
Study Shows "Secret Questions" Are Too Easily Guessed

kdawson posted more than 5 years ago | from the name-of-your-late-great-aunt's-fifth-parakeet dept.

Security 303

wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password.


303 comments


Don't use them (5, Funny)

slart42 (694765) | more than 5 years ago | (#28008885)

I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

Re:Don't use them (2, Funny)

Anonymous Coward | more than 5 years ago | (#28008927)

I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

Until now......

Re:Don't use them (3, Insightful)

nemesisrocks (1464705) | more than 5 years ago | (#28008929)

Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience.

Re:Don't use them (4, Insightful)

Shin-LaC (1333529) | more than 5 years ago | (#28008979)

Unfortunately, many sites require you to set up a secret question for password recovery. Disabling that facility is actually desirable if you want to enjoy the strength of password security.

Re:Don't use them (4, Informative)

zonky (1153039) | more than 5 years ago | (#28009019)

Password safe [sourceforge.net], add the question and give a randomly generated combination as the answer. Problem solved.

Re:Don't use them (1)

digitalchinky (650880) | more than 5 years ago | (#28009153)

And here's me thinking I might skip the whole password safe type thing and just wing it. At least until my job required me to sign up for some HSBC corporate banking stuff. Turns out that while you do give a password, they never, ever, ask you for it. 4 weeks later when they get around to telling you your application has been approved, you have to dredge back up all the bogus 90210 user@example.com crap you typed in: Mother's maiden name, shoe size at 11 years of age, what you ate for breakfast on the 13th of September 1993, the names of your 4 previous pets that departed our dear earth as a result of unfortunate microwave accidents, that kind of thing.

I'm a tad more careful now. My crap has gained a little more consistency so to speak.

Re:Don't use them (2, Insightful)

3247 (161794) | more than 5 years ago | (#28009279)

While you may not be able to disable it, nothing stops you from having your mother's maiden name generated by apg.

Re:Don't use them (1)

AvitarX (172628) | more than 5 years ago | (#28009335)

I would say that many sites unfortunately require you to enter a secret question to log in, rendering it very difficult.

When I am at a new computer I have a very hard time entering my birth city (is it where I popped out, what's on my birth certificate, the major metro I was in, or the state I was born, adding a layer of subterfuge).

Some even have rules for the secret question, making it even harder.

The customer support people actually recommended I use the same thing for every question when they had to re-grant me access to my bank account.

Re:Don't use them (3, Interesting)

Opportunist (166417) | more than 5 years ago | (#28009385)

It can be used sensibly. You can come up with a paragraph in a book (I have one), use the first letters, use the sentences up to the last one as the question and the last sentence as the answer.

Not foolproof, but generally good enough. At least when the system allows you to ask your own question.

Re:Don't use them (1)

Splab (574204) | more than 5 years ago | (#28009477)

That's why my secret question when possible is a string of random characters with the answer always being another string of random chars (makepasswd --char=15).

Yes that means I won't be able to ever recover my password if forgotten, but neither will anyone else.

Re:Don't use them (3, Insightful)

4D6963 (933028) | more than 5 years ago | (#28009025)

Also, neither would you. Hence, disabling this whole huge security hole.

Fixed it for you. If you look at a security as a bunch of security components put together either in line or in parallel, you'll realise that when you put in parallel something somewhat secure like a password and something not very secure like asking a question, then the system is only as secure as the weaker of the two securities. You don't need to know much about someone to know or guess where they were born or what their favourite TV show is, I mean that's the kind of information people put on their Facebook profile for the whole world to see to begin with.

Re:Don't use them (0)

Anonymous Coward | more than 5 years ago | (#28009067)

While this is mostly true it ignores the fact that someone will notice a password change next time they log on.

Re:Don't use them (2, Insightful)

Swizec (978239) | more than 5 years ago | (#28009133)

While this is mostly true it ignores the fact that someone will notice a password change next time they log on.

So they've noticed a breach post facto when anything the hacker wanted to do was already done. Like I dunno, send a bunch of bad things in your name, steal your sensitive data and so on. Yeah, knowing they might have done this really helps preventing it from happening.

Re:Don't use them (1)

theeddie55 (982783) | more than 5 years ago | (#28009033)

Also, neither would you. Hence, rendering the whole facility useless, and causing you extra inconvenience.

Of course he'll know it, he wrote it down on a piece of paper with his password.

Passwords *should* be written down (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28009163)

I have a list of some ~150 accounts and passwords on paper in an unlocked cupboard. They are forum accounts, accounts to online communities (digg, etc.), online stores, to my less important emails, to some FTP servers, etc. etc...

I don't need to worry about hard drive breaks or hackers - everything is on paper and offline. I don't need to worry about my family members wanting to log into my driveThruRPG online store account - why would they want to? And even if they did they could do nothing without my paypal account.

There are only a few passwords that aren't on the list - my private e-mail, my work e-mail, my paypal, logins to my home and work computers and login to the encrypted partition on my hard drive.

I don't use the same password in any two places. Only flaw of this is that if I were to lose that list (probably due to my house burning down) I would have to recover a lot of passwords. However, in such event the password recoveries would be the last thing to worry about...

Re:Don't use them (0)

Anonymous Coward | more than 5 years ago | (#28009129)

Actually, slart42's first pet really was named OIYNTDttye7it867t&%&^%&^T(

Re:Don't use them (1)

zombie_monkey (1036404) | more than 5 years ago | (#28009229)

On many sites, there is no way to disable supplying a hidden question and answer. Which is why I always input a random sequence of characters for both with the maximum length allowed, and I can safely forget about that attack vector.

Re:Don't use them (5, Insightful)

Jurily (900488) | more than 5 years ago | (#28009361)

Hence, rendering the whole facility useless, and causing you extra inconvenience.

Disabling an insecure security feature is not an inconvenience.

Re:Don't use them (1)

TranceThrust (1391831) | more than 5 years ago | (#28009619)

The alternative of answering those questions truthfully and thus keeping this facility useless, would render password-protected access useless; pick your poison.

Re:Don't use them (5, Interesting)

Anonymous Coward | more than 5 years ago | (#28008981)

Some services let you choose the question as well as the answer. In that case, I always set the question to "What is my password?"

Re:Don't use them (5, Interesting)

pbhj (607776) | more than 5 years ago | (#28009187)

I bet it stores the answers as plain text instead of hashing it like your pass. You're probably basically giving the support guys your password, hope you don't use it elsewhere ... but no, of course no one would make a system that retarded

Re:Don't use them (1)

Antique Geekmeister (740220) | more than 5 years ago | (#28009539)

It usually is plain text, because when I've gotten people on the phone to change my passwords, they've accepted 'close enough!' answers for the street I grew up on or my high school. Exact spelling on such things can matter if it were kept encrypted.

Re:Don't use them (1)

AvitarX (172628) | more than 5 years ago | (#28009357)

They usually don't let you use your password as the answer (not that I've tried).

Re:Don't use them (1)

Jurily (900488) | more than 5 years ago | (#28009379)

In that case, I always set the question to "What is my password?"

You also give a fake one as answer, right?

Re:Don't use them (1)

MirthScout (247854) | more than 5 years ago | (#28009587)

When I can create my own question and answer I use:
What is answer number 1?
What is answer number 2? ...

Re:Don't use them (0)

Anonymous Coward | more than 5 years ago | (#28009041)

I've lost a password to a Yahoo account, guess how to renew the password? Answer my secret 'kc0cxewr2gsk5' question. Answer? Probably 'z1oimh6zw'. Had no choice but to stop using Yahoo mail because of the secret question requirements.

Re:Don't use them (4, Insightful)

Xest (935314) | more than 5 years ago | (#28009085)

Not only that but when I have used them I've found them annoying as they're often case sensitive and it's easy to forget what you entered or how you entered it. What is your dog's name? Which dog? What is your date of birth? What date format?

They're just bad all round, often the questions you get to choose from either fall into the category of far too easily guessed/socially engineered such as where were you born which 90% of people you've ever met can tell from something like your accent or where you work and live if you never moved away or they fall into the category of being too ambiguous such that when it comes back to remembering how you entered it 3 tries will probably get you locked out.

Creating a list of questions that truly are secret and of which at least one is common to everyone is near impossible. You could start asking things like "Who at your workplace would you most like to sleep with" but I don't think most people would want to answer such intrusive questions!

Re: What date format? (0)

Anonymous Coward | more than 5 years ago | (#28009237)

If you know about date formats, you know there is only one. ISO 8601.

Re: What date format? (1)

Xest (935314) | more than 5 years ago | (#28009333)

That's a standard that defines a format, not a format by itself, regardless it's also one of many standards, although many of those are obsolete now. Still, there are plenty more than just one single date format however you cut it!

But the point is that on some days you'll use 20/3/2009, other days you'll use 20/03/2009, then you might use 20th March 2009 and all that's assuming just a single date ordering from days to years which is common in Britain but not so in the US which uses months, days, years or Europe which mostly follows years, months, days.

Re:Don't use them (1)

BikeHelmet (1437881) | more than 5 years ago | (#28009121)

My pet's name is JDianD_6S8pXOHMK8m2C!

If I lose my password, I probably lost my computer (or my memory?), which means creating a new account is less hassle than what I'd be going through at the time.

But... I've never lost a password yet. The only troubles I've had with passwords is when sites get hacked. They give you short new ones by email, but the new ones sometimes don't work when you try to change them (to something more secure), so then you're stuck with them. :/

If you actually use the secret questions from time to time, I suggest you lock your passwords away with KeePass [keepass.info] and put a good master password on it instead. Random hexadecimal passwords of random lengths are way harder to guess than a secret question!

Re:Don't use them (4, Interesting)

pkretek (247414) | more than 5 years ago | (#28009137)

I always sha those stupid questions with a related answer and some number: echo -n MyPet01|shasum -

Re:Don't use them (2, Informative)

Anonymous Coward | more than 5 years ago | (#28009185)

I don't think many people would guess the name of my first pet was OIYNTDttye7it867t&%&^%&^T(

The name of my first pet, a hamster, was

Spotty'delete from secretquestions;--

Old news ? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28008895)

I guess everyone from the /. community already knew this.
I frequently fill out my "secret questions" with total random nonsense, like:

"What is bla times 12381?", A: "2823848232abc!"

I guess, if I can't guess it afterwards, no one else should be able to ;=) (providing the answer isn't easily brute forced)

random answers (1)

Better.Safe.Than.Sor (836676) | more than 5 years ago | (#28008909)

Question: What is your favorite color?
Answer: 37Uhy78jn

Good luck on nailing that anytime soon.
Next . . .

Re:random answers (3, Funny)

rolfwind (528248) | more than 5 years ago | (#28009031)

Question: What is your favorite color?

#0099CC

Re:random answers (1, Funny)

Anonymous Coward | more than 5 years ago | (#28009065)

Ha! Now I've got your password, sucker!

Re:random answers (2, Funny)

Fex303 (557896) | more than 5 years ago | (#28009087)

Question: What is your favorite color?

#0099CC

Great. Now I have to change the combination on my briefcase...

Re:random answers (2, Insightful)

4D6963 (933028) | more than 5 years ago | (#28009035)

Yep, security-savvy users do that because they know that's just wrong, the problem is companies pushing that security measure when it actually undermines their security efforts. It's like they're really asking for accounts to be broken into.

Re:random answers (1)

theeddie55 (982783) | more than 5 years ago | (#28009045)

good luck remembering that when you forget your password.

Cryptic Crossword Clue (1)

AliasMarlowe (1042386) | more than 5 years ago | (#28009513)

I prefer to make up a cryptic crossword clue, but one which only I could know the answer to. Here's an example: "Red Cross indebted to largesse (9)". Don't bother trying to guess the answer - it involves two uncommon languages, and some personal quirks. It's also more than 9 characters long.
For those "first pet" idiot questions, I typically choose an extinct species, but not any of the well-known ones, and add a non-alphameric character (like Elrathia^kingi or Charnia_masoni, although I have not used those particular examples). An analogous approach works for "mother's maiden name" and other such security challenges.
This approach has served me for years, and I can always remember the passwords...

Re: random answers (1)

French31 (1311051) | more than 5 years ago | (#28009729)

Question: What is your favorite color?
Answer: Blue. No, 37Uhy-- Auuuuuuuuuuuugh!

Its a flawed concept (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28008913)

They tell you to choose a difficult to guess password, checking that it is made up of letters and numbers, does not contain your name, etc. Then they ask you for an "easily remembered answer" to a question. This in effect is a secondary back-door password, which you are told to select with the opposite criteria to the main one.

Re:Its a flawed concept (3, Informative)

digitig (1056110) | more than 5 years ago | (#28009555)

To be fair, most of the systems I have seen that have secret question type security don't let you in on the basis of the secret question, they email a replacement password to you, and only use the secret question to reduce DOS attacks and minimise the sending of plain-text passwords. Surely in that case it's only an issue if the cracker has already compromised your email account?

Duh (1)

Spad (470073) | more than 5 years ago | (#28008923)

This is why when I'm forced to have a secret question / answer I always use gibberish.

I reason that in the unlikely event I forget my password I'd rather have the hassle of going through a more long-winded retrieval process than having random people able to reset my password.

We did this to a friend when I was still at school - "Forgot" his Yahoo Mail password, guessed his secret answer and reset his password. No malicious intent, we just enjoyed winding him up, but I reckon a good 15 or 20 people that I knew could have guessed his answer correctly.

That's spot on (1)

TractorBarry (788340) | more than 5 years ago | (#28008925)

Randomness and strangeness are your friends when it comes to this sort of thing. I don't think too many people would guess one of mine (obviously no longer in use)

Q: How many Alsatians mime to rice ?
A: Egyptian Eskimo Chess

Of course it helps if such systems at least allow you to set up your own questions as that is entirely memorable to me :)

It also confused the hell out of my bank when my memorable date was too far in the future for its system to cope with. That soon made me switch banks to one with a half decent system !

Re:That's spot on (1)

dword (735428) | more than 5 years ago | (#28009043)

I use the same answer to "Secret Questions" all over the place... now I realize, that's just as bad as using the same password!

Re:That's spot on (0)

Anonymous Coward | more than 5 years ago | (#28009183)

Yea, you just have to run into one hacked/untrustworthy service and they can reset all accounts :)

Re:That's spot on (1)

jez9999 (618189) | more than 5 years ago | (#28009051)

It also confused the hell out of my bank when my memorable date was too far in the future for its system to cope with. That soon made me switch banks to one with a half decent system !

Was it L. Ron Hubbard's prediction for the date/time of the end of the universe?

Not bad if used with email (4, Insightful)

Zouden (232738) | more than 5 years ago | (#28008931)

Secret questions are only less secure than passwords if they tell you the password right away. But if they reset the password and email the new one to a pre-specified email account then just guessing the answer isn't enough; you'd have to have access to the victim's email account too.

This doesn't really work that well if the password is actually for someone's email account, though.

Re:Not bad if used with email (4, Insightful)

Tukz (664339) | more than 5 years ago | (#28009247)

So I was wondering. I forget my password to Site A, and go through a password recovery and answer a secret question only I know about, and then they send me a new password, or password recovery instructions, to my email.

This is where I get a bit confused. Why go through the entire Secret Question thing, if the system is going to send it to my email anyway?

Why not skip the secret question part, and just send me an email with instructions or new password right away?

Only thing it may protect against, is a stolen email account, but then you're screwed anyway, since it mails you....

Re:Not bad if used with email (2, Interesting)

QuestorTapes (663783) | more than 5 years ago | (#28009629)

Primarily, I believe that is useful for sites that reset the password when you request it. Some do that and send you a new password, instead of looking it up. This is mostly if they encrypted it and discarded the original password. That way some random person is less likely to unset your password unexpectedly.

My bank uses similar logic, for an authorized computer designation. They track the computer I'm logged in from, and if I change computers, I have to click to email (or text message) a secondary key for that machine, to my previously registered email/cellphone.

I don't need to provide the secondary key if I'm logging in from the same computer as last time. But when I change computers, they invalidate the secondary key for the previous computer.

Re:Not bad if used with email (4, Insightful)

tylerni7 (944579) | more than 5 years ago | (#28009787)

If you were just emailed a new password without having to provide the answer to a short question, obnoxious people could reset your password every 8 hours or something.
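The thread above (digitig, Zouden, Tukz and tylerni7) describes the sane version of the design: the secret question only decides whether a reset email goes out, the emailed token is what actually authenticates, and the question exists so that strangers cannot trigger resets at will. The following is an added illustration written for this page, not code from any site or poster; the service class, its method names and the in-memory "outbox" standing in for SMTP are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

RESET_TOKEN_TTL = 15 * 60            # seconds a reset token stays valid
MAX_ANSWER_FAILURES_PER_HOUR = 3     # wrong answers before reset requests are refused
PBKDF2_ROUNDS = 100_000


class ResetService:
    """Constructed toy of the reset flow discussed in the thread.

    The secret answer never logs anyone in: a correct answer only causes an
    email to be sent, which blunts the "reset your password every 8 hours"
    nuisance. The random, single-use, short-lived token in that email is the
    real credential, so an attacker needs the mailbox, not just the answer.
    """

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.users = {}                      # username -> account record
        self.failures = defaultdict(list)    # username -> timestamps of wrong answers
        self.tokens = {}                     # sha256(token) -> (username, expiry)
        self.outbox = []                     # (email, body) pairs "sent" (stand-in for SMTP)

    @staticmethod
    def _normalise(answer):
        # Case and spacing differences are the usual reason users fail their own question.
        return " ".join(answer.lower().split())

    def _hash_answer(self, salt, answer):
        # Store answers like passwords: salted, slow hash, never plain text.
        return hashlib.pbkdf2_hmac("sha256", self._normalise(answer).encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, email, password, secret_answer):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "email": email,
            "password": password,            # plain here only to keep the toy short
            "salt": salt,
            "answer_hash": self._hash_answer(salt, secret_answer),
        }

    def request_reset(self, username, answer):
        """Return True if a reset email was queued. Same False for unknown user and wrong answer."""
        user = self.users.get(username)
        if user is None:
            return False
        window_start = self.now() - 3600
        recent = [t for t in self.failures[username] if t > window_start]
        self.failures[username] = recent
        if len(recent) >= MAX_ANSWER_FAILURES_PER_HOUR:
            return False                     # rate limit: no online guessing of a weak answer
        if not hmac.compare_digest(self._hash_answer(user["salt"], answer), user["answer_hash"]):
            self.failures[username].append(self.now())
            return False
        token = secrets.token_urlsafe(32)
        # Only the hash of the token is kept server-side; a database leak does not leak live tokens.
        self.tokens[hashlib.sha256(token.encode()).digest()] = (username, self.now() + RESET_TOKEN_TTL)
        self.outbox.append((user["email"], f"Reset token: {token}"))
        return True

    def complete_reset(self, token, new_password):
        """Consume the emailed token exactly once and set the new password."""
        entry = self.tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False
        username, expiry = entry
        if self.now() > expiry:
            return False
        self.users[username]["password"] = new_password
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "alice@example.com", "old-pw", "Rover")   # constructed account
    print("stranger guessing:", svc.request_reset("alice", "fido"))  # False, nothing emailed
    print("owner answering:", svc.request_reset("alice", "rover"))   # True, email queued
    token = svc.outbox[-1][1].split(": ", 1)[1]
    print("token accepted:", svc.complete_reset(token, "new-pw"))    # True
    print("token replayed:", svc.complete_reset(token, "again"))     # False
```

Two things worth noticing: the question check is deliberately a throttle and nothing more, and the expiry plus single-use consumption of the token mean that an old reset email in a compromised mailbox is worthless after fifteen minutes.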

Re:Not bad if used with email (1)

ILongForDarkness (1134931) | more than 5 years ago | (#28009393)

This doesn't really work that well if the password is actually for someone's email account, though.

Exactly. If I was malicious I wouldn't attack someone's bank account directly. I'd crack their email account and then likely get dozens of passwords at once. I'd likely get information about other accounts they have that I wasn't aware of, oh you have an investment account from your last job's pension, how nice.

Once you have the email account you can then with a lot of sites tell them that you forgot the password and have them resend it to the compromised email address. The problem with security questions IMHO is that a lot of the questions are something that you could ask someone or could come up in normal conversation. Hey what elementary school did you go to? Oh you have an uncle on your mother's side, what's his name? (now I know your mother's maiden name). Etc. It is the same thing that you hear about not using words for passwords. It makes them easier to guess.

What did they really expect? (2, Insightful)

Aladrin (926209) | more than 5 years ago | (#28008967)

The questions have to be so easy that the owner will -never- forget them... That means they pretty much have to be a defining characteristic in a person's life.

Favorite color, birth city, mother's maiden name, location of first job, favorite pet, etc etc.

While my friends couldn't name a couple of those, it'd be stupidly easy for them to get those answers from me in a normal conversation. Even strangers, around friends, have a good chance at it.

Also, my bank takes this a step further... Sometimes when you log in, it asks you one of the security questions after you put in the name and password. I've never felt this made much sense, but oh well.

Re:What did they really expect? (1)

NewbieProgrammerMan (558327) | more than 5 years ago | (#28009115)

The questions have to be so easy that the owner will -never- forget them...

Unless, of course, they force you to use security questions that (1) you don't have an answer to, or (2) you have an answer that doesn't satisfy their assumptions about possible answers; then you have to make up an answer on the spot that you won't remember a week later.

(1) "Who is your favorite author?" I have a handful of authors I like, but I don't go to the trouble of choosing a "favorite" one, so I had to pick one at random and forgot to write it down, so I couldn't answer the question a year later.

(2) What is your maternal grandmother's first name? "Ora" --> "Sorry, your answer is too short." WTF? IT'S HER NAME!

By now, most places seem to have figured out it's not a good idea to make you choose from a narrow set of predefined questions, but that's been replaced by making me choose a fucking image and make up some bullshit text and passkey to go with it on the spot.

Breaking news (1)

damaki (997243) | more than 5 years ago | (#28008971)

People who use insecure passwords will use insecure retrieval questions. Guess what the problem is? Worse, once their uber secure password is stored in their browser, they will use a simple question. In the end, the user is almost always the problem.
I usually use something personal enough so that nobody else, even my girlfriend, knows the answer.

Re:Breaking news (3, Funny)

Zero__Kelvin (151819) | more than 5 years ago | (#28009017)

"I usually use something personal enough so that nobody else, even my girlfriend, knows the answer."

You just gave it all away! Now we know that the question was "what is your sexual orientation" ...

Re:Breaking news (1)

BenoitRen (998927) | more than 5 years ago | (#28009315)

Damn furries.

Re:Breaking news (1, Funny)

Anonymous Coward | more than 5 years ago | (#28009647)

I thought the question was "What is my offline name?"

Re:Breaking news (0)

Anonymous Coward | more than 5 years ago | (#28009109)

The problem I've experienced is that these sites have three or four short lists of questions with obvious answers from which you must choose. When users are confronted with several websites which have slightly different lists of questions with obvious answers, are they supposed to develop and memorize a mapping from the different stupidly obvious questions they selected to questions that are more secure?

My bank went with this type of so-called extra security measure, and I entered long strings of profane insults as answers. Now I keep most of my money with another institution that has demonstrated some intelligence in regards to security.

My question is: (2, Informative)

dvh.tosomja (1235032) | more than 5 years ago | (#28008993)

Who has more water that we expect to?

Re:My question is: (0)

Anonymous Coward | more than 5 years ago | (#28009141)

A preposition is not a good word to end a secret question with.

Secret Question are easier than the password (4, Interesting)

rolfwind (528248) | more than 5 years ago | (#28009003)

What is the surprise? They don't have to follow the same rules as passwords (letters and at least 1 number, etc) that many sites enforce. Plus, if they don't let you make your own question, they pretty much stick to the same stupid, generic 5-8 questions they all have.

If someone really wanted to go on a phishing expedition, they would open a site that requires registration, security questions, and all that, and then try the information on the webmail of the people who just registered. Probably would work phenomenally as well.

If websites wanted to be truly secure, they would ask for a mailing address or at least a phone number to confirm resetting things (thinking of financial accounts, not stupid forums). They confirm the same inane, easily duplicable facts in real life, but at least they have to reach you at a confirmed safe location.

I agree (5, Funny)

jez9999 (618189) | more than 5 years ago | (#28009027)

Secret questions are way too easily guessed. They should just stick to the most reliable password of all, mother's maiden name. Who the hell else would know that?

Re:I agree (5, Insightful)

will_die (586523) | more than 5 years ago | (#28009173)

Who the hell else would know that?
Every other web site that you visited that asked that question.

Spot on (5, Interesting)

pjt33 (739471) | more than 5 years ago | (#28009181)

Shame I just used my mod points. There are plenty of cultures in which women don't change their names when they marry, and even in those where they do they tend not to change them unless they marry, which is becoming less common. Fortunately banks are starting to wake up, and maybe in a decade they'll all have semi-sensible account security.

Re:Spot on (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28009517)

I don't understand your banking system at all. Here in Finland depending on the bank, you have a customer number or something else and a password plus/or a random number from your secret number card that your bank sent you.
I don't get it what's so hard to implement this in all banks. A little piece of paper with a hundred random 4-digit single use numbers on it and a database of these on the server. There's no way anyone could get to any of my bank accounts without physical access. Even with a keylogger or some other way they would only get my "username" and an already used password.
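The number-card scheme the Finnish poster describes is simple enough to show end to end. Below is an added example written for this page, not any bank's code: the server keeps only salted hashes of the hundred codes, challenges one specific index at a time, marks each code used after one success (so a keylogged code is worthless, as the post says), and locks the card after a few failures because a 4-digit code on its own is guessable at 1 in 10000 per try. Card size, digit count and the lockout threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CARD_SIZE = 100       # codes per printed card (matches the "hundred" in the post)
CODE_DIGITS = 4       # 4-digit single-use codes, as described
MAX_FAILURES = 3      # wrong codes in a row before the card is locked (assumed policy)


@dataclass
class CardRecord:
    """Server-side state for one card. The codes themselves are never stored."""
    salt: bytes
    hashes: list      # hashes[i] = H(salt, i, code_i)
    used: list        # used[i] becomes True once code i has been accepted
    failures: int = 0
    locked: bool = False


def _hash_code(salt, index, code):
    # Index is bound into the hash so code 17 cannot be replayed as code 18.
    return hashlib.sha256(salt + index.to_bytes(2, "big") + code.encode()).digest()


def issue_card():
    """Create a card. Returns (codes to print for the customer, record to keep on the server)."""
    salt = secrets.token_bytes(16)
    codes = [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(CARD_SIZE)]
    record = CardRecord(
        salt=salt,
        hashes=[_hash_code(salt, i, c) for i, c in enumerate(codes)],
        used=[False] * CARD_SIZE,
    )
    return codes, record


def next_challenge(record):
    """The server decides which index to ask for: the lowest unused one, or None if exhausted."""
    for index, consumed in enumerate(record.used):
        if not consumed:
            return index
    return None


def verify(record, index, code):
    """Check one code. A code is accepted at most once; failures count towards lockout."""
    if record.locked or index is None or not 0 <= index < CARD_SIZE:
        return False
    if record.used[index]:
        return False                     # replay of an already used code
    expected = record.hashes[index]
    if hmac.compare_digest(_hash_code(record.salt, index, code), expected):
        record.used[index] = True
        record.failures = 0
        return True
    record.failures += 1
    if record.failures >= MAX_FAILURES:
        record.locked = True             # a new card must be issued out of band
    return False


if __name__ == "__main__":
    printed, server = issue_card()       # 'printed' is what goes in the post to the customer
    i = next_challenge(server)
    print(f"bank asks for code #{i + 1}")
    print("correct code accepted:", verify(server, i, printed[i]))   # True
    print("same code replayed:", verify(server, i, printed[i]))      # False
    print("bank now asks for code #", next_challenge(server) + 1)    # 2
```

The database compromise case is also covered: leaking the server table gives an attacker salted hashes of 4-digit codes, which are trivially brute-forced offline, so in a real deployment the table would be encrypted or an HMAC with a server-side key used instead of plain SHA-256; the single-use and lockout logic is the part the post is about.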

encrypted password file (3, Insightful)

mcelrath (8027) | more than 5 years ago | (#28009055)

I just keep a gpg-encrypted file with all my passwords. When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file. This file is heavily backed up. I cannot imagine a scenario where I would lose a password, or the answers to "secret questions".

The only time I've had a problem is with stupid websites that require registration (and I don't care about, so didn't write down the gibberish I wrote in their registration form) and some time later I decided to come back to that stupid site.

Re:encrypted password file (4, Insightful)

ortholattice (175065) | more than 5 years ago | (#28009791)

"When sites ask these retarded questions, I just generate a long random alphanumeric string (using a little perl script), and save it in my gpg file."

Well, that's clever, everyone should do that. I'll have to teach my grandmother to write perl scripts, then remember what she called it, where she stored it, and how to run it every time she is asked one of these retarded questions. Oh, and also how to save the output to her gpg file after remembering what her gpg file was called and where she stored it and what its password is.

If you (presumably) guard your passwords carefully (in this same gpg file?), why do you even bother saving the answer to the "secret question"? Just type a bunch of random keyboard characters (bang hard, using the opportunity to release the pent-up frustration), don't save it, and be done with it. Isn't that faster than going through the perl script rigamarole?

For most things - various user forums, etc. - I don't give a damn about all this password/secret question paranoia. If they crack it, so what? I haven't changed my slashdot password since day one, it's easy for me to remember, and if someone cracks it and "steals" my "identity" here, well, I would probably find it amusing.

There are a relatively small number of things, such as bank accounts and trusted access to other people's networks (and yeah, my servers' roots) whose passwords I protect very carefully. Almost none of those things involve extra secret questions in case I forget the password, or if they do I give a gibberish answer I don't save.

(OK, I have a CISSP cert, and those hyperparanoia-filled meetings I have to go to to keep it up sometimes make me want to scream).

You do have secrets... (0)

masterfpt (1435165) | more than 5 years ago | (#28009079)

We all have our little secrets. It's not hard to find a question/answer nobody else could figure out... Unless you are such a nice, innocent and transparent person, like Sarah.

Anyways, this is an old topic and /.ers are intelligent people...

Re:You do have secrets... (4, Funny)

pjt33 (739471) | more than 5 years ago | (#28009191)

Yes, but "Where are the bodies buried?" [xkcd.com] isn't really the question you want to choose for password recovery.

Why don't... (5, Interesting)

Jamamala (983884) | more than 5 years ago | (#28009089)

You just submit the hash of your answer as the real answer? This would outwit a sizeable proportion of attacks by people who know you, as they might be unlikely to guess that you'd do this, and even if they do, they'd still have to guess the hash type.

Then again, if they truly know you, then maybe they'd guess you'd be this paranoid :P

Re:Why don't... (1)

physicsphairy (720718) | more than 5 years ago | (#28009415)

I used to fill in gibberish for the secret question answer. Now I use an alternate password, since that is *really* what I want--another way in if my account gets hijacked--not a password reminder.

Oh, and as far as hashing a standard answer goes, you could also just convert some letters to numbers (as is common with passwords), or have the answer be the real answer written once forward and backward, i.e., you can implement encoding algorithms yourself without needing to pull up the command prompt (which should work just as well for deterring guesses).
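The two ideas in this sub-thread (submitting a hash of the real answer, and treating the answer field as a second password) written out as an added example; this is not code from either commenter. The answers and site names are constructed sample values, and the per-site variant is my generalization of the "second password" idea, keyed with one memorable secret so a leaked answer on one site does not reveal the one used elsewhere:

```python
"""Added example: derive an unguessable secret-question answer from a guessable one.

Not code from any commenter in the thread. Sample answers and site names are
constructed. Both outputs are hex, so they pass the alphanumeric-only fields
some sites impose.
"""
import hashlib
import hmac


def normalize(text: str) -> str:
    """Collapse case and whitespace so 'Fluffy ' and 'fluffy' derive the same value."""
    return " ".join(text.strip().lower().split())


def hashed_answer(answer: str) -> str:
    """The 'submit the hash of your answer' variant: SHA-256 of the real answer.

    Someone who knows the real answer still has to know that it was hashed,
    and with which function, before the field is any use to them.
    """
    return hashlib.sha256(normalize(answer).encode("utf-8")).hexdigest()


def site_bound_answer(secret: str, site: str, length: int = 20) -> str:
    """The 'second password' variant, made per-site.

    HMAC-SHA256 keyed with a memorable secret, over the normalized site name.
    The same secret yields a different answer on every site, so one recovered
    answer does not unlock the others. 20 hex characters is 80 bits.
    """
    digest = hmac.new(
        secret.encode("utf-8"),
        normalize(site).encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    return digest[:length]


if __name__ == "__main__":
    # Constructed sample values, not anyone's real answers.
    print(hashed_answer("Fluffy"))
    print(site_bound_answer("the name of my first real girlfriend", "example-bank.invalid"))
```

The point for a defender is that neither variant fixes the underlying weakness of the mechanism; it only moves an individual user's answer out of the small dictionary the study shows attackers draw from.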

My Qs (3, Funny)

Daimanta (1140543) | more than 5 years ago | (#28009107)

Q What is the highest prime number?
Q In 60 characters, prove Goldbach's conjecture
Q How many palindromic primes are there in base-10?
Q What is the lowest Sierpinski number?
Q Solve the Happy Ending problem for arbitrary n
Q Prove or disprove that the Euler-Mascheroni constant is irrational in 60 chars.

Crack my account and I'll use your idea ^^

Re:My Qs (1)

pjt33 (739471) | more than 5 years ago | (#28009343)

Q What is the highest prime number?

There isn't one.
Non-existent.
Fictional.

Yes, I see your point. It would take quite a while to enumerate all the possible answers.

Q What is the lowest Sierpinski number?

22,699. Am I right?

Re:My Qs (1)

digitig (1056110) | more than 5 years ago | (#28009621)

Q What is the lowest Sierpinski number?

22,699. Am I right?

Well, it's 10223, 21181, 22699, 24737, 55459, 67607 or 78557. That looks manageable for a brute-force attack.

Re:My Qs (2, Funny)

MightyDrunken (1171335) | more than 5 years ago | (#28009739)

No, these are far too easy. What we want are SECRET QUESTIONS, not answers. Mine is, "The answer is 42. What is the question?".

I use a physical book. (4, Interesting)

Rosco P. Coltrane (209368) | more than 5 years ago | (#28009117)

If I'm allowed to choose the question, I use the time-tested method that was used in 80s games, which is "word in page x, line x, x-th word". If I'm not, it's usually a "pet" or "mother's name" question and I use the characters' names or animals in the book.

I also use the book as a source for passwords for the many accounts I have everywhere on the internet. I spell out the login name in the book (say "Mylogin") by looking for the first word starting with "M", then the next word with "y", then the next word with "l", etc... until I find a word that starts with "n", use the very next word that's 8 characters or more, append the line number, and that's my password.

I usually remember most passwords I use all the time, but for the accounts I seldom use, the book title is the only thing I need to remember to recover my passwords. Given the size of my library and the fact that the book is a huge, boring French novel, tough luck even for a burglar to find it.

Re: the book is a huge, boring French novel (2, Funny)

neonsignal (890658) | more than 5 years ago | (#28009197)

That's a bit much. I rather enjoyed reading Les Miserables.

Re: the book is a huge, boring French novel (0)

Anonymous Coward | more than 5 years ago | (#28009375)

That's a bit much. I rather enjoyed reading Les Miserables.

OT I know, but did you really enjoy the ~5 pages spent describing some villains who then contribute 1/2 a page of actual plot?

Having said that, overall I did like it, but I think Dumas' "Three Musketeers" is a far more enjoyable read.

Re:I use a physical book. (2, Funny)

dword (735428) | more than 5 years ago | (#28009453)

Even better: check out the definition of paranoid [slashdot.org] I just found on Slashdot!

Re:I use a physical book. (0)

Anonymous Coward | more than 5 years ago | (#28009609)

I love it. He's got an ultra-top-secret method of hiding his passwords, but he just posted said ultra-top-secret method to one of the most popular tech sites on the intertubes.

Only one problem with one time keys (1)

Kupfernigk (1190345) | more than 5 years ago | (#28009495)

Did you ever read John Le Carré's "A Perfect Spy"? In that, the one time key was a copy of Simplicissimus. Lose the book, career over. (I'm paranoid too, I used to use Weingreen's Hebrew Grammar until the day I had to rescue it from the Oxfam pile...)

Re:I use a physical book. (0)

Anonymous Coward | more than 5 years ago | (#28009765)

Similar to my method. Generally speaking desks and work areas tend to have books, printers, speakers, and so on just sitting around- and a lot of them have some sort of code- the model number, or the ISBN, or a SKU, or whatever. All I need to do is pick one of these, and then remember the source object. There's no notes, there's no indicators, and it's easy to remember something like 'printer' or 'Oxford English Dictionary.'

Duh. (0)

Anonymous Coward | more than 5 years ago | (#28009211)

The really sad thing is that it takes

    research from Microsoft and Carnegie Mellon University

and that they have the balls to

    present[ed] [it] at the IEEE Symposium on Security and Privacy

no shit sherlock (1)

saiha (665337) | more than 5 years ago | (#28009277)

The worst are the ones that force you to have a "secret" question. Oh, like it's that hard for an acquaintance to guess your high school, or your mother's maiden name?

Usually I just create a second password (I'm sure somewhere my mother's maiden name is inwyd15), but even that is one more thing that can get loose.

Re:no shit sherlock (1)

dword (735428) | more than 5 years ago | (#28009485)

But... wait a moment! What if a company can sue you for providing them with false information? They want to check your account on another provider that tells you your password instead of changing it when you go to "Forgot my password". They check the details of your account with them, see they're bogus and try them. If they work, it's the company's lucky day. If they don't, they can try to sue you to obtain the information from you or to make you change your question and answer. Then, they can scare you by telling you that you should do the same with all your accounts. Bam! They now have confidential information that you trust them with and allows them to login using your account on their competitor's website. The answer may be confidential, but the TOSes usually specify that you must provide accurate, truthful information and they reserve the right to peek into the answer of your secret question, for your own protection.

I know it's a stretch, but, considering the lawsuits we've seen on Slashdot lately, I'm still wondering why nobody tried this yet!

Come to think of it, I own a website that requires your email address as username... brb, checking "my" email accounts.

Study Shows "Secret Questions" Are Too Easy (0, Redundant)

Yogiz (1123127) | more than 5 years ago | (#28009359)

That's why I only use one secret question.

"What is my password for this site?"

bogus answers (2, Insightful)

DNS-and-BIND (461968) | more than 5 years ago | (#28009367)

I always put a fake name as my Mom's maiden name. Why does anyone need to know that? It's just an ordinary word, and I always list it the same.

The problem comes with those idiot services that try to be too clever by half, and ask a battery of questions ("what was the name of your first grade teacher" "what was your first dog's name") and other such worthless trivia. These fields are required, and cannot be skipped. One day, the site decides to be clever again (I can picture some nerd furiously beating off as he thinks about his great idea) and asks me what's my favorite color when I log in. I mean, if I forget my password, that's my problem. But using these personal questions as some sort of CAPTCHA or user verification is just stupid.

Re:bogus answers (1)

Shados (741919) | more than 5 years ago | (#28009681)

Even worse, in my opinion, is some banks' web sites, like mine: it doesn't let me have a password of more than 8 characters, and special characters are not allowed (only alpha and numbers, not even space!).

Then in the name of security, they put these stupid questions. Fix the passwords first anyone?

Yesterday wants its news back (2, Informative)

Opportunist (166417) | more than 5 years ago | (#28009373)

I dimly remember I saw something like this on /. before...

It's a no brainer. Or at least it should be. Most of those "secret" questions draw from a limited set of possible answers. Worse, ALL those answers will be found in a dictionary. Because they invariably ask for (*drumroll*) a real, usually English, word.

Now, what do we tell people, what did we tell them for ages? DO NOT use words that can be found in a dictionary. Yet for the "secret answer" (which is in almost all cases as good as the real password) we ask for a word that can be found in one.

Is it me or is this like, you know, STUPID?

There is no "secure" word. Not even your pet's name. My first pet was called ;drop table *;, btw. Yeah, I'm such a geek... sorry 'bout your database, btw.
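The comment above makes the point that the secret answer is, in practice, a second password drawn from a dictionary. What follows is an added example of how a site should therefore handle it on the server side; it is not code from the commenter or from any real site. The answer is normalized, salted and hashed with a slow KDF, compared in constant time, and the account is locked after a handful of failures so a list of common pet names cannot simply be walked. The iteration count, lockout threshold and sample answers are constructed choices:

```python
"""Added example: server-side handling of a secret answer as if it were a password.

Not code from the commenter or from any site. PBKDF2 iteration count, lockout
threshold and the sample answers are constructed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: slow enough to blunt offline guessing of a leaked table
MAX_ATTEMPTS = 5             # assumption: failed answers allowed before the recovery path locks


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive, since users rarely type 'Fluffy' the same way twice."""
    return " ".join(answer.strip().lower().split())


def enroll(answer: str) -> dict:
    """Store only a per-record salt and the KDF output, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest, "failures": 0}


def verify(record: dict, attempt: str) -> bool:
    """Check one recovery attempt; refuse everything once the account is locked."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False  # locked: even the right answer is refused until an out-of-band reset
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def guesses_before_lockout(record: dict, guesses: list) -> int:
    """How many entries of a constructed answer list the site accepts before locking.

    Shows the effect of the lockout: the walk stops at MAX_ATTEMPTS regardless
    of how many plausible answers the list contains.
    """
    tried = 0
    for guess in guesses:
        if record["failures"] >= MAX_ATTEMPTS:
            break
        tried += 1
        if verify(record, guess):
            return tried
    return tried


if __name__ == "__main__":
    # Constructed sample: a short list of common pet names, the kind of
    # dictionary the study says trusted acquaintances draw from.
    common_pet_names = ["max", "bella", "charlie", "lucy", "rex", "fluffy", "buddy"]
    rec = enroll("Fluffy")
    print("accepted attempts before lockout:", guesses_before_lockout(rec, common_pet_names))
    print("correct answer after lockout:", verify(rec, "Fluffy"))
```

None of this raises the entropy of "Fluffy"; it only bounds how many guesses the online recovery path gives away and keeps a leaked table of answers from being reversed cheaply. The study's 17 to 28 percent guess rate is a property of the question, which storage hygiene cannot fix.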

Study... (2, Funny)

nog_lorp (896553) | more than 5 years ago | (#28009421)

Is this the study that was conducted by 4chan during the election? Where they found that 100% of Sarah Palins have easily guessed Yahoo mail security questions?

I got one (1)

bytesex (112972) | more than 5 years ago | (#28009439)

I always use the first name of my first real girlfriend. But then, that's not going to be much use for many slashdotters. But then, you can also use the first name of your faux girlfriend. Her name is even more secret !

boring... (0)

Anonymous Coward | more than 5 years ago | (#28009479)

So now we need studies to show that "secret questions" are insecure.

Is computer science getting boring?

Seen this on one webmail site (0)

Anonymous Coward | more than 5 years ago | (#28009487)

what is your favorite color?

Any guess???????

No duh (0)

Anonymous Coward | more than 5 years ago | (#28009551)

No duh,
No duh,
No duh,
No duh,
No duh.

By the way, can you guess what my secret answer might be?

In all seriousness, with social networking sites, don't you think someone's secret answer can be found there? Pet's name, for example?

Where was I born? (0)

Anonymous Coward | more than 5 years ago | (#28009635)

I remember having to make a choice of crappy questions and the result is that I put a load of gibberish as the answer.

So I forget password one day and get asked the question...then after several attempts start shouting at the PC - What do you mean my favorite sport is not squash? And don't tell me I wasn't born in a hospital ward!

Too easily guessed? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28009679)

Due to the stupid questions that have been asked.

Quite a few sites have begun adding "Roll your own question" options as well.
These ones are much safer to use.

But of course, if you do have one of those sites with the usual crap, just don't answer them directly.
Mom's maiden name? How about Steve?
First pet's name? Tyrannosaurus Fuckyou?
Favourite colour? Urple. (bonus points for those who get the reference.)

But then you have stupid idiots like Sarah Palin who enter their own question with something so easily identifiable. (a fucking zipcode? Holy hell woman)
So, back to square one it seems. Damn my 2 sided thoughts always balancing out.

lemon (0)

Anonymous Coward | more than 5 years ago | (#28009727)

You can also opt for a default answer, with a variable question.
Let's say you choose a simple answer that is easily remembered, like the name of the street you live in, i.e. Oakley road.
No matter what question you choose, your answer will always be Oakley road.
For example:
Question : What is your mother's name?
Answer : Oakley road.

In this case you only have to remember what question you chose.
Safe? Depends. It's sure as hell a lot harder to guess than actually answering the question.

A very simple trick (1)

Drakkenmensch (1255800) | more than 5 years ago | (#28009779)

When I have to fill out a "secret question" with an answer that's all too easy to look up, I just make up an answer no one will figure out but me. If someone trying to get into my account tries to guess what was "the color of my first car", how are they going to know the answer if I made up a word that doesn't even exist?