Secret Security Questions Are a Joke
Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; applicable — the question should be possible to answer for as large a portion of users as possible; memorable — the user should have little difficulty remembering it; and safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden name,' concludes Rosen. Passwords have reached the end of their useful life, adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"
Let people design their own question.
I find the security questions I like best are the ones I can make up myself. I typically use nonsense phrases that only I know the answer to. Unfortunately most sites would prefer you pick one of several 'standard' questions like the examples OP provided.
I'm sorry. Apple cannot make mistakes anymore. Clearly this is just anti-Apple-types trying to give the greatest, most wonderful, most lauded, most glorious company that has ever or will ever exist.
I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.
The world's burning. Moped Jesus spotted on I50. Details at 11.
What is your quest?
What is the air-speed velocity of a coconut-laden swallow?
"Flyin' in just a sweet place,
Never been known to fail..."
The best use of security questions is to answer them dishonestly/humorously with responses you will remember, or can write down.
Favorite movie? Gigli
First Car? Moon Rover
Mother-in-law's name? Dead
etc..etc..
I swear they give me mod points to shut me up.
Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.
Of course, that does no good if Apple simply ignores the security questions.
Joke's on them! I've never had a girlfriend!
I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.
I had to resort to adding layers of generations when my (now ex) wife attempted to open credit cards behind my back.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Just treat them like I do. Select any "question" and type another password into the answer box (one that you never give out).
Should it come to a password reset where you're asked for it, no, NOBODY will ever guess it and you'll be able to reset your password either automatically (if they allow you to), or via a customer service representative (who will be wondering why your mother's maiden name was AH8hfds86, but who cares?).
Just as secure as anything else and requiring you to give out zero additional personal information, and totally UNABLE to be discovered by someone who happens to know you, for instance (unlike DOB, maiden names, etc.)
Many security questions are a failure from the start due to poor selection. While one would expect that a security question would challenge an objective fact, many of them don't. Instead they challenge subjective facts, most often "favorite" things. What happens to a person's answers when his mental list of favorite things has changed? I've encountered some instances where these "favorite" questions were so prevalent that there wasn't even one objective question as a choice. While it's true that "favorites" might be less susceptible to data mining than objective facts, the last thing security questions should ever do is create the possibility that the legitimate user might be locked out because he can't recall what his "favorite" was at the time of the account's creation. This is akin to the bad habit of using e-mail addresses as usernames. What's more, many of these choose very poor subjects that lead to potentially ambiguous answers; there have been many occasions when I couldn't decide the correct answer to a "favorite" question even at the time of creation, much less a year later.
We need real security - which comes from an obvious list of last attempts to log in. That way we know when and where (the IP address tells all) someone tried to log into our accounts. If we don't recognize the times and places, then we can act.
We certainly can't trust the websites themselves to protect us.
excitingthingstodo.blogspot.com
Question 1: Why did the chicken cross the road?
Question 2: Why is six afraid of seven?
* dodges tomatoes *
/* No Comment */
This right here is at the core of almost all problems in the world: the inability of people to differentiate between the actions of an individual and a group, or projecting the individual actions into a collective mindset.
Yeah, totally sucks how everybody does that.
They are de facto alternative shared secrets used for authentication, so that instead of there being just one password that will open an account there are more. Because the answers are mostly things we don't think of as particularly secret and many systems use the same sets of questions, the result is what everyone knows is bad practice: a weak password used in many places.
The right fix for the "security question" mess is not better questions or trick answers, it is to eliminate the process that demands them. A human-mediated password reset process is always going to be subject to social engineering and if the humans mediating that process are low-skill CS reps whose work is only deemed to be worth the prevailing call center wages in Chennai or Manila, the social engineering is likely to be unchallenging. If you must offer a way for a user to recover an account for which they've forgotten the password, it should not be vulnerable to attack via research or pleading.
...that ask for your first pet, because while people can figure out my current and even some former pets, there's nobody I've probably even told in REAL life about my first pet, Aflie, a baby chick I had for a few days. So with that question I'm totally safe.
This space available.
It's the answers. For the best security the answers should have nothing to do with the question, just like you see in all those old spy movies:
Q: What is your favorite color?
A: walkaboutclock
Q: What was the name of the street you grew up on?
A: g!blix05
When only the account holder can possibly know the answers then there can be no social engineering to bypass the security.
None of this, of course, has any effect if policies and procedures at the vendor site allow for the questions to be bypassed. As I have posted elsewhere, we don't know the contents of the alleged call; the operator could have been threatened, blackmailed, bribed or even an accomplice.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Those with memorable answers are precisely those most likely to be very important (i.e. likely public or easily accessible) information.
You're stuck with "What is your mother's maiden name?" (visit a genealogy website and search for the person to find out) or the alternative, "What was the phone number of the first person you ever dated?" (Something you yourself likely can't find.)
I've noticed a sharp rise in these kinds of difficult-information questions in recent months. The problem is that if I have to go digging through my personal archives to find the information (if I can even find it at all), it's quite possible that I won't be able to find it when I need it later on, and likely that I won't simply remember it offhand.
I know people that have taken to generating secure random passwords and using these as the answers to questions, then keeping a spreadsheet with (a) domain, (b) questions, and (c) the random password generated for each question. But of course then there's a spreadsheet hanging around that contains this information, and the labor overhead involved becomes a disincentive to take the questions seriously at all (which is why I also know a person that answers every single security question they're asked to answer with "None".)
But seriously, at the practical level, who can answer:
What was the first name of your third grade teacher?
What was the nearest cross street to the home you lived in as a child?
Who was your sports or other hero at eight years old?
What was the name of your boss on your first job?
All of these kinds of questions dig back into obscure things that haven't been important to most people in many years, not to mention that many people wouldn't have known in the first place, and/or the answers could be so ambiguous that you'll struggle to remember what you entered ("Superman?" "My dad?" "Neil Armstrong?") given the ambiguities and categorical thinking involved.
I tend to think that the answer to security is a social one—calculate the risks and use "good enough" security, then assume that some percentage of security cases will fail and maintain resources/insurance to address the resulting cases in a way that allows you to continue to do business and gain users/customers. More or less what happens with banking right now.
STOP . AMERICA . NOW
Use an algorithm.
Use real answers, but replace vowels with the letter Q. (for example)
Mother's maiden name: Smith => SmQth
First pet: Spot => SpQt
Just make up a general rule. This is what I do with my passwords. They are based on a rule that I can remember. Then you can apply that rule to any password.
Like switch the first and last letters. Smith = hmitS, Spot = tpoS. Or use numbers. Or a combination. It quickly looks like nonsense, but if you use a rule then you can apply it. Or change it. If you have to change a password, then switch from using Q to W, then E, then R, then T, etc.
You can even write down your rule in plain sight. If I wrote down "flip Q" as a reminder, it would remind me to flip the first and last letters, then replace vowels with Q.
And I just came up with this one for this post. The one I actually used is based on something nobody could guess, and has been altered over the years so that I am the only one that knows it. And it works! I still remember an intern at my first job left to go back to school in 1994, and he told me his unix password in case I needed to get into his account. It was CIrpotb ("Clearly I remember picking on the boy") from Pearl Jam's song Jeremy.
My beliefs do not require that you agree with them.
These things are not about security - they are about convenience. Primarily they are used for self-service password resetting. I don't think beefing up the "security" on convenience questions is really very helpful.
If you are serious about your security, you should pick randomized strings to use as the answers to the convenience questions, then store them in a nice secure password safe.
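The two points above (security answers are de facto extra passwords, and the safest answer is a random string kept in a password safe) imply the same handling on both sides. The following is an added example, not code from any poster on this page: a user-side random-answer generator plus a server-side enrol/verify pair that stores answers only as salted slow hashes, with the normalization a real site needs so that a human-typed "Smith " still matches. Function names, the record layout and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string
import unicodedata

# Constructed illustration; names, record layout and iteration count are assumptions.
ANSWER_ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols
PBKDF2_ITERATIONS = 200_000


def generate_random_answer(length: int = 16) -> str:
    """User side: a random answer to keep in a password safe.

    Lowercase only, because the verifier below case-folds answers; a mixed-case
    string would silently lose entropy once the server folded it."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def answer_entropy_bits(length: int = 16) -> float:
    """Entropy of a generated answer: log2(36) per symbol, about 82.7 bits at 16."""
    return length * math.log2(len(ANSWER_ALPHABET))


def _normalize(answer: str) -> bytes:
    # Human answers are typed inconsistently ("Smith", " smith"); fold Unicode form,
    # surrounding whitespace and case so the legitimate user is not locked out.
    return unicodedata.normalize("NFKC", answer).strip().casefold().encode("utf-8")


def enroll_answer(answer: str) -> dict:
    """Server side: store a salted slow hash of the answer, exactly as for a password.

    The plaintext never reaches the database, so a breach of this site does not
    leak an answer the user may have given to other sites as well."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Constant-time check of a reset attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(candidate), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    answer = generate_random_answer()
    record = enroll_answer(answer)
    print(answer, round(answer_entropy_bits(), 1), verify_answer(record, answer))
```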
How did the summary miss the chance to mention Facebook? Oh, they don't mention the F-word (!!) for once when it makes the Zuck look bad?
For lists of questions that don't include "design it yourself", Facebook is the Walmart of Secret Question Busters.
(Simulation)
"Yay, I feel special, I made a Facebook account! Let's tell the whole world who I am! I'm ______ ______, I born and raised up in Philly, shout out to all the Main Street peeps! My whole family is there in Philly. Let's Like Mom, and Mom's whole family! I named my cat after Susan Boyle's, Pebbles."
(Later, looks at security questions. "Doh!")
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
In Mexico, the two banks I use use two-factor authentication — A password (with some non-obviousness requirements, but yes, in the end they put stupid hard limits on the entropy, such as a maximum of 8 characters) and a security token. I have had one for over six years (lost the second one, but it lasted ~5 years on me) without a hiccup.
They are now telling me it's safer to kill the tokens and use a SMS to my cell phone as the second factor. Right, as if there is phone coverage always, everywhere. As if SMS messages are always instantaneous. As if I always have my phone on me. As if I never travel overseas (and avoid using the phone because of the roaming costs).
So, by the end of the month, one of the banks will stop accepting a perfectly safe security practice.
How do you deal with sites whose stupid password "complexity" rules disallow the passwords generated by an app like LastPass? You know, the braindead rules that ignore total length, and only care that 3fa456d9eee71e8b doesn't have uppercase characters, has three 'e' characters in a row, has a 3-character sequence like '456', and/or lacks punctuation? Or worse, sites that reject it for HAVING digits, or being 16 characters instead of 12(max)?
I tried a program like that ~6 years ago (I forget which one... it was for PalmOS), and ended up getting totally frustrated because more than half the sites I used were intolerant of the passwords it generated. Even when I forced the program to generate what I thought might be the least-common denominator acceptable to most sites (exactly 8 characters, forcibly mixed-case with at least one digit), I STILL ran into sites that rejected them for stupid reasons that had nothing to do with real entropy, and everything to do with the fact that the web app's author apparently didn't know how to use Javascript properly (half the time, they only did client-side validation, and it was obvious that the main reason for some of the rules was the author's inability to do proper Javascript regular expressions).
Of course, let's not forget the joy of trying to use an app like that with a mobile phone and banking apps that bend over backwards to prevent you from entering the password in any manner besides one character at a time, by hand, using an onscreen keyboard that shuffles itself around after each character, from rote memory. Or even the stupid mobile website for an unnamed pizza chain that acts like your online ordering credentials are the arming keys to America's nuclear missiles (despite not actually storing your credit card or any other sensitive info online), and hasn't gotten an order from me in years because I don't have the patience to deal with them.