Secret Security Questions Are a Joke

Hugh Pickens writes "Rebecca Rosen writes that when hackers broke into Mat Honan's Apple account last week, they couldn't answer his security questions but Apple didn't care and issued a temporary password anyway. This was a company disregarding its own measure, saying, effectively, security questions are a joke and we don't take them very seriously. But even if Apple had required the hackers to answer the questions, it's very likely that the hackers would have been able to find the right answers. 'The answers to the most common security questions — where did you go to high school? what is the name of the first street you lived on? — are often a matter of the public record,' writes Rosen, 'even more easily so today than in the 1980s when security questions evolved as a means of protecting bank accounts.' Part of the problem is that a good security question is hard to design and has to meet four criteria: A good security question should be definitive — there should only be one correct answer; Applicable — the question should be possible to answer for as large a portion of users as possible; Memorable — the user should have little difficulty remembering it; and Safe — it should be difficult to guess or find through research. Unfortunately few questions fit all these criteria and are known only by you. 'Perhaps mother's maiden name was good enough for banking decades ago, but I'm pretty sure anyone with even a modicum of Google skills could figure out my mom's maiden name,' concludes Rosen. Passwords have reached the end of their useful life, adds Bruce Schneier. 'Today, they only work for low-security applications. The secret question is just one manifestation of that fact.'"
  • Simple solution (Score:5, Insightful)

    by Anonymous Coward on Thursday August 09, 2012 @11:03AM (#40931583)

    Let people design their own question.

    • Re: (Score:3, Insightful)

      by MightyYar ( 622222 )

      But the lazy will make questions like "What is 2+2?" or other such nonsense.

      • Re:Simple solution (Score:5, Insightful)

        by fredprado ( 2569351 ) on Thursday August 09, 2012 @11:17AM (#40931799)
        And they are within their rights to do so and suffer the consequences for it.
        • Re:Simple solution (Score:5, Insightful)

          by Isaac-1 ( 233099 ) on Thursday August 09, 2012 @11:19AM (#40931847)

          And as long as you always answer 42, or 416 what is the problem with that?

        • Re:Simple solution (Score:5, Insightful)

          by MightyYar ( 622222 ) on Thursday August 09, 2012 @11:23AM (#40931909)

          I don't think that would fly. If a person's bank account gets hacked, the bank usually (always?) picks up the tab. It's in their interests to get people to bank online - it is significantly cheaper than hiring tellers. If I were on the hook for security flaws at the bank, I'd never bank online.

          • Happened to me a week ago! My contact on the bank told me that it will take at least a month for the bank to pick up the tab but I checked my account last night and they gave me back the money (about 1400 euros or 1700 USD). If people wind up thinking that banks are not secure and you don't get reimbursed then who in their right mind will ever use one again?
          • by jhoegl ( 638955 )
            Banks can require other methods, like security tokens, for online access.
            Hell I did it with Blizzard for what, $30 and I got a plush toy.
            If banks wanted to mitigate the risk, they could justify the cost easily.
            • Agreed. But obviously they have done a cost-benefit analysis and decided against this so far.

              I personally like the Google 2-step authentication. Send a temporary code to my phone.

              • by hawguy ( 1600213 )

                Agreed. But obviously they have done a cost-benefit analysis and decided against this so far.

                I personally like the Google 2-step authentication. Send a temporary code to my phone.

                I too like the Google 2-step authentication, but I'm probably screwed if someone steals my phone since they'll have access to my email and SMS verification. I have a 5 digit PIN on the phone, but I don't know how secure a phone PIN is against a determined hacker. If my phone is lost or stolen, hopefully I can send a remote wipe before they hack it.

                One thing that I do that inadvertently helps protect me against hack attacks is that I always use a unique email address when I sign up at a site, something like

            • Re:Simple solution (Score:5, Interesting)

              by Cinder6 ( 894572 ) on Thursday August 09, 2012 @12:05PM (#40932671)

              Hell I did it with Blizzard for what, $30 and I got a plush toy.

              This has always bothered me. My Blizzard and SWTOR accounts have much stronger authentication (from a user perspective; not sure about the underlying technical security measures) schemes than my bank account. My bank only allows a maximum of 14 characters in a password and severely limits you on what special characters you can use. They also have no form of secondary authentication, such as Blizzard's Authenticator. Finally, their security questions are a joke, all along the lines of those mentioned in TFS--"What is your mother's maiden name" and the like.

              My solution to bad security questions? Answer unasked questions. What's your mother's maiden name? Pepperoni pizza. What street did you live on? Empire State Building. Then use different answers for different sites, like you should your passwords. Just be sure you can keep track of them--either an encrypted file or a password manager program.

            • In Mexico, the two banks I use use two-factor authentication — A password (with some non-obviousness requirements, but yes, in the end they put stupid hard limits on the entropy, such as a maximum of 8 characters) and a security token. I have had one for over six years (lost the second one, but it lasted ~5 years on me) without a hiccup.

              They are now telling me it's safer to kill the tokens and use a SMS to my cell phone as the second factor. Right, as if there is phone coverage always, everywhere. As

          • It's in their interests to get people to bank online - it is significantly cheaper than hiring tellers.

            So like ATMs and how they were supposed to save everyone time and money because you didn't have to visit a bank with a live person but which now you have to pay to get your money out if the ATM isn't from your bank?
          • Re:Simple solution (Score:4, Insightful)

            by jmerlin ( 1010641 ) on Thursday August 09, 2012 @02:11PM (#40934943)
            What scares me the most, I think, is that several of the banks I've used have required ridiculously short passwords and relied heavily on these "security questions" as a second tier of authentication (as if that's more important than 64+ more bits of strength in the password). So you have to pick a password that's between 4 and 8 characters or some nonsense and answer some questions like "mother's maiden name" and "name of first employer" etc.

            What we need is some kind of authenticator or something. If you can't trust me to use a 24+ character password or provide me with a more secure means to log-in, I can't trust you to hold my money. It's that simple. Keyloggers still win against complex passwords. Blizzard solved the problem by using symmetric cryptographic protocols so a device that's highly unlikely to be compromised is the source of part of the key (a keychain or a smartphone app). Why can't banks do the same? What a damn shame.
      • Re: (Score:3, Interesting)

        by Anonymous Coward

        Mine is, "What do you hate about c++?" when it is optional. People are good at making up their own questions if they care. And security is only as good as you care about it. It is impossible to force people to use security despite the attempts.

    • Re:Simple solution (Score:5, Insightful)

      by NeutronCowboy ( 896098 ) on Thursday August 09, 2012 @11:11AM (#40931707)

      Even simpler solution: design your own answers. Yes, you'll get funny silences over the phone when you tell the rep that you were born "On the moon", that the street you grew up on was "the yellow brick road", and that your mother's maiden name was Humpty Dumpty. The upshot is that no one can guess, the answers are meaningful to only you, there is only one answer (the fake, important name and place), and, because the answers are whatever you think they should be, applicable.

      • Re:Simple solution (Score:5, Insightful)

        by Hognoxious ( 631665 ) on Thursday August 09, 2012 @11:16AM (#40931795) Homepage Journal

        The problem is that if you don't use them very often (say only for a password reset) it's easy to forget what answers you gave.

        One trick is to give true answers, but for someone else, i.e. you answer as if you were Linus Torvalds or Queen Victoria. But then you still have to remember who ...

        • Re: (Score:2, Funny)

          by Anonymous Coward

          Yup. I had an embarrassing phone conversation with my state's tax department because a year earlier I set the secret question to "What is the password?" and a year later I had naturally forgotten the answer.

          • by bluefoxlucid ( 723572 ) on Thursday August 09, 2012 @11:41AM (#40932251) Homepage Journal
            For phone stuff I set security questions like "Would you like to have dinner some time?" or "Wanna have sex when I get off?" and call to tease the cute customer service girl.
          • by Dewin ( 989206 )

            Yup. I had an embarrassing phone conversation with my state's tax department because a year earlier I set the secret question to "What is the password?" and a year later I had naturally forgotten the answer.

            This is a bad idea, since security questions are probably stored unencrypted or at least using a reversible cipher -- the people on the other end of support need to be able to compare your answer, and there needs to be some leeway especially with spoken answers and spelling variations.

            Unless, of course, y

        • by gosand ( 234100 ) on Thursday August 09, 2012 @12:33PM (#40933101)

          Use an algorithm.
          Use real answers, but replace vowels with the letter Q. (for example)
          Mother's maiden name: Smith => SmQth
          First pet: Spot => SpQt

          Just make up a general rule. This is what I do with my passwords. They are based on a rule that I can remember. Then you can apply that rule to any password.
          Like switch the first and last letters. Smith = hmitS, Spot = tpoS. Or use numbers. Or a combination. It quickly looks like nonsense, but if you use a rule then you can apply it. Or change it. If you have to change a password, then switch from using Q to W, then E, then R, then T, etc.

          You can even write down your rule in plain sight. If I wrote down "flip Q" as a reminder, it would remind me to flip the first and last letters, then replace vowels with Q.

          And I just came up with this one for this post. The one I actually used is based on something nobody could guess, and has been altered over the years so that I am the only one that knows it. And it works! I still remember an intern at my first job left to go back to school in 1994, and he told me his unix password in case I needed to get into his account. It was CIrpotb (Clearly I remember picking on the boy), from Pearl Jam's song Jeremy.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        So now you have to remember nonsensical answers to every important site you use, in addition to a password. You can't use the same answers everywhere, because when one gets hacked, all other account security questions are vulnerable.

        In other words, passwords aren't secure, so let's use even more of them! This is like saying credit card numbers get stolen, so the solution is to add some more to the back of the card.

      • by PerfectionLost ( 1004287 ) on Thursday August 09, 2012 @11:18AM (#40931825)

        I had a friend who built an entire fake persona that she used to answer her security questions. Address, parents, pets, you name it.

        In hindsight she was probably a little schizophrenic.

      • I use my GRANDmother's maiden name. Since she hasn't used it since circa 1925 I figure it will be very difficult to locate.

      • Hmm, I never thought I would have to give the answer to my security questions over the phone. I always fill them in with an 8 - 12 char alphanumeric jumble.
      • Re:Simple solution (Score:4, Informative)

        by Sqr(twg) ( 2126054 ) on Thursday August 09, 2012 @11:38AM (#40932163)

        Or go to [], and use the security question (all lower case and no punctuation) as URL and your own secret password. Set the character set to hex digits so that the answer is easy to read out over the phone.

      • Re:Simple solution (Score:5, Insightful)

        by Hatta ( 162192 ) on Thursday August 09, 2012 @11:55AM (#40932523) Journal

        That doesn't solve the real problem, that banks think that these questions and answers provide any sort of security whatsoever. What is the difference between this Q&A scheme and a password? Specifically, these security questions are exactly identical to a password that is stored in the clear (no hash, no salt) and is intended to be communicated to humans, and for which an attacker only has to guess one out of 4 correctly?

        We know that this is bad practice for passwords. Why do we tolerate it for "security questions"?

        • Specifically, these security questions are exactly identical to a password that is stored in the clear (no hash, no salt) and is intended to be communicated to humans, and for which an attacker only has to guess one out of 4 correctly?

          I agree with your general premise that these are just secondary passwords. That's actually how I treat them: I use my password manager to generate and remember random strings of characters as my security question answers. What was my first elementary school's name? "QQw9i?7JJq[m".

          However, these don't have to be stored in cleartext any more than your primary password. Ideally, the authenticating system should hash your reply and compare it to the hashed version from their database just like you would normall

    • by mkraft ( 200694 )

      That's actually already being done by a number of companies. That still doesn't help though if someone enters a question with an easy answer.

      The "best" thing people can do is put in wrong answers to their security questions. Unfortunately if someone does so and forgets the answer, then that person can't get access to his or her account. Unless of course that person has an account with Apple or Amazon in which case the secret answers aren't needed. Hence the problem with the entire password system.

    • by Krneki ( 1192201 )

      Security questions are completely pointless. They were implemented because idiots used the same username / email address and passwords across different websites. So once a hacker got all the info from a poorly secured website he was able to access all the user accounts.

      All you need is a username and password, if you want a 2nd security check use the email you can't replace in 5 min within the account (put a 2 months delay). If the user is so stupid to use the same password on the email let him pay the p

      • by shugah ( 881805 )
        Sounds good, but when you have a dozen different bank accounts, investment accounts, business and personal email accounts, several social media accounts (facebook, twitter, plus), login accounts on several different computer systems, screen lock codes (or gestures) for your smart phone, accounts for Craigslist, Paypal, eBay and several different online support/user/interest forums, it is simply impossible to remember strong and unique passwords for all of them. Not to mention ATM cards and chip + PIN cred
    • Re:Simple solution (Score:5, Informative)

      by Qzukk ( 229616 ) on Thursday August 09, 2012 @11:18AM (#40931831) Journal

      I once had an account on a site that asked me to select three questions from a list of a couple dozen then answer them.

      When I needed to recover my password, it asked me to select the same three questions from a list of a couple dozen then answer them again.

      I never managed to recover my password.

    • by taustin ( 171655 )

      Why do people always assume that the answer to the security question has to be correct? Or even remotely connected to the question, for that matter? Do all the internet searches you want, you'll never figure out that my high school was "Never give guns to ducks."

    • Re:Simple solution (Score:5, Insightful)

      by Hythlodaeus ( 411441 ) on Thursday August 09, 2012 @11:31AM (#40932043)

      The purpose of security questions is not security - it's reducing customer service workload due to forgotten passwords.
      In most implementations it's an overall reduction in security, since the security questions constitute a backdoor to the password, rather than an additional factor of authentication.

  • BYO (Score:5, Insightful)

    by wstrucke ( 876891 ) on Thursday August 09, 2012 @11:03AM (#40931589)
    I find the security questions I like best are the ones I can make up myself. I typically use nonsense phrases that only I know the answer to. Unfortunately most sites would prefer you pick one of several 'standard' questions like the examples OP provided.
    • Exactly! But even with standard ones you can make it secure enough. For example I never had a pet when I was a kid, and for that reason I pick that one out and fill it with a name that mentally means something for me, but something that not even my best friend of 21 years can tell! Really the problem is not with the security measures it is with the end users. If you pick that question above and you had a pet that half of the world knew you had, well then don't nag on how bad the security is.
    • Re:BYO (Score:5, Funny)

      by HawkinsD ( 267367 ) on Thursday August 09, 2012 @11:18AM (#40931827)

      My favorite make-up-your-own pair, which a CSR at a bank was once forced to read to me over the phone:

      Q: "You're not going out dressed like that are you?"

      A: "You can't tell me what to do! You're not my real father!"

      • Re:BYO (Score:5, Funny)

        by captaindomon ( 870655 ) on Thursday August 09, 2012 @11:49AM (#40932423)
        From Bruce Schneier:
        Q: Do you know why I think you're so sexy? A: Probably because you're totally in love with me.
        Q: Need any weed? Grass? Kind bud? Shrooms? A: No thanks hippie, I'd just like to do some banking.
        Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men. A: Go forth, and kill. Zardoz has spoken.
        Q: What the hell is your fucking problem, sir? A: This is completely inappropriate and I'd like to speak to your supervisor.
        Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it. A: It's a good thing they're recording this call, because I'm going to have to report you.
        Q: Are you really who you say you are? A: No, I am a Russian identity thief.
    • Re:BYO (Score:5, Insightful)

      by X0563511 ( 793323 ) on Thursday August 09, 2012 @11:20AM (#40931865) Homepage Journal

      I'd rather just be able to disable the questions entirely, relying on a good password and if that is lost/whatever, account specific information being verified by a human on the phone.

      My problems with these "secret questions" are:
      1. They are obviously stored cleartext
      2. They can be used to "substitute" for your non-cleartext password
      3. Because 1+2=3, if someone breaks in and grabs a dump of the table, they now effectively have your account. These "insecurity questions" are more of a liability if you are not one to just lose passwords. Crutch for the stupid, barrier for the secure.

  • by MightyMartian ( 840721 ) on Thursday August 09, 2012 @11:03AM (#40931593) Journal

    I'm sorry. Apple cannot make mistakes anymore. Clearly this is just anti-Apple-types trying to give the greatest, most wonderful, most lauded, most glorious company that has ever or will ever exist.

    I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

    • I'm now turning my iPod up to 11 to drown out the filthy lies of the naysayers. Jobs be praised.

      Didn't they remove that function, in order to protect you from yourself?

    • by alen ( 225700 )

      they admitted that one of their CSRs didn't follow the rules

      everyone here writes bugs with code and works it out over time. lots of times in production. but someone else makes a mistake and its time to burn them at the stake.

      • by Isaac-1 ( 233099 )

        Part of the problem is the CSR had the option to not follow the rules, they should have a box to type the challenge response, and the computer should have enough logic to only accept a close match, not counting capitalization or minor spelling differences. If they can't get it right, escalate the call to a supervisor level who may then have more leeway.
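Dewin's objection above (leeway for spoken answers seems to force cleartext storage) and Isaac-1's suggestion of a computer-checked close match can be reconciled for capitalisation, spacing and punctuation, but not for spelling. This is an added Python example, not code from any poster or from Apple; the normalisation rule and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Constructed example: store security-question answers the way passwords
# should be stored (salted, slow hash, constant-time compare). The answer is
# canonicalised before hashing, so "O'Brien", "obrien" and "O Brien" all
# verify, while "O'Brian" does not. Fuzzy spelling leeway is deliberately
# not offered: a distance comparison would need the plaintext on the server.

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware


def normalize_answer(answer: str) -> str:
    """Canonical form used at both enrolment and verification.

    Accents are stripped, case is folded, and whitespace and punctuation
    are removed, so only the letters and digits the caller spoke matter.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to persist; the plaintext answer is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode(),
        bytes.fromhex(record["salt"]),
        record["rounds"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = enroll_answer("O'Brien")
    print(verify_answer(rec, "o brien"))  # capitalisation/punctuation leeway
    print(verify_answer(rec, "O'Brian"))  # spelling must still match
```

A CSR-facing tool would call verify_answer with what the caller said and never see the stored value, which removes the "just issue a temporary password anyway" option from the person on the phone.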

    • >>>Clearly this is just anti-Apple-types

      I consider Apples to be like Chryslers, Lexuses, and Acuras. Severely-overpriced for what you get. BUT in this case you are being unfair. It wasn't Apple that dropped the ball but one of their minimum wage employees.

      Apple should fire the employee and any other employees who hand-out new passwords w/o proper authentication by the caller (answering the secret questions). If Apple fails to do that, THEN you can vilify them.

    • by nazsco ( 695026 ) on Thursday August 09, 2012 @12:35PM (#40933133) Journal

      IPads only goes up to 10. 11 would be too complicated, like a second mouse button.

  • by Jeremiah Cornelius ( 137 ) on Thursday August 09, 2012 @11:04AM (#40931597) Homepage Journal

    What is your quest?

    What is the air-speed velocity of a coconut-laden swallow?

  • by BMOC ( 2478408 ) on Thursday August 09, 2012 @11:04AM (#40931601)

    The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

    Favorite movie? Gigli
    First Car? Moon Rover
    Mother In Laws Name? Dead

    • by ( 2589739 ) on Thursday August 09, 2012 @11:07AM (#40931647)

      I usually just generate additional passwords and save them in KeePass.

    • The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

      Favorite movie? Gigli
      First Car? Moon Rover
      Mother In Laws Name? Dead
      etc..etc..

      Of course people will forget the right wrong answer, without chance to find it ever again. Which is likely the reason why companies have started to allow a way around those questions in the first place.

    • The best use of security question is to answer them dishonestly/humorously with responses you will remember, or can write down.

      This, a million times over.

      It's not the questions that are the problem, it's the idiots giving them obvious, straight answers.

    • This completely negates the purpose for me. If I can remember my nonsense answer, I can equally remember the actual password, and using a standard nonsense answer on for all logins is no different than using the same password for all logins, a big no-no.

  • Douglas Adams nailed it...again.

  • by mikestew ( 1483105 ) on Thursday August 09, 2012 @11:06AM (#40931627) Homepage

    Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.

    Of course, that does no good if Apple simply ignores the security questions.

    • Google me all you want, the real answer to "mother's maiden name" for me is "{ah23#>K&Ep", which I store in 1Password.

      Of course, that does no good if Apple simply ignores the security questions.

      So to recover the password for your account you also stored in 1Password, you use a security question, the answer of which you take from 1Password. I can see no flaw in your reasoning.

      • Yes, that would be an accurate summary. Answers are generally required, and I'm not about to give the actual answer. I do not intend to ever use the answers, as I view security questions to be a hole and not a help, but they might as well be recorded.

    • by CAIMLAS ( 41445 )

      Of course, that does no good if Apple simply ignores the security questions.

      Everyone here seems to be missing that point.

      If they will reset your password over the phone while enabling you to add an email address to the account and without reasonable certainty you are who you say you are, they have thoroughly demonstrated they do not give half a shit about the security of your information. Period. There are banks like this as well. It would be trivial to take over someone's financial and digital life in today's world with a little knowledge of who they are.

  • When you fill out the "form" to define the security questions, don't put the correct answers in. Purposely put a false answer, obviously one that only you know. My dad makes up a "youngest son" to put in those security questions so there is no way someone can "scour" social network sites to find the answers.

  • by danbuter ( 2019760 ) on Thursday August 09, 2012 @11:09AM (#40931673)
    Jokes on them! I've never had a girlfriend!
  • What is your memorable place? seems to fit all those criteria, for example.

    • I wouldn't even know how to begin to answer that question. I don't have a single most memorable place, but a small collection of special places that are about equally memorable. How would I remember which one I used?

      This is no different than "what's your favorite..." questions. My favorite anything is not fixed. My favorites change over time, so I still end up having to outright guess what the right answer is.

  • lots of cartoon animal names you can use

    who says you have to use real answers to these questions?

  • Security questions are an opportunity for additional long passwords.

    Favorite color: ALQbpFcWvvFiJlnEh5uuC0lpJZFHAvIcMuXrOh46L3bc24V39m
    Where you grew up: 1t7jpfr7zzp87kOJTMOFw5qf1ReWKoxoeRu8U7vuz5TfPwypkU
    First pet: gzcPme09nDYPHXvfvyi8FbpP9hX5cjqMiVi0MWd61sxyCIJjaG

    Just use the prompt as the index for the key, which you've saved in your favorite key store, like keepassx.

  • Even if Apple had enforced their own policies it's still weak anyway. Recall the hacking of Sarah Palin's yahoo email. The attackers just looked up the answers to her security questions on the interwebs.
  • Mother's maiden name (Score:5, Informative)

    by AnalogDiehard ( 199128 ) on Thursday August 09, 2012 @11:18AM (#40931823)
    I use my mother's mother's mother's maiden name. Unless you know my family genealogy, it's a lot harder to get that from Google.

    I had to resort to adding layers of generations when my (now ex) wife attempted to open credit cards behind my back.
    • I use my mother's mother's mother's maiden name.

      Why? Are you legally obligated to give the correct answer?

  • by ledow ( 319597 ) on Thursday August 09, 2012 @11:19AM (#40931851) Homepage

    Just treat them like I do. Select any "question" and type another password into the answer box (one that you never give out).

    Should it come to a password reset where you're asked for it, no, NOBODY will ever guess it and you'll be able to reset your password either automatically (if they allow you to), or via a customer service representative (who will be wondering why your mother's maiden name was AH8hfds86, but who cares?).

    Just as secure as anything else and requiring you to give out zero additional personal information, and totally UNABLE to be discovered by someone who happens to know you, for instance (unlike DOB, maiden names, etc.)

  • by macraig ( 621737 ) on Thursday August 09, 2012 @11:20AM (#40931853)

    Many security questions are a failure from the start due to poor selection. While one would expect that a security question would challenge an objective fact, many of them don't. Instead they challenge subjective facts, most often "favorite" things. What happens to a person's answers when his mental list of favorite things has changed? I've encountered some instances where these "favorite" questions were so prevalent that there wasn't even one objective question as a choice. While it's true that "favorites" might be less susceptible to data mining than objective facts, the last thing security questions should ever do is create the possibility that the legitimate user might be locked out because he can't recall what his "favorite" was at the time of the account's creation. This is akin to the bad habit of using e-mail addresses as usernames. What's more, many of these choose very poor subjects that lead to potentially ambiguous answers; there have been many occasions when I couldn't decide the correct answer to a "favorite" question even at the time of creation, much less a year later.

  • by gurps_npc ( 621217 ) on Thursday August 09, 2012 @11:23AM (#40931917) Homepage
    As I have said before (check my posts): Passwords are ways to keep the ignorant out, not the determined or skilled.

    We need real security - which comes from an obvious list of last attempts to log in. That way we know when and where (IP address tells all), someone tried to log into our accounts. If we don't recognize the times and places, then we can act.

    We certainly can't trust the websites themselves to protect us.

  • by Tarlus ( 1000874 ) on Thursday August 09, 2012 @11:26AM (#40931949)

    Question 1: Why did the chicken cross the road?
    Question 2: Why is six afraid of seven?

    * dodges tomatoes *

  • There is an easy workaround for this. You go to the trouble of using a high-entropy password for a certain web site, and then their web interface insists on knowing something like your dog's name, which would be a huge security hole. Well, whatever method you use for making a secure password (I use a hash function), just use that to generate your dog's name. So I'll tell google that my dog's name is bHo3HI38, and that it's QRYh3l34.

    Give up on wanting it to be memorable. That's pointless and self
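Sqr(twg)'s generator trick (question text as the site name, hex output), the keepassx post, and the hash-function approach above all derive each answer rather than remember it. The following is an added Python example, not any poster's code; the master secret, the site labels, the question canonicalisation and the PBKDF2 parameters are assumptions.

```python
import hashlib
import re

# Constructed example: derive a distinct, unguessable "answer" for every
# (site, question) pair from one memorised secret. Nothing is stored, the
# same question at two sites yields unrelated answers (so one site's
# cleartext dump says nothing about the others), and the hex output is
# short enough to read out over the phone. Caveat from the thread: if the
# secret is forgotten, or the site is labelled differently later, the
# answer is gone for good.

PBKDF2_ROUNDS = 200_000  # assumption: slows down guessing of the secret
ANSWER_HEX_LEN = 16      # assumption: 64 bits, still readable aloud


def canonical_question(question: str) -> str:
    """Lower-case, no punctuation, single spaces.

    'What is your mother's maiden name?' -> 'what is your mothers maiden name'
    so the wording the site shows later still maps to the same answer.
    """
    stripped = re.sub(r"[^a-z0-9 ]", "", question.lower())
    return " ".join(stripped.split())


def derive_answer(master_secret: str, site: str, question: str) -> str:
    """Site label and canonical question form the salt; the secret is the key."""
    salt = f"{site.lower()}|{canonical_question(question)}".encode()
    digest = hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode(), salt, PBKDF2_ROUNDS
    )
    return digest.hex()[:ANSWER_HEX_LEN]


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed, not a real secret
    q = "What is your mother's maiden name?"
    print("bank.example:", derive_answer(secret, "bank.example", q))
    print("mail.example:", derive_answer(secret, "mail.example", q))
```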

  • by wkcole ( 644783 ) on Thursday August 09, 2012 @11:39AM (#40932197)

    They are de facto alternative shared secrets used for authentication, so that instead of there being just one password that will open an account there are more. Because the answers are mostly things we don't think of as particularly secret and many systems use the same sets of questions, the result is what everyone knows is bad practice: a weak password used in many places.

    The right fix for the "security question" mess is not better questions or trick answers, it is to eliminate the process that demands them. A human-mediated password reset process is always going to be subject to social engineering and if the humans mediating that process are low-skill CS reps whose work is only deemed to be worth the prevailing call center wages in Chennai or Manila, the social engineering is likely to be unchallenging. If you must offer a way for a user to recover an account for which they've forgotten the password, it should not be vulnerable to attack via research or pleading.

  • by Jafafa Hots ( 580169 ) on Thursday August 09, 2012 @11:48AM (#40932399) Homepage Journal

    ...that ask for your first pet, because while people can figure out my current and even some former pets, there's nobody I've probably even told in REAL life about my first pet, Aflie, a baby chick I had for a few days. So with that question I'm totally safe.

  • by gerardrj ( 207690 ) on Thursday August 09, 2012 @11:52AM (#40932473) Journal

    It's the answers. For the best security the answers should have nothing to do with the question, just like you see in all those old spy movies:

    Q: What is your favorite color
    A: walkaboutclock

    Q: What was the name of the street you grew up on?
    A: g!blix05

    When only the account holder can possibly know the answers then there can be no social engineering to bypass the security.

    None of this, of course, has any effect if policies and procedures at the vendor site allow for the questions to be bypassed. As I have posted elsewhere, we don't know the contents of the alleged call; the operator could have been threatened, blackmailed, bribed or even an accomplice.
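What the random-answer scheme above needs on the other side, as an added example that is not the commenter's code or any vendor's: a site that keeps security answers at all should treat them exactly as wkcole describes, as alternative passwords. The constructed records below are salted and stretched with PBKDF2-HMAC-SHA256, compared in constant time, and gated behind a per-account attempt limit; the question strings and iteration count are illustrative. None of this helps if, as the comment notes, an operator can simply skip the questions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Any, Dict, Optional

# Hypothetical stretching parameter; a deployment would tune it to its
# hardware and store it with each record so it can be raised later.
DEFAULT_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Fold case, Unicode form and whitespace runs so that 'WalkAboutClock'
    and 'walkaboutclock' match, while word boundaries stay significant."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> Dict[str, Any]:
    """Store an answer the way a password is stored: salted, stretched,
    never in the clear. Two enrolments of the same answer get different salts
    and therefore different digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(record: Dict[str, Any], candidate: str) -> bool:
    """Recompute the stretched hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(candidate).encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class ResetGate:
    """Guards a self-service password reset behind a set of stored answers.

    Every question must be answered correctly in one attempt; all answers are
    checked even after the first mismatch (no early exit that leaks which one
    was wrong); and the account is locked after max_failures bad attempts so
    short random answers cannot be brute-forced online."""

    def __init__(self, records: Dict[str, Dict[str, Any]], max_failures: int = 3):
        self.records = records          # question text -> hash_answer() record
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def attempt(self, answers: Dict[str, str]) -> bool:
        if self.locked:
            return False
        results = [verify_answer(rec, answers.get(q, ""))
                   for q, rec in self.records.items()]
        if all(results):
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed enrolment using the spy-movie answers from the comment.
    gate = ResetGate({
        "What is your favorite color": hash_answer("walkaboutclock"),
        "What was the name of the street you grew up on?": hash_answer("g!blix05"),
    })
    print(gate.attempt({"What is your favorite color": "blue",
                        "What was the name of the street you grew up on?": "Main"}))
```

The lockout here is per account, which an attacker can abuse to lock a victim out of their own reset flow; a real deployment would combine it with per-source rate limiting and a notification to the account owner. Collapsing whitespace runs but keeping single spaces is a deliberate middle ground: it forgives typing noise without making "walk about clock" and "walkaboutclock" interchangeable.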

  • those with memorable answers are precisely those most likely to be very important (i.e. likely public or easily accessible) information.

    You're stuck with "What is your mother's maiden name?" (visit a genealogy website and search for the person to find out) or the alternative, "What was the phone number of the first person you ever dated?" (Something you yourself likely can't find.)

    I've noticed a sharp rise in these kinds of difficult-information questions in recent months. The problem is that if I have to go digging through my personal archives to find the information (if I can even find it at all), it's quite possible that I won't be able to find it when I need it later on, and likely that I won't simply remember it offhand.

    I know people that have taken to generating secure random passwords and using these as the answers to questions, then keeping a spreadsheet with (a) domain, (b) questions, and (c) the random password generated for each question. But of course then there's a spreadsheet hanging around that contains this information, and the labor overhead involved becomes a disincentive to take the questions seriously at all (which is why I also know a person that answers every single security question they're asked to answer with "None".)

    But seriously, at the practical level, who can answer:

    What was the first name of your third grade teacher?
    What was the nearest cross street to the home you lived in as a child?
    Who was your sports or other hero at eight years old?
    What was the name of your boss on your first job?

    All of these kinds of questions dig back into obscure things that haven't been important to most people in many years, not to mention that many people wouldn't have known in the first place, and/or the answers could be so ambiguous that you'll struggle to remember what you entered ("Superman?" "My dad?" "Neil Armstrong?") given the ambiguities and categorical thinking involved.

    I tend to think that the answer to security is a social one—calculate the risks and use "good enough" security, then assume that some percentage of security cases will fail and maintain resources/insurance to address the resulting cases in a way that allows you to continue to do business and gain users/customers. More or less what happens with banking right now.

  • by joebok ( 457904 ) on Thursday August 09, 2012 @12:54PM (#40933391) Homepage Journal

    These things are not about security - they are about convenience. Primarily they are used for self-service password resetting. I don't think beefing up the "security" on convenience questions is really very helpful.

    If you are serious about your security, you should pick randomized strings to use as the answers to the convenience questions, then store them in a nice secure password safe.
