Secret Security Questions Are a Joke

← Back to Stories (view on slashdot.org)

Secret Security Questions Are a Joke

Posted by timothy on Thursday August 9, 2012 @03:01AM from the totally-true-thesis dept.

Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden's name,' concludes Rosen. Passwords have reached the end of their useful life adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"

42 of 408 comments (clear)

Min score:

Reason:

Sort:

Simple solution by Anonymous Coward · 2012-08-09 03:03 · Score: 5, Insightful

Let people design their own question.
1. Re:Simple solution by NeutronCowboy · 2012-08-09 03:11 · Score: 5, Insightful
  
  Even simpler solution: design your own answers. Yes, you'll get funny silences over the phone when you tell that the rep that you were born "On the moon", that the street you grew up on was "the yellow brick road", and that your mothers maiden name was Humpty Dumpty. The upshot is that no one can guess, the answers are meaningful to only you, there is only one answer (the fake, important name and place), and, because the answers are whatever you think they should be, applicable.
  
  --
  Those who can, do. Those who can't, sue.
2. Re:Simple solution by Hognoxious · 2012-08-09 03:16 · Score: 4, Insightful
  
  The problem is that if you don't use them very often (say only for a password reset) it's easy to forget what answers you gave.
  On trick is to give true answers, but for someone else, i.e. you answer as if you were Linus Torvalds or Queen Victoria. But then you still have to remember who ...
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
3. Re:Simple solution by fredprado · 2012-08-09 03:17 · Score: 5, Insightful
  
  And they are within their rights to do so and suffer the consequences for it.
4. Re:Simple solution by PerfectionLost · 2012-08-09 03:18 · Score: 5, Funny
  
  I had a friend who built an entire fake persona that she used to answer her security questions. Address, parents, pets, you name it.
  In hind site she was probably a little schizophrenic.
5. Re:Simple solution by Qzukk · 2012-08-09 03:18 · Score: 4, Informative
  
  I once had an account on a site that asked me to select three questions from a list of a couple dozen then answer them.
  When I needed to recover my password, it asked me to select the same three questions from a list of a couple dozen then answer them again.
  I never managed to recover my password.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
6. Re:Simple solution by Isaac-1 · 2012-08-09 03:19 · Score: 5, Insightful
  
  And as long as you always answer 42, or 416 what is the problem with that?
7. Re:Simple solution by Anonymous Coward · 2012-08-09 03:22 · Score: 3, Interesting
  
  Mine is, "What do you hate about c++?" when it is optional. People are good at making up their own questions if they care. And security is only as good as you care about it. It is impossible to force people to use security despite the attempts.
8. Re:Simple solution by MightyYar · 2012-08-09 03:23 · Score: 4, Insightful
  
  I don't think that would fly. If a person's bank account gets hacked, the bank usually (always?) picks up the tab. It's in their interests to get people to bank online - it is significantly cheaper than hiring tellers. If I were on the hook for security flaws at the bank, I'd never bank online.
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
9. Re:Simple solution by Hythlodaeus · 2012-08-09 03:31 · Score: 4, Insightful
  
  The purpose of security questions is not security - its reducing customer service workload due to forgotten passwords.
  In most implementations its an overall reduction in security, since the security questions constitute a backdoor to the password, rather than an additional factor of authentication.
  
  --
  For great justice.
10. Re:Simple solution by MightyYar · 2012-08-09 03:31 · Score: 3, Insightful
  
  At the same time, expecting people to be security experts is not going to be successful. You might have a good grasp of it, but chances are you have some exposure to it. It might not occur to your proverbial grandma that people can track down her mother's name.
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
11. Re:Simple solution by Sqr(twg) · 2012-08-09 03:38 · Score: 3, Informative
  
  Or go to passwordmaker.org, and use the security question (all lower case and no punctuation) as URL and your own secret password. Set the character set to hex digits so that the answer is easy to read out over the phone.
12. Re:Simple solution by bluefoxlucid · 2012-08-09 03:40 · Score: 3, Insightful
  
  The problem with that is I've got a 50% chance of getting it right. "Templates" or "operator overloading."
  
  --
  Support my political activism on Patreon.
13. Re:Simple solution by bluefoxlucid · 2012-08-09 03:41 · Score: 5, Funny
  
  For phone stuff I set security questions like "Would you like to have dinner some time?" or "Wanna have sex when I get off?" and call to tease the cute customer service girl.
  
  --
  Support my political activism on Patreon.
14. Re:Simple solution by Anonymous Coward · 2012-08-09 03:45 · Score: 5, Funny
  
  You mean the cute customer service Indian guy.
15. Re:Simple solution by Hatta · 2012-08-09 03:55 · Score: 4, Insightful
  
  That doesn't solve the real problem, that banks think that these question and answers provide any sort of security whatsoever. What is the difference between this Q&A scheme and a password? Specifically, these security questions are exactly identical to a password that is stored in the clear (no hash, no salt) and is intended to be communicated to humans, and for which an attacker only has to guess one out of 4 correctly?
  We know that this is bad practice for passwords. Why do we tolerate it for "security questions"?
  
  --
  Give me Classic Slashdot or give me death!
16. Re:Simple solution by KhabaLox · 2012-08-09 03:58 · Score: 5, Funny
  
  It might not occur to your proverbial grandma that people can track down her mother's name.
  That's because, as everyone knows, people from Proverbia are idiots.
  
  --
  Ceci n'est pas un sig.
17. Re:Simple solution by Cinder6 · 2012-08-09 04:05 · Score: 4, Interesting
  
  Hell I did it with Blizzard for what, $30 and I got a plush toy.
  This has always bothered me. My Blizzard and SWTOR accounts have much stronger authentication (from a user perspective; not sure about the underlying technical security measures) schemes than my bank account. My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use. They also have no form of secondary authentication, such as Blizzard's Battle.net Authenticator. Finally, their security questions are a joke, all along the lines of those mentioned in TFS--"What is your mother's maiden name" and the like.
  My solution to bad security questions? Answer unasked questions. What's your mother's maiden name? Pepperoni pizza. What street did you live on? Empire State Building. Then use different answers for different sites, like you should your passwords. Just be sure you can keep track of them--either an encrypted file or a password manager program.
  
  --
  If you can't convince them, convict them.
18. Re:Simple solution by Cinder6 · 2012-08-09 04:06 · Score: 4, Funny
  
  A good idea, but I'd hate having to remember--exactly--a 5,000 word essay in case I need to reset my password.
  
  --
  If you can't convince them, convict them.
19. Re:Simple solution by glodime · 2012-08-09 04:19 · Score: 5, Funny
  
  She is you.
20. Re:Simple solution by ultranova · 2012-08-09 05:37 · Score: 4, Insightful
  
  For phone stuff I set security questions like "Would you like to have dinner some time?" or "Wanna have sex when I get off?" and call to tease the cute customer service girl.
  
  Nothing's funnier than harassing a minimum wage worker who has no choice but to take your shit or be fired, eh?
  Let me guess: you're a CEO?
  
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
21. Re:Simple solution by Bert64 · 2012-08-09 05:45 · Score: 5, Interesting
  
  I do similar, but with a wildcard subdomain so user@something.mydomain.com, the reasons for this are:
  1, spammers will try to brute force common email account names once they get a domain to target
  2, i can override the wildcard by creating specific mx records for a given hostname, and thus lose the spam without my mailserver having to process it at all, usually i redirect it to the mx records of the server that sold me out.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
22. Re:Simple solution by jmerlin · 2012-08-09 06:11 · Score: 3, Insightful
  
  What scares me the most, I think, is that several of the banks I've used have required ridiculously short passwords and relied heavily on these "security questions" as a second tier of authentication (as if that's more important than 64+ more bits of strength in the password). So you have to pick a password that's between 4 and 8 characters or some nonsense and answer some questions like "mother's maiden name" and "name of first employer" etc.
  
  What we need is some kind of authenticator or something. If you can't trust me to use a 24+ character password or provide me with a more secure means to log-in, I can't trust you to hold my money. It's that simple. Keyloggers still win against complex passwords. Blizzard solved the problem by using symmetric cryptographic protocols so a device that's highly unlikely to be compromised is the source of part of the key (a keychain or a smartphone app). Why can't banks do the same? What a damn shame.
23. Re:Simple solution by Culture20 · 2012-08-09 08:28 · Score: 3, Funny
  
  And what happens if you loose the salt?
  It dumps out into a big pile on my friend's plate. Hilarious.
24. Re:Simple solution by uniquename72 · 2012-08-09 08:41 · Score: 4, Informative
  
  And as long as you always answer 42, or 416 what is the problem with that?
  This is pretty much what I do. I have a password that changes based on the question, but isn't actually the answer to the question.
BYO by wstrucke · 2012-08-09 03:03 · Score: 4, Insightful

I find the security questions I like best are the ones I can make up myself. I typically use nonsense phrases that only I know the answer to. Unfortunately most sites would prefer you pick one of several 'standard' questions like the examples OP provided.
1. Re:BYO by nedlohs · 2012-08-09 03:16 · Score: 3, Insightful
  
  Making them completely pointless, since you'd only need them if you lost the password which would presumably also be in the password manager.
2. Re:BYO by HawkinsD · 2012-08-09 03:18 · Score: 5, Funny
  
  My favorite make-up-your-own pair, which a CSR at a bank was once forced to read to me over the phone:
  Q: "You're not going out dressed like that are you?"
  A: "You can't tell me what to do! You're not my real father!"
  
  --
  Never attribute to malice that which can be explained by mere idiocy.
3. Re:BYO by X0563511 · 2012-08-09 03:20 · Score: 5, Insightful
  
  I'd rather just be able to disable the questions entirely, relying on a good password and if that is lost/whatever, account specific information being verified by a human on the phone.
  My problems with these "secret questions" are:
  1. They are obviously stored cleartext
  2. They can be used to "substitute" for your non-cleartext password
  3. Because 1+2=3, if someone breaks in and grabs a dump of the table, they now effectively have your account. These "insecurity questions" are more of a liability if you are not one to just lose passwords. Crutch for the stupid, barrier for the secure.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
4. Re:BYO by captaindomon · 2012-08-09 03:49 · Score: 5, Funny
  
  From Bruce Schneier: Q: Do you know why I think you're so sexy? A: Probably because you're totally in love with me. Q: Need any weed? Grass? Kind bud? Shrooms? A: No thanks hippie, I'd just like to do some banking. Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men. A: Go forth, and kill. Zardoz has spoken. Q: What the hell is your fucking problem, sir? A: This is completely inappropriate and I'd like to speak to your supervisor. Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it. A: It's a good thing they're recording this call, because I'm going to have to report you. Q: Are you really who you say you are? A: No, I am a Russian identity thief.
  
  --
  Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
That's Not Possible by MightyMartian · 2012-08-09 03:03 · Score: 4, Funny

I'm sorry. Apple cannot make mistakes anymore. Clearly this is just anti-Apple-types trying to give the greatest, most wonderful, most lauded, most glorious company that has ever or will ever exist.
I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

--
The world's burning. Moped Jesus spotted on I50. Details at 11.
1. Re:That's Not Possible by nazsco · 2012-08-09 04:35 · Score: 3, Funny
  
  IPads only goes up to 10. 11 would be too complicated, like a second mouse button.
What is Your Favourite Colour? by Jeremiah+Cornelius · 2012-08-09 03:04 · Score: 5, Funny

What is your quest?
What is the air-speed velocity of a coconut-laden swallow?

--
"Flyin' in just a sweet place,
Never been known to fail..."
Who answers security questions honestly? by BMOC · 2012-08-09 03:04 · Score: 4, Insightful

The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.
Favorite movie? Gigli
First Car? Moon Rover
Mother In Laws Name? Dead
etc..etc..

--
I swear they give me mod points to shut me up.
1. Re:Who answers security questions honestly? by imagined.by · 2012-08-09 03:07 · Score: 3, Insightful
  
  I usually just generate additional passwords and save them in KeePass.
Don't Give the Real Answer by mikestew · 2012-08-09 03:06 · Score: 4, Insightful

Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.
Of course, that does no good if Apple simply ignores the security questions.
Use the First Girlfriend question by danbuter · 2012-08-09 03:09 · Score: 4, Informative

Jokes on them! I've never had a girlfriend!
Mother's maiden name by AnalogDiehard · 2012-08-09 03:18 · Score: 4, Informative

I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.

I had to resort to adding layers of generations when my (now ex) wife attempted to open credit cards behind my back.

--
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Security questions: FAIL by macraig · 2012-08-09 03:20 · Score: 4, Insightful

Many security questions are a failure from the start due to poor selection. While one would expect that a security question would challenge an objective fact, many of them don't. Instead they challenge subjective facts, most often "favorite" things. What happens to a person's answers when his mental list of favorite things has changed? I've encountered some instances where these "favorite" questions were so prevalent that there wasn't even one objective question as a choice. While it's true that "favorites" might be less susceptible to data mining than objective facts, the last thing security questions should ever do is create the possibility that the legitimate user might be locked out because he can't recall what his "favorite" was at the time of the account's creation. This is akin to the bad habit of using e-mail addresses as usernames. What's more, many of these choose very poor subjects that lead to potentially ambiguous answers; there have been many occasions when I couldn't decide the correct answer to a "favorite" question even at the time of creation, much less a year later.
It's not the questions by gerardrj · 2012-08-09 03:52 · Score: 3, Insightful

It's the answers. For the best security the answers should have nothing to do with the question, just like you see in all those old spy movies:
Q: What is your favorite color
A: walkaboutclock
Q: What was the name of the street you grew up on?
A: g!blix05
When only the account holder can possibly know the answers then there can be no social engineering to bypass the security.
None of this, of course, has any effect if policies and procedures at the vendor site allow for the questions to be bypassed. As I have posted elsewhere, we don't know the contents of the alleged call; the operator could have been threatened, blackmailed, bribed or even an accomplice.

--
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Then make it simple... use an algorithm! by gosand · 2012-08-09 04:33 · Score: 4, Interesting

Use an algorithm.
Use real answers, but replace vowels with the letter Q. (for example)
Mother's maiden name: Smith => SmQth
First pet: Spot => SpQt
Just make up a general rule. This is what I do with my passwords. They are based on a rule that I can remember. Then you can apply that rule to any password.
Like switch the first and last letters. Smith = hmitS, Spot = tpoS. Or use numbers. Or a combination. It quickly looks like nonsense, but if you use a rule then you can apply it. Or change it. If you have to change a password, then switch from using Q to W, then E, then R, then T, etc.
You can even write down your rule in plain site. If I wrote down "flip Q" as a reminder, it would remind me to flip the first and last letters, then replace vowels with Q.
And I just came up with this one for this post. The one I actually used is based on something nobody could guess, and has been altered over the years so that I am the only one that knows it. And it works! I still remember an intern at my first job left to go back to school in 1994, and he told me his unix password in case I needed to get into his account. It was CIrpotb, (Clearly I remember picking on the boy,) from Pearl Jam's song Jeremy.

--

My beliefs do not require that you agree with them.
Re:mother's name by TaoPhoenix · 2012-08-09 09:09 · Score: 4, Insightful

How did the summary miss the chance to mention Facebook? Oh, they don't mention the F-word (!!) for once when it makes the Zuck look bad?
For lists of questions that don't include "design it yourself", Facebook is the Walmart of Secret Question Busters.
(Simulation)
"Yay, I feel special, I made a Facebook account! Let's tell the whole world who I am! I'm ______ ______, I born and raised up in Philly, shout out to all the Main Street peeps! My whole family is there in Philly. Let's Like Mom, and Mom's whole family! I named my cat after Susan Boyle's, Pebbles."
(Later, looks at security questions. "Doh!")

--
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine