

Secrets, Lies, and Account Recovery: Personal Knowledge Questions at Google [pdf] - giltleaf
http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43783.pdf

======
joshuak
Nice to see someone finally formalizing what to me seems pretty obvious.
Adding account recovery inherently lowers security.

1\. Additional attack vector with a lower security threshold than the
password.

2\. Questions may have common answers.

3\. Few possible answers.

4\. Publicly available answers.

5\. Social engineering can phish for answers easily.

6\. Answers may be easily known or guessed by social proximity (family,
friends, coworkers).

Transient-information questions like "favorite food" and unknown strictness
rules like capitalization or character exclusions cause users to pick
consistent answers that do not necessarily relate to the question.

This, along with inconsistent password rules across all sites, and none of
them showing the rules on the login page to remind you, pisses me off to no
end. Please can we start using public key cryptography, and just have our own
private keys? Please!!!!

If you ever create password based web apps or work in security please at least
watch this MIT lecture.

[https://youtu.be/M2gc6b1hmk8?t=5m15s](https://youtu.be/M2gc6b1hmk8?t=5m15s)

(cued to start of lecture)

~~~
Yizahi
Also you will never ever remember what you wrote for that particular question
(unless you treat it like a second password). And considering that anything
less than 12 random chars can now be broken in hours... I really don't know
what companies think when they expect us to write "white" or "1977" as a
complete password substitute.

And lots of companies like to screw you in many different and inventive ways
using this crap. For example Apple: they asked me for two security questions
during registration (and I wrote them down, of course), then at some point they
added a third one with some random answer that I didn't fill in. So now I have
to open the page with the question a few times to get both of the questions
that I did fill in, and not one known and one not. (This happened to my oldest
account; for two new Apple IDs, Apple asked for all 3 questions correctly.)

------
shabble
From a quick skim of the paper, it doesn't seem like they mention how they
acquired the data, other than some mention of how it's secured by their
rate/count-limiting process.

I'd hope they're storing it all as one-way digests, and it occurs to me that
their strength metric (% number guessable given X attempts) might in fact be
them brute-forcing their own data. Or they could log the inputs and result of
each attempt by actual users during their experiment.

Or they could be secretly parsing and storing it all, and consequently know
enough about you to guess most of your other services, should they NSL^Wneed
to.

_"For example, it was estimated that it actually takes over 2^100 guesses to
compromise an average password due to the presence of less than one in a
million users choosing 128-bit random strings as passwords"_

I'll be the one looking smug until I misplace my personal password database.

------
sssilver
I do my own questions, and specify a format. Example secret question:
FirstElementaryTeacherLastName::First/Girlfriend/Name--moms_maiden

Example secret answer: Kochoyan::Arev/Petrosyan--lusine_markosyan

Of course it doesn't have to be all human names, and formatting also adds a
thin layer of security.

~~~
cmwelsh
I prefer to treat secret questions exactly like passwords.

Example secret question: What is the random string I just generated?

Example secret answer: JmoPZGDg3JxpgRTTrHrXD5t5jVfvSm

~~~
bluedino
That's fun when you have to tell the answer to someone on the phone, like a
customer service agent.

~~~
cmwelsh
They can see it in front of them so you can read it back to them in less than
15 seconds. They'll probably zone out while you're reading it anyway.

~~~
JoshTriplett
I had that exact experience, along with the representative telling me that it
wasn't actually stored or checked case-sensitively, so I didn't need to bother
identifying capital/lowercase.

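Added example (editor's illustration, not code from the paper, from Google, or from any commenter): a minimal server-side recovery-answer store of the kind shabble speculates about, with the case-insensitive comparison JoshTriplett ran into made explicit as a normalization step, plus the attempt counter that stands in for a rate/count limit. The iteration count, lockout threshold and the list of "common hometown" guesses are constructed for the demo.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

# Illustrative parameters (assumptions, not values from the paper or from Google):
# tune the iteration count to the verifier's hardware, and pick the lockout
# threshold to match the online guess budget the service wants to allow.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 5


def normalize_answer(answer: str) -> str:
    """Fold case, NFKC-normalize, and drop whitespace and punctuation so that
    'Spring-Field', 'springfield ' and 'SPRINGFIELD' all compare equal.

    This is the usability/security trade-off behind "not stored case-sensitively":
    the comparison is deliberately lossy, which shrinks the effective answer space
    and makes the real-world guessability measured in the paper even worse."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


@dataclass
class StoredAnswer:
    salt: bytes
    digest: bytes
    attempts: int = 0  # failed attempts since the last success


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(answer: str) -> StoredAnswer:
    """Store only a salted, stretched one-way digest of the normalized answer."""
    salt = os.urandom(16)
    return StoredAnswer(salt=salt, digest=_digest(answer, salt))


def verify(record: StoredAnswer, attempt: str) -> bool:
    """Return True only if the attempt matches and the attempt budget is intact.
    The counter is bumped before comparing, so a correct guess that arrives
    after lockout is refused like any other."""
    if record.attempts >= MAX_ATTEMPTS:
        return False
    record.attempts += 1
    ok = hmac.compare_digest(_digest(attempt, record.salt), record.digest)
    if ok:
        record.attempts = 0
    return ok


def online_guess(record: StoredAnswer, wordlist: list) -> tuple:
    """Simulate an attacker walking a list of common answers through the
    recovery endpoint. Returns (found, attempts_consumed). The lockout is what
    bounds the 'guessable within X attempts' exposure; the hash only protects
    the stored digests if the database leaks."""
    used = 0
    for guess in wordlist:
        if record.attempts >= MAX_ATTEMPTS:
            break
        used += 1
        if verify(record, guess):
            return True, used
    return False, used


if __name__ == "__main__":
    rec = enroll("Spring-Field")
    print(verify(rec, "springfield "))  # normalization makes this match
    # Constructed guess list: the correct answer sits past the lockout threshold.
    common = ["new york", "los angeles", "chicago", "houston", "phoenix", "springfield"]
    print(online_guess(enroll("Springfield"), common))
```

The lossy normalization is the practical caveat: it is what keeps honest users from locking themselves out over a capital letter or a hyphen, and it is also why "hometown" collapses onto a list an attacker can enumerate in a handful of attempts.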
------
morgante
I'm glad to see someone quantifying that "secret" questions are a basically
useless security measure and inherently harmful.

Probably the worst example of these security questions is Tradeking. Normally,
I just answer the security question with a random password stored in
1Password. Unfortunately, Tradeking has the genius practice of displaying your
answers as a multiple choice—when 84209t920tq3g is offered as an option for a
hometown, it's pretty obvious. Needless to say, this caused me to close my
account immediately.

------
mark_l_watson
I don't like personal knowledge questions. I try to give obscure answers and
note my answers in my encrypted password file. So there is no benefit: I lose
my encrypted file and I lose my obscure answers to these questions.

------
maartenscholl
I hash the personal question using a common hashing algorithm together with
(another) passphrase.

