Secret Security Questions Are a Joke

Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden's name,' concludes Rosen. Passwords have reached the end of their useful life adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"

Simple solution

Let people design their own question.

Re:Simple solution

[NeutronCowboy]

Even simpler solution: design your own answers. Yes, you'll get funny silences over the phone when you tell that the rep that you were born "On the moon", that the street you grew up on was "the yellow brick road", and that your mothers maiden name was Humpty Dumpty. The upshot is that no one can guess, the answers are meaningful to only you, there is only one answer (the fake, important name and place), and, because the answers are whatever you think they should be, applicable.

Re:Simple solution

[fredprado]

And they are within their rights to do so and suffer the consequences for it.

Re:Simple solution

[PerfectionLost]

I had a friend who built an entire fake persona that she used to answer her security questions. Address, parents, pets, you name it.

In hind site she was probably a little schizophrenic.

Re:Simple solution

[Isaac-1]

And as long as you always answer 42, or 416 what is the problem with that?

Re:Simple solution

[bluefoxlucid]

For phone stuff I set security questions like "Would you like to have dinner some time?" or "Wanna have sex when I get off?" and call to tease the cute customer service girl.

Re:Simple solution

You mean the cute customer service Indian guy.

Re:Simple solution

[KhabaLox]

It might not occur to your proverbial grandma that people can track down her mother's name.

That's because, as everyone knows, people from Proverbia are idiots.

Re:Simple solution

[glodime]

She is you.

Re:Simple solution

[Bert64]

I do similar, but with a wildcard subdomain so user@something.mydomain.com, the reasons for this are:

1, spammers will try to brute force common email account names once they get a domain to target
2, i can override the wildcard by creating specific mx records for a given hostname, and thus lose the spam without my mailserver having to process it at all, usually i redirect it to the mx records of the server that sold me out.

What is Your Favourite Colour?

[Jeremiah+Cornelius]

What is your quest?

What is the air-speed velocity of a coconut-laden swallow?

Re:BYO

[HawkinsD]

My favorite make-up-your-own pair, which a CSR at a bank was once forced to read to me over the phone:

Q: "You're not going out dressed like that are you?"

A: "You can't tell me what to do! You're not my real father!"

Re:BYO

[X0563511]

I'd rather just be able to disable the questions entirely, relying on a good password and if that is lost/whatever, account specific information being verified by a human on the phone.

My problems with these "secret questions" are:
1. They are obviously stored cleartext
2. They can be used to "substitute" for your non-cleartext password
3. Because 1+2=3, if someone breaks in and grabs a dump of the table, they now effectively have your account. These "insecurity questions" are more of a liability if you are not one to just lose passwords. Crutch for the stupid, barrier for the secure.

Re:BYO

[captaindomon]

From Bruce Schneier: Q: Do you know why I think you're so sexy? A: Probably because you're totally in love with me. Q: Need any weed? Grass? Kind bud? Shrooms? A: No thanks hippie, I'd just like to do some banking. Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men. A: Go forth, and kill. Zardoz has spoken. Q: What the hell is your fucking problem, sir? A: This is completely inappropriate and I'd like to speak to your supervisor. Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it. A: It's a good thing they're recording this call, because I'm going to have to report you. Q: Are you really who you say you are? A: No, I am a Russian identity thief.