

Schneier on Security: Fun with Secret Questions - kibwen
http://www.schneier.com/blog/archives/2010/04/fun_with_secret.html

======
jtheory
Entertaining (though I've already read this one...).

I have a more interesting game I play with bank security questions that's more
useful, though -- and applies to the most common usage (where the bank
provides the question to you).

Simply this -- for each question, imagine how easily you could guess the
answer even knowing _nothing_ about the account owner. I'm not talking about
real analysis here, just roughly mapping out the answer space.

For example, "In what city/town did ___?" is a common question. Well, if it's
a US bank, probably you're dealing with US cities, and there are fewer than
20K. (Already, whoa: a _three-character_ alphanumeric password has 10 times
the possibilities). Then of course cities should be weighted by population, so
since NYC is biggest... well, New York has 8.3 million of the USA's 311.6
million population, the answer to this question will be New York City about
2.6% of the time.

"What's the first name of your [specified grandparent]?" is another good one.
How diverse are first names, generally, particularly a few generations back?
Of course there's a long tail, but otherwise... not that diverse, and it's
trivial to find stats on most common names in the early 1900s. I've never
chosen this question even before I started thinking hard about security,
because it was blazingly obviously a bad question -- the banks would ask for
my maternal grandfather's name, and _I was named after him_.

Fun, no?
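As an added illustration of the answer-space estimate above (not code from the thread or from Schneier's post), this script turns a guessed frequency distribution into attacker odds. The only real figures are the ones quoted in the comment (New York 8.3 million of 311.6 million); the other city weights are constructed, not census data.

```python
import math
from typing import Sequence

# Constructed illustration: the only real figures are the ones quoted in the
# comment (New York 8.3M out of 311.6M). The other city weights are made up
# to show the shape of the calculation and are NOT census data.
US_POPULATION_M = 311.6
TOP_BIRTH_CITIES_M = [8.3, 3.8, 2.7, 2.1, 1.5]   # descending, millions of people
US_CITY_COUNT = 20_000                           # "fewer than 20K" US cities


def success_after_k_guesses(top_weights: Sequence[float], total: float, k: int) -> float:
    """Fraction of accounts whose answer is among the k most common ones.

    top_weights must be sorted descending and cover at least k answers;
    the attacker simply tries them in order of popularity."""
    if k > len(top_weights):
        raise ValueError("need the k most common answers to estimate k guesses")
    return sum(top_weights[:k]) / total


def min_entropy_bits(top_weights: Sequence[float], total: float) -> float:
    """Min-entropy: -log2 of the most likely answer's probability. This, not
    the size of the answer space, is what a single guess is up against."""
    return -math.log2(max(top_weights) / total)


def uniform_bits(answer_space: int) -> float:
    """Entropy of an answer drawn uniformly from answer_space possibilities."""
    return math.log2(answer_space)


def compare_question_to_password(k: int = 3) -> dict:
    """Put the comment's numbers side by side: a population-weighted city
    question versus a uniformly random 3-character alphanumeric password."""
    pw_space = 62 ** 3
    return {
        "city_top_k_success": success_after_k_guesses(TOP_BIRTH_CITIES_M, US_POPULATION_M, k),
        "city_min_entropy_bits": min_entropy_bits(TOP_BIRTH_CITIES_M, US_POPULATION_M),
        "city_uniform_bits": uniform_bits(US_CITY_COUNT),  # the naive answer-space view
        "password_top_k_success": k / pw_space,
        "password_bits": uniform_bits(pw_space),
    }


if __name__ == "__main__":
    for name, value in compare_question_to_password().items():
        print(f"{name:>24}: {value:.4g}")
```

The gap between `city_uniform_bits` and `city_min_entropy_bits` is the point of the comment: counting possible answers flatters the question, while the skew of real answers is what an attacker exploits.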

~~~
suresk
Here is a worse one:

> What is the make of your first car?

The number of relatively common car makers is really low, and when you factor
in the fact that most people don't get a really high-end car as their first
car, 5 or 6 makers are going to cover a really high percentage (Ford,
Chevrolet, Toyota, and Honda would cover most, I'd guess). If you factor in
make AND model, we're still talking in the low hundreds of possibilities.

Good security questions are really, really hard to come up with and should,
IMHO, really only be used as an addition to a password - not as a way around
one.

~~~
antidoh
> What is the make of your first car?

Winston Churchill.

~~~
jtheory
If you're clued in on security, you can certainly use the fields to enter
unrelated answers. A random 20 characters would be better than Winston
Churchill.

But it probably goes without saying that if following the instructions (and
putting in an actual answer...) makes you insecure, the model is broken.

------
bajsejohannes
I almost always pick something like "What's your favorite color?" and answer
with random noise (say "a3tcuh487wchaowiudh23doch3298ahraui"). The rationale
is that if I forget my password, I'll likely forget the secret question as
well. I only want the secret question to be as hard, or harder, to guess than
my password.

I wonder though, if the human at the other end will accept "just a bunch of
letters and numbers" as a correct answer.

------
tokenadult
Original date of this article: April 30, 2010. Too bad it wasn't April 1st.

Q: What is your mother's maiden name?

A: I never use my mother's REAL maiden name in a security question; that is
much too easy to look up with Google.

------
tingley
When I'm allowed to pick the question, I invariably pick "Which is it?", and
the answer is a series of random words.

Now you know, identity thieves.

~~~
mike-cardwell
Call centre: Can you please provide the answer to the secret question.

Social engineer: _sigh_, I know this is going to sound really strange, but I
just pick random words when I set up secret questions, and I'm not sure what I
used with you. If it helps, it will just be a set of random words that make no
sense...

Call centre: Ok, I've spoken to my supervisor and he said that, seeing as you
kind of know what it's like, and seeing as you have the name and address, I
can reset your password. What number would you like me to SMS it to?

------
T-hawk
My bank has a particularly horrible one:

"What sports team do you most like to see lose?"

Especially considering it's a regional bank in the northeast US, you can
probably hit well over 90% of accounts using less than a dozen answers.

------
wherewhenwhy
Why the hell is anyone answering "What was your mother's grandfather's
maiden/first name" or "What city were you born in" with real answers, or even
real names/cities??

------
chris_wot
While entertaining, choosing the question "What is the air speed velocity of a
laden swallow?" is not particularly good security.

~~~
harshreality
That applies to many of them. It's clearly just for fun. Quotes are no good.
If it's a quote from media like music, movies, book, or TV, the response can
usually be googled, if it's not known already. If it's a personal quote,
someone who knows you might know it.

------
polynomial
While I have a hard time imagining Bruce just lifted someone else's blog post
without crediting (more likely it was passed on to him in conversation?), this
post predates Schneier's by over a year:
[http://tcoverride.blogspot.com/2011/05/security-questions.ht...](http://tcoverride.blogspot.com/2011/05/security-questions.html).

~~~
maxerickson
Check the Schneier date again.

~~~
polynomial
lol, repost. My bad.

------
Argorak
That's brilliant. A big opportunity to introduce call centre agents to Monty
Python quotes!

------
jasomill
Q: Ennyn Durin aran Moria. Pedo mellon a minno.

A: Mellon!

