Security

Study Shows "Secret Questions" Are Too Easily Guessed

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.
  • Re:Don't use them (Score:5, Interesting)

    by Anonymous Coward on Tuesday May 19, 2009 @05:27AM (#28008981)

    Some services let you choose the question as well as the answer. In that case, I always set the question to "What is my password?"

  • by rolfwind ( 528248 ) on Tuesday May 19, 2009 @05:31AM (#28009003)

    What is the surprise? They don't have to follow the same rules as passwords (letters and at least 1 number, etc) that many sites enforce. Plus, if they don't let you make your own question, they pretty much stick to the same stupid, generic 5-8 questions they all have.

    If someone really wanted to go on a phishing expedition, they would open a site that requires registration, security questions, and all that, and then try the information on the webmail of the people who just registered. Probably would work phenomenally as well.

    If websites wanted to be truly secure, they would ask for a mailing address or at least a phone number to confirm resetting things (thinking of financial accounts, not stupid forums). They confirm the same inane, easily duplicable facts in real life, but at least they have to reach you at a confirmed safe location.

  • Why don't... (Score:5, Interesting)

    by Jamamala ( 983884 ) on Tuesday May 19, 2009 @05:44AM (#28009089)
    You just submit the hash of your answer as the real answer? This would outwit a sizeable proportion of attacks by people who know you, as they might be unlikely to guess that you'd do this, and even if they do, they'd still have to guess the hash type.

    Then again, if they truly know you, then maybe they'd guess you'd be this paranoid :P
  • by Rosco P. Coltrane ( 209368 ) on Tuesday May 19, 2009 @05:47AM (#28009117)

    If I'm allowed to choose the question, I use the time-tested method that was used in 80s games, which is "word in page x, line x, x-th word". If I'm not, it's usually a "pet" or "mother's name" question and I use the characters names or animals in the book.

    I also use the book as a source for passwords for the many accounts I have everywhere on the internet. I spell out the login name in the book (say "Mylogin") by looking for the first word starting with "M", then the next word with "y", then the next word with "l", etc... until I find a word that starts with "n", use the very next word that's 8 characters or more, append the line number, and that's my password.

    I usually remember most passwords I use all the time, but for the accounts I seldom use, the book title is the only thing I need to remember to recover my passwords. Given the size of my library and the fact that the book is a huge, boring French novel, tough luck even for a burglar to find it.

  • Re:Don't use them (Score:4, Interesting)

    by pkretek ( 247414 ) on Tuesday May 19, 2009 @05:50AM (#28009137)

    I always sha those stupid questions with a related answer and some number: echo -n MyPet01|shasum -

  • by Anonymous Coward on Tuesday May 19, 2009 @05:54AM (#28009163)

    I have a list of some ~150 accounts and passwords on paper in an unlocked cupboard. They are forum accounts, accounts to online communities (digg, etc.), online stores, to my less important emails, to some FTP servers, etc. etc...

    I don't need to worry about hard drive failures or hackers - everything is on paper and offline. I don't need to worry about my family members wanting to log into my driveThruRPG online store account - why would they want to? And even if they did they could do nothing without my paypal account.

    There are only a few passwords that aren't on the list - my private e-mail, my work e-mail, my paypal, logins to my home and work computers and login to the encrypted partition on my hard drive.

    I don't use the same password in any two places. Only flaw of this is that if I were to lose that list (probably due to my house burning down) I would have to recover a lot of passwords. However, in such event the password recoveries would be the last thing to worry about...

  • Spot on (Score:5, Interesting)

    by pjt33 ( 739471 ) on Tuesday May 19, 2009 @05:56AM (#28009181)

    Shame I just used my mod points. There are plenty of cultures in which women don't change their names when they marry, and even in those where they do they tend not to change them unless they marry, which is becoming less common. Fortunately banks are starting to wake up, and maybe in a decade they'll all have semi-sensible account security.

  • Re:Don't use them (Score:5, Interesting)

    by pbhj ( 607776 ) on Tuesday May 19, 2009 @05:57AM (#28009187) Homepage Journal

    I bet it stores the answers as plain text instead of hashing it like your pass. You're probably basically giving the support guys your password, hope you don't use it elsewhere ... but no, of course no one would make a system that retarded

  • Re:Don't use them (Score:4, Interesting)

    by Opportunist ( 166417 ) on Tuesday May 19, 2009 @06:45AM (#28009385)

    It can be used sensibly. You can come up with a paragraph in a book (I have one), use the first letters, use the sentences up to the last one as the question and the last sentence as the answer.

    Not foolproof, but generally good enough. At least when the system allows you to ask your own question.

  • by QuestorTapes ( 663783 ) on Tuesday May 19, 2009 @07:30AM (#28009629)

    Primarily, I believe that is useful for sites that reset the password when you request it. Some do that and send you a new password, instead of looking it up. This is mostly if they encrypted it and discarded the original password. That way some random person is less likely to unset your password unexpectedly.

    My bank uses similar logic, for an authorized computer designation. They track the computer I'm logged in from, and if I change computers, I have to click to email (or text message) a secondary key for that machine, to my previously registered email/cellphone.

    I don't need to provide the secondary key if I'm logging in from the same computer as last time. But when I change computers, they invalidate the secondary key for the previous computer.
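The device-binding flow described in the comment above, as an added example that is not part of the original post and not any bank's code: a login from an unrecognised machine triggers a one-time code sent to the user's previously registered channel, a correct code binds a fresh device token, and binding a new device invalidates the previous one. The class name, the in-memory "outbox" standing in for email/SMS delivery, and the single-bound-device policy are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class AuthorizedDeviceService:
    """Constructed model of an 'authorized computer' check (example, not a real bank's implementation).

    Assumptions: one registered out-of-band channel per user, one bound device at a time,
    and a device token that the browser stores (e.g. in a cookie) and presents at login.
    Only a hash of the token is kept server-side, so a database leak does not yield usable tokens.
    """

    def __init__(self):
        self.users = {}    # username -> {"device_hash": str|None, "channel": str}
        self.pending = {}  # username -> (one-time code, candidate device token)
        self.outbox = []   # (channel, code) messages "sent" to the registered channel

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username, channel):
        """Enroll a user with the email/phone that will receive secondary keys."""
        self.users[username] = {"device_hash": None, "channel": channel}

    def login(self, username, device_token):
        """Return 'ok' when the presented token matches the bound device; otherwise
        start a challenge: send a one-time code to the registered channel and return 'challenge'."""
        user = self.users[username]
        if (device_token is not None and user["device_hash"] is not None
                and hmac.compare_digest(self._h(device_token), user["device_hash"])):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        candidate = secrets.token_urlsafe(32)
        self.pending[username] = (code, candidate)
        self.outbox.append((user["channel"], code))
        return "challenge"

    def confirm(self, username, code):
        """Bind the candidate device on a correct code and return its token to the client.
        The previous device's token stops working because only one hash is stored.
        A wrong code discards the pending challenge; the user must log in again for a new code,
        which limits online guessing of the six-digit value."""
        entry = self.pending.pop(username, None)
        if entry is None or not hmac.compare_digest(entry[0], code):
            return None
        _, candidate = entry
        self.users[username]["device_hash"] = self._h(candidate)
        return candidate
```

A real deployment would also expire pending codes, rate-limit `login`, and bind the token to a cookie flagged `Secure` and `HttpOnly`; the point here is only the invalidate-on-rebind behaviour the comment describes.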

  • Re:Don't use them (Score:3, Interesting)

    by John Hasler ( 414242 ) on Tuesday May 19, 2009 @08:04AM (#28009863) Homepage

    You are assuming that the answer actually is his password.

  • What I do (Score:2, Interesting)

    by DeHackEd ( 159723 ) on Tuesday May 19, 2009 @09:05AM (#28010487) Homepage

    Regrettably a few sites I visit regularly (including my bank) may prompt me for these questions, so a question of "Mash the keyboard!" and an answer of "alsjdgiosadln" no longer works.

    Instead, as someone already stated, I select a secret question of "What is my password?" and if it's necessary for a second, "Type my password backwards." (answer: drowssap)

    And finally, if it's a question to be asked by a human (tech support for an ISP I know of does this now), the question is something silly. As fun as "What are you wearing?" would be, I have sympathy for the employees and instead have "The Joker is invading Gotham - what do I do?"

  • delimited passwords (Score:3, Interesting)

    by Anonymous Coward on Tuesday May 19, 2009 @09:28AM (#28010729)

    I, too, have always deplored the secret question. So many sites force you to use them but they are really just insecure back doors into your account.

    My solution? For years I've been treating passwords and secret questions as two fields each, delimited by a non-alphanumeric. For example: say my mother's maiden name is "harris" and I'm entering it as a secret answer on amazon.com. I would answer "amazon*harris". For passwords, I have a standard password, for example, "ninjasinmypants". At amazon.com, my password would be "amazon*ninjasinmypants". That way my password is different from site to site, but still easy to remember.

    Add some password common sense, e.g. not using dictionary words, and you end up with pretty strong passwords that are easy to remember.
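An added example (not code from any of the commenters above) covering two ideas in this thread: the hashed-answer trick from Jamamala and pkretek, and the per-site delimited answer from the comment just above. The first function reproduces what `echo -n MyPet01 | shasum -` prints and makes the common pitfall explicit: without `-n`, `echo` appends a newline and the digest, and therefore the answer the site will accept, is different. The second generalises "site*answer" into a keyed derivation (HMAC-SHA256 under a master secret), so that an answer leaked from one site, which pbhj notes is likely stored in plaintext, reveals neither the pattern nor the answers used elsewhere, and the strength does not depend on an attacker failing to guess the hash type. The master secret, the separator byte and the 20-character truncation are assumptions chosen for the example.

```python
import hashlib
import hmac


def shasum_of(answer, trailing_newline=False):
    """SHA-1 hex digest of `answer`, as `echo -n <answer> | shasum -` prints it.

    With trailing_newline=True the input is what `echo <answer>` (no -n) would pipe in;
    the digest differs, which is how people lock themselves out of their own recovery question.
    """
    data = answer.encode("utf-8") + (b"\n" if trailing_newline else b"")
    return hashlib.sha1(data).hexdigest()


def derived_answer(master_secret, site, question, base_answer="", length=20):
    """Per-site secret-question answer derived from a master secret (example scheme).

    Inputs are normalised (lower-cased, trimmed) so that "Amazon.com " and "amazon.com"
    yield the same answer; they are joined with an ASCII unit separator so that
    ("ab","c") and ("a","bc") cannot collide. The result is the first `length` hex
    characters of HMAC-SHA256, which is enough entropy for an online guessing attack
    to be hopeless while still being typeable into a web form.
    """
    parts = [site, question, base_answer]
    msg = "\x1f".join(p.strip().lower() for p in parts).encode("utf-8")
    mac = hmac.new(master_secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()
    return mac[:length]


def answers_for(master_secret, site, questions):
    """Derive the answers for every question a site asks, keyed by the question text."""
    return {q: derived_answer(master_secret, site, q, base) for q, base in questions.items()}
```

Usage is `derived_answer("<master secret>", "amazon.com", "mother's maiden name", "harris")`; the `base_answer` is optional and only there so the scheme degrades gracefully to the plain delimited approach when the master secret is weak. Keep the master secret in a password manager, not in the same notebook as the answers, and regenerate with the same inputs whenever a site asks.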

  • by the_raptor ( 652941 ) on Tuesday May 19, 2009 @10:07AM (#28011181)

    Here in Australia the Federal government department Centrelink (who are responsible for welfare, student support etc) make you answer a secret question every time you log on to their online system. Which is moronic, as your user name is your customer ID, which you aren't supposed to give out, and they enforce strong passwords.

    Funny thing is that when you set a decent secret question you probably won't remember the answer over a year later (too clever for my own good). Of course their system is "smartly" designed and you can't get rid of your old questions, just make new ones. So now I have about five questions I can't remember the answer to and twenty that are along the lines of "What is your name?" and I just hit refresh until I get an easy one.

    Remember folks if you make your security too tight people will just write their passwords on a sticky note and put it on their monitor.
