Slashdot Mirror


Study Shows "Secret Questions" Are Too Easily Guessed

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.

21 of 303 comments

  1. Don't use them by slart42 · · Score: 5, Funny

    I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

    1. Re:Don't use them by Shin-LaC · · Score: 4, Insightful

      Unfortunately, many sites require you to set up a secret question for password recovery. Disabling that facility is actually desirable if you want to enjoy the strength of password security.

    2. Re:Don't use them by Anonymous Coward · · Score: 5, Interesting

      Some services let you choose the question as well as the answer. In that case, I always set the question to "What is my password?"

    3. Re:Don't use them by zonky · · Score: 4, Informative

      Password safe, add the question and give a randomly generated combination as the answer. Problem solved.

    4. Re:Don't use them by Xest · · Score: 4, Insightful

      Not only that but when I have used them I've found them annoying as they're often case sensitive and it's easy to forget what you entered or how you entered it. What is your dog's name? Which dog? What is your date of birth? What date format?

      They're just bad all round, often the questions you get to choose from either fall into the category of far too easily guessed/socially engineered such as where were you born which 90% of people you've ever met can tell from something like your accent or where you work and live if you never moved away or they fall into the category of being too ambiguous such that when it comes back to remembering how you entered it 3 tries will probably get you locked out.

      Creating a list of questions that truly are secret and of which at least one is common to everyone is near impossible. You could start asking things like "Who at your workplace would you most like to sleep with" but I don't think most people would want to answer such intrusive questions!

    5. Re:Don't use them by pkretek · · Score: 4, Interesting

      I always sha those stupid questions with a related answer and some number: echo -n MyPet01|shasum -

    6. Re:Don't use them by pbhj · · Score: 5, Interesting

      I bet it stores the answers as plain text instead of hashing it like your pass. You're probably basically giving the support guys your password, hope you don't use it elsewhere ... but no, of course no one would make a system that retarded

    7. Re:Don't use them by Jurily · · Score: 5, Insightful

      Hence, rendering the whole facility useless, and causing you extra inconvenience.

      Disabling an insecure security feature is not an inconvenience.

    8. Re:Don't use them by dargaud · · Score: 4, Funny

      I always set the question to "What is my password?"

      I would set mine to "What is t1f2l3g4 ?" with the answer being "Not my password!"

      --
      Non-Linux Penguins ?

    9. Re:Don't use them by baxissimo · · Score: 4, Informative

      That's the Bible, Genesis 1:1.

  2. Not bad if used with email by Zouden · · Score: 4, Insightful

    Secret questions are only less secure than passwords if they tell you the password right away. But if they reset the password and email the new one to a pre-specified email account then just guessing the answer isn't enough; you'd have to have access to the victim's email account too.

    This doesn't really work that well if the password is actually for someone's email account, though.

    --
    "A week in the lab saves an hour in the library"

    1. Re:Not bad if used with email by tylerni7 · · Score: 4, Insightful

      If you were just emailed a new password without having to provide the answer to a short question, obnoxious people could reset your password every 8 hours or something.

  3. Secret Question are easier than the password by rolfwind · · Score: 4, Interesting

    What is the surprise? They don't have to follow the same rules as passwords (letters and at least 1 number, etc) that many sites enforce. Plus, if they don't let you make your own question, they pretty much stick to the same stupid, generic 5-8 questions they all have.

    If someone really wanted to go on a phishing expedition, they would open a site that requires registration, security questions, and all that, and then try the information on the webmail of the people who just registered. Probably would work phenomenally as well.

    If websites wanted to be truly secure, they would ask for a mailing address or at least a phone number to confirm resetting things (thinking of financial accounts, not stupid forums). They confirm the same inane, easily duplicable facts in real life, but at least they have to reach you at a confirmed safe location.

  4. I agree by jez9999 · · Score: 5, Funny

    Secret questions are way too easily guessed. They should just stick to the most reliable password of all, mother's maiden name. Who the hell else would know that?

    1. Re:I agree by will_die · · Score: 5, Insightful

      Who the hell else would know that?
      Every other web site that you visited that asked that question.

  5. Why don't... by Jamamala · · Score: 5, Interesting

    You just submit the hash of your answer as the real answer? This would outwit a sizeable proportion of attacks by people who know you, as they might be unlikely to guess that you'd do this, and even if they do, they'd still have to guess the hash type.

    Then again, if they truly know you, then maybe they'd guess you'd be this paranoid :P

  6. I use a physical book. by Rosco+P.+Coltrane · · Score: 4, Interesting

    If I'm allowed to choose the question, I use the time-tested method that was used in 80s games, which is "word in page x, line x, x-th word". If I'm not, it's usually a "pet" or "mother's name" question and I use the characters names or animals in the book.

    I also use the book as a source for passwords for the many accounts I have everywhere on the internet. I spell out the login name in the book (say "Mylogin") by looking for the first word starting with "M", then the next word with "y", then the next word with "l", etc... until I find a word that starts with "n", use the very next word that's 8 characters or more, append the line number, and that's my password.

    I usually remember most passwords I use all the time, but for the accounts I seldom use, the book title is the only thing I need to remember to recover my passwords. Given the size of my library and the fact that the book is a huge, boring French novel, tough luck even for a burglar to find it.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash

  7. Spot on by pjt33 · · Score: 5, Interesting

    Shame I just used my mod points. There are plenty of cultures in which women don't change their names when they marry, and even in those where they do they tend not to change them unless they marry, which is becoming less common. Fortunately banks are starting to wake up, and maybe in a decade they'll all have semi-sensible account security.

  8. Re:You do have secrets... by pjt33 · · Score: 4, Funny

    Yes, but "Where are the bodies buried?" isn't really the question you want to choose for password recovery.

  9. Re:encrypted password file by ortholattice · · Score: 4, Insightful

    "When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file."

    Well, that's clever, everyone should do that. I'll have to teach my grandmother to write perl scripts, then remember what she called it, where she stored it, and how to run it every time she is asked one of these retarded questions. Oh, and also how to save the output to her gpg file after remembering what her gpg file was called and where she stored it and what its password is.

    If you (presumably) guard your passwords carefully (in this same gpg file?), why do you even bother saving the answer to the "secret question"? Just type a bunch of random keyboard characters (bang hard, using the opportunity to release the pent-up frustration), don't save it, and be done with it. Isn't that faster than going through the perl script rigamarole?

    For most things - various user forums, etc. - I don't give a damn about all this password/secret question paranoia. If they crack it, so what? I haven't changed my slashdot password since day one, it's easy for me to remember, and if someone cracks it and "steals" my "identity" here, well, I would probably find it amusing.

    There are a relatively small number of things, such as bank accounts and trusted access to other people's networks (and yeah, my servers' roots) whose passwords I protect very carefully. Almost none of those things involve extra secret questions in case I forget the password, or if they do I give a gibberish answer I don't save.

    (OK, I have a CISSP cert, and those hyperparanoia-filled meetings I have to go to to keep it up sometimes make me want to scream).

  10. Ok, stop the smart ass solutions by fph+il+quozientatore · · Score: 5, Insightful

    So, it seems every slashdotter is submitting his best SHA1 fancy trick to answer the security question. But I think you missed the problem. The problem is not securing the accounts of smart tech-savvy people, as they should already know how to do it themselves. It is "how do we make sure that Joe the Plumber, Granny, and Sarah do not set dumb-ass security questions leading their account to be pwned in less than ten seconds?"

    --
    My first program:

    Hell Segmentation fault