Here in Finland depending on the bank, you have a customer number or something else and a password plus/or a random number from your secret number card that your bank sent you.

      I don't get what's so hard to implement this in all banks. A little piece of paper with a hundred random 4-digit single use numbers on it and a database of these on the server. There's no way anyone could get to any of my bank accounts without physical access. Even with a keylogger or some other way they would only get my "username" and an already used password.
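The paper code-card scheme described in this comment, written out as an added example that is not from the thread or from any bank: the server keeps the same list of 100 four-digit codes it printed, asks for one by its number, and marks it used whether the attempt succeeds or fails, so a keylogged code cannot be replayed and a wrong guess cannot be retried against the same code. The card size, code length, PBKDF2 password hashing and the burn-on-failure rule are constructed assumptions.

```python
"""Added example (not from the thread): a minimal one-time-code card.
Login needs customer number + password + the code the bank asks for;
each printed code is valid once.  Card size, code length and the
'burn on wrong guess' rule are assumptions made for this example."""
import hashlib
import hmac
import os
import secrets

CARD_SIZE = 100     # assumed: codes printed on one card
CODE_DIGITS = 4     # assumed: "4-digit single use numbers"


def issue_card():
    """The list printed on the card; the bank stores the same list."""
    return [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            for _ in range(CARD_SIZE)]


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, customer_number: str, password: str):
        self.customer_number = customer_number
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.card = issue_card()          # mailed to the customer on paper
        self.used = [False] * CARD_SIZE   # single-use bookkeeping
        self.pending = None               # 0-based index currently asked for


def challenge(acct: Account):
    """Pick an unused code and return its printed (1-based) number, or
    None when the card is exhausted and a fresh one must be mailed."""
    free = [i for i, used in enumerate(acct.used) if not used]
    if not free:
        return None
    acct.pending = secrets.choice(free)
    return acct.pending + 1


def login(acct: Account, customer_number: str, password: str, code: str) -> bool:
    """Second factor check.  A wrong password leaves the challenge open
    (the caller learned nothing about the code); a wrong code burns the
    challenged entry so the 10^4 code space cannot be guessed online."""
    if customer_number != acct.customer_number:
        return False
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        return False
    if acct.pending is None:
        return False                      # no open challenge: replay attempt
    idx, acct.pending = acct.pending, None
    acct.used[idx] = True                 # consumed, right or wrong
    return hmac.compare_digest(acct.card[idx], code)


def codes_left(acct: Account) -> int:
    return acct.used.count(False)


if __name__ == "__main__":
    acct = Account("12345678", "correct horse")   # constructed sample
    number = challenge(acct)
    print("bank asks for code number", number)
    code = acct.card[number - 1]                  # customer reads it off the card
    print(login(acct, "12345678", "correct horse", code))   # True
    print(login(acct, "12345678", "correct horse", code))   # False: replay
```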

    2. Re:Spot on by Anonymous Coward · · Score: 0

      Dear Bank: I have lost my one time pad. Can you send another?

    3. Re:Spot on by clone53421 · · Score: 1

      No, fuck you.

      Actually, more like "Sure, please provide six forms of ID and a bone marrow sample."

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  20. Re: the book is a huge, boring French novel by neonsignal · · Score: 2, Funny

    That's a bit much. I rather enjoyed reading Les Miserables.

  21. Duh. by Anonymous Coward · · Score: 0

    The really sad thing is that it takes

        research from Microsoft and Carnegie Mellon University

    and that they have the balls to

        present[ed] [it] at the IEEE Symposium on Security and Privacy

  22. Re: What date format? by Anonymous Coward · · Score: 0

    If you know about date formats, you know there is only one. ISO 8601.

  23. no shit sherlock by saiha · · Score: 1

    The worst are the ones that force you to have a "secret" question. Oh like it's that hard for an acquaintance to guess your high school, or your mother's maiden name?

    Usually I just create a second password (I'm sure somewhere my mother's maiden name is inwyd15), but even that is one more thing that can get loose.

    1. Re:no shit sherlock by dword · · Score: 1

      But... wait a moment! What if a company can sue you for providing them with false information? They want to check your account on another provider that tells you your password instead of changing it when you go to "Forgot my password". They check the details of your account with them, see they're bogus and try them. If they work, it's the company's lucky day. If they don't, they can try to sue you to obtain the information from you or to make you change your question and answer. Then, they can scare you by telling you that you should do the same with all your accounts. Bam! They now have confidential information that you trust them with and allows them to login using your account on their competitor's website. The answer may be confidential, but the TOSes usually specify that you must provide accurate, truthful information and they reserve the right to peek into the answer of your secret question, for your own protection.

      I know it's a stretch, but, considering the lawsuits we've seen on Slashdot lately, I'm still wondering why nobody tried this yet!

      Come to think of it, I own a website that requires your email address as username... brb, checking "my" email accounts.

  24. Re: What date format? by Xest · · Score: 1

    That's a standard that defines a format, not a format by itself, regardless it's also one of many standards, although many of those are obsolete now. Still, there are plenty more than just one single date format however you cut it!

    But the point is that on some days you'll use 20/3/2009, other days you'll use 20/03/2009, then you might use 20th March 2009 and all that's assuming just a single date ordering from days to years which is common in Britain but not so in the US which uses months, days, years or Europe which mostly follows years, months, days.

  25. Study Shows "Secret Questions" Are Too Easy by Yogiz · · Score: 0, Redundant

    That's why I only use one secret question.

    "What is my password for this site?"

  26. bogus answers by DNS-and-BIND · · Score: 2, Insightful
    I always put a fake name as my Mom's maiden name. Why does anyone need to know that? It's just an ordinary word, and I always list it the same.

    The problem comes with those idiot services that try to be too clever by half, and ask a battery of questions ("what was the name of your first grade teacher" "what was your first dog's name") and other such worthless trivia. These fields are required, and cannot be skipped. One day, the site decides to be clever again (I can picture some nerd furiously beating off as he thinks about his great idea) and asks me what's my favorite color when I log in. I mean, if I forget my password, that's my problem. But using these personal questions as some sort of CAPTCHA or user verification is just stupid.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:bogus answers by Shados · · Score: 1

      Even worse, in my opinion, is some bank's web sites, like mine: It doesn't let me have a password of more than 8 characters, and special characters are not allowed (only alpha and numbers, not even space!).

      Then in the name of security, they put these stupid questions. Fix the passwords first anyone?

    2. Re:bogus answers by SuseLover · · Score: 1

      I answer all those questions with fake nonsensical answers. There is no reason to use a real answer to any question as long as YOU know the correct answer. i.e. Q: What is the name of your first pet? A: laughing

    3. Re:bogus answers by Quirkz · · Score: 1

      A few years ago, Bank of America wouldn't let you use more than 4 characters, and they had to be numbers. Basically, just a PIN. They've since updated that, but for a while it was ridiculously bad.

    4. Re:bogus answers by DMUTPeregrine · · Score: 2, Insightful

      And yet your PIN is still just 4 numbers. Everywhere.

      --
      Not a sentence!
    5. Re:bogus answers by Ironica · · Score: 1

      Mine isn't.

      --
      Don't you wish your girlfriend was a geek like me?
    6. Re:bogus answers by Shados · · Score: 1

      My PIN is 10 characters long, thank you very much. Still only digits though.

  27. Yesterday wants its news back by Opportunist · · Score: 2, Informative

    I dimly remember I saw something like this on /. before...

    It's a no brainer. Or at least it should be. Most of those "secret" questions draw from a limited set of possible answers. Worse, ALL those answers will be found in a dictionary. Because they invariably ask for (*drumroll*) a real, usually English, word.

    Now, what do we tell people, what did we tell them for ages? DO NOT use words that can be found in a dictionary. Yet for the "secret answer" (which is in almost all cases as good as the real password) we ask for a word that can be found in one.

    Is it me or is this like, you know, STUPID?

    There is no "secure" word. Not even your pet's name. My first pet was called ;drop table *;, btw. Yeah, I'm such a geek... sorry 'bout your database, btw.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Yesterday wants its news back by itsdapead · · Score: 1

      Is it me or is this like, you know, STUPID?

      Only if it is implemented in such a way that knowing the answer is as good as knowing the password.

      There's no reason it can't be used as part of a belt & braces approach (of course, if someone's stolen your belt then its possible that they've stolen your braces as well) and/or where the worst thing that it can trigger is to get a new temporary password mailed to your known address.

      It also depends what the stakes are and comes down to a risk analysis between the potential security risk vs. the inconvenience of losing access to the account while your identity is confirmed (...not that there's any really effective way of doing that).

      --
      In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
    2. Re:Yesterday wants its news back by Anonymous Coward · · Score: 0

      My first pet was called ;drop table *;

      Which database supports wildcards for table names like this?

      Yeah, I'm such a geek...

      :^)

    3. Re:Yesterday wants its news back by Opportunist · · Score: 1

      Good idea, in theory. In practice, it's immediately followed up with a service request asking what mail address they used when signing up, followed again with the cry that they don't use that mail address anymore and thus you're back to square one.

      Or, even more likely, the person didn't even supply a valid email address (or if they had to, a throwaway one) to avoid spam.

      Depending on the security requirements of the place you're dealing with, you're usually right, from a security point of view, that triggering a password reset and having the password mailed to a predetermined address is the right choice. Due to the general stupidity, laziness and paranoia (in the WRONG places... why are people usually only paranoid where they shouldn't be but litter their personal information everywhere else on the 'net?), it usually doesn't work out, though.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Yesterday wants its news back by LordLimecat · · Score: 1

      Is it possibly because guessing the secret word on its own does NOTHING to compromise your account? It simply generates a password recovery form on 95% of websites out there. The remaining 5% I wouldn't want to give any sign-up info to anyway.

    5. Re:Yesterday wants its news back by itsdapead · · Score: 1

      Good idea, in theory. In practice, it's immediately followed up with a service request asking what mail address they used when signing up, followed again with the cry that they don't use that mail address anymore and thus you're back to square one.

      The policy has to be that you must get the security question right first time and you kept your email address up to date. That's going to work for quite a lot of people - although it might not feel that way to the poor sod on the helldesk.

      The real problem, as I've said elsewhere, is that no one is providing a practical solution to "square one". The paradox is we do need a proper (IT-aware) ID card scheme that lets us prove our identities easily when the need arises, but (with some justification) don't trust anybody to implement it safely.

      --
      In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
  28. Re: the book is a huge, boring French novel by Anonymous Coward · · Score: 0

    That's a bit much. I rather enjoyed reading Les Miserables.

    OT I know, but did you really enjoy the ~5 pages spent describing some villains who then contribute 1/2 a page of actual plot?

    Having said that, overall I did like it, but I think Dumas' "Three Musketeers" is a far more enjoyable read.

  29. Study... by nog_lorp · · Score: 2, Funny

    Is this the study that was conducted by 4chan during the election? Where they found that 100% of Sarah Palins have easily guessed Yahoo mail security questions?

  30. I got one by bytesex · · Score: 1

    I always use the first name of my first real girlfriend. But then, that's not going to be much use for many slashdotters. But then, you can also use the first name of your faux girlfriend. Her name is even more secret!

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:I got one by silent_artichoke · · Score: 2, Funny

      Yeah, nobody would guess Natalie Portman...

    2. Re:I got one by Ironica · · Score: 1

      Yeah, nobody would guess Natalie Portman...

      Ah, but you don't use her *real* name... you type "hot grits" instead! Now you're secure.

      --
      Don't you wish your girlfriend was a geek like me?
  31. boring... by Anonymous Coward · · Score: 0

    So now we need studies to show that "secret questions" are insecure.

    Is computer science getting boring?

    1. Re:boring... by Ironica · · Score: 1

      So now we need studies to show that "secret questions" are insecure.

      No, "we" don't need studies to show that secret questions are insecure. "We" need studies to print out and drop on the desks of our CEOs and COOs, so that we can explain why we want two-factor identification, or at the very least, we need to take the time to teach everyone in the company how to come up with a halfway-secure password that won't end up on a post-it on their monitor.

      ("We" would just email the story, but there's over 1500 unread messages in the CEO's box, and the COO's Blackberry buzzes constantly so she doesn't pay much attention anymore. Back to paper it is.)

      --
      Don't you wish your girlfriend was a geek like me?
  32. Seen this on one webmail site by Anonymous Coward · · Score: 0

    what is your favorite color?

    Any guess???????

  33. Only one problem with one time keys by Kupfernigk · · Score: 1

    Did you ever read John le Carré's "A Perfect Spy"? In that, the one time key was a copy of Simplicissimus. Lose the book, career over. (I'm paranoid too, I used to use Weingreen's Hebrew Grammar until the day I had to rescue it from the Oxfam pile...)

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  34. Cryptic Crossword Clue by AliasMarlowe · · Score: 1

    I prefer to make up a cryptic crossword clue, but one which only I could know the answer to. Here's an example: "Red Cross indebted to largesse (9)". Don't bother trying to guess the answer - it involves two uncommon languages, and some personal quirks. It's also more than 9 characters long.
    For those "first pet" idiot questions, I typically choose an extinct species, but not any of the well-known ones, and add a non-alphameric character (like Elrathia^kingi or Charnia_masoni, although I have not used those particular examples). An analogous approach works for "mother's maiden name" and other such security challenges.
    This approach has served me for years, and I can always remember the passwords...

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  35. No duh by Anonymous Coward · · Score: 0

    No duh,
    No duh,
    No duh,
    No duh,
    No duh.

    By the way, can you guess what my secret answer might be?

    In all seriousness, with social networking sites, don't you think someone's secret answer can be found there? Pet's name, for example?

  36. Where was I born? by Anonymous Coward · · Score: 0

    I remember having to make a choice of crappy questions and the result is that I put a load of gibberish as the answer.

    So I forget password one day and get asked the question...then after several attempts start shouting at the PC - What do you mean my favorite sport is not squash? And don't tell me I wasn't born in a hospital ward!

  37. Too easily guessed? by Anonymous Coward · · Score: 1, Insightful

    Due to the stupid questions that have been asked.

    Quite a few sites have begun adding "Roll your own question" options as well.
    These ones are much safer to use.

    But of course, if you do have one of those sites with the usual crap, just don't answer them directly.
    Mom's maiden name? How about Steve?
    First pet's name? Tyrannosaurus Fuckyou?
    Favourite colour? Urple. (bonus points for those who get the reference.)

    But then you have stupid idiots like Sarah Palin who enter their own question with something so easily identifiable. (a fucking zipcode? Holy hell woman)
    So, back to square one it seems. Damn my 2 sided thoughts always balancing out.

  38. lemon by Anonymous Coward · · Score: 0

    You can also opt for a default answer, with a variable question.
    Let's say you choose a simple answer that is easily remembered, like the name of the street you live in, e.g. Oakley road.
    No matter what question you choose, your answer will always be Oakley road.
    For example:
    Question : What is your mother's name?
    Answer : Oakley road.

    In this case you only have to remember what question you chose.
    Safe? Depends. It's sure as hell a lot harder to guess than actually answering the question.

  39. A very simple trick by Drakkenmensch · · Score: 1

    When I have to fill out a "secret question" with an answer that's all too easy to look up, I just make up an answer no one will figure out but me. If someone trying to get into my account tries to guess what was "the color of my first car", how are they going to know the answer if I made up a word that doesn't even exist?

  40. Solution: Non-Sequitur Answer for All Questions by syntap · · Score: 1

    Just pick one word you use to answer all questions, like "love2canoo" or something. Why put in answers people can guess? Just make up a single answer that answers all questions.

    For example:

    1) Mother's maiden name: love2canoo
    2) First pet: love2canoo
    3) First car: love2canoo

    That way everyone trying to guess your answers will always be wrong. I'm not sure why people think they really need to answer those things truthfully. Lie, and others trying to use the truth will fail.

    1. Re:Solution: Non-Sequitur Answer for All Questions by JasterBobaMereel · · Score: 1

      Use a reasonably secure password that you don't use for any other purpose as the answer to all the questions

      i.e. use it as an alternative password, not as a bypass

      --
      Puteulanus fenestra mortis
    2. Re:Solution: Non-Sequitur Answer for All Questions by L4t3r4lu5 · · Score: 1

      That would work until one site asked you "What's your favourite hobby?"

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:Solution: Non-Sequitur Answer for All Questions by Anonymous Coward · · Score: 0
      1. What's your favorite hobby: Spot
  41. Just criss cross by superFoieGras · · Score: 0

    I always choose the question "What is your mother's maiden name?", and answer my pet's name...

    --
    I swear Officer, these are not WMD, just plain French cheese...
  42. duh, don't answer the question! by thegoldenear · · Score: 1

    I don't get this. I don't fill out secret question answers if I don't have to, preferring to just have the regular password, but if I do fill them out, for God's sake my answer wouldn't be the answer to the actual question, it would be something random like the password!

    Answering the actual question is obviously flawed security.

    Pete Boyd

    1. Re:duh, don't answer the question! by GargamelSpaceman · · Score: 2, Insightful

      Not filling them out is dangerous. If you don't fill them out then a question is selected by default. No answer is still an answer. A reasonable guess to 'the answer' is nothing, or rather, I didn't fill it out.

      I imagine an operator asking: What is your mother's maiden name? Then the perp being stumped, and after a period of silence, the operator determining that the question was answered correctly.

      And a machine is almost guaranteed to be that dumb.

      --
      ...
    2. Re:duh, don't answer the question! by thegoldenear · · Score: 1

      I was thinking of a web form where you're asked whether or not you want to answer a secret question, to which I choose 'no'.

      Pete Boyd

  43. Ridiculous security question example by Anonymous Coward · · Score: 0

    A credit web site asked me for the name of my first pet. I entered the answer which was "meg" (a spaniel).

    This failed validation for being too short.

  44. Ok, stop the smart ass solutions by fph+il+quozientatore · · Score: 5, Insightful

    So, it seems every slashdotter is submitting his best SHA1 fancy trick to answer the security question. But I think you missed the problem. The problem is not securing the accounts of smart tech-savvy people, as they should already know how to do it themselves. It is "how do we make sure that Joe the Plumber, Granny, and Sarah do not set dumb-ass security questions leading their account to be pwned in less than ten seconds?"

    --
    My first program:

    Hell Segmentation fault

    1. Re:Ok, stop the smart ass solutions by GargamelSpaceman · · Score: 1

      As has been said before, the guy who shasums a MyPet01.txt file and submits it to every site is giving the support people at every site the means to bypass all his password protections since that will be stored cleartext.

      --
      ...
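      The comment above makes a point that applies on the server side regardless of what the user types: if the secret answer is stored in cleartext, anyone with a support console can read it. The added example below (not code from any poster or site in this thread) shows the defensive counterpart: store secret answers the way passwords are stored, normalised so that harmless variations in case and spacing still match, then salted and hashed with PBKDF2 so that the stored record cannot be turned back into the answer. The iteration count and the sample answers are assumptions for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Work factor for PBKDF2; assumption for illustration, tune for your hardware.
ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a secret answer so harmless variations still match.

    Applies Unicode NFKC, case-folds, strips surrounding whitespace and
    collapses internal runs of whitespace, so "  Meg " and "meg" compare equal.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a secret answer; store both, never the answer."""
    if salt is None:
        salt = os.urandom(16)  # per-record random salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed sample: the record a site would keep for one account.
    salt, digest = hash_answer("Meg")
    print(verify_answer("  meg ", salt, digest))   # matches after normalisation
    print(verify_answer("Fido", salt, digest))     # wrong answer is rejected
```

      With this in place a support agent sees only a salt and a digest, so the scenario in the comment (staff reading the stored answer and using it to bypass the password) no longer applies; the trade-off is that support can no longer "remind" a user of their answer, which is the right trade-off for anything that unlocks an account.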
    2. Re:Ok, stop the smart ass solutions by Anonymous Coward · · Score: 0

      Are people missing the problem, or seeing the problem, knowing they are not in a position to fix it, and sharing their work-arounds for this security issue?

      The fix for this problem is simply not to have the dumb-ass questions in the first place, but that is controlled by the site admin.

  45. And before that... by itsdapead · · Score: 2, Insightful

    Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.

    Trump that: E.E. 'Doc' Smith pointed out sometime in the 1930s that what the world really, really needed was a foolproof way of establishing someone's identity. Unfortunately, his solution was to have some omnipotent aliens come up with a magic identity bracelet, which isn't particularly helpful.

    That's the real problem - these dumb-ass methods of establishing identities come about because there is no good solution on offer to let a service provider check that you are who you say you are - and no way do we trust our wonderfully tech-savvy governments or industries to set up and run one.

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
    1. Re:And before that... by jonaskoelker · · Score: 1

      and no way do we trust our wonderfully tech-savvy governments or industries to set up and run one.

      We have such a thing in Denmark, "Digital signature" (an RSA key pair). It works fine for twiddling your taxes on-line, and other public services, but unsurprisingly I can't use it to log in here at slashdot.

      Unless all governments agree on at least some kind of interoperability, it won't see widespread use. And East Bumfukistan will probably not have the kind of identity verification you'd want, even though a piece of paper may disagree.

  46. passwords.txt by MindKata · · Score: 1

    "Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience."

    Not really, he just keeps OIYNTDttye7it867t&%&^%&^T( in a text file near his root directory called passwords.txt ;)

    --
    There are 10 kinds of people in the world... those who understand binary and those who don't.
    1. Re:passwords.txt by clone53421 · · Score: 1

      Don't forget to have Limewire share C:\.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  47. Those ICQ - Hotmail days... by Anonymous Coward · · Score: 0

    Ahhh this reminds me of all the interesting things you could find about random people in their Hotmail (and I think Yahoo) mail accounts...

    You only needed to do a global search for ICQ profiles (that matched some of your criteria like having a hotmail) and look for the "filled" profiles...

    From there you went from hotmail and asked for a "forgotten password"... form, usually it will ask you things like your date of birth or other stupid info like that and more usually than not, the secret question was "where were you born, etc".

    I guess something similar could be achieved with today's Facebook... the only difference is that the contact information is private by default :(

  48. Security Question by flickwipe · · Score: 1

    "What's the difference between an orange?"

  49. Surely these are used as a second layer by argent · · Score: 1

    The only time I've run into these being used is as a second layer after they send a hashed URL to my email address, so the attacker would have to have known which email account on which server I was using, then discovered the password to my mail account or set up a MITM attack on my mail server, before they even got to the secret question part.

    1. Re:Surely these are used as a second layer by Culture20 · · Score: 1

      I've seen them used as a way to reset the password, but also as a secondary, mandatory field during password authentication. The secondary field tripped me up because I had just generated random crap to throw in the fields.
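      The flow described in the parent post (a token sent to the registered e-mail first, the secret question only afterwards) is what makes the question a second layer instead of a bypass. The added example below is not code from the thread; it is a minimal reset-token service of the kind a site would need for that first step: the token is random, only its hash is stored, it expires, and it can be redeemed once. The 15-minute lifetime and the injectable clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links are valid for 15 minutes


@dataclass
class PendingReset:
    token_hash: bytes   # SHA-256 of the token; the token itself is never stored
    expires_at: float
    used: bool = False


class ResetService:
    """Issues single-use password-reset tokens and stores only their hashes.

    The caller e-mails the returned token to the account's registered address;
    the secret question is asked only after redeem() has succeeded.
    """

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, PendingReset] = {}  # keyed by account id

    def issue(self, account_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[account_id] = PendingReset(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token  # goes into the e-mailed link only

    def redeem(self, account_id: str, token: str) -> bool:
        """True exactly once per issued token, and only before it expires."""
        entry = self._pending.get(account_id)
        if entry is None or entry.used or self._now() > entry.expires_at:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, entry.token_hash):
            return False
        entry.used = True
        return True


if __name__ == "__main__":
    svc = ResetService()
    t = svc.issue("alice")
    print(svc.redeem("alice", t))   # first use succeeds
    print(svc.redeem("alice", t))   # replay is refused
```

      Storing only the hash means a database leak does not hand out live reset links, and the single-use flag plus expiry bound the window in which an intercepted e-mail is useful; whatever secret question follows then adds to, rather than replaces, control of the mailbox.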

  50. 17%, eh? by Endo13 · · Score: 1

    So that means the average person should be able to guess the name of my first pet in 6 guesses, right? Go ahead. Try.

    --
    There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
    1. Re:17%, eh? by Cro+Magnon · · Score: 1

      I don't have, and never have had a pet (you insensitive clod). Maybe someone who knows me well enough might guess that I'd use my mom's pet for that question, but I'm not that worried about the few people who know me well enough to figure that out AND old enough to know her first pet's name.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:17%, eh? by Endo13 · · Score: 1

      That's a good guess, but no.

      --
      There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
  51. heck if I know! by bradley13 · · Score: 1

    Ach, I hate sites like that. Even if I wanted to, I can't remember my grade school teachers' names. And if I make up something spontaneous, I am guaranteed to forget it later... It's almost as irritating as all the different password guidelines out there: with or without special characters, digits, capital letters, etc, etc.

    --
    Enjoy life! This is not a dress rehearsal.
  52. What I do by DeHackEd · · Score: 2, Interesting

    Regrettably a few sites I visit regularly (including my bank) may prompt me for these questions, so a question of "Mash the keyboard!" and an answer of "alsjdgiosadln" no longer works.

    Instead, as someone already stated, I select a secret question of "What is my password?" and if it's necessary for a second, "Type my password backwards." (answer: drowssap)

    And finally, if it's a question to be asked by a human (tech support for an ISP I know of does this now), the question is something silly. As fun as "What are you wearing?" would be, I have sympathy for the employees and instead have "The Joker is invading Gotham - what do I do?"

    1. Re:What I do by DeHackEd · · Score: 1

      Hate to reply to myself, but I just remembered a good site I once registered with and I thought others might find it interesting or amusing. It asked me for a security question, but when I checked the headers at the top of the page it said I was already logged in and there was a View My Account button. Curious, I tried it and it worked and I didn't need to enter a security question. Awesome.

      Obviously, I tried logging out and in (asked me to set a question, ignored it) and tried a password reset. The reset failed because I didn't have a security question set. Even better!

  53. No one ever expects... by rlwhite · · Score: 1

    the Spanish Inquisition!

  54. delimited passwords by Anonymous Coward · · Score: 3, Interesting

    i, too, have always deplored the secret question. so many sites force you to use them but they are really just insecure back doors into your account.

    my solution? for years i've been treating passwords and secret questions as two fields each, delimited by a non-alphanumeric. for example: say my mother's maiden name is "harris", and i'm entering it as a secret answer on amazon.com. i would answer "amazon*harris". for passwords, i have a standard password, for example, "ninjasinmypants". at amazon.com, my password would be "amazon*ninjasinmypants". that way my password is different from site to site, but still easy to remember.

    add some password common-sense, e.g. not using dictionary words, and you end up with pretty strong passwords that are easy to remember.

    1. Re:delimited passwords by afex · · Score: 2, Insightful

      i've never understood this approach...if someone hacks your amazon account and sees that it's "amazon*ninasinmypants", don't i now know that your bank's password is "chase*ninjainmypants" and your ebay password is "ebay*ninjainmypants"? This is a serious question btw - i'm sure there's a good reason for doing this as i've heard of many people doing it, but i just never got it...

    2. Re:delimited passwords by Anonymous Coward · · Score: 0

      Not a bad suggestion.

      But pirates would be better.

    3. Re:delimited passwords by Anonymous Coward · · Score: 0

      i've never understood this approach...if someone hacks your amazon account and sees that it's "amazon*ninasinmypants", don't i now know that your bank's password is "chase*ninjainmypants" and your ebay password is "ebay*ninjainmypants"?

      This is a serious question btw - i'm sure there's a good reason for doing this as i've heard of many people doing it, but i just never got it...

      You are correct that it is insecure. Most people don't realize that it may very well be that the forum.freegamesnow.com site is the one that you give this password to and that they will be the vector through which it is abused.

      You need to either encode the password to be less obvious (rot 13 comes to mind) and/or add numbers to it if you do that. Frankly, "ninjasinmypants" is no different than using a "G" at that point.

      It sounds clever, but it really isn't. Neither is spelling secret s3cr3t.
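      The exchange above is about one concrete weakness: with "site*secret", anyone who sees the value stored by one site can read off the shared secret and rebuild the value for every other site. The added example below (not code from any poster) puts the post's scheme beside a keyed derivation, where the per-site answer is an HMAC of the site name under the master secret, so a captured answer reveals neither the master secret nor the answers for other sites. The site and secret strings are the ones the thread uses; the output length and encoding are assumptions for illustration.

```python
import base64
import hashlib
import hmac


def prefixed_answer(site: str, master: str) -> str:
    """The scheme from the post: site name, delimiter, shared secret."""
    return f"{site}*{master}"


def derived_answer(site: str, master: str, length: int = 16) -> str:
    """Per-site value derived as HMAC-SHA256(master, site).

    The site name is case-folded so "Amazon" and "amazon" derive the same value.
    Base32 keeps the result typeable; truncating it costs entropy but 16
    base32 characters still leave 80 bits, far beyond anything guessable.
    """
    mac = hmac.new(master.encode("utf-8"), site.casefold().encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii")[:length].lower()


def leaks_master(answer: str, master: str) -> bool:
    """Would a captured answer show the shared secret verbatim to whoever stores it?"""
    return master in answer


if __name__ == "__main__":
    master = "ninjasinmypants"
    for site in ("amazon", "chase", "ebay"):
        print(site, prefixed_answer(site, master), derived_answer(site, master))
    print(leaks_master(prefixed_answer("amazon", master), master))  # True
    print(leaks_master(derived_answer("amazon", master), master))   # False
```

      The derivation fixes only the cross-site leak raised in the replies; the master secret itself still has to be strong, and because the derived strings are not memorable they have to be recomputed or recorded somewhere, which is the job the "password safe" suggestion earlier in the thread already does without a scheme of your own.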

  55. Bank of America's account-access question by gznork26 · · Score: 1

    One of the questions that Bank of America uses to verify your identity for helping over the phone is "Which branch did you open your account at?" But then, for some people, they have a trick answer. For some reason, B of A unilaterally changed that information for my account, and then expect me to give the false answer in order to access my account. They can't explain why it was changed, and are incapable of setting it back to a true answer. I argued this all the way up to the Office of the President, and nobody there would even acknowledge that it was a bad precedent for them to insist that a customer intentionally lie to them.

    To make matters worse, their customer service claimed to be able to leave a note instructing agents not to ask that particular question. However, the note doesn't appear on their screen until AFTER they have asked their stupid questions.

    P. Orin Zack

    + + +
    Read my fictional account of corporate incarceration in the Business Short Stories section at http://klurgsheld.wordpress.com/

  56. Centrelink are retards (how not to do security) by the_raptor · · Score: 2, Interesting

    Here in Australia the Federal government department Centrelink (who are responsible for welfare, student support etc) make you answer a secret question every time you log on to their online system. Which is moronic as your user name is your customer ID you aren't supposed to give out, and they enforce strong passwords.

    Funny thing is that when you set a decent secret question you probably won't remember the answer over a year later (too clever for my own good). Of course their system is "smartly" designed and you can't get rid of your old questions, just make new ones. So now I have about five questions I can't remember the answer to and twenty that are along the lines of "What is your name?" and I just hit refresh until I get an easy one.

    Remember folks if you make your security too tight people will just write their passwords on a sticky note and put it on their monitor.

    --

    ========
    CINC, 4th Penguin Legion
  57. Mod Parent Up by Anonymous Coward · · Score: 0

    Set the secret question/answer up Jeopardy style.

  58. Makes sense. by man_ls · · Score: 1

    People who you trust, are more likely to know more details about your life. So, of course, they may come across information that could also be used for a secret question. But, then again, they are people you trust so it's less of a big deal. I've never known personally, and have only heard once on the Internet, of someone whose close friend cleaned out their bank account by guessing their secret questions.

    The real problem is that 17% of non-trusted individuals were able to piece together some of those answers.

  59. Making it easy on purpose? by CristalShandaLear · · Score: 1

    There is a possibility that people choose questions and answers that their nearest kin or friends could actually guess. In case of emergency or in the event of my death, there is the possibility that I would want my family to be able to access my main email.

    Not all of my email, but definitely my main one...

  60. It's easy by Anonymous Coward · · Score: 0

    My little brother, when he was 8 years old, decided to "hack" a little girl's email account. Her secret question was "What's my favourite colour?" He concluded that, since she is a girl, of course her favourite colour would be pink! Bingo! It worked, and he was able to reset her password. He wasn't clever enough to change her secret question so she was able to get back into her account.

  61. the really dumb questions by JustNiz · · Score: 1

    Especially stupid and annoying are the questions that assume everyone on the internet is an American, or at least follows American culture.
    ("What state was your high school in?", "who is your favorite baseball team?" etc)

  62. My bank is even more retarded by drinkypoo · · Score: 1

    From the time when you open your account to the time you first log in to the home banking system, your password is the last four of your SSN. Thanks, assholes. On the plus side, they only use secret questions to enhance login security (ever so slightly) by making it inline connecting from anyplace you haven't manually instructed their website to place a cookie on the system.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  63. Preset Questions suck by djnforce9 · · Score: 1

    Not sure if this was said before but one of the problems is that a lot of login systems do not let you choose your own question AND answer. You instead have to choose from a set of pre-defined (and probably very easily guessed) questions to which you can attach your answer. This prevents you from using the secret question as a secondary/alternate password. On top of that, some people just choose something highly memorable but easily guessed (much like their password itself is likely to be). I think your best bet is to just enter a nonsense answer (that doesn't reflect the question) but you then need to remember what that was should you ever have to retrieve your account details.

  64. I had fun with one of these recently by csnydermvpsoft · · Score: 1

    About a month ago, I had to make a bunch of tech support calls to my now former ISP for my business connection. A couple of years ago when I established the account, they asked me to create one of these, but this one was rather unusual in that I could choose any question I pleased. I chose "why should this type of 'security' never be used?" with the answer being "inadequate security." I had to answer that question over the phone about fifteen times over the course of a month, which took a little bit of the pain out of dealing with the incompetence at this ISP. Only a couple of the reps I spoke with seemed to get the joke, or (very likely) most of them didn't care.

  65. Not just insecure: UNRELIABLE by macraig · · Score: 1

    Several vendors, who I will kindly not name (you know who you are), have a nasty habit of using secret questions that are based around the concept of one's "favorite" things. It never occurs to them that one's preferences and favorites might actually change over time! What happens to the usefulness of such questions when what you favor has changed a year after you originally chose the question and its answer? Then it becomes a headache of trying to recall your past state of mind, similar to trying to recall former e-mail addresses used to set up online accounts.

    At the very least, if vendors feel a need to rely upon such secret questions as a security tool, the questions chosen should be OBJECTIVE and not dependent upon a person's emotions or state of mind. State of mind is malleable.

  66. Anyone can get the secret answer for that matter. by spaceturtle · · Score: 1

    "Yeah, so my dogs name is Rufus, whats yours?"
    "Fido huh? MWahahaha!"
    True story. When someone's been playing Runescape for half their life, they tend to forget their "secret question" and the need to keep it secret.

  67. Only wimps use backup passwords onto stick notes. by spaceturtle · · Score: 1

    Only wimps back up their password to a sticky note: _real_ men just upload their important passwords on ftp, and let the rest of the world mirror it ;)

  68. Just Lie by WallyHartshorn · · Score: 1

    The answers to my secret questions are always lies. I don't want to have to keep my mother's maiden name a secret, and if a friend asks the name of my first pet, I want to be able to answer honestly.

  69. Security is about context, not "strength" by gilgongo · · Score: 1

    This is the part "security specialists" don't get: when it comes to humans and security, it's all about the *context* in which the negotiation between perceived risk, convenience and reward takes place. A study such as this is trying to study the wrong thing. It's not the fact that people choose insecure passwords, or guessable questions - everyone knows that - it's WHY THEY DO that matters.

    Here's a hypothetical scenario. You are asked to create an account on a site called "wobble your bum cheeks" which lets you upload pictures of your behind and make them look like they are wobbling hilariously. As part of the signup process, you are asked to choose a password. What do you do?

    a) Choose something you are unlikely to forget (like "password" or "forgetmenot")

    b) Choose a strong password like (like "L0Lcatz" or "baz00kas")

    c) Don't bother to sign up

    Thinking about those choices, what sort of things run through your mind? How is the dialogue between perceived risk, convenience and reward panning out? Now add some extra spice: the site demands you also choose a security question. Same three options broadly apply. Same negotiation.

    Now repeat the above in a different context: applying for an online bank account. Now what do you do? Do you see where I'm going with this?

    FAR, FAR more research is needed into CONTEXTUAL security - the "human factors" around it and the reasons WHY people exhibit certain behaviours when faced with the above negotiation. Until then, TFA can kiss my dick. Who cares. Really.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  70. I didn't need a study to know that by Anonymous Coward · · Score: 0

    My answer to the secret question has always been a random key sequence and a mental note not to trust the security of this obviously incompetent service.

  71. Over the phone verification by Jave1in · · Score: 1

    I had a registrar confirm my identity by asking me to answer the secret question I set up. The question I made up was "What is the fucking point of this security question bullshit?" Unfortunately I couldn't answer the question because I was laughing so hard hearing him read it with a thick Indian accent.