Study Shows "Secret Questions" Are Too Easily Guessed

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.

Old news ?

[Anonymous Coward]

I guess everyone from the /. community already knew this.
I frequently fill out my "secret questions" with total random nonsense, like:

"What is bla times 12381?", A: "2823848232abc!"

I guess, if I can't guess it afterwards, noone else should be able too ;=) (providing the answer isn't easily brute forced)

Its a flawed concept

[Anonymous Coward]

They tell you to chose a difficult to guess password, checking that it is made up of letters and numbers, does not contain your name, etc. Then they ask you for an "easily remembered answer" to a question. This in effect is a secondary back-door password, which you are told to select with the opposite criteria to the main one.

Re:Don't use them

[nemesisrocks]

Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience.

Not bad if used with email

[Zouden]

Secret questions are only less secure than passwords if they tell you the password right away. But if they reset the password and email the new one to a pre-specified email account then just guessing the answer isn't enough; you'd have to have access to the victim's email account too.

This doesn't really work that well if the password is actually for someone's email account, though.

What did they really expect?

[Aladrin]

The questions have to be so easy that the owner will -never- forget them... That means they pretty much have to be a defining characteristic in a person's life.

Favorite color, birth city, mother's maiden name, location of first job, favorite pet, etc etc.

While my friends couldn't name a couple of those, it'd be stupidly easy for them to get those answers from me in a normal conversation. Even strangers, around friends, have a good chance at it.

Also, my bank takes this a step further... Sometimes when you log in, it asks you one of the security questions after you put in the name and password. I've never felt this made much sense, but oh well.

Re:Don't use them

[Shin-LaC]

Unfortunately, many sites require you to set up a secret question for password recovery. Disabling that facility is actually desirable if you want to enjoy the strength of password security.

Re:Don't use them

[4D6963]

Also, neither would you. Hence, disabling this whole huge security hole.

Fixed it for you. If you look at a security as a bunch of security components put together either in line or in parallel, you'll realise that when you put in parallel something somewhat secure like a password and something not very secure like asking a question, then the system is only as secure as the weaker of the two securities. You don't need to know much about someone to know or guess where they were born or what their favourite TV show it, I mean that's the kind of information people put on their Facebook profile for the whole world to see to begin with.

Re:random answers

[4D6963]

Yep, security-savvy users do that because they know that's just wrong, the problem is companies pushing that security measure when it actually undermines their security efforts. It's like they're really asking for accounts to be broken in.

encrypted password file

[mcelrath]

I just keep a gpg-encrypted file with all my passwords. When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file. This file is heavily backed up. I cannot imagine a scenario where I would lose a password, or the answers to "secret questions".

The only time I've had a problem is with stupid websites that require registration (and I don't care about, so didn't write down the gibberish I wrote in their registration form) and some time later I decided to come back to that stupid site.

Re:Don't use them

[Xest]

Not only that but when I have used them I've found them annoying as they're often case sensitive and it's easy to forget what you entered or how you entered it. What is your dog's name? Which dog? What is your date of birth? What date format?

They're just bad all round, often the questions you get to choose from either fall into the category of far too easily guessed/socially engineered such as where were you born which 90% of people you've ever met can tell from something like your accent or where you work and live if you never moved away or they fall into the category of being too ambiguous such that when it comes back to remembering how you entered it 3 tries will probably get you locked out.

Creating a list of questions that truly are secret and of which at least one is common to everyone is near impossible. You could start asking things like "Who at your workplace would you most like to sleep with" but I don't think most people would want to answer such intrusive questions!

Re:Don't use them

[Swizec]

While this is mostly true it ignore the fact that someone will notice a password change next time they log on.

So they've noticed a breach post facto when anything the hacker wanted to do was already done. Like I dunno, send a bunch of bad things in your name, steal your sensitive data and so on. Yeah, knowing they might have done this really helps preventing it from happening.

Re:I agree

[will_die]

Who the hell else would know that?
Every other web site that you visited that asked that question.

Re:Not bad if used with email

[Tukz]

So I was wondering. I forget my password to Site A, and go through a password recovery and answers a secret question only I know about, and then they send me a new password, or password recovery instructions, to my email.

This is where I get a bit confused. Why go though the entire Secret Question thing, if the system is going to send it to my email anyway?

Why not skip the secret question part, and just send me a email with instructions or new password right away?

Only thing it may protect against, is a stolen email account, but then you're screwed anyway, since it mails you....

Re:Don't use them

[3247]

While you may not be able to disable it, nothings stops you from having your mother's maiden name generated by apg.

Re:Don't use them

[Jurily]

Hence, rendering the whole facility useless, and causing you extra inconvenience.

Disabling an insecure security feature is not an inconvenience.

bogus answers

[DNS-and-BIND]

I always put a fake name as my Mom's maiden name. Why does anyone need to know that? It's just an ordinary word, and I always list it the same.

The problem comes with those idiot services that try to be too clever by half, and ask a battery of questions ("what was the name of your first grade teacher" "what was your first dog's name") and other such worthless trivia. These fields are required, and cannot be skipped. One day, the site decides to be clever again (I can picture some nerd furiously beating off as he thinks about his great idea) and asks me what's my favorite color when I log in. I mean, if I forget my password, that's my problem. But using these personal questions as some sort of CAPTCHA or user verification is just stupid.

Re:Spot on

[Anonymous Coward]

I don't understand your banking system at all. Here in Finland depending on the bank, you have a customer number or something else and a password plus/or a random number from your secret number card that your bank sent you.
I don't get it what's so hard to implement this in all banks. A little piece of paper with a hundred random 4-digit single use numbers on it and a database of these on the server. There's no way anyone oculd get to any of my bank accounts without physical access. Even with a keylogger or some other way they would only get my "username" and an allready used password.

Too easily guessed?

[Anonymous Coward]

Due to the stupid questions that have been asked.

Quite a few sites have begun adding "Roll your own question" options as well.
These ones are much safer to use.

But of course, if you do have one of those sites with the usual crap, just don't answer them directly.
Moms maiden name? How about Steve?
First Pets Name? Tyrannosaurus Fuckyou?
Favourite colour? Urple. (bonus points for those who get the reference.)

But then you have stupid idiots like Sarah Palin who enter their own question with something so easily identifiable. (a fucking zipcode? Holy hell woman)
So, back to square one it seems. Damn my 2 sided thoughts always balancing out.

Re:Not bad if used with email

[tylerni7]

If you were just emailed a new password without having to provide the answer to a short question, obnoxious people could reset your password every 8 hours or something.

Re:encrypted password file

[ortholattice]

"When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file."

Well, that's clever, everyone should do that. I'll have to teach my grandmother to write perl scripts, then remember what she called it, where she stored it, and how to run it everytime she is asked one of these retarded questions. Oh, and also how to save the output to her gpg file after remembering what her gpg file was called and where she stored it and what its password is.

If you (presumably) guard your passwords carefully (in this same gpg file?), why do you even bother saving the answer to the "secret question"? Just type a bunch of random keyboard characters (bang hard, using the opportunity to release the pent-up frustration), don't save it, and be done with it. Isn't that faster than going through the perl script rigamarole?

For most things - various user forums, etc. - I don't give a damn about all this password/secret question paranoia. If they crack it, so what? I haven't changed my slashdot password since day one, its easy for me to remember, and if someone cracks it and "steals" my "identity" here, well, I would probably find it amusing.

There are a relatively small number of things, such as bank accounts and trusted access to other people's networks (and yeah, my servers' roots) whose passwords I protect very carefully. Almost none of those things involve extra secret questions in case I forget the password, or if they do I've give a gibberish answer I don't save.

(OK, I have a CISSP cert, and those hyperparanoia-filled meetings I have to go to to keep it up sometimes make me want to scream).

Re:Don't use them

[John Hasler]

Sensible man. Now as long as he keeps that piece of paper secure (by keeping it in his wallet with his driver's license, perhaps) his account is secure. Until the Web site is cracked.

Re:Why don't...

[mokus000]

If they truly know you, I'd hope they got to that point because you trust them. When trust is misplaced, all bets are off when it comes to security.

Re:encrypted password file

[Anonymous Coward]

Your house is hit by an EMP, and all of your electronics stop functioning. Any offsite backups are also hit.

Foolishness aside, there's something to be said for being able to get back into your account without needing any of your current technology.

Ok, stop the smart ass solutions

[fph il quozientatore]

So, it seems every slashdotter is submitting his best SHA1 fancy trick to answer the security question. But I think you missed the problem. The problem is not securing the accounts of smart tech-savvy people, as they should already know how to do it themselves. It is "how do we make sure that Joe the Plumber, Granny, and Sarah do not set dumb-ass security questions leading their account to be pwned in less than ten seconds?"

And before that...

[itsdapead]

Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.

Trump that: E.E. 'Doc' Smith pointed out sometime in the 1930s that what the world really, really needed was a foolproof way of establishing someone's identity. Unfortunately, his solution was to have some omnipotent aliens come up with a magic identity bracelet, which isn't particularly helpful.

That's the real problem - these dumb-ass methods of establishing identities come about because there is no good solution on offer to let a service provider check that you are who you say you are - and no way do we trust our wonderfully tech-savvy governments or industries to set up and run one.

Re:Not bad if used with email

[Tukz]

I usually employ the "send and click link" method.

You request a password change, the system sends you an email with a link you need to visit, to confirm you did indeed request a password change. Only then does it generate a new, random, password and mails it to you.

No one can change your password, without your acceptance. No need for secret questions.

Re:duh, don't answer the question!

[GargamelSpaceman]

Not filling them out is dangerous. If you don't fill them out then a question is selected by default. No answer is still an answer. A reasonable guess to 'the answer' is nothing, or rather, I didn't fill it out.

I imagine an operator asking: What is your mother's maiden name? Then the perp being stumped, and after a period of silence, the operator determining that the question was answered correctly.

And a machine is almost guaranteed to be that dumb.

Re:Don't use them

[dfm3]

I can't believe you were modded funny instead of insightful. I do something like this for all my "secret questions", and write the answers down in a secure place.

Years ago we had a family member who started using the personal information of their relatives to commit fraud and identity theft. They knew us well enough to know the correct answers to most of the standard questions. Thus we've always seen the use of such questions as a security risk.

Re:I agree

[OhHellWithIt]

They should just stick to the most reliable password of all, mother's maiden name. Who the hell else would know that?

I assume you are making a joke. One source is public records. If you're married in the U.S., there is a marriage record on file in the courthouse of the county where you're married. This record is open to the public, and (at least in the state where I live), it lists the names of the couple's parents, as well as the places of birth of the couple. That tells me where you were born.

The courthouse of the county where you were born will have your mother's maiden name on your birth record -- which I believe is also a public record -- and, if I remember correctly, also your father's birth info.

I've started using a friend's mother's maiden name. The big problem comes when I can't remember whether the account was set up before or after I started this practice.

As for most of the other special questions I've seen, they are either easily guessed by someone who knows me fairly well, or they are such obscure things that I may well forget them in about ten years -- long before I expect Alzheimer's has kicked in. You'd think I shouldn't have to worry about people who know me, but remember that most frauds are perpetrated by people who know the victim.

Re:encrypted password file

[mcelrath]

So why bother saving the answers to secret questions? If you're not going to lose the password, surely you won't need the answers to the secret questions. And if you lose access to the password file, you've also lost the answers to the secret questions.

Just in case. You never know when a password gets grabbed by e.g. a keylogger, network sniffer, or insecurity on the server side.

Re:delimited passwords

[afex]

i've never understood this approach...if someone hacks your amazon account and sees that it's "amazon*ninasinmypants", don't i now know that your bank's password is "chase*ninjainmypants" and your ebay password is "ebay*ninjainmypants"? This is a serious question btw - i'm sure there's a good reason for doing this as i've heard of many people doing it, but i just never got it...

Re:Don't use them

[SQLGuru]

You could always use the same answer for every question (regardless)

From your bank:
What was the name of your first pet? PASSPHRASE@bankdomain.com12345

From your e-mail:
What is your mother's middle name? PASSPHRASE@emaildomain.com12345

From your favorite blog:
What is your favorite color? PASSPHRASE@blogdomain.com12345

Not easily guessable without prior knowledge of the pattern, but easy enough for you to derive as needed. Now, the question would be whether or not they forward-only encrypt the answer and verify it much like a password or if it's stored in clear text that any numbnutz with DB access could poke around. Hopefully it's treated as secure as a password, but I could see a lot of places not treating it that securely (which is probably mentioned in the articles that I didn't read).

Re:bogus answers

[DMUTPeregrine]

And yet your PIN is still just 4 numbers. Everywhere.