

Security questions are salt - jgrahamc
http://blog.jgc.org/2012/08/security-questions-are-salt.html

======
Cushman
Paraphrasing a great comment on this idea from the Schneier thread (sorry, I
can't find it):

"Hi, I need to make a change to my account."

"All right, ma'am, I'll have you just answer this security question first:
What is the make of your first car?"

_sigh_ "So, look, this is going to sound really stupid, but for these
questions I always use random words, and I lost the paper where I wrote them
down... I'm really sorry, I just don't remember what they are. It's not a real
car make, if that helps, it's just some random nonsense words."

"Uh, let me just talk to my supervisor." [hold] "What can I help you with
today?"

------
btilly
Same comment that I left there.

If multiple sites use the same security question, they will contain the same
answer. Therefore if one site has been compromised, someone could use it to
login as you at another site.

To fix that you need to add the site itself to the data to hash.

------
phase_9
I don't understand why people are trying to come up with such complex
solutions to Password and Security Question retrieval when portable and open
source solutions, like Keepass[1][2] exist.

Just store your "random" Security Question answers alongside the login
credentials - they'll be encrypted safely.

--

[1] <http://www.keepass.info/>

[2] <http://www.keepassx.org/>

~~~
icebraining
The advantage of these systems is that you recreate them using nothing but
basic, generally available tools and your memory.

Keepass, on the other hand, is useless unless you have the database file with
you.

~~~
phase_9
So store it in Dropbox and have a copy on a USB Key you carry with you (along
with a portable version[1] of Keepass)

Also, on the same subject, it's the "all you need is your memory" bit that
makes me smile. If you could rely on your memory then why would you need to
have these hashing functions in the first place? (:

[1] <http://portableapps.com/apps/utilities/keepass_portable/>

~~~
icebraining
_So store it in Dropbox and have a copy on a USB Key you carry with you (along
with a portable version[1] of Keepass)_

If I'm at a cybercafe somewhere, there's a high degree of probability that it
won't let me just run some untrusted binary from my USB stick or the web.

Also, carrying a USB stick still defeats the point of being able to recreate
them with _nothing_. I've lost more than one USB stick in my life.

_Also, on the same subject, it's the "all you need is your memory" bit that
makes me smile. If you could rely on your memory then why would you need to
have these hashing functions in the first place? (:_

If you can't rely on your memory, how will you know the master password to
open the Keepass container?

Simply put, it's hard to remember a password for each and every site, but it's
easy enough to remember a single algorithm (plus a master password) for all of
them.

~~~
fr0sty
> If I'm at a cybercafe somewhere, there's a high degree of probability that
> it won't let me just run some untrusted binary from my USB stick or the web.

1. You shouldn't be typing in high value passwords at <random cyber-cafe>.

2. You can get KeyPassDroid for your smartphone.

3. writing your master-password down somewhere may be useful to your next of
kin.

~~~
icebraining
1. I don't use this system for high value passwords - I have only four or
five of those and I can memorize them (and keep a written down copy in a safe
place).

2. I don't have a smartphone

3. Not really, due to (1).

------
roel_v
And now you don't remember if you used an uppercase, or where you put spaces,
or where you put a dash, or whether you used 1st or 'first', and then you're
screwed, because for the hash you need your input to be byte-for-byte the same.

Password management is _not_ a technical problem. All these 'solutions' to
passwords being 'insecure' massively miss the point - which is that people
just forget things, especially when they need to remember dozens or hundreds
of them. Use a password manager and get rid of these nonsensical hacks.
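To make concrete both btilly's point (the site must be part of the hashed data) and roel_v's (the hash input must be byte-for-byte identical), here is an added example, not code from the blog post or any commenter, that canonicalizes the site and question before keying an HMAC with the master passphrase and renders the result as a few phone-friendly words. The word list is constructed and hypothetical; changing it changes every answer, so it would have to be fixed for life.

```python
import hashlib
import hmac
import re
import unicodedata

# Constructed, hypothetical word list. A real scheme would use a large,
# fixed list (e.g. a copy of /usr/share/dict/words) that never changes.
WORDS = [
    "amber", "bison", "cedar", "delta", "ember", "falcon", "garnet", "harbor",
    "indigo", "juniper", "kestrel", "lagoon", "maple", "nectar", "onyx", "pebble",
]


def canonical_question(question: str) -> str:
    """Collapse case, accents, punctuation and whitespace so the same
    question typed slightly differently still yields the same bytes."""
    ascii_text = unicodedata.normalize("NFKD", question).encode("ascii", "ignore").decode()
    return " ".join(re.findall(r"[a-z0-9]+", ascii_text.lower()))


def canonical_site(site: str) -> str:
    """Reduce a URL or host to a bare lowercase hostname (no scheme, path, port, www)."""
    host = re.sub(r"^[a-z]+://", "", site.strip().lower()).split("/")[0]
    host = host.split(":")[0]
    return host[4:] if host.startswith("www.") else host


def derive_key(master: str, site: str, question: str) -> bytes:
    """HMAC-SHA256 keyed by the master passphrase over site and question.
    Including the site means a breach of one site reveals nothing about another."""
    msg = (canonical_site(site) + "\n" + canonical_question(question)).encode()
    return hmac.new(master.encode(), msg, hashlib.sha256).digest()


def derive_answer(master: str, site: str, question: str, n_words: int = 3) -> str:
    """Render the derived key as words that can be read out over the phone."""
    digest = derive_key(master, site, question)
    # Each digest byte indexes the word list; 256 % 16 == 0, so picks are uniform.
    return " ".join(WORDS[b % len(WORDS)] for b in digest[:n_words])
```

Canonicalization absorbs capitalization and punctuation differences but not a reworded question, so the exact question text used should still be recorded alongside the site name.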

------
engtech
The simplest solution I've had is to keep a notebook where, on every page, I
write down the security questions and my answer. This is done because I have a
bad memory, not as an attempt to salt, but it is a good point that we should
try to answer these questions differently every time.

This is used for the few times where I have to do password recovery / phone
support, I just grab the book.

For normal password usage I use an automated hashing system in Firefox.

~~~
pavel_lishin
I write down the security questions/answers in the "notes" field in LastPass.
Books burn down, LastPass doesn't.

~~~
engtech
Over the last 15 years I've had 3 hard drive failures and 0 burned houses.

ymmv

------
corin_
You've updated to make it easier to say over the phone, but it doesn't help
for being asked over the phone. Can you trust the person you're talking with
to accurately say "What is the make of your first car?", or might they read
"What was your first car?" or similar. Even if you specify to them over the
phone "please read the question word for word", maybe their system is one with
a few built-in standard questions, and all they see on their screen is "first
car".

~~~
pavel_lishin
Why bother generating a hash based on your password and secret question? Just
pick five random words and store those in your password manager as well, along
with the question.

    # gsort -R /usr/share/dict/words | head -n 2
    inductory
    thingstead

"What was the make and model of your first car" - turns out, I was driving a
brand new Inductory Thingstead, and changing the minute details of the secret
question (or me changing the password) won't affect anything.

(One potential downside is having to tell an operator that your car was a
"trichroic somatopsychic", which would just take extra time to spell out,
unless they see the answer in plaintext.)

~~~
mseebach
I want my password store to be able to generate these for me. Then it would be a
variation on "correct horse battery stable".

> unless they see the answer in plaintext

I think they do.

~~~
pavel_lishin
That might actually be an interesting feature add-on.

<http://i.imgur.com/9LYi9.png>

~~~
mseebach
And to avoid being faced with trying to explain how your mother was born to a
... rather eccentric family, it would be cool if it could generate something
that's plausibly a family name, pet name, car, mascot, teacher's name etc.

Good thing about security questions is that they don't have to stand up to
offline attacks, so a few tens of thousands of options for each might well be
sufficient.

~~~
pavel_lishin
An option for names could be a pretty good choice, but after that, the number
of options could balloon. Mascot, pet's name, car brand, street name, TV show,
city, etc., etc. You won't catch every edge case.

If I'm talking to someone on the phone and giving them my secret answer, I
doubt they're going to be giving me the third degree about why my mother's
maiden name is "antireligious electrocardiograph", especially if the computer
accepts it.

------
alanbyrne
It really sucks that we have to go to such lengths to make the services we use
that are "secured to industry standards" un-hackable.

I die a little inside every time some site emails me my own password.

~~~
wlesieutre
MSDN emailed me my password once.

------
rmc
FTR, some EU countries have viewed standard security questions (e.g. date of
birth) as not being sufficient protection for personal data, and hence it could
be illegal to store personal data that way.

If you're in the EU, and are storing personal data, you are _legally required_
to protect it. Think carefully about how you set up your EU based web app.

Example: In Ireland it's probably against the Data Protection Acts to use a
date of birth/mother's maiden name as a 'security question' for personal data.
(cf.
<http://www.dataprotection.ie/viewprint.asp?DocID=1212&StartDate=1+January+2012>
<http://www.dataprotection.ie/viewdoc.asp?DocID=1062&m=f>
)

------
brianjyee
The worst is when they use security questions that have answers that change
like "what is the first name of your best friend?"

~~~
pavel_lishin
I still can't get back into my very first e-mail account. How the hell do I
know who I loved most in sixth grade? I got a different crush every Monday,
and was convinced we were made for each other.

------
chiph
This changes the situation from "What was that password again?" to "What
algorithm did I use for this site?", and given that I'm already pissed off at
having forgotten my password, the likelihood of my remembering this goes down
significantly. Which makes me even more pissed-off.

IOW: When designing a scheme like this, the fact that you'll be angry when
trying to actually use it at some point in the future becomes an important
design constraint.

------
dohko
I don't understand how this would solve the problem that security questions
are trying to solve. Basically, you just want something that you remember
and/or infer easily in case you forget your password. If you use a passphrase
as a salt to build a hash along with your security question then you are not
really solving the problem. You still will have to remember the passphrase in
order to build the hash. What if you forget it? Therefore you really haven't
solved the problem. For what it's worth, I don't believe in security questions
and agree that they can be inferred by a reasonably motivated person rather
easily. There is no silver bullet, but it is probably way less risky to
just allow password reset by confirmation codes to cell phones.

------
jvdongen
Security questions are basically passwords and thus suffer from the same
issues.

I had a neat (imo) idea for this, though not everyone agreed:
<http://news.ycombinator.com/item?id=4349116>

