28 comments

[ 1.9 ms ] story [ 73.4 ms ] thread
I think now days you really want to have 3 factor authentication for e-mail. It is a gateway to just about anything you do online!
Another proof of the fact that security questions are a really bad idea.

I'd rather have to go through some manual time intensive procedure in the unlikely instance of losing access to my password safe, instead of opening myself that wide to social engineering.

I agree. I would prefer to have to ring up a support line and provide ID or something. However, that opens up two problems:

* What if it's a non-critical service? * How do they link an ID to an account without requiring it at launch?

The main problem here is that a large amount of a consumer web service's user base are none technical, "normal", people who will in all likelihood balk at a more complicated authentication process unless they can really see the need for it OR it is implemented really well. Currently the best implementation is the card reader used by banks but that is a pain as you have to have it with you all the time (however it is protected people's money and so a certain level of pain is more tolerable in this instance). As a result most banks only use it for big stuff like sending money to a new account etc. I think only Barclay's use it for logon and it is a real PITA and made me leave them as a bank.

Santander use the "if you don't recognise the picture above then don't login" method which is stupid as if people don't login regularly then they will forget what picture they choose and login anyway.

That's a very good point. Two factor authentication is the way to go IMO. It is a pain to have it with you all of the time, but what if it was just a simple little USB that you used to reset the password?

To login you need your password + your phone but to reset your password you need that USB with a unique fingerprint on. That way, I'd just keep it at home in some kind of safe.

I tried using google's two factor auth for a while. It was such a pain to have to unlock my phone and load the app every time I wanted to log in that I stopped using it pretty quick. When people are used to just loading their password manager up when they start their computer, sticking their more secure details into that, and then being able to log in to wherever with a click and a very short wait, sticking that sort of extra complexity in seems like a deal killer. Maybe for my debit card but... then it's worth going to a little extra effort for the security.
Most accounts remember you've authenticated until you log out. That's never been a problem for me
It's cookie based. The system tries to put a cookie on your computer to stop you clearing your cookies at the end of the session. It's not meant to ask you to reauthenticate on every login, if you look at the help, it tells you that clearing the cookies is probably responsible.

More bother than its worth to me under those conditions, ought to be Ip based instead and kept server side.

Apple put some effort into fixing the password recovery vulnerability for AppleID's recently (i.e. a few months ago), vs. KBA.
I use gibberish answers to security questions. This way I don't need to worry who all know my mother's maiden name or my first pet's name. Staying safe is easy, if you know how to game the system.
I do the same thing. What good does it do me to have a secure password, if the answers to security questions are well known?

Of course, I learned this the hard way. I had an ex that was able to breach my email because she knew personal details to answer my security questions (of course this was back in Hotmail days circa 2001).

Passwords can't be safe. We have a fundamental problem with passwords that somebody got to fix by replacing passwords with something safe.
Reading this article, I'd say that the weakest link isn't "you" (or "myself"), but "others", to which the account providers tailor their (in-)security practices, and thus allow easy access to any account.
Consider this:

The question "What is your pornstar name?" asks for your mothers maiden name and first pets name...

To get your security details.

I believe the corresponding joke goes something like this:

"To get your pornstar name, take your mother's maiden name and first pet's na--"

"Let me stop you there. You realise those are both common security questions for authentication if you forget your password, right?"

"Argh! You mean my bank knows my pornstar name?!"

>>>The only thing left between me and winning the bet was the questions. I dropped them both subtly in a conversation, noted down the answers and to my surprise: they were both accepted.

Hoo boy. They should let us create our own security questions that can't be asked in everyday conversations. I never liked "Favorite pet's name" or "Best teacher's name" and the rest of them.

Security 101: Never answer security questions truthfully
Not a bad idea, but then you have to create some file with a list of your little lies. Then that file has to be encrypted and you have to remember the password for it. What was your childhood pet's name? Did I answer this with 'Bob Saget' or 'Nosferatu'? I can't remember!
Yes, I generate them at random, and keep them at my password database, right next to the actual password for the service.

That makes them absolutely useless, it's true. And it is the most usefullness you can extract from them. I'd throw them away, but lots of services make you anwser them once in a while.

Wait? You can reset a facebook password by having 3 friends confirm? What the? First of all getting 3 friends to pull a prank on someone should be fairly easy. Other than that you can just create 3 fake accounts and get the victim to add you as friend. I find that way worse than these security questions, because there's essentialy no way to defend against this.

Well, except by not having facebook (which luckily I don't have).

What the original author failed to mention (or likely never bothered to find out) was it's not simply 3 friends, but instead 3 friends from distinct social circles, possibly with a minimum mutual friend requirement or more.

When you choose the you're friend you want to verify, it dramatically limits the choice pool for the next two, meaning you can't pick 3 mutual friends, you need to pick yourself, their friend from back in college you don't know, and their sister. Harder to do than get any three friends to play a prank.

Thanks, I wasn't aware of that!
I certainly hope they stay my friends, and don't die before I need them.
Who gives real information as answers to security questions? The approach I took is to use a hardware device with limited login attempts to generate store most of my (random, 16 character) passwords (an IronKey, in my case).

IronKey have a reset mechanism involving security questions; I've never used it, and I don't know the answers I gave; they're on a sheet of paper, in a safe somewhere. Yes, it's going to be inconvenient if I ever need it, but if it happened tomorrow it would be a once-in-ten-years event.

My bank inconveniently REQUIRES security questions in addition to a PIN for online banking; again, the information they have is made up. I remember it because I use it regularly, so that ISN'T written down anywhere.

For almost anything else less important, I've either just ignored the security questions (ie. entered random data) or noted them in the extra account info field on the IronKey.

For email, I run my own mail server in colo. It's maybe overkill, but I don't care. Credentials are again 16 character random passwords that I couldn't tell you, and authentication is only allowed over TLS. I'm toying with going for full client SSL certificates but device support would be the issue. I've already discovered more than I wanted to about incompatible SSL implementations on mobile devices over the years, which is why I'm still building Debian packages from source linking to OpenSSL instead of GnuTLS... And there's no webmail access. Never did find one that wasn't either written in PHP, half-functional or abandoned.

Who gives real information as answers to security questions?

Most people do. This piece doesn't really point out that people are a "weak link" (though they are) as much as it highlights that these "security questions" do not really add much security in most cases.

Well no, the point is not that security questions don't add security, it's that they greatly subtract from security.

Sometimes security questions are used to augment a password, but in many cases, including the one given in the article, they are provided as an alternative to a password, and one that's often much easier to guess.

Here's a thought with respect to security questions/answers. Even if you designate random, password-like/quality answers, are those answers security hashed?

If not, you're nonetheless one DB dump or other undesirable access away from having your account pwned.