58 comments

[ 2.8 ms ] story [ 57.6 ms ] thread
A seemingly good question I ran into was "Enter the last 5 digits of your driver's license." I always have my driver's license with me, which sounds good. The problem is NJ driver's license numbers are actually encoding of your data. The last 5 digits are your birth month and year (MMYY) plus a digit that maps to your sex (0 or 1 for a female, 5 or 6 for a male). My Facebook profile contains the answer to the security question.
Never mind if I move to another state and throw out my old driver's license.
I also do not understand the usefulness of "secret" questions ... mostly the correct answer would be far too easy, so every one with access to my website, Twitter or Facebook pages would be able to answer it (or trick it out of me or someone who knows me).

So now there are a lot of accounts with some very strange answers to their secret questions - answers so far out that I would have to write them down along with the complex password... which makes them completely redundant.

There are about four ways of authenticating a person, in traditional security-think: something you know, something you have, something you are (fingerprint et al), and somewhere you are.

The secret question is an attempt at the first method. However, "what's your mother's maiden name" fails because it's so easily discovered through web sites (Ancestry.com!) and via social engineering.

I always give a standard answer to every secret question that has nothing to do with the question being asked.
Wait until you encounter some service like Yahoo Mail who absolutely refuse to change your password unless you remember the junk answers to the security questions. Even if I provided an alternate email contact, the security questions needed to be answered.

I stopped using them then.

Presumably if it's a standard answer, he'll not have forgotten any of them.
That's back to the "I use the same password on all sites" problem, which is essentially what he's doing - if he uses it on a site that's compromised, all of his logins are now potentially exposed.
That's true, although I do hash my answer with a domain-specific secret, I should have mentioned that.

If at all possible, however, I don't fill out the secret question. There are actually a good amount of major sites that let you skip that step.

I'd rather just be locked out if I forget the password, than have that be another vector for taking over the account.

Yes, absolutely. I was probably unclear; I wasn't trying to say it was a GOOD idea, just that it works.
I generate a random password-like string and store it in my password database.
(comment deleted)
Also, it turns out that "What is your usual password?" is a bad secret question.
I did something like this recently. I got to enter my own secret question and set it to "What's the usual?" meaning my usual password. Note, that this wasn't the password I was using for the site.

Fast forward a few months, and I call the site's billing department. The decide to verify my account by asking me my secret question. Queue the CS rep on the other end being extremely confused when I successfully name out a long string of characters that he thought was just corrupt data.

Your method is likely storing a plain text string that would grant access to other accounts you own.
True, but they're all throwaway account I don't care about. Things I do care about all have their own unique password.

Excellent point about the plaintext though.

Yeah, I've thought about doing this, but the problem is that the value is generally stored in plaintext and accessible to a wider range of support personnel than I'd be comfortable with.
Facebook is quite clever about this. To verify your identity under some circumstances, Facebook shows you pictures of your friends and asks you to identify them. It is up to you to figure out the best way to authenticate your users.
It's almost a clever idea, but what FB really does is show you pictures that have been TAGGED as your friends, when in reality it's up to whomever tagged them to be correct. And I've seen plenty of pictures of woodland animals, circus and carnival performers and other less respectable items tagged as my friends when they clearly are not. So, it can be worse than secret questions when you try to create an account somewhere and the secret question is "who is this?" and the picture is of a horse in heat doing what nature dictates.
However, I have heard that they do have some kind of face recognition technology in place to only show you real faces for verification.
So you get a bunch of pictures of your friends' babies?

Also, I don't recognize a lot of my friends because we all graduated high school together a quarter century ago and I haven't seen them since, unless we both attended the same reunion at some point.

Yeah, that's BS, I've gone through the process and had to identify friends by things like their elbow (lucky enough I knew the context of the picture and could figure it out).
I fully agree with the article and I am also one of the people that give bogus (but consistent) answers to these questions. So for example for 'what is your first pet' I fill in something like 'the last unicorn' or another phrase that has never left my brain.

The article also reminds me of another anecdote.Many years ago in the last millennium I checked out this German teenage forum (bravo.de) because well, I was a German teenager. Anyway, on that forum you could not only give the answer to the security question. They even allowed you to specify the question you want.

That feature amused me a lot and I checked out other people's self-made security questions. Being a teenager forum in the later 90s this is what happened. A very substantial number of forum users had the security question 'what is my favorite Backstreet boy' or a variation thereof. And, well, pretty much everybody loved Nick Carter. Nobody liked the others. In just one our I was able to log on to many, many accounts just with the phrase 'Nick'.

I'm working for a client right now that's requiring us to collect no less than three "shared secrets" from users who are signing up to buy a product. I can't imagine they'd have less than a 90% dropoff at that point in the sale process.

Oh, they're also requiring that we encrypt the answers in the database. With encryption keys stored on the same server. But that's a separate (and arguably sillier) issue.

Oh, they're also requiring that we encrypt the answers in the database. With encryption keys stored on the same server. But that's a separate (and arguably sillier) issue.

Well, that's fine. Just keep the decryption key somewhere else, or don't use an algorithm that can be decrypted.

While one-way encryption would be the obvious way to properly handle it, there is a need in this project for customer support to be able to see the answers to secret questions to verify them over the phone. And if we're automating that, then anyone who's into the system already has everything they need to recover the decryption key, even if it's elsewhere.
To verify the correctness, they can type provided answers and the computer will do its job, checking the hashes. That is, in case phone support person has immediate access to the computer (which is probably the case) and can type fast enough.

The only thing required is a well-designed text normalization algorithm, which will neglect all variations in case, spacing, punctuation, spelling (i.e. "color" vs "colour") and other similar sort of issues.

(In edge cases, where this may fail, the plaintext answers could be recovered by authorized person from off-site write-only-API "secret storage" server, where the data should lay encrypted with asymmetric crypto. Less convenient, but more secure.)

I hate these questions. Except for some questions, like "Mother's Maiden Name", there are a lot of them where I won't answer _exactly_ the same way every time you ask me... Where did I got to college? There are three conceptually equivalent answers (abbreviation with periods, abbreviation without periods, full name) that I might be inclined to respond. Even something as simple as the name of a dog or a make of car often has multiple answers.
Better than nothing, but that's still easily brute-forcible, even by humans.
No, it's not. I ran across one where apparently I had chosen "favorite restaurant" 10 years ago. I tried 5 likely candidates, and several passwords I use for these things. Nothing went.
But if even you can't guess the right answer, then that doesn't really count, does it? Hacker can't get access to your account, but neither can you. Might as well have entered sdaw4#$%@#$%#$5.

I'm talking about the scenario where someone either has your answer from another corrupted site, or tracks down the information publicly, like the kid who 'hacked' Palin's email.

Assuming you're using legit info, it's easy enough to try several reasonable variations of, say, University of Iowa, in the way a human would abbreviate it.

I think you're missing my point... these are very occasionally used passphrases that really aren't as easy to remember as one might think. At the same time as the article points out, they're easier than an random password to hack.

So worst of all worlds: harder to remember, easier to break.

This is what I really hate about secret questions. There may be many variations of the answer to a question.
Put even more simply: what good is having the best password security on earth if having a 'secret word' that's not subject to the same strict security requirements will still open up an account. I always find it horribly ironic when you're told over and over again, "don't use easy to guess things like birthdays, child or pet names, or your mother's maiden name as a password because it's easy to guess" only to have the next question be, "What is your mother's maiden name?"

The whole concept has always been silly; glad to read a well-rationed argument against it. But honestly, why should we even need such an argument?

I recall being asked by PayPal what the last four digits of the last credit (debit?) card I used was, when I needed my password.

Problem was that the card had been ditched months ago, so there was no way I was going to remember that. I eventually remembered the password, but I wonder how I would have gained access to my account otherwise.

Some people are too creative with password "security" for their own good.

(comment deleted)
Just use a different password for secret questions. It thus becomes impossible to guess or socially engineer.
Except that most peoples' passwords are incredibly easy to guess.
Well then it's not going to do much good as you could guess their password just as easily.
Are there any positives for security questions?? Well, I suppose secret questions are good for preventing brute force account recovery. You can't expect to beat security questions in a timely way with an automated attack. You would usually have to rely on manual search or social engineering, as pointed out by the article. But the real question is, why even allow account recovery via a publicly accessible web form in the first place?

So, I definitely agree with the article, there has to be a change. You sure can beat security questions (at least in their current state), but it's probably much harder to get around something like email or SMS verification.

Chase.com and cardmemberservices.com are good examples of SMS/email account verification done right, which I've used with great success, but both of these sites already had my personal phone number, so SMS verification just makes sense for them.

I suppose SMS verification is probably the closest thing we've got to real user verification at the moment, am I silly to consider this the ideal venue for account recovery?

The big issue, then, is it's definitely harder to get a user's phone number than to get their mother's maiden name, but skipping all that extra input and having a simple account recovery email should do the trick, shouldn't it? Most of the times you're already collecting user emails.

Well, the biggest issue with email is that an email account can also be compromised. Perhaps getting big email companies like Gmail to remove security questions from their apps in lieu of SMS verification is the next step, while everyone else just relies on email-based account recovery (unless SMS is an option). If email security was more rock-solid, then email verification is all we need, right?

Disagree - Security questions are much easier to brute force than passwords. Assuming that you can send an answer to the database quickly and automatically, and that you can select your dictionary based on the question, most of the questions are easy.

Names? http://www.census.gov/genealogy/names is a good database for the US; 1,711 names will get you the top 50% of last names for "Mother's maiden name", questions. 59 male names and 138 female names also represents 50% of the population (Yes, we're pretty unoriginal). There are <100,000 first and last names in total which cover 90% of the population. (not combinations)

Birthdates? There are 365 days in a year, so 36,500 numbers will cover this one.

Last N digits of your drivers' license/social security number/credit card? There are 10^N such numbers. N is often 4, which is a measly 1,000 numbers.

Pretty measly stats.

I see your point and suppose I stand corrected for the most common cases, so then I'm really wondering what the benefits of security questions are. They generally degrade the user experience and provide a publicly accessible avenue for compromising a user account.
SMS verification would be a lot more useful if cell companies didn't insist on charging over $1 million/GB for them (well, unless you sign up for their text messaging plan).

Thankfully, Chase does email as well.

(Verizon: 20¢ ea., so 1GB / ( 160 bytes/ea) * 20¢/ea = $1,342,177.28. Though you can get a plan for 250 for a mere $134,217.73/GB.)

I hope I did the math above wrong.

I think Secret Questions are even worse that described in the post. It creates a situation where one hacked web site can reveal critical personal information, such as mom's maiden name, that can be used across a range of sites and offline id theft vectors.

I also deeply resent random ecommerce sites asking for personal information like the name of my dog or high school. My answer is always a random variation of "none of your damn business." This has caused me some problems when I do need to reset my password, but contacting support resolves it.

Shouldn't the answers be hashed? It shouldn't be any worse than it would be for a password (i.e.: it shouldn't reveal it).
Yes, but do you trust them to do that?
I've had banks ask me some of these questions over the phone as a verification measure, so I end up assuming that the answers are available to phone reps in the system somewhere. Possibly not true everywhere, but at various banks I've been asked over the phone for: mother's maiden name, my city of birth, and at Citibank, something labeled an "account password" that I had previously chosen online, and didn't realize I would end up having to spell out orally over the phone to a rep! (Fortunately it's not the same as the citibank.com login password... it seems to be a password used only for this purpose of phone verification... but still, getting people in the habit of being willing to spell a password out over the phone to a rep isn't encouraging great habits.)
Even worse is when they ask for authentication with a yes/no question based on something personal about the account. "Is your mother's maiden name Smith?" "Are the last four digits of your social security number 1234?".
The name of your dog is "personal" information? Isn't it "dog-al" information? :)
Random (keyboard mashing, random enough) works a charm - I've found that support often give puzzled sounds over the phone, before moving on to other forms of identification that render the secret question irrelevant.

The exception is any website that doesn't require use of their prescribed questions.

I have a 'Secure Note' in my OS X Keychain which contains answers to every Secret Question. The answers are 12 digit random passwords (generated by Keychain) containing letters, numbers, and symbols.
I use 1Password to generate a 50-character random "answer" for these nonsense security questions. Then I store the question and the answer in a note tied to the 1Password record.

If they really wanted to get clever, 1Password should offer an option to perform this task automatically when you're filling out a registration form.

I basically do the same when they're required. And then I still get sites yelling because my dogs name can't have #$ in it! Or because I pasted the same complex second password into all three security questions!
Why store them in a note, instead of as part of the form data for the page so that 1Password can handle filling them in for you?
Yes, you're absolutely right. That's indeed what I'm doing in most cases.
My bank has a good one - you have to supply three pairs of associated words or phrases

It's upto you what to use as questions and answers

I agree with the point that secret questions suck, but the entire idea that any sort of second password as high-security is flawed. Daily WTF did a great write-up (http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx) on how real two-factor authentication requires two distinct forms - one based on what you know, and one based on what you have. Historically the "what you have" has been one of those RSA tokens but now Google is doing some two-factor using phones and it's easy to do this using text messaging as well (as someone mentioned). With this availibility of cheap RSA devices and cell phones, I see no reason why institutions such as banks - where I really care about the security of my data - can't implement the same measures that Blizzard does for World of Warcraft.
Bad implementations of a feature do not make the feature bad as well. If you as a site owner allow for example a password reset based on just answering the secret question, guess what: bad implementation. If you don't inform the users what the secret question can be used for, guess what: bad implementation. If your users choose to use a question that has an answer that can be found easy its the same as having a user use for password the word 'password'. I can go on and on about how you can get something like this wrong.

Lets say that my computer gets keyloged and the attacker gets the account/password of site X and my email info aswell. Now the attacker wants to take over both of the accounts. Lets see how things will go if no secret question is involved: At best site X for a password change will require a e-mail confirmation, probably by just providing the old password the attacker will be able to change it. On top of that the site that hosts my e-mail can't be linked to something else, because of that i guess by simply providing my old password the attacker will get over my e-mail too.

HOWEVER if the sites require a secret question/answer verification the attacker wont be able to take over my accounts. And i am able to change both the password and get full control of the accounts.

Secret question/answer feature should be treated as a MASTER password. You have your casual password which allows you to identify yourself to the system etc but if you want to change some critical information of the account you will have to provide you master password.

If both the site and the user make good use of the feature there is nothing wrong with it.