31 comments

[ 3.1 ms ] story [ 67.8 ms ] thread
You've updated to make it easier to say over the phone, but it doesn't help for being asked over the phone. Can you trust the person you're talking with to accurately say "What is the make of your first car?", or might they read "What was your first car?" or similar. Even if you specify to them over the phone "please read the question word for word", maybe their system is one with a few built-in standard questions, and all they see on their screen is "first car".
There's also a risk of them changing the question text on the website. Maybe they did a redesign and need the text to fit into a smaller area - who knows.

A workaround may be to just simplify the phrase to "first car" and use that.

Why bother generating a hash based on your password and secret question? Just pick five random words and store those in your password manager as well, along with the question.

    # gsort -R /usr/share/dict/words | head -n 2
    inductory
    thingstead
"What was the make and model of your first car" - turns out, I was driving a brand new Inductory Thingstead, and changing the minute details of the secret question (or me changing the password) won't affect anything.

(One potential downside is having to tell an operator that your car was a "trichroic somatopsychic", which would just take extra time to spell out, unless they see the answer in plaintext.)

I want my password store to be able to generate these for me. Then it would a variation on "correct horse battery stable".

> unless they see the answer in plaintext

I think they do.

That might actually be an interesting feature add-on.

http://i.imgur.com/9LYi9.png

And to avoid being faced with trying to explain how your mother was born to a ... rather eccentric family, it would be cool if it could generate something that's plausibly a family name, pet name, car, mascot, teacher's name etc.

Good thing about security questions is that they don't have to stand up to offline attacks, so a few tens of thousands of options for each might well be sufficient.

An option for names could be a pretty good choice, but after that, the number of options could balloon. Mascot, pet's name, car brand, street name, TV show, city, etc., etc. You won't catch every edge case.

If I'm talking to someone on the phone and giving them my secret answer, I doubt they're going to be giving me the third degree about why my mother's maiden name is "antireligious electrocardiograph", especially if the computer accepts it.

I don't understand why people are trying to come up with such complex solutions to Password and Security Question retrieval when portable and open source solutions, like Keepass[1][2] exist.

Just store your "random" Security Question answers alongside the login credentials - they'll be encrypted safely.

--

[1] http://www.keepass.info/

[2] http://www.keepassx.org/

The advantage of these systems is that you recreate them using nothing but basic, generally available tools and your memory.

Keepass, on the other hand, is useless unless you have the database file with you.

So store it in Dropbox and have a copy on a USB Key you carry with you (along with a portable version[1] of Keepass)

Also, on the same subject, it's the "all you need is your memory" bit that makes me smile. If you could rely on your memory then why would you need to have these hashing functions in the first place? (:

[1] http://portableapps.com/apps/utilities/keepass_portable/

So store it in Dropbox and have a copy on a USB Key you carry with you (along with a portable version[1] of Keepass)

If I'm at a cybercafe somewhere, there's a high degree of probability that it won't let me just run some untrusted binary from my USB stick or the web.

Also, carrying an USB stick still defeats the point of being able to recreate them with nothing. I've lost more than one USB stick in my life.

Also, on the same subject, it's the "all you need is your memory" bit that makes me smile. If you could rely on your memory then why would you need to have these hashing functions in the first place? (:

If you can't rely on your memory, how will you know the master password to open the Keepass container?

Simply put, it's hard to remember a password for each and every site, but it's easy enough to remember a single algorithm (plus a master password) for all of them.

> If I'm at a cybercafe somewhere, there's a high degree of probability that it won't let me just run some untrusted binary from my USB stick or the web.

1. You shouldn't be typing in high value passwords at <random cyber-cafe>.

2. You can get KeyPassDroid for your smartphone.

3. writing your master-password down somewhere may be useful to your next of kin.

1. I don't use this system for high value passwords - I have only four or five of those and I can memorize them (and keep a written down copy in a safe place).

2. I don't have a smartphone

3. Not really, due to (1).

Because the main problem isn't remembering them, but preventing other people from guessing them.
It really sucks that we have to go to such lengths to make the services we use that are "secured to industry standards" un-hackable.

I die a little inside every time some site emails me my own password.

The simplest solution I've had is to keep a notebook where I for every page I write down the security questions and my answer. This is done because I have a bad memory, not as an attempt to salt, but it is a good point that we should try to answer these questions differently every time.

This is used for the few times where I have to do password recovery / phone support, I just grab the book.

For normal password usage I use automated hashing system in Firefox.

I write down the security questions/answers in the "notes" field in LastPass. Books burn down, LastPass doesn't.
Over the last 15 years I've had 3 hard drive failures and 0 burned houses.

ymmv

I treat my security questions exactly the same as passwords, just having a different prompt. The answers are long, randomly generated and not stored in my brain. And the same question for different sites have different answers.

Instead of paper I do use a password program, and ensure that the encrypted data files are replicated to several different places.

The worst is when they use security questions that have answers that change like "what is the first name of your best friend?"
I still can't get back into my very first e-mail account. How the hell do I know who I loved most in sixth grade? I got a different crush every monday, and was convinced we were made for each other.
No, the worst is when they require your answer to be at least four characters long, and your friend's name is Bob, or Tom, or Sam, etc...

I'm looking at you, Citibank.

FTR, some EU countries have viewed standard security questions (e.g. date of birth) as not being sufficent protection for personal data, and hence it could be illegal to store personal data that way.

If you're in the EU, and are storing personal data, you are legally required to protect it. Think carefully about how you set up your EU based web app.

Example: In Ireland it's probably against the Data Protection Acts to use a date of birth/mother's maiden name as a 'security question' for personal data. (cf. http://www.dataprotection.ie/viewprint.asp?DocID=1212&St... http://www.dataprotection.ie/viewdoc.asp?DocID=1062&m=f )

Same comment that I left there.

If multiple sites use the same security question, they will contain the same answer. Therefore if one site has been compromised, someone could use it to login as you at another site.

To fix that you need to add the site itself to the data to hash.

And now you don't remember if you used an uppercase, or where you put spaces, or where you put a dash, or whether you used 1st or 'first', and then you're screwed, because for the hash you need you input to be byte-for-byte the same.

Password management is not a technical problem. All these 'solutions' to passwords being 'insecure' massively miss the point - which is that people just forget things, especially when they need to remember dozens or hundreds of them. Use a password manager and get rid of these nonsensical hacks.

This changes the situation from "What was that password again?" to "What algorithm did I use for this site?", and given that I'm already pissed off at having forgotten my password, the likelihood of my remembering this goes down significantly. Which makes me even more pissed-off.

IOW: When designing a scheme like this, the fact that you'll be angry when trying to actually use it at some point in the future becomes an important design constraint.

Paraphrasing a great comment on this idea from the Schneier thread (sorry, I can't find it):

"Hi, I need to make a change to my account."

"All right, ma'am, I'll have you just answer this security question first: What is the make of your first car?"

sigh "So, look, this is going to sound really stupid, but for these questions I always use random words, and I lost the paper where I wrote them down... I'm really sorry, I just don't remember what they are. It's not a real car make, if that helps, it's just some random nonsense words."

"Uh, let me just talk to my supervisor." [hold] "What can I help you with today?"

I don't understand how this would solve the problem that security questions are trying to solve. Basically, you just want something that you remember and/or infer easily in case you forget your password. If you use a passphrase as a salt to build a hash along with your security question then you are not really solving the problem. You still will have to remember the passphrase in order to build the hash. What if you forget it? Therefore you really haven't solved the problem. For what's it worth I don't believe in security questions and agree that they can be inferred by a reasonably motivated person with rather ease. There is no silver bullet, but it is probably way less risky to just allow password reset by confirmation codes to cell phones.