Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Study Shows "Secret Questions" Are Too Easily Guessed 303

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.
This discussion has been archived. No new comments can be posted.

Study Shows "Secret Questions" Are Too Easily Guessed

Comments Filter:
  • by slart42 ( 694765 ) on Tuesday May 19, 2009 @05:13AM (#28008885)

    I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

    • Re: (Score:2, Funny)

      by Anonymous Coward

      I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

      Until now......

    • Re: (Score:3, Insightful)

      Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience.
      • Re:Don't use them (Score:5, Insightful)

        by Shin-LaC ( 1333529 ) on Tuesday May 19, 2009 @05:27AM (#28008979)
        Unfortunately, many sites require you to set up a secret question for password recovery. Disabling that facility is actually desirable if you want to enjoy the strength of password security.
        • Re:Don't use them (Score:5, Informative)

          by zonky ( 1153039 ) on Tuesday May 19, 2009 @05:33AM (#28009019)
          Password safe [] , add the question and give a randomly generator combination as the answer. Problem solved.
          • And here's me thinking I might skip the whole password safe type thing and just wing it. At least until my job required me to sign up for some HSBC corporate banking stuff. Turns out that while you do give a password, they never, ever, ask you for it. 4 weeks later when they get around to telling you your application has been approved, you have dredge back up all the bogus 90210 crap you typed in: Mothers maiden name, shoe size at 11 years of age, what you ate for breakfast on the 13 of Sep

            • Re:Don't use them (Score:4, Insightful)

              by SQLGuru ( 980662 ) on Tuesday May 19, 2009 @11:44AM (#28012615) Journal

              You could always use the same answer for every question (regardless)

              From your bank:
              What was the name of your first pet? PASSPHRASE@bankdomain.com12345

              From your e-mail:
              What is your mother's middle name? PASSPHRASE@emaildomain.com12345

              From your favorite blog:
              What is your favorite color? PASSPHRASE@blogdomain.com12345

              Not easily guessable without prior knowledge of the pattern, but easy enough for you to derive as needed. Now, the question would be whether or not they forward-only encrypt the answer and verify it much like a password or if it's stored in clear text that any numbnutz with DB access could poke around. Hopefully it's treated as secure as a password, but I could see a lot of places not treating it that securely (which is probably mentioned in the articles that I didn't read).

        • Re: (Score:3, Insightful)

          by 3247 ( 161794 )

          While you may not be able to disable it, nothings stops you from having your mother's maiden name generated by apg.

        • Re:Don't use them (Score:4, Interesting)

          by Opportunist ( 166417 ) on Tuesday May 19, 2009 @06:45AM (#28009385)

          It can be used sensibly. You can come up with a paragraph in a book (I have one), use the first letters, use the sentences up to the last one as the question and the last sentence as the answer.

          Not foolproof, but generally good enough. At least when the system allows you to ask your own question.

        • by Splab ( 574204 )

          Thats why my secret question when possible is a string of random characters with the answer always being another string of random chars (makepasswd --char=15).

          Yes that means I won't be able to ever recover my password if forgotten, but neither will anyone else.

        • Unfortunately, many sites require you to set up a secret question for password recovery. Disabling that facility is actually desirable if you want to enjoy the strength of password security.

          It is what Bruce Schneier described he does in the article behind the last link.

      • Re:Don't use them (Score:4, Insightful)

        by 4D6963 ( 933028 ) on Tuesday May 19, 2009 @05:34AM (#28009025)

        Also, neither would you. Hence, disabling this whole huge security hole.

        Fixed it for you. If you look at a security as a bunch of security components put together either in line or in parallel, you'll realise that when you put in parallel something somewhat secure like a password and something not very secure like asking a question, then the system is only as secure as the weaker of the two securities. You don't need to know much about someone to know or guess where they were born or what their favourite TV show it, I mean that's the kind of information people put on their Facebook profile for the whole world to see to begin with.

      • Re:Don't use them (Score:5, Insightful)

        by Jurily ( 900488 ) <jurily@g m a i l . com> on Tuesday May 19, 2009 @06:40AM (#28009361)

        Hence, rendering the whole facility useless, and causing you extra inconvenience.

        Disabling an insecure security feature is not an inconvenience.

      • Re: (Score:3, Funny)

        Being forced to enter "Ajkdua9uMNDiau9dfuJdjA(D82*27UAd89Z&DADAUIdjk" as your pet's name is certainly an inconvenience. At many sites you must actually enter it twice.

      • "Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience."

        Not really, he just keeps OIYNTDttye7it867t&%&^%&^T( in a text file near his root directory called passwords.txt ;)
      • by CarpetShark ( 865376 ) on Tuesday May 19, 2009 @09:39AM (#28010859)

        Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience.

        Think how the dog feels, running to his bowl for food every time the fax machine starts a handshake.

    • Re:Don't use them (Score:5, Interesting)

      by Anonymous Coward on Tuesday May 19, 2009 @05:27AM (#28008981)

      Some services let you choose the question as well as the answer. In that case, I always set the question to "What is my password?"

    • Re:Don't use them (Score:5, Insightful)

      by Xest ( 935314 ) on Tuesday May 19, 2009 @05:43AM (#28009085)

      Not only that but when I have used them I've found them annoying as they're often case sensitive and it's easy to forget what you entered or how you entered it. What is your dog's name? Which dog? What is your date of birth? What date format?

      They're just bad all round, often the questions you get to choose from either fall into the category of far too easily guessed/socially engineered such as where were you born which 90% of people you've ever met can tell from something like your accent or where you work and live if you never moved away or they fall into the category of being too ambiguous such that when it comes back to remembering how you entered it 3 tries will probably get you locked out.

      Creating a list of questions that truly are secret and of which at least one is common to everyone is near impossible. You could start asking things like "Who at your workplace would you most like to sleep with" but I don't think most people would want to answer such intrusive questions!

    • My pet's name is JDianD_6S8pXOHMK8m2C!

      If I lose my password, I probably lost my computer(or my memory?), which means creating a new account is less hassle than what I'd be going through at the time.

      But... I've never lost a password yet. The only troubles I've had with passwords is when sites get hacked. They give you short new ones by email, but the new ones sometimes don't work when you try to change them(to something more secure), so then you're stuck with them. :/

      If you actually use the secret questions

    • Re:Don't use them (Score:4, Interesting)

      by pkretek ( 247414 ) on Tuesday May 19, 2009 @05:50AM (#28009137)

      I always sha those stupid questions with a related answer and some number: echo -n MyPet01|shasum -

    • Re: (Score:2, Informative)

      by Anonymous Coward

      I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

      The name of my first pet, a hamster, was

      Spotty'delete from secretquestions;--

    • Re: (Score:3, Insightful)

      by dfm3 ( 830843 )
      I can't believe you were modded funny instead of insightful. I do something like this for all my "secret questions", and write the answers down in a secure place.

      Years ago we had a family member who started using the personal information of their relatives to commit fraud and identity theft. They knew us well enough to know the correct answers to most of the standard questions. Thus we've always seen the use of such questions as a security risk.
  • Old news ? (Score:2, Insightful)

    by Anonymous Coward

    I guess everyone from the /. community already knew this.
    I frequently fill out my "secret questions" with total random nonsense, like:

    "What is bla times 12381?", A: "2823848232abc!"

    I guess, if I can't guess it afterwards, noone else should be able too ;=) (providing the answer isn't easily brute forced)

  • by Anonymous Coward
    They tell you to chose a difficult to guess password, checking that it is made up of letters and numbers, does not contain your name, etc. Then they ask you for an "easily remembered answer" to a question. This in effect is a secondary back-door password, which you are told to select with the opposite criteria to the main one.
    • by digitig ( 1056110 ) on Tuesday May 19, 2009 @07:19AM (#28009555)
      To be fair, most of the systems I have seen that have secret question type security don't let you in on the basis of the secret question, they email a replacement password to you, and only use the secret question to reduce DOS attacks and minimise the sending of plain-text passwords. Surely in that case it's only an issue if the cracker has already compromised your email account?
  • by Spad ( 470073 )

    This is why when I'm forced to have a secret question / answer I always use gibberish.

    I reason that in the unlikely event I forget my password I'd rather have the hassle of going through a more long-winded retrieval process than having random people able to reset my password.

    We did this to a friend when I was still at school - "Forgot" his Yahoo Mail password, guessed his secret answer and reset his password. No malicious intent, we just enjoyed winding him up, but I reckon a good 15 or 20 people that I kne

  • Radomness and strangeness are your friends when it comes to this sort of thing. I don't think too many people would guess one of mine (obviously no longer in use)

    Q: How many Alsations mime to rice ?
    A: Egyptian Eskimo Chess

    Of course it helps if such systems at least allow you to set up your own questions as that is entirely memorable to me :)

    It also confused the hell out of my bank when my memorable date was too far in the future for it's system to cope with. That soon made me switch banks to one with a ha

    • by dword ( 735428 )

      I use the same answer to "Secret Questions" all over the place... now I realize, that's just as bad as using the same password!

    • by jez9999 ( 618189 )

      It also confused the hell out of my bank when my memorable date was too far in the future for it's system to cope with. That soon made me switch banks to one with a half decent system !

      Was it L. Ron Hubbard's prediction for the date/time of the end of the universe?

  • by Zouden ( 232738 ) on Tuesday May 19, 2009 @05:21AM (#28008931)

    Secret questions are only less secure than passwords if they tell you the password right away. But if they reset the password and email the new one to a pre-specified email account then just guessing the answer isn't enough; you'd have to have access to the victim's email account too.

    This doesn't really work that well if the password is actually for someone's email account, though.

    • Re: (Score:3, Insightful)

      by Tukz ( 664339 )

      So I was wondering. I forget my password to Site A, and go through a password recovery and answers a secret question only I know about, and then they send me a new password, or password recovery instructions, to my email.

      This is where I get a bit confused. Why go though the entire Secret Question thing, if the system is going to send it to my email anyway?

      Why not skip the secret question part, and just send me a email with instructions or new password right away?

      Only thing it may protect against, is a stole

      • Re: (Score:3, Interesting)

        Primarily, I believe that is useful for sites that reset the password when you request it. Some do that and send you a new password, instead of looking it up. This is mostly if they encrypted it and discarded the original password. That way some random person is less likely to unset your password unexpectedly.

        My bank uses similar logic, for an authorized computer designation. They track the computer I'm logged in from, and if I change computers, I have to click to email (or text message) a secondary key for

      • by tylerni7 ( 944579 ) on Tuesday May 19, 2009 @07:53AM (#28009787) Homepage
        If you were just emailed a new password without having to provide the answer to a short question, obnoxious people could reset your password every 8 hours or something.
        • Re: (Score:3, Insightful)

          by Tukz ( 664339 )

          I usually employ the "send and click link" method.

          You request a password change, the system sends you an email with a link you need to visit, to confirm you did indeed request a password change. Only then does it generate a new, random, password and mails it to you.

          No one can change your password, without your acceptance. No need for secret questions.

    • This doesn't really work that well if the password is actually for someone's email account, though.

      Exactly. If I was malicious wouldn't attack someone's bank account directly. I'd crack their email account and then likely get dozens of passwords at once. I'd likely get information about other accounts they have that I wasn't aware of, oh you have an investment account from your last jobs pension, how nice.

      Once you have the email account you can then with a lot of sites tell them that you forgot the password and have them resend it to the compromised email address. The problem with security questions IM

  • by Aladrin ( 926209 ) on Tuesday May 19, 2009 @05:25AM (#28008967)

    The questions have to be so easy that the owner will -never- forget them... That means they pretty much have to be a defining characteristic in a person's life.

    Favorite color, birth city, mother's maiden name, location of first job, favorite pet, etc etc.

    While my friends couldn't name a couple of those, it'd be stupidly easy for them to get those answers from me in a normal conversation. Even strangers, around friends, have a good chance at it.

    Also, my bank takes this a step further... Sometimes when you log in, it asks you one of the security questions after you put in the name and password. I've never felt this made much sense, but oh well.

    • The questions have to be so easy that the owner will -never- forget them...

      Unless, of course, they force you to use security questions that (1) you don't have an answer to, or (2) you have an answer that doesn't satisfy their assumptions about possible answers; then you have to make up an answer on the spot that you won't remember a week later.

      (1) "Who is your favorite author?" I have a handful of authors I like, but I don't go to the trouble of choosing a "favorite" one, so I had to pick one at random and forgot to write it down, so I couldn't answer the question a year later.


  • People who use unsecure password will use unsecure retrieval question. Guess what is the problem? Worse, once their uber secure password is stored on their navigator, they will use a simple question. In the end, the user is almost ever the problem.
    I usually use something personal enough so that nobody else, even my girlfriend, knows the answer.
  • My question is: (Score:2, Informative)

    Who has more water that we expect to?

  • by rolfwind ( 528248 ) on Tuesday May 19, 2009 @05:31AM (#28009003)

    What is the surprise? They don't have to follow the same rules as passwords (letters and at least 1 number, etc) that many sites enforce. Plus, if they don't let you make your own question, they pretty much stick to the same stupid, generic 5-8 questions they all have.

    If someone was really wanted to go on a phishing expedition, they would open a site that requires registration, security questions, and all that, and then try the information on the webmail of the people who just registered. Probably would work phenomally as well.

    If websites wanted to be truly secure, they would ask for a mailing address or at least a phone number to confirm resetting things (thinking of financial accounts, not stupid forums). They confirm the same inane, easily duplicable facts in real life, but at least they have to reach you at a confirmed safe location.

  • I agree (Score:5, Funny)

    by jez9999 ( 618189 ) on Tuesday May 19, 2009 @05:34AM (#28009027) Homepage Journal

    Secret questions are way to easily guessed. They should just stick to the most reliable password of all, mother's maiden name. Who the hell else would know that?

  • by mcelrath ( 8027 ) on Tuesday May 19, 2009 @05:39AM (#28009055) Homepage

    I just keep a gpg-encrypted file with all my passwords. When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file. This file is heavily backed up. I cannot imagine a scenario where I would lose a password, or the answers to "secret questions".

    The only time I've had a problem is with stupid websites that require registration (and I don't care about, so didn't write down the gibberish I wrote in their registration form) and some time later I decided to come back to that stupid site.

    • by ortholattice ( 175065 ) on Tuesday May 19, 2009 @07:54AM (#28009791)

      "When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file."

      Well, that's clever, everyone should do that. I'll have to teach my grandmother to write perl scripts, then remember what she called it, where she stored it, and how to run it everytime she is asked one of these retarded questions. Oh, and also how to save the output to her gpg file after remembering what her gpg file was called and where she stored it and what its password is.

      If you (presumably) guard your passwords carefully (in this same gpg file?), why do you even bother saving the answer to the "secret question"? Just type a bunch of random keyboard characters (bang hard, using the opportunity to release the pent-up frustration), don't save it, and be done with it. Isn't that faster than going through the perl script rigamarole?

      For most things - various user forums, etc. - I don't give a damn about all this password/secret question paranoia. If they crack it, so what? I haven't changed my slashdot password since day one, its easy for me to remember, and if someone cracks it and "steals" my "identity" here, well, I would probably find it amusing.

      There are a relatively small number of things, such as bank accounts and trusted access to other people's networks (and yeah, my servers' roots) whose passwords I protect very carefully. Almost none of those things involve extra secret questions in case I forget the password, or if they do I've give a gibberish answer I don't save.

      (OK, I have a CISSP cert, and those hyperparanoia-filled meetings I have to go to to keep it up sometimes make me want to scream).

  • Why don't... (Score:5, Interesting)

    by Jamamala ( 983884 ) on Tuesday May 19, 2009 @05:44AM (#28009089)
    You just submit the hash of your answer as the real answer? This would outwit a sizeable proportion of attacks by people who know you, as they might be unlikely to guess that you'd do this, and even if they do, they'd still have to guess the hash type.

    Then again, if they truly know you, then maybe they'd guess you'd be this paranoid :P
    • I used to fill in gibberish for the secret question answer. Now I use an alternate password, since that is *really* what I want--another way in if my account gets hijacked--not a password reminder.

      Oh, and as far as hashing a standard answer goes, you could also just convert some letters to numbers (as is common with passwords), or have the answer be the real answer written once forward and backward, i.e., you can implement encoding algorithms yourself without needing to pull up the command prompt (which

    • Re: (Score:2, Insightful)

      by mokus000 ( 1491841 )

      If they truly know you, I'd hope they got to that point because you trust them. When trust is misplaced, all bets are off when it comes to security.

  • My Qs (Score:4, Funny)

    by Daimanta ( 1140543 ) on Tuesday May 19, 2009 @05:46AM (#28009107) Journal

    Q What is the highest prime number?
    Q In 60 characters, prove Goldbach's conjecture
    Q How many palindromic primes are there in base-10?
    Q What is the lowest Sierpinski numer?
    Q Solve the Happy Ending problem for arbitrary n
    Q Prove or disprove that the Euler-Mascheroni constant is irrational in 60 chars.

    Crack my account and I'll use your idea ^^

    • by pjt33 ( 739471 )

      Q What is the highest prime number?

      There isn't one.

      Yes, I see your point. It would take quite a while to enumerate all the possible answers.

      Q What is the lowest Sierpinski numer?

      22,699. Am I right?

      • Q What is the lowest Sierpinski numer?

        22,699. Am I right?

        Well, it's 10223, 21181, 22699, 24737, 55459, 67607 or 78557. That looks manageable for a brute-force attack.

    • Re: (Score:2, Funny)

      No these are far too easy. Want we want are SECRET QUESTIONS, not answers. Mine is, "The answer is 42. What is the question?".
  • by Rosco P. Coltrane ( 209368 ) on Tuesday May 19, 2009 @05:47AM (#28009117)

    If I'm allowed to choose the question, I use the time-tested method that was used in 80s games, which is "word in page x, line x, x-th word". If I'm not, it's usually a "pet" or "mother's name" question and I use the characters names or animals in the book.

    I also use the book as a source for passwords for the many accounts I have everywhere on the internet. I spell out the login name in the book (say "Mylogin") by looking for the first word starting with "M", then the next word with "y", then the nex word with "l", etc... until I find a word that starts with "n", use the very next word that's 8 characters or more, append the line number, and that's my password.

    I usually remember most passwords I use all the time, but for the accounts I seldom use, the book title is the only thing I need to remember to recover my passwords. Given the size of my library and the fact that the book is a huge, boring French novel, tough luck even for a burglar to find it.

  • The worst are the ones that force you to have a "secret" question. Oh like its that hard for an acquaintance to guess your high school, or your mother's maiden name?

    Usually I just create a second password (I'm sure somewhere my mother's maiden name is inwyd15), but even that is one more thing that can get loose.

    • by dword ( 735428 )

      But... wait a moment! What if a company can sue you for providing them with false information? They want to check your account on another provider that tells you your password instead of changing it when you go to "Forgot my password". They check the details of your account with them, see they're bogus and try them. If they work, it's the company's lucky day. If they don't, they can try to sue you to obtain the information from you or to make you change your question and answer. Then, they can scare you by

  • bogus answers (Score:3, Insightful)

    by DNS-and-BIND ( 461968 ) on Tuesday May 19, 2009 @06:40AM (#28009367) Homepage
    I always put a fake name as my Mom's maiden name. Why does anyone need to know that? It's just an ordinary word, and I always list it the same.

    The problem comes with those idiot services that try to be too clever by half, and ask a battery of questions ("what was the name of your first grade teacher" "what was your first dog's name") and other such worthless trivia. These fields are required, and cannot be skipped. One day, the site decides to be clever again (I can picture some nerd furiously beating off as he thinks about his great idea) and asks me what's my favorite color when I log in. I mean, if I forget my password, that's my problem. But using these personal questions as some sort of CAPTCHA or user verification is just stupid.

    • by Shados ( 741919 )

      Even worse, in my opinion, is some bank's web sites, like mine: It doesnt let me have a password of more than 8 characters, and special characters are not allowed (only alpha and numbers, not even space!).

      Then in the name of security, they put these stupid questions. Fix the passwords first anyone?

  • by Opportunist ( 166417 ) on Tuesday May 19, 2009 @06:42AM (#28009373)

    I dimly remember I saw something like this on /. before...

    It's a no brainer. Or at least it should be. Most of those "secret" questions draw from a limited set of possible answers. Worse, ALL those answers will be found in a dictionary. Because they invariably ask for (*drumroll*) a real, usually English, word.

    Now, what do we tell people, what did we tell them for ages? DO NOT use words that can be found in a dictionary. Yet for the "secret answer" (which is in almost all cases as good as the real password) we ask for a word that can be found in one.

    Is it me or is this like, you know, STUPID?

    There is no "secure" word. Not even your pet's name. My first pet was called ;drop table *;, btw. Yeah, I'm such a geek... sorry 'bout your database, btw.

    • Is it me or is this like, you know, STUPID?

      Only if it is implemented in such a way that knowing the answer is as good as knowing the password.

      There's no reason it can't be used as part of a belt & braces approach (of course, if someone's stolen your belt then its possible that they've stolen your braces as well) and/or where the worst thing that it can trigger is to get a new temporary password mailed to your known address.

      It also depends what the stakes are and comes down to a risk analysis between the potential security risk vs. the inconve

  • Study... (Score:3, Funny)

    by nog_lorp ( 896553 ) on Tuesday May 19, 2009 @06:52AM (#28009421)

    Is this the study that was conducted by 4chan during the election? Where they found that 100% of Sarah Palins have easily guessed Yahoo mail security questions?

  • I always use the first name of my first real girlfriend. But then, that's not going to be much use for many slashdotters. But then, you can also use the first name of your faux girlfriend. Her name is even more secret !

  • When I have to fill out a "secret question" with an answer that's all too easy to look up, I just make up an answer no one will figure out but me. If someone trying to get into my account tries to guess what was "the color of my first car", how are they going to know the answer if I made up a word that doesn't even exist?
  • Just pick one word you use to answer all questions, like "love2canoo" or something. Why put in answers people can guess? Just make up a single answer that answers all questions.

    For example:

    1) Mother's maiden name: love2canoo
    2) First pet: love2canoo
    3) First car: love2canoo

    That way everyone trying to guess your answers will always be wrong. I'm not sure why people think they really need to answer those things truthfully. Lie, and others trying to use the truth will fail.

    • Use a reasonably secure password that you don't use for any other purpose as the answer to all the questions

      i.e. use it as an alternative password, not as an bypass

  • I don't get this. I don't fill out secret question answers if I don't have to, prefering to just have the regular password, but if I do fill them out, for-gods-sake my answer wouldn't be the answer to the actual question, it would be something random like the password!

    Answering the actual question is obviously flawed security.

    Pete Boyd

    • Re: (Score:3, Insightful)

      Not filling them out is dangerous. If you don't fill them out then a question is selected by default. No answer is still an answer. A reasonable guess to 'the answer' is nothing, or rather, I didn't fill it out.

      I imagine an operator asking: What is your mother's maiden name? Then the perp being stumped, and after a period of silence, the operator determining that the question was answered correctly.

      And a machine is almost guaranteed to be that dumb.

  • by fph il quozientatore ( 971015 ) on Tuesday May 19, 2009 @08:28AM (#28010051)
    So, it seems every slashdotter is submitting his best SHA1 fancy trick to answer the security question. But I think you missed the problem. The problem is not securing the accounts of smart tech-savvy people, as they should already know how to do it themselves. It is "how do we make sure that Joe the Plumber, Granny, and Sarah do not set dumb-ass security questions leading their account to be pwned in less than ten seconds?"
  • And before that... (Score:3, Insightful)

    by itsdapead ( 734413 ) on Tuesday May 19, 2009 @08:33AM (#28010107)

    Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.

    Trump that: E.E. 'Doc' Smith pointed out sometime in the 1930s that what the world really, really needed was a foolproof way of establishing someone's identity. Unfortunately, his solution was to have some omnipotent aliens come up with a magic identity bracelet, which isn't particularly helpful.

    That's the real problem - these dumb-ass methods of establishing identities come about because there is no good solution on offer to let a service provider check that you are who you say you are - and no way do we trust our wonderfully tech-savvy governments or industries to set up and run one.

  • The only time I've run into these being used is as a second layer after they send a hashed URL to my email address, so the attacker would have to have known which email account on which server I was using, then discovered the password to my mail account or set up a MITM attack on my mail server, before they even got to the secret question part.

  • So that means the average person should be able to guess the name of my first pet in 6 guesses, right? Go ahead. Try.

  • What I do (Score:2, Interesting)

    by DeHackEd ( 159723 )

    Regretably a few sites I visit regularly (including my bank) may prompt me for these questions, so a question of "Mash the keyboard!" and an answer of "alsjdgiosadln" no longer works.

    Instead, as someone already stated, I select a secret question of "What is my password?" and if it's necessary for a second, "Type my password backwards." (answer: drowssap)

    And finally, if it's a question to be asked by a human (tech support for an ISP I know of does this now), the question is something silly. As fun as "What

  • delimited passwords (Score:3, Interesting)

    by Anonymous Coward on Tuesday May 19, 2009 @09:28AM (#28010729)

    i, too, have always deplored the secret question. so many sites force you to use them but they are really just insecure back doors into your account.

    my solution? for years i've been treating passwords and secret questions as two fields each, delimited by a non-alphanumeric. for example: say my mother's maiden name is "harris", i and i'm entering it as a secret answer on i would answer "amazon*harris". for passwords, i have a standard password, for example, "ninjasinmypants". at, my password would be "amazon*ninjasinmypants". that way my password is different from site to site, but still easy to remember.

    add some password common-sense, e.g. not using dictionary words, and you end up with pretty strong passwords that are easy to remember.

  • by the_raptor ( 652941 ) on Tuesday May 19, 2009 @10:07AM (#28011181)

    Here in Australia the Federal government department Centrelink (who are responsible for welfare, student support etc) make you answer a secret question every time you log on to their online system. Which is moronic as your user name is your customer ID you aren't supposed to give out, and they enforce strong passwords.

    Funny thing is that when you set a decent secret question you probably won't remember the answer over a year later (to clever for my own good). Of course their system is "smartly" designed and you can't get rid of your old questions just make new ones. So now I have about five questions I can't remember the answer to and twenty that are along the lines of "What is your name?" and I just hit refresh until I get an easy one.

    Remember folks if you make your security too tight people will just write their passwords on a sticky note and put it on their monitor.

Forty two.