
Why 'Secret Questions' Suck as a Security Measure - fourk
http://jamesburkhart.com/why-secret-questions-suck-as-a-security-measu
======
tomkarlo
I hate these questions. Except for some questions, like "Mother's Maiden
Name", there are a lot of them where I won't answer _exactly_ the same way
every time you ask me... Where did I go to college? There are three
conceptually equivalent answers (abbreviation with periods, abbreviation
without periods, full name) that I might be inclined to respond with. Even
something as simple as the name of a dog or a make of car often has multiple
answers.

~~~
kgo
Better than nothing, but that's still easily brute-forcible, even by humans.

~~~
lukeschlather
No, it's not. I ran across one where apparently I had chosen "favorite
restaurant" 10 years ago. I tried 5 likely candidates, and several passwords I
use for these things. Nothing went.

~~~
kgo
But if even you can't guess the right answer, then that doesn't really count,
does it? A hacker can't get access to your account, but neither can you. Might
as well have entered sdaw4#$%@#$%#$5.

I'm talking about the scenario where someone either has your answer from
another corrupted site, or tracks down the information publicly, like the kid
who 'hacked' Palin's email.

Assuming you're using legit info, it's easy enough to try several reasonable
variations of, say, University of Iowa, in the way a human would abbreviate
it.

------
bcrescimanno
Put even more simply: what good is having the best password security on earth
if having a 'secret word' that's not subject to the same strict security
requirements will still open up an account. I always find it horribly ironic
when you're told over and over again, "don't use easy to guess things like
birthdays, child or pet names, or your mother's maiden name as a password
because it's easy to guess" only to have the next question be, "What is your
mother's maiden name?"

The whole concept has always been silly; glad to read a well-reasoned argument
against it. But honestly, why should we even need such an argument?

------
watchandwait
I think Secret Questions are even worse than described in the post. They create
a situation where one hacked web site can reveal critical personal
information, such as mom's maiden name, that can be used across a range of
sites and offline ID theft vectors.

I also deeply resent random ecommerce sites asking for personal information
like the name of my dog or high school. My answer is always a random variation
of "none of your damn business." This has caused me some problems when I do
need to reset my password, but contacting support resolves it.

~~~
jimktrains2
Shouldn't the answers be hashed? It shouldn't be any worse than it would be
for a password (i.e.: it shouldn't reveal it).

~~~
_delirium
I've had banks ask me some of these questions over the phone as a verification
measure, so I end up assuming that the answers are available to phone reps in
the system somewhere. Possibly not true everywhere, but at various banks I've
been asked over the phone for: mother's maiden name, my city of birth, and at
Citibank, something labeled an "account password" that I had previously chosen
online, and didn't realize I would end up having to spell out orally over the
phone to a rep! (Fortunately it's not the same as the citibank.com login
password... it seems to be a password used _only_ for this purpose of phone
verification... but still, getting people in the habit of being willing to
spell a password out over the phone to a rep isn't encouraging great habits.)

~~~
thwarted
Even worse is when they ask for authentication with a yes/no question based on
something personal about the account. "Is your mother's maiden name Smith?"
"Are the last four digits of your social security number 1234?".

------
parfe
A seemingly good question I ran into was "Enter the last 5 digits of your
driver's license." I always have my driver's license with me, which sounds
good. The problem is NJ driver's license numbers are actually an encoding of
your data. The last 5 digits are your birth month and year (MMYY) plus a digit
that maps to your sex (0 or 1 for a female, 5 or 6 for a male). My Facebook
profile contains the answer to the security question.

~~~
lukeschlather
Never mind if I move to another state and throw out my old driver's license.

------
michaelchisari
I always give a standard answer to every secret question that has nothing to
do with the question being asked.

~~~
Joakal
Wait until you encounter some service like Yahoo Mail, which absolutely refuses
to change your password unless you remember the junk answers to the security
questions. Even if I provided an alternate email contact, the security
questions needed to be answered.

I stopped using them then.

~~~
michaelcampbell
Presumably if it's a standard answer, he'll not have forgotten any of them.

~~~
tomkarlo
That's back to the "I use the same password on all sites" problem, which is
essentially what he's doing - if he uses it on a site that's compromised, all
of his logins are now potentially exposed.

~~~
michaelchisari
That's true, although I do hash my answer with a domain-specific secret, I
should have mentioned that.

If at all possible, however, I don't fill out the secret question. There are
actually a good amount of major sites that let you skip that step.

I'd rather just be locked out if I forget the password, than have that be
another vector for taking over the account.
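One way to do what michaelchisari describes above (one memorable secret "hashed with a domain-specific secret" so that every site gets a different answer), as an added example that is not code from the thread; the master secret, site names and question text are constructed placeholders:

```python
# Added example (not from the thread): derive a per-site, per-question answer
# from one master secret, so a breach of one site's answer store reveals
# nothing that works at another site. Master secret and sites are constructed.
import base64
import hashlib
import hmac


def site_answer(master_secret: str, site: str, question: str, length: int = 16) -> str:
    """Per-site, per-question answer: HMAC-SHA256 keyed by the master secret."""
    # Case-fold so "Example.com" and "example.com" map to the same answer.
    message = f"{site.casefold()}|{question.casefold()}".encode()
    digest = hmac.new(master_secret.encode(), message, hashlib.sha256).digest()
    # Base32 yields letters and digits only, easy to read out to a phone rep.
    return base64.b32encode(digest).decode().rstrip("=")[:length].lower()


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed master secret
    for site in ("example.com", "example.net"):
        print(site, site_answer(master, site, "What was your first pet?"))
```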

------
sinaiman
Are there _any_ positives for security questions? Well, I suppose secret
questions are good for preventing brute force account recovery. You can't
expect to beat security questions in a timely way with an automated attack.
You would usually have to rely on manual search or social engineering, as
pointed out by the article. But the real question is, why even allow account
recovery via a publicly accessible web form in the first place?

So, I definitely agree with the article, there has to be a change. You sure
can beat security questions (at least in their current state), but it's
probably _much_ harder to get around something like email or SMS verification.

Chase.com and cardmemberservices.com are good examples of SMS/email account
verification done right, which I've used with great success, but both of these
sites already had my personal phone number, so SMS verification just makes
sense for them.

I suppose SMS verification is probably the closest thing we've got to real
user verification at the moment, am I silly to consider this the ideal venue
for account recovery?

The big issue, then, is it's definitely harder to get a user's phone number
than to get their mother's maiden name, but skipping all that extra input and
having a simple account recovery email should do the trick, shouldn't it? Most
of the times you're already collecting user emails.

Well, the biggest issue with email is that an email account can also be
compromised. Perhaps getting big email companies like Gmail to remove security
questions from their apps in lieu of SMS verification is the next step, while
everyone else just relies on email-based account recovery (unless SMS is an
option). If email security was more rock-solid, then email verification is all
we need, right?

~~~
reemrevnivek
Disagree - Security questions are much easier to brute force than passwords.
Assuming that you can send an answer to the database quickly and
automatically, and that you can select your dictionary based on the question,
most of the questions are easy.

Names? <http://www.census.gov/genealogy/names> is a good database for the US;
1,711 names will get you the top 50% of last names for "Mother's maiden name"
questions. 59 male names and 138 female names also represent 50% of the
population (yes, we're pretty unoriginal). There are <100,000 first and last
names in total (not combinations) which cover 90% of the population.

Birthdates? There are 365 days in a year, so 36,500 numbers will cover this
one.

Last N digits of your driver's license/social security number/credit card?
There are 10^N such numbers. N is often 4, which is a measly 1,000 numbers.

Pretty measly stats.

~~~
sinaiman
I see your point and suppose I stand corrected for the most common cases, so
then I'm really wondering what the benefits of security questions are. They
generally degrade the user experience and provide a publicly accessible avenue
for compromising a user account.

------
mithaler
I'm working for a client right now that's requiring us to collect no fewer than
three "shared secrets" from users who are signing up to buy a product. I can't
imagine they'd have less than a 90% drop-off at that point in the sale process.

Oh, they're also requiring that we encrypt the answers in the database. With
encryption keys stored on the same server. But that's a separate (and arguably
sillier) issue.

~~~
jrockway
_Oh, they're also requiring that we encrypt the answers in the database. With
encryption keys stored on the same server. But that's a separate (and arguably
sillier) issue._

Well, that's fine. Just keep the _decryption_ key somewhere else, or don't use
an algorithm that can be decrypted.

~~~
mithaler
While one-way encryption would be the obvious way to properly handle it, there
is a need in this project for customer support to be able to see the answers
to secret questions to verify them over the phone. And if we're automating
that, then anyone who's into the system already has everything they need to
recover the decryption key, even if it's elsewhere.

~~~
drdaeman
To verify the correctness, they can type the provided answers and the computer
will do its job, checking the hashes. That is, in case the phone support person
has immediate access to the computer (which is probably the case) and can type
fast enough.

The only thing required is a well-designed text normalization algorithm, which
will ignore all variations in case, spacing, punctuation, spelling (e.g.
"color" vs "colour") and other similar sorts of issues.

(In edge cases, where this may fail, the plaintext answers could be recovered
by an authorized person from an off-site write-only-API "secret storage"
server, where the data should lie encrypted with asymmetric crypto. Less
convenient, but more secure.)
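The normalize-then-hash flow drdaeman describes, which also absorbs the "U. of Iowa" vs "u of iowa" variation tomkarlo complains about at the top of the thread, as an added example that is not code from the thread; the spelling-variant table, the PBKDF2 parameters and the sample answers are constructed for this demo:

```python
# Added example (not from the thread): the verification flow drdaeman describes.
# The typed answer is normalized, then only a salted, slow hash is kept, so a
# support rep can check an answer over the phone without ever seeing it.
# The spelling-variant table and sample answers are constructed for this demo.
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed table of spelling variants folded to one canonical form.
SPELLING_VARIANTS = {"colour": "color", "grey": "gray", "theatre": "theater"}
SALT_LEN = 16
PBKDF2_ROUNDS = 200_000


def normalize(answer: str) -> str:
    """Fold case, accents, spacing, punctuation and known spelling variants."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # Keep only runs of letters/digits, so "U. of Iowa" == "u-of-iowa".
    words = re.findall(r"[a-z0-9]+", text.casefold())
    return "".join(SPELLING_VARIANTS.get(w, w) for w in words)


def _hash(normalized: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ROUNDS)


def enroll(answer: str) -> bytes:
    """Return salt || hash for storage; the plaintext answer is never stored."""
    salt = os.urandom(SALT_LEN)
    return salt + _hash(normalize(answer), salt)


def verify(stored: bytes, typed: str) -> bool:
    """Rehash what the rep typed and compare in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_hash(normalize(typed), salt), expected)


if __name__ == "__main__":
    record = enroll("O'Brien")  # constructed enrollment answer
    for typed in ("o brien", "O'BRIEN", "Smith"):
        print(f"{typed!r} -> {verify(record, typed)}")
```

Normalization only folds presentation; it cannot make "U. of Iowa" match "University of Iowa", which is the case where drdaeman's escrow fallback would be needed.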

------
chokma
I also do not understand the usefulness of "secret" questions ... mostly the
correct answer would be far too easy, so everyone with access to my website,
Twitter or Facebook pages would be able to answer it (or trick it out of me or
someone who knows me).

So now there are a lot of accounts with some very strange answers to their
secret questions - answers so far out that I would have to write them down
along with the complex password... which makes them completely redundant.

~~~
sabat
There are about four ways of authenticating a person, in traditional
security-think: something you know, something you have, something you are
(fingerprint et al.), and somewhere you are.

The secret question is an attempt at the first method. However, "what's your
mother's maiden name" fails because it's so easily discovered through web
sites (Ancestry.com!) and via social engineering.

------
kmfrk
I recall being asked by PayPal what the last four digits of the last credit
(debit?) card I used was, when I needed my password.

Problem was that the card had been ditched months ago, so there was no way I
was going to remember that. I eventually remembered the password, but I wonder
how I would have gained access to my account otherwise.

Some people are too creative with password "security" for their own good.

------
asdfor
Bad implementations of a feature do not make the feature bad as well. If you
as a site owner allow, for example, a password reset based on just answering
the secret question, guess what: bad implementation. If you don't inform the
users what the secret question can be used for, guess what: bad implementation.
If your users choose to use a question that has an answer that can be found
easily, it's the same as having a user use the word 'password' for a password.
I can go on and on about how you can get something like this wrong.

Let's say that my computer gets keylogged and the attacker gets the
account/password of site X and my email info as well. Now the attacker wants to
take over both of the accounts. Let's see how things will go if no secret
question is involved: at best site X will require an e-mail confirmation for a
password change; probably, by just providing the old password, the attacker
will be able to change it. On top of that, the site that hosts my e-mail can't
be linked to something else, because of that I guess by simply providing my
old password the attacker will get over my e-mail too.

HOWEVER, if the sites require a secret question/answer verification, the
attacker won't be able to take over my accounts. And I am able to change both
the password and get full control of the accounts.

The secret question/answer feature should be treated as a MASTER password. You
have your casual password, which allows you to identify yourself to the system
etc., but if you want to change some critical information of the account you
will have to provide your master password.

If both the site and the user make good use of the feature there is nothing
wrong with it.

------
sp_
I fully agree with the article and I am also one of the people that give bogus
(but consistent) answers to these questions. So for example for 'what is your
first pet' I fill in something like 'the last unicorn' or another phrase that
has never left my brain.

The article also reminds me of another anecdote. Many years ago in the last
millennium I checked out this German teenage forum (bravo.de) because, well, I
was a German teenager. Anyway, on that forum you could not only give the
answer to the security question. They even allowed you to specify the question
you want.

That feature amused me a lot and I checked out other people's self-made
security questions. Being a teenage forum in the late 90s, this is what
happened. A very substantial number of forum users had the security question
'what is my favorite Backstreet boy' or a variation thereof. And, well, pretty
much everybody loved Nick Carter. Nobody liked the others. In just one hour I
was able to log on to many, many accounts just with the phrase 'Nick'.

------
jordo37
I agree with the point that secret questions suck, but the entire idea of
any sort of second password as high-security is flawed. Daily WTF did a great
write-up (<http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx>) on how
real two-factor authentication requires two distinct forms - one based on what
you know, and one based on what you have. Historically the "what you have" has
been one of those RSA tokens but now Google is doing some two-factor using
phones and it's easy to do this using text messaging as well (as someone
mentioned). With this availability of cheap RSA devices and cell phones, I see
no reason why institutions such as banks - where I really care about the
security of my data - can't implement the same measures that Blizzard does for
World of Warcraft.

------
jdludlow
I use 1Password to generate a 50-character random "answer" for these nonsense
security questions. Then I store the question and the answer in a note tied to
the 1Password record.

If they really wanted to get clever, 1Password should offer an option to
perform this task automatically when you're filling out a registration form.

~~~
tzs
Why store them in a note, instead of as part of the form data for the page so
that 1Password can handle filling them in for you?

~~~
jdludlow
Yes, you're absolutely right. That's indeed what I'm doing in most cases.

------
fleitz
Just use a different password for secret questions. It thus becomes impossible
to guess or socially engineer.

~~~
edanm
Except that most people's passwords are incredibly easy to guess.

~~~
fleitz
Well then it's not going to do much good as you could guess their password
just as easily.

------
ryandvm
Also, it turns out that "What is your usual password?" is a bad secret
question.

~~~
CountHackulus
I did something like this recently. I got to enter my own secret question and
set it to "What's the usual?" meaning my usual password. Note, that this
wasn't the password I was using for the site.

Fast forward a few months, and I call the site's billing department. They
decide to verify my account by asking me my secret question. Cue the CS rep
on the other end being extremely confused when I successfully name out a long
string of characters that he thought was just corrupt data.

~~~
parfe
Your method is likely storing a plain text string that would grant access to
other accounts you own.

~~~
CountHackulus
True, but they're all throwaway accounts I don't care about. Things I do care
about all have their own unique password.

Excellent point about the plaintext though.

------
redacted
I have a 'Secure Note' in my OS X Keychain which contains answers to every
Secret Question. The answers are 12 digit random passwords (generated by
Keychain) containing letters, numbers, and symbols.

------
naz
Facebook is quite clever about this. To verify your identity under some
circumstances, Facebook shows you pictures of your friends and asks you to
identify them. It is up to you to figure out the best way to authenticate your
users.

~~~
michaelcampbell
It's almost a clever idea, but what FB really does is show you pictures that
have been TAGGED as your friends, when in reality it's up to whomever tagged
them to be correct. And I've seen plenty of pictures of woodland animals,
circus and carnival performers and other less respectable items tagged as my
friends when they clearly are not. So, it can be worse than secret questions
when you try to create an account somewhere and the secret question is "who is
this?" and the picture is of a horse in heat doing what nature dictates.

~~~
apperoid
However, I have heard that they do have some kind of face recognition
technology in place to only show you real faces for verification.

~~~
InclinedPlane
Yeah, that's BS, I've gone through the process and had to identify friends by
things like their elbow (lucky enough I knew the context of the picture and
could figure it out).

------
iujyhgtfhj
My bank has a good one - you have to supply three pairs of associated words or
phrases.

It's up to you what to use as questions and answers.

