How are 'Secret Questions' Secure?
Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?
Create your own question (Score:5, Interesting)
Re:Create your own question (Score:2, Insightful)
Re:Create your own question (Score:2, Insightful)
Re:Create your own question (Score:1)
Normal password retrieval method:
1. Click the "I forgot my password button"
2. Enter your email address
3. Click Ok to get a confirmation mail sent
4. Go to your email account and read the mail
With secret questions it becomes:
1. Click the "I forgot my password button"
2. Enter your email address
3. Answer the secret question correctly
4. Click Ok to get a confirmation mail sent
5. Go to your email account and read the mail
Re:Create your own question (Score:1)
Re:Create your own question (Score:3, Funny)
Re:Create your own question (Score:1)
Re:Create your own question (Score:2)
OBPennyArcade (Score:3, Funny)
That has its own problems:
http://www.penny-arcade.com/comic/2006/07/12 [penny-arcade.com]
Re:OBPennyArcade (Score:3, Funny)
So, there may be other reasons not to use this sort of system.
But, fundamentally, it's a horrible security measure and should be taken
Re:Create your own question (Score:2)
Re:Create your own question (Score:2)
Q: What is your password?
A: <my password>
Interestingly, Dan Bernstein's is:
Q: How many idiotic ACCC policies can dance on the head of a pin?
A: <dunno, you'll have to ask him>
Re:Create your own question (Score:2, Interesting)
Agreed, but we can go further.
The time I was reverse scamming a Nigerian 419'er comes to mind.
I thought it might be fun to look at his mail.com email account. Having Mail.com, I knew that it doesn't report attempts to guess the password to the account holder.
The secret question this scammer had chosen was "Where were you born?"
The next few e
Re:Create your own question (Score:2)
Receptionist: What are you wearing?
Client: I don't think that's an appropriate question.
Re:Create your own question (Score:1)
You just have to ask yourself the question... (Score:5, Funny)
Re:You just have to ask yourself the question... (Score:1)
I think (Score:2)
Re:You just have to ask yourself the question... (Score:2)
For example (This is not one I actually use) a friend in school when faced with the classic question "Why is a mouse when it spins?" did not know the "correct" answer (The higher, the fewer) so came up with an equally nonsensical answer (The faster it spins, the much). It is
Re:You just have to ask yourself the question... (Score:3, Informative)
There's no question mark there, which is why Tycho goes on to question whether it is a question or a statement.
Re:You just have to ask yourself the question... (Score:2)
When I was in high-school, people would ask 'You know what?' and my answer was 'What is dead.' and then 'He got run over.' I usually eventually explained that my first girlfriend (hey, she asked me out, okay?) had a cat that had kittens... And she didn't name them fast enough. So I named them Spot, What and Horace. She was pretty pissed.
The sites that need it, shouldn't use it. (Score:5, Insightful)
Many, many sites require that you answer some of these questions. It would be ok if it were optional, but in many cases it's required. The thing is that many sites really have no legitimate need to have password changing functionality in the site.
For example, at most online shopping sites, I'm having to create an account I don't really want, and provide this "secret" information, to a site I'll probably never visit again. Or if I do, I'd rather enter all my shipping information again than have to remember a password.
For most sites, if your password for the site isn't valuable enough to you that you keep it safe, then there's probably no reason that you couldn't just start over with a new account. For the sites that do have stuff that's interesting enough that you need a password recovery, the security of a password reminder probably isn't sufficient.
One thing you can do is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".
Sean
Re:The sites that need it, shouldn't use it. (Score:5, Funny)
I'll bet she couldn't WAIT to get married!
On a related note, we must be cousins.
Re:The sites that need it, shouldn't use it. (Score:3, Funny)
Re:The sites that need it, shouldn't use it. (Score:1)
Re:The sites that need it, shouldn't use it. (Score:2)
Probably related to this guy [wikipedia.org], heh?
Re:The sites that need it, shouldn't use it. (Score:2)
The whole point was that it was never going to use the account again. If it needs to order something else from the site, it'll just create a new account. Thus, there is no need to store the made-up passwords; when the session is over, the account will become inaccessible due to the era
Re:The sites that need it, shouldn't use it. (Score:1)
Re:The sites that need it, shouldn't use it. (Score:4, Informative)
KeePass [sourceforge.net]
Re:The sites that need it, shouldn't use it. (Score:2)
I have a friend whose first name is his mother's maiden name. It's an odd name as well, and people usually ask "where did that come from". A while back he actually had to come up with a plausible story so he wasn't giving away a "secret" every time somebody asked. Annoying. Now you have to know him pretty well to get that info.
I don't thi
Re:The sites that need it, shouldn't use it. (Score:2)
Yup. Any site for which having the ability to recover a lost password is important *either* had lots of personal and financial information about me already which could be used for that purpose, or it has my email address and could easily mail me a password-changing token. (Sure, that scheme could in principle be vulnerable to attacks - but far less so than using my mother's maiden name and my
Why you have to provide the real answer? (Score:4, Insightful)
Your pet's name? / your GF nickname,
Your pet? / Ultraviolet
And so on...
Paul B.
Re:Why you have to provide the real answer? (Score:4, Interesting)
Re:Why you have to provide the real answer? (Score:4, Interesting)
Re:Why you have to provide the real answer? (Score:1)
Re:Why you have to provide the real answer? (Score:2)
SSN numbers (Score:1)
The bigger issue is that they aren't really intended to be private, and at this point clearly aren't.
Re:Why you have to provide the real answer? (Score:1)
As far as the webforms are concerned my mom's maiden name is Evans, and my favorite pet is Aragog.
Some systems won't accept the real answer (Score:2, Funny)
Re:Why you have to provide the real answer? (Score:2)
Being called a dummy by someone... (Score:2)
Paul B.
Re:Being called a dummy by someone... (Score:2)
(obviously your proposal being dumb and my nick being cute are unrelated)
Re:Why you have to provide the real answer? (Score:2)
'Course, you have to treat your answer to that question like a password, because its secrecy has roughly the same security implications as your actual password. So if you provide your mother's maiden name in place of "favorite pet" - so what? If someone's got some info on you and they're trying to get into your account, they're going to try tha
Good enough security (Score:3, Insightful)
It's not perfect, but it makes attacking a random account harder. That the password is emailed to a known address adds further security. It's probably not good enough to stop a dedicated attacker, but for something relatively unimportant (like a Slashdot login), it's Good Enough. For important things (say, your banking site) I would hope that emailing you your password isn't an option at all (it isn't for my bank).
You can improve your security marginally by making up a consistent fictional answer. Again, not suitable for important sites, but good enough for lightweight stuff.
Let the user choose their own question (Score:4, Insightful)
Also, users can then choose all sorts of really arcane things for their questions, or just bits of silliness & mental associations that aren't worth an attacker's time to figure out.
Re:Let the user choose their own question (Score:2)
Most people don't have enough imagination to come up with a secure password, let alone a unique question that's answerable twelve months from now. I bet if you were to look at some of the "write-your-own" question sites currently out there, the majority of the 'questions' you'd find will be "your password is 'xyzzy'". At least "city of birth" or "elementary school name" require a
"What is my password?" (Score:3, Funny)
Re:Let the user choose their own question (Score:1, Interesting)
You have to have some way of identifying yourself (Score:2)
The more passwords you have, the less attempts are necessary.
Worse still: These "passwords in case you forget your password" are things lots of people might know.
Passwords are only as strong as their secrecy, and since two is no better than half as good, these systems are _less_ secure than having a single password.
They do, however, have a benefit- and that's the cost of creating a new account. Users that have forgo
"Make up a question" (Score:2)
"What is your password?"
Email/Reset Password (Score:5, Insightful)
Re:Email/Reset Password (Score:2)
1) When you sign up with the website for an account you are forced to give them your email
2) You don't visit the site for a long time and forget your password.
3) You go to the website and click on the "forgot my password" link
4) You fill in the form with the email account you used to sign up
5) The system checks to see if the email is associated with an account
6) If there is an account that matches the email it sends a reset link to that email
Re:Email/Reset Password (Score:2)
"Damn, what was my hotmail password?"
"Damn, what was my Yahoo password?"
"Damn, what was my Gmail password?"
Re:Email/Reset Password (Score:2)
Re:Email/Reset Password (Score:2)
My wife changed her email address to reflect her new surname when we got married. Many online email providers (such as we use) have policies in place that delete unused accounts.
Uh oh, phishing alert... (Score:1, Funny)
Um, can't answer that, it's my secret question.
Why follow the rules? (Score:3, Informative)
For example:
Question: "What's your mother's maiden name?"
Answer: "Sheatemybrotherssoul"
Re:Why follow the rules? (Score:3, Funny)
An old friend of mine would choose the "favorite historical figure" option, if available, and he would answer "Hitler." He said you wouldn't expect it of a black Jewish guy, and that's what was so great. It's not likely to be guessed.
Re:Why follow the rules? (Score:2)
Since there are exactly seven black Jewish guys in existence today, I now know your friend's password! Ha!
Re:Why follow the rules? (Score:2)
stupid (Score:2, Informative)
Greater men than you have tried.. (Score:2)
No? (Score:3, Insightful)
Re:No? (Score:2)
Re:No? (Score:2)
There AREN'T!! (Score:2)
What they need to do is create a dual password system, where there's a master password which can change anything, and a secondary password which can change anything but the master password. You would always log in using the secondary password. Concerning the master password, write it down, stick it in a very sa
There was a comedian... (Score:2, Funny)
Cheap form of 2-factor authentication (Score:1)
Re:Cheap form of 2-factor authentication (Score:1)
My solution (Score:2)
If I lose both the files then I am screwed since I don't even know what the answers are!
Datamining, yes. (Score:2)
Why secret questions? (Score:3, Interesting)
I've worked on a few systems which allowed you to choose your own secret questions and answers, but they're really not that much better.
One of the better solutions I saw required you to register at least two of (1) an e-mail address, (2) an SMS number, and (3) a facsimile number. If you lost your password you went to the "forgot password" interface, entered your username and asked it to send a message to one of the registered points (it would just say "E-mail," "SMS" or "Facsimile" and not divulge the specific details). The message contained a one-time URL which expired in 24 hours and allowed you to set a new password. When the password got reset, a message was sent out to all registered points detailing when and where from (IP address) this occurred. Self-service all the way.
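The token-based reset flow that several posts in this thread sketch (the "forgot my password" step list near the top, the six-step email reset list, and the two-channel design in this post) can be written down as working code. The following is an added example written for this page, not code from any commenter or from the system the poster describes. It assumes an in-memory user store, a placeholder site URL (`https://example.invalid/reset/`), and an `outbox` list standing in for real e-mail, SMS and fax delivery; the 24-hour expiry, one-time use, disclosure of only the channel kind, and notification of every registered channel with time and IP are the properties the post names.

```python
import hashlib
import os
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 3600                        # one-time URL valid for 24 hours
RESET_URL_PREFIX = "https://example.invalid/reset/"  # placeholder site, an assumption
CHANNEL_KINDS = {"email", "sms", "fax"}


@dataclass
class User:
    channels: list            # [(kind, address)], e.g. ("sms", "+15550100")
    password_hash: str = ""   # "salt$digest", set by complete_reset


@dataclass
class PendingReset:
    username: str
    expires_at: float
    used: bool = False


def _hash_password(password):
    # Salted, stretched hash so a leaked table does not expose the new password.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


class ResetService:
    def __init__(self):
        self.users = {}    # username -> User
        self.pending = {}  # sha256(token) -> PendingReset; raw tokens are never stored
        self.outbox = []   # (kind, address, body) messages a real system would deliver

    def register(self, username, channels):
        kinds = {k for k, _ in channels}
        if not kinds <= CHANNEL_KINDS or len(kinds) < 2:
            raise ValueError("register at least two of email, sms, fax")
        self.users[username] = User(channels=list(channels))

    def available_channels(self, username):
        # Only the kind ("email", "sms", "fax") is shown, never the address itself.
        user = self.users.get(username)
        return sorted({k for k, _ in user.channels}) if user else []

    def request_reset(self, username, kind, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        addresses = [a for k, a in user.channels if k == kind] if user else []
        if not addresses:
            return False  # the UI should show the same neutral text either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = PendingReset(username, now + TOKEN_TTL_SECONDS)
        self.outbox.append((kind, addresses[0], RESET_URL_PREFIX + token))
        return True

    def complete_reset(self, token, new_password, client_ip, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self.pending.get(digest)
        if rec is None or rec.used or now > rec.expires_at:
            return False  # unknown, replayed or expired token
        rec.used = True
        user = self.users[rec.username]
        user.password_hash = _hash_password(new_password)
        stamp = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(now))
        body = f"Your password was reset at {stamp} from IP {client_ip}."
        for kind, address in user.channels:  # tell every registered point of contact
            self.outbox.append((kind, address, body))
        return True
```

Storing only the SHA-256 of the token means a read of the `pending` table does not yield a usable reset link, and marking the record `used` closes the replay window the moment the link is consumed. The `False` return from `request_reset` for unknown usernames or channels is for the caller's logic only; the page shown to the requester should read the same in both cases so the form cannot be used to enumerate accounts.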
I'm no expert, but ... (Score:2)
Frankly I think it's a way for the company issuing the account to get just a little bit more information about you. Mother's maiden name? Name of high school? I think birth city is another common one. Sounds like a way of linking you to other people.
Personally I always pick the most obtuse question and give it a completely false answer. Then, as usual,
It's a vulnerability (Score:2)
Re:It's a vulnerability (Score:1)
Re:It's a vulnerability (Score:2)
Not really - your site isn't pretending to be another site. It just happens to ask the same questions as another site.
While everyone should (in principle) pick unique passwords for every site, most people are probably less likely to make up a different answer to the question "what is your favorite sports team" for every website.
Re:It's a vulnerability (Score:2)
Mnemonic Passwords need more evangelism (Score:2, Insightful)
It is agreed (Score:2)
Make your own answer (Score:2)
Funny secret question situation... (Score:5, Funny)
Question: How do I masturbate in the shower?
Answer: With my SpongeBob SquarePants friend.
Question: What is the most sexually satisfying farm animal?
Answer: The Llama.
I am not sure who was more embarrassed, me or the agent as I had forgotten that I even made up those questions in the first place.
Re:Funny secret question situation... (Score:2)
Re:Funny secret question situation... (Score:1)
Don't give the right answer! (Score:1)
Well, who says it's a security feature? (Score:1)
Actually, existence of secret questions is to make you feel your account is more secure.
If it were truly a secure system, they would not be willing to change your password over the phone, because phone conversations are not encrypted. The only thing you could do would be to have your account locked/frozen over the phone, and possibly mail a signed form with a secondary password, and a signature guarantee (like a notary's seal) to request a token be mailed to your address of record, and then you change
I Routinely neutralise this... (Score:2)
How are 'Secret Questions' Secure? (Score:1)
One-way hash the answer (Score:3, Insightful)
Instead, these questions should be scrambled and compared against scrambled answers you provide later. That way, nobody can retrieve the answer. It's up to the web site operator to take this simple additional step, but it's a lot more secure.
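The "scramble and compare" step this post asks for is a salted, stretched hash of the answer, exactly as for a password. The following is an added example written for this page, not the commenter's code; the answer normalisation rule, the PBKDF2 iteration count and the five-attempt lockout are assumptions. It goes one step past the post: hashing keeps help-desk staff and anyone holding a copy of the database from reading the answer, but a "mother's maiden name" draws from a small space that can still be guessed online, so the verifier also caps wrong attempts.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # PBKDF2 work factor; tune upward as hardware allows (assumption)


def normalize_answer(answer):
    """Canonicalise free-text answers so harmless variation ("Fluffy ", "fluffy")
    still matches. Enrollment and verification must apply the same rule."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def enroll_answer(answer):
    """Store a salt and a salted, stretched digest of the answer, never the answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_answer(stored, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate_digest, bytes.fromhex(digest_hex))


class AttemptLimiter:
    """Hashing hides the answer at rest; the attempt cap limits online guessing
    of a low-entropy answer such as a maiden name (lockout policy is an assumption)."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.records = {}  # username -> [stored_hash, consecutive_failures]

    def enroll(self, username, answer):
        self.records[username] = [enroll_answer(answer), 0]

    def locked(self, username):
        rec = self.records.get(username)
        return rec is not None and rec[1] >= self.max_attempts

    def check(self, username, candidate):
        rec = self.records.get(username)
        if rec is None or self.locked(username):
            return False  # unknown user or locked out: same answer, no hint
        if verify_answer(rec[0], candidate):
            rec[1] = 0
            return True
        rec[1] += 1
        return False
```

Normalising with `casefold()` and whitespace collapsing trades a little entropy for usability, which is the right trade for answers a user typed once years ago; the salt keeps two users with the same answer from sharing a digest, and the stretching makes an offline guess of a leaked table cost as much as a password guess.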
Bad experience with secret questions on Paypal (Score:1)
All it takes is a little bit of creativity. (Score:2)
Huhu (Score:2)
Two quick observations (Score:1)
Two quick observations:
Where I am required to answer one of these "your pet's name" questions, I do so accurately, but with my hands slightly off. Let's say there's three tiers of paranoia about an account and for stuff I don't care about I just move both hands one character to the right while typing my secret answer. For medium stuff I move them apart from each other and for what I deem critical I move the right hand up and the left one in (reality is different but that's the gist). Incidentally, I do the
My secret answer (Score:2)
They fail when you're famous (Score:1)