
How are 'Secret Questions' Secure?

Cliff posted more than 8 years ago | from the security-versus-usability dept.


Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?


116 comments


Create your own question (4, Interesting)

Mostly a lurker (634878) | more than 8 years ago | (#15803459)

how would you implement a secure facility to change passwords?
Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.

Re:Create your own question (2, Insightful)

BandC (917027) | more than 8 years ago | (#15803515)

Even if they create the question themselves, people will tend to create the same question for many websites so knowing one question/answer pair of one person for one website will lead to knowing it for most/all sites. Therefore, I'm not sure if that's the answer.

Re:Create your own question (2, Insightful)

afaik_ianal (918433) | more than 8 years ago | (#15803689)

And they also tend to use the same password for most/all sites, so it's really a moot point anyway.

Same password? (0)

Anonymous Coward | more than 7 years ago | (#15805320)

And you are an idiot if you do that. At least have a few different "security levels" with different passwords. Read/listen more about this technique at http://grc.com/securitynow [grc.com]

Trivial - who cares they get the default uid and passwd.

Shopping - they have my CC; each gets their own username, and the password is a mix of the username + the same symbols and numbers in key locations.

Bank, Broker - different uid, different strong password, changed monthly.

Highly secure accounts - one-time password protected via a hardware device. I wish I could pay my broker for this.

None of these are stored in a browser. My master uid/passwd list is maintained in an encrypted file (TrueCrypt) and stored on USB and disk drives at home and work and on a remote friends computer. Without the key file and password, it is completely secure. Heck, do you want a copy?

Re:Create your own question (1)

Decado (207907) | more than 7 years ago | (#15807746)

They are not supposed to be secure on their own, just a bit more secure than not having them.

Normal password retrieval method:

1. Click the "I forgot my password button"
2. Enter your email address
3. Click Ok to get a confirmation mail sent
4. Go to your email account and read the mail

With secret questions it becomes:

1. Click the "I forgot my password button"
2. Enter your email address
3. Answer the secret question correctly
4. Click Ok to get a confirmation mail sent
5. Go to your email account and read the mail

The secret questions method when correctly used has all the same steps as the method without and the extra step of the secret question. While the secret question itself is relatively trivial to break for anyone who knows you and is deliberately targeting you, a random hacker who just happened to break into your email probably doesn't know your mother's maiden name or the town in which you were born, thus making your data slightly more secure. This is where it is intended to help, to add some difficulty in the step of getting from a compromised email address to compromising everything else.

Of course, many sites mail you the answer you entered to the secret questions, so it is probably still sitting in your email archive somewhere and thus easy to find particularly if you use a site like gmail where your entire mail history is available to anyone who gets your mail account.

Anyway, that is how the secret questions work. Yes your friends and people who know you can get them easily, but for a random hacker who gets access to 10,000 mailboxes through some exploit the fact that he needs to give a couple of hours to find some trivial information about you is probably enough to save you or at the very least slow drastically the speed with which he can proceed.

Re:Create your own question (2, Funny)

Red Alastor (742410) | more than 8 years ago | (#15803631)

Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.
Sometimes you cannot write your own so either you type random junk on the keyboard if you are sure you'll never forget your password or you understand the question in a twisted way. What's your favourite animal? Dubya!

Re:Create your own question (1)

jesboat (64736) | more than 7 years ago | (#15804017)

Random junk works well enough if you're sure (and rightly so) that you'll remember your passwords and if you're sure the service won't decide to change them. That has happened to me, and resulted in switching cell phone providers because my account with the old provider was therefore no longer accessible. (Their service left something to be desired anyway.)

OBPennyArcade (2, Funny)

schon (31600) | more than 8 years ago | (#15803816)

Best is to allow the user to create their own question.

That has its own problems:

http://www.penny-arcade.com/comic/2006/07/12 [penny-arcade.com]

Re:OBPennyArcade (2, Funny)

lazlo (15906) | more than 7 years ago | (#15805734)

I recall a friend who had a "create your own question" security system at.. I believe it was his bank. Anyhow, it was a question that was asked by call center employees. He had far too much fun with that. He said "I love it! Every time I call my bank, they have to ask me 'Jack, why are you such a fucking pussy?', and every time I have to reply 'Because I am what I eat.'"

So, there may be other reasons not to use this sort of system.

But, fundamentally, it's a horrible security measure and should be taken out and shot.

Re:Create your own question (0)

Anonymous Coward | more than 8 years ago | (#15803843)

I prefer to enter my own question... only I don't enter a question but a clue to remember my password (cryptic enough to be of no use to anyone else)

Re:Create your own question (1)

frovingslosh (582462) | more than 7 years ago | (#15803973)

Nonsense. You don't have to create your own question, you just need the ability to do what the site already lets you do, create your own answer. Mother's maiden name? Qgxyz7rtl. First pet's name? Qgxyz7rtl. My high school? Qgxyz7rtl. Favorite TV show? Qgxyz7rtl. The only problem is coming up with a system where every minimum wage help desk monkey doesn't know your answer to every website that you have a password on, but that's not too hard to come up with.
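One concrete way to get the "same scheme, different answer per site" property the comment above asks for (and to avoid the cross-site reuse BandC worries about earlier in the thread) is to derive each answer from one master secret with a keyed hash. The code below is an added example written for this page, not the commenter's own method; the master secret, site names and questions are constructed for illustration, and in practice the master secret would live in a password vault rather than in source.

```python
import base64
import hashlib
import hmac

# Constructed master secret for the example. Losing it loses every
# derived answer, so it belongs in a vault, never in code.
MASTER_SECRET = b"example-master-secret-do-not-reuse"


def normalize(text: str) -> str:
    """Canonical form so that "Mother's Maiden Name" and "mothers maiden name"
    (as two different sites might phrase it) derive the same answer."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def derived_answer(master: bytes, site: str, question: str, length: int = 20) -> str:
    """Derive a per-site, per-question answer with HMAC-SHA256.

    A help desk rep who can read the answer you gave one site learns
    nothing about the answer you gave another: HMAC is keyed and one-way,
    and the site name is part of the message.
    """
    msg = (normalize(site) + "\x00" + normalize(question)).encode()
    digest = hmac.new(master, msg, hashlib.sha256).digest()
    # base32 (A-Z, 2-7) stays typeable and case-insensitive, which matters
    # when the answer has to be read out over the phone.
    return base64.b32encode(digest).decode().rstrip("=")[:length]


def answers_for(master: bytes, site: str, questions: list[str]) -> dict[str, str]:
    """All the answers one site's reset form will ask for, in one call."""
    return {q: derived_answer(master, site, q) for q in questions}


if __name__ == "__main__":
    questions = ["Mother's Maiden Name", "First pet's name", "Name of High School"]
    for site in ("bank.example", "shop.example"):
        print(site)
        for q, a in answers_for(MASTER_SECRET, site, questions).items():
            print(f"  {q:22} -> {a}")
```

Two caveats a practitioner would add: the derived answer is only as strong as the master secret, and some sites impose their own length or character rules on answers (one comment further down mentions a six-character minimum), so the `length` parameter may need adjusting per site.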

Re:Create your own question (1)

jrockway (229604) | more than 7 years ago | (#15804290)

When I went to UIC, we were required to have a challenge/response in case we forgot our password. Mine was:

Q: What is your password?
A: <my password>

Interestingly, Dan Bernstein's is:

Q: How many idiotic ACCC policies can dance on the head of a pin?
A: <dunno, you'll have to ask him> :)

Re:Create your own question (2, Interesting)

Anonymous Coward | more than 7 years ago | (#15804068)

Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to.
Agreed, but we can go further.

The time I was reverse scamming a Nigerian 419'er comes to mind.

I thought it might be fun to look at his mail.com email account. Having Mail.com I knew that it doesn't report attempts to password guess to the account holder.

The secret question this scammer had chosen was "Where were you born"?

The next few emails worked this question into the conversation, using a generous donation to the church in his birth town as the guise. Once I had the town it was trivial to get the password, log in and add an autoreply message to his email. Anyone who emailed him after that time got back my autoreply warning them away.

After the reverse scam I checked his account a few times and the autoreply was still there right up until the account was closed.

Moral to this story: No matter what the question there will probably be a social engineering method to obtain the answer. A good solution along with a user defined question that would raise alarm bells is to simply audit password retrieval attempts.

If someone asks for your secret question and attempts to answer it then place an email in the account giving details of the attempt plus the IP those attempts came from. -- Posting as AC as hacking an email account, even for reverse scamming is a serious crime in my country.

Re:Create your own question (1)

illuminatedwax (537131) | more than 7 years ago | (#15804174)

A friend of mine had a bank account where he was able to make up his own "personal information" question that he would be asked over the phone. A correct question/response went like this:

Receptionist: What are you wearing?
Client: I don't think that's an appropriate question.

Re:Create your own question (1)

Hegh (788050) | more than 7 years ago | (#15805957)

Since many sites don't do this, and I'm not a fan of the "secret question" either, I just enter a long string of garbage for the answer. Something even more difficult to guess than a password. If I forget the password...well, I just won't then, will I? :-P

You just have to ask yourself the question... (5, Funny)

Joff_NZ (309034) | more than 8 years ago | (#15803465)

What is delicious? [penny-arcade.com]

Re:You just have to ask yourself the question... (1)

SpectreHiro (961765) | more than 8 years ago | (#15803701)

Damn, beat me to the punch.

I think (1)

idonthack (883680) | more than 7 years ago | (#15804254)

That comic is delicious. Mmmm. I love waking up to the fresh taste of Penny Arcade on Mondays, Wednesdays, and Fridays.

Re:You just have to ask yourself the question... (1)

Tyger (126248) | more than 7 years ago | (#15804663)

I actually do something like that for places that let you enter any question. I enter some off the wall question that could be answered any way and does not easily relate to anything, but with how I think I know the answer right away.

For example (This is not one I actually use) a friend in school when faced with the classic question "Why is a mouse when it spins?" did not know the "correct" answer (The higher, the fewer) so came up with an equally nonsensical answer (The faster it spins, the much). It is an answer I'd think of nearly right away, but nobody else would probably have even heard it answered that way before.

Re:You just have to ask yourself the question... (2, Informative)

Rakshasa Taisab (244699) | more than 7 years ago | (#15804864)

You just messed up a one line joke...

There's no question mark there, which is why Tycho goes on to question whether it is a question or a statement.

Re:You just have to ask yourself the question... (1)

Aladrin (926209) | more than 7 years ago | (#15805207)

You know, this is totally off-topic, but that reminds me...

When I was in high-school, people would ask 'You know what?' and my answer was 'What is dead.' and then 'He got run over.' I usually eventually explained that my first girlfriend (hey, she asked me out, okay?) had a cat that had kittens... And she didn't name them fast enough. So I named them Spot, What and Horace. She was pretty pissed.

The sites that need it, shouldn't use it. (4, Insightful)

jafo (11982) | more than 8 years ago | (#15803466)

Many, many sites require that you answer some of these questions. It would be ok if it were optional, but in many cases it's required. The thing is that many sites really have no legitimate need to have password changing functionality in the site.

For example, at most online shopping sites, I'm having to create an account I don't really want, and provide this "secret" information, to a site I'll probably never visit again. Or if I do, I'd rather enter all my shipping information again than have to remember a password.

For most sites, if your password for the site isn't valuable enough to you that you keep it safe, then there's probably no reason that you couldn't just start over with a new account. For the sites that do have stuff that's interesting enough that you need a password recovery, the security of a password reminder probably isn't sufficient.

One thing you can do, is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

Sean

Re:The sites that need it, shouldn't use it. (4, Funny)

karnal (22275) | more than 8 years ago | (#15803563)

My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

I'll bet she couldn't WAIT to get married!

On a related note, we must be cousins.

Re:The sites that need it, shouldn't use it. (2, Funny)

Detritus (11846) | more than 8 years ago | (#15803759)

I had a Polish friend whose name was so unpronounceable, that I used to kid him and say his family was too poor to afford any vowels. People used to stare at his name tag, while the language part of their brain went into shock.

Re:The sites that need it, shouldn't use it. (1)

ModMeFlamebait (781879) | more than 7 years ago | (#15806338)

If I had mod points, I'd mod you up even though I'm Polish (and yes, my last name has vowels but my given name is fun for foreigners :) )

Re:The sites that need it, shouldn't use it. (1)

TERdON (862570) | more than 7 years ago | (#15806656)

avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh

Probably related to this guy [wikipedia.org] , heh?

Re:The sites that need it, shouldn't use it. (0)

Anonymous Coward | more than 8 years ago | (#15803660)

One thing you can do, is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".
 
...which means you now have to have an insecure file on your computer storing your different made-up answer for each site, since giving every site the *same* made up answer to the same question would solve exactly nothing.

So now you have a file that somebody can obtain and crack open, which neatly lists every site you use and how to get into it.

I hope to god that's encrypted and password-protected out the wazoo.

Re:The sites that need it, shouldn't use it. (0)

Anonymous Coward | more than 8 years ago | (#15803746)

Or... you just remember your pass and forget about the answer you gave to your "secret question"?

-Zoltán

Re:The sites that need it, shouldn't use it. (1)

JesseMcDonald (536341) | more than 8 years ago | (#15803747)

...which means you now have to have an insecure file on your computer storing your different made-up answer for each site, since giving every site the *same* made up answer to the same question would solve exactly nothing.

The whole point was that it was never going to use the account again. If it needs to order something else from the site, it'll just create a new account. Thus, there is no need to store the made-up passwords; when the session is over, the account will become inaccessible due to the erasure of both the original password and the correct answer to the "secret" question.

Re:The sites that need it, shouldn't use it. (1)

JesseMcDonald (536341) | more than 8 years ago | (#15803781)

My apologies, it would appear that it was actually referring to the use of a password "vault" to store the answer. In any event, since the point is to eliminate the use of the "secret" question, one could simply enter something long and random and then fail to record it anywhere. The effect would be the same as storing it in the "vault", since the security of the answer would be the same as that of the password itself, and the answer is only useful (on most sites) for resetting the password. It is unlikely that either "vault" entry would be lost or compromised alone; in general both would be affected.

Re:The sites that need it, shouldn't use it. (3, Informative)

pyrrhonist (701154) | more than 8 years ago | (#15803790)

...which means you now have to have an insecure file on your computer storing your different made-up answer for each site... I hope to god that's encrypted and password-protected out the wazoo.

KeePass [sourceforge.net]

Re:The sites that need it, shouldn't use it. (1)

Skynyrd (25155) | more than 8 years ago | (#15803797)

One thing you can do, is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

I have a friend whose first name is his mother's maiden name. It's an odd name as well, and people usually ask "where did that come from". A while back he actually had to come up with a plausible story so he wasn't giving away a "secret" every time somebody asked. Annoying. Now you have to know him pretty well to get that info.

I don't think his parents thought of that possibility when they named him way back when.

Re:The sites that need it, shouldn't use it. (1)

munpfazy (694689) | more than 7 years ago | (#15804164)

The thing is that many sites really have no legitimate need to having password changing functionality in the site.


Yup. Any site for which having the ability to recover a lost password is important *either* already has lots of personal and financial information about me which could be used for that purpose, or it has my email address and could easily mail me a password-changing token. (Sure, that scheme could in principle be vulnerable to attacks - but far less so than using my mother's maiden name and my high school.)

I generally make stuff up and then keep it in the same encrypted file where I store all my seldom used passwords. This totally defeats the purpose of such questions, but then again since the purpose is fundamentally stupid, that's not so bad.

But perhaps we're looking at this the wrong way round. From the point of view of an identity thief, or even better, an ex-lover-turned-stalker, these websites present a great opportunity. Hell, I'd bet twenty percent of the time you can find the answer to every possible security question just by looking through someone's publicly accessible websites and old usenet/email/message-board postings. If you stumble on a genealogy buff who tells jokes about their favorite sports team and attends their 10th high school reunion, you're pretty much done.

We just need to stop thinking like victims and start thinking like perpetrators. Then this becomes an upbeat story.

Why you have to provide the real answer? (3, Insightful)

PaulBu (473180) | more than 8 years ago | (#15803467)

Your mother maiden name? / your city of birth,

Your pet's name? / your GF nickname,

Your pet? / Ultraviolet

And so on...

Paul B.

Re:Why you have to provide the real answer? (3, Interesting)

Marillion (33728) | more than 8 years ago | (#15803529)

The one that bothers me is last four digits of social. In a privacy obsessed world, we've basically taken a nine digit key and reduced it to a four digit key.

Re:Why you have to provide the real answer? (3, Interesting)

Detritus (11846) | more than 8 years ago | (#15803798)

The leading digits can be guessed if you know when and where the social security card was issued.

Last four digits? How about all nine? (0)

Anonymous Coward | more than 7 years ago | (#15805336)

I was at Wal-Mart the other day getting a new watch battery. An employee came up with a herd of "new hires" and asked the lady behind the counter if she could borrow her scan gun. She asked each of these kids IN THE MIDDLE OF THE STORE for their social security numbers, which they sheepishly surrendered. (Best not make trouble on your first day wage slave!) She keyed their socials into the scan gun and it printed out a label with the new hire's name printed over a bar code for the time clock. Golly gee, I wonder what number was in that bar code.

This is Wal-Mart, the largest employer in the USA if I remember correctly. How many times have you lost an ID badge going about a cushy job? At least once, right? These people wrestle with boxes all over the store, there's no telling how many Wal-Mart badges have been lost. And each of them has the employee's social security number on the back?!? That's just fucking pathetic. Don't worry, I told the lady so before I left, fat lot of good that it will do...

SSN numbers (1)

0x4B (214493) | more than 7 years ago | (#15806332)

The first three digits are based on where the SSN was issued (typically where you're born), so they aren't useful anyway. I have the impression the middle pair isn't all that helpful for some other reason, though I could be making that up.

The bigger issue is that they aren't really intended to be private, and at this point clearly aren't.

Re:Why you have to provide the real answer? (1)

aoteoroa (596031) | more than 8 years ago | (#15803675)

Wish I had mod points right now because I couldn't agree with you more. . . LIE!

As far as the webforms are concerned my mom's maiden name is Evans, and my favorite pet is Aragog.

Some systems won't accept the real answer (2, Funny)

boustrophedon (139901) | more than 7 years ago | (#15804355)

When I entered "Spot" as my pet's name, the system told me that my answer had to have at least six characters. I asked my boss if the company would pay for a larger dog.

Re:Why you have to provide the real answer? (1)

cookiepus (154655) | more than 7 years ago | (#15803955)

Because dummy, how would you remember what fake answer matches to what question. You might as well remember your damn password in the first place!

Being called a dummy by someone... (1)

PaulBu (473180) | more than 7 years ago | (#15804111)

... with a nick of cookiepuss must be the height of my /. experience, but still -- you get more than one try to answer the "security" question, and if for all of them the secret answer is "Red" you have an advantage over the bad guy who might try to work on actually guessing the real answer.

Paul B.

Good enough security (2, Insightful)

ChaosDiscord (4913) | more than 8 years ago | (#15803468)

It's not perfect, but it makes attacking a random account harder. That the password is emailed to a known address adds further security. It's probably not good enough to stop a dedicated attacker, but for something relatively unimportant (like a Slashdot login), it's Good Enough. For important things (say, your banking site) I would hope that emailing you your password isn't an option at all (it isn't for my bank).

You can improve your security marginally by making up a consistent fictional answer. Again, not suitable for important sites, but good enough for lightweight stuff.

Well, one way is... (0)

Anonymous Coward | more than 8 years ago | (#15803478)

Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?"

I agree that asking the same old "mother's maiden name", "street you grew up on", "city you were born in" etc. is pretty weak, esp. as you get asked these questions over and over.

But I do like the ones where they ask you to create a question/answer pair for yourself. That way, I can come up with some obscure or even meaningless type of question that only I would understand. Sure, someone can build up a database of these types of questions, but if I self-obfuscate the question AND the answer (using mnemonics, for example), it might be more difficult to make sense of it for anyone but me.

I always use the "Make up a question" option when it's available.

Let the user choose their own question (3, Insightful)

gclef (96311) | more than 8 years ago | (#15803480)

If the users choose their own question and answer, it makes it much harder for an attacker to know what bit of info will be needed.

Also, users can then choose all sorts of really arcane things for their questions, or just bits of silliness & mental associations that aren't worth an attacker's time to figure out.

Re:Let the user choose their own question (1)

plover (150551) | more than 8 years ago | (#15803577)

They'll stop a bot, but they won't stop a human. That's about the best that can be said for user-defined security questions.

Most people don't have enough imagination to come up with a secure password, let alone a unique question that's answerable twelve months from now. I bet if you were to look at some of the "write-your-own" question sites currently out there, the majority of the 'questions' you'd find will be "your password is 'xyzzy'". At least "city of birth" or "elementary school name" require a spot of digging by an attacker.

Re:Let the user choose their own question (1, Interesting)

Anonymous Coward | more than 8 years ago | (#15803803)

I just got burned by my credit card company coming up with their own arcane questions. I called them from my office to change my address. Before I got to an operator I toured the automatic options. Providing my soc # got me my balance, remaining credit limit, and last payment. Hmm, neat, but not what I called about so didn't record the specifics. I got an operator, prepared to provide my soc #, credit card number & confirmation code, birthdate, etc. Instead she asks me my member number. I didn't have that since it otherwise has no use. My bad. So to verify my identity she asked me a series of questions that were either useless, or shockingly poor security; i.e. my ex-wife's birthday?!?! (something I've worked hard (kinda) to forget in the past few years) my exact credit balance and limit, (you know, the things the auto-voice JUST READ TO ME for the price of my soc #, which suddenly isn't sufficient to prove my identity) the exact amount of my last payment, ("uhhh, $24... something? Look, the stupid voice just read it to me...!") the exact amount of my last charge, the vendor of my last charge (aka a usenet provider, you know, the ones that bill as "BFGT Inc, LLC" or something equally forgettable) and/or the city of the last transaction ("Did I mention INTERNET USENET PROVIDER? I dunno, Silicon Valley?") I explained that I wasn't at home with my bill, which would have all that info which any mail grabber could read. I was instead in my office, with my card, you know, the thing that I could actually do thousands of dollars of damage with in under five minutes if I was an identity thief...

Sorry about the long post, but I had to get this out.

You have to have some way of identifying yourself (1)

mrsbrisby (60242) | more than 8 years ago | (#15803487)

That thing that identifies you that you know? It's called a password (or sometimes passphrase).

The more passwords you have, the less attempts are necessary.

Worse still: These "passwords in case you forget your password" are things lots of people might know.

Passwords are only as strong as their secrecy, and since two is no better than half as good, these systems are _less_ secure than having a single password.

They do, however, have a benefit- and that's the cost of creating a new account. Users that have forgotten their password might click the forgot-password button instead of create-new-account, and it might just keep the number of accounts low.

Unfortunately, it's usually better to just delete the old accounts, since that keeps the number of "accounts" closer to the number of "active accounts" _AND_ it means there are fewer targets to attack.

"Make up a question" (1)

dpbsmith (263124) | more than 8 years ago | (#15803499)

When this is an option, the question I like to use is:

"What is your password?"

Rooting customers. (0)

Anonymous Coward | more than 8 years ago | (#15803500)

" I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. "

So in other words to borrow a metaphor, someone has access to your box, and is root.

Email/Reset Password (4, Insightful)

dduardo (592868) | more than 8 years ago | (#15803521)

I prefer to give sites my email and if I forget my password it should email me with a link to reset my password. That is the simplest solution.

Re:Email/Reset Password (1)

martinkb (990418) | more than 8 years ago | (#15803543)

For that to work it needs to only let one e-mail work (so a hacker can't just enter his e-mail), and require that each account doesn't have the same e-mail.

Re:Email/Reset Password (1)

dduardo (592868) | more than 8 years ago | (#15803595)

I don't think you fully understand how this system works:

1) When you sign up with the website for an account you are forced to give them your email
2) You don't visit the site for a long time and forget your password.
3) You go to the website and click on the "forgot my password" link
4) You fill in the form with the email account you used to sign up
5) The system checks to see if the email is associated with an account
6) If there is an account that matches the email it sends a reset link to that email address. Otherwise the site tells you the email address is invalid
7) You log into your email account and follow the link in the email that was just sent to you
8) The site resets your password and asks you for a new password

Re:Email/Reset Password (1)

Baddas (243852) | more than 8 years ago | (#15803647)

woe betide the forgetful, who end up chaining multiple email accounts together in order to remember one password.

"Damn, what was my hotmail password?" ...

"Damn, what was my Yahoo password?" ...

"Damn, what was my Gmail password?"

Re:Email/Reset Password (1)

dduardo (592868) | more than 8 years ago | (#15803699)

If you forget your email password then that's your fault. For me, my email is too important to forget the password.

Re:Email/Reset Password (0)

Anonymous Coward | more than 7 years ago | (#15803915)

Email, particularly webmail, is deeply insecure. It travels over the web in plain text, so it can be intercepted and read easily. The people who run your email servers can read any passwords you have emailed to you. And the third party spam filter guys they hire. And their consultants. And their janitors. If it's a bank account password it only travels encrypted and the bank takes keeping it secret seriously - email guys not so much. Gmail even will scan your password and serve you ads based on it*!

*Which is a really neat attack vector, now I think about it. Probably really hard to do though.

Uh oh, phishing alert... (1, Funny)

Anonymous Coward | more than 8 years ago | (#15803535)

How are 'Secret Questions' Secure?

Um, can't answer that, it's my secret question.

Why follow the rules? (2, Informative)

goofyheadedpunk (807517) | more than 8 years ago | (#15803544)

Who says you have to answer that silly secret question with what it's actually asking for? You could think up a non-public answer ahead of time to the question, "What High School did you go to?" and give that non-public answer. Seems to be a bit more secure than giving an answer which is actually true.

For example:

Question: "What's your mother's maiden name?"
Answer: "Sheatemybrotherssoul"

Re:Why follow the rules? (2, Funny)

AriaStar (964558) | more than 8 years ago | (#15803558)

Exactly. And every year or so, change what the answers are. Or, instead of your mother's maiden name, use an ex's mother's maiden name if you know it.

An old friend of mine would choose the "favorite historical figure" option, if available, and he would answer "Hitler." He said you wouldn't expect it of a black Jewish guy, and that's what was so great. It's not likely to be guessed.

Re:Why follow the rules? (1)

plover (150551) | more than 8 years ago | (#15803588)

An old friend of mine would choose the "favorite historical figure" option, if available, and he would answer "Hitler." He said you wouldn't expect it of a black Jewish guy, and that's what was so great. It's not likely to be guessed.

Since there are exactly seven black Jewish guys in existence today, I now know your friend's password! Ha!

Re:Why follow the rules? (1)

AriaStar (964558) | more than 7 years ago | (#15804336)

His password? You mean the answer to a security question? :) After a year, I'm sure he's changed it. I hope. I don't know since we fell out of contact last year. My favorite historical figure would have to be, um, you know, I can't think of anyone amusing enough at the moment.

stupid (2, Informative)

Anonymous brave dude (950545) | more than 8 years ago | (#15803594)

Whenever I am presented with one of these, I just mash on the keyboard for a bit. I remember my passwords.

Greater men than you have tried.. (1)

QuantumG (50515) | more than 8 years ago | (#15803605)

Schneier's take [schneier.com] and Penny Arcade's take [penny-arcade.com] . Just give up and enter junk for the questions. If you lose your password, call someone.

No? (3, Insightful)

gadzook33 (740455) | more than 8 years ago | (#15803616)

I was on a major financial institution's web site yesterday changing my password. It asked me to pick a password with a minimum of six characters. Then it asked me to type the answer to a Secret Question. It required that I have a minimum of three characters in my answer. There were about twelve questions to pick from plus the option for a custom question (which we'll ignore for now since odds are no one picks it anyway). So, if we consider the choice of question to be (at best) an extra character in the answer, we are only required to use four (really like 3.5) characters. If I'm attacking this system, where am I going to spend my time? What is the point of having a minimum of six characters in the password? This isn't even considering the fact that the answer to the Secret Question is almost certainly something out of a dictionary whereas there's at least a chance the password is somewhat more complex.

Re:No? (1)

Tweekster (949766) | more than 7 years ago | (#15804199)

To take that further, you could do a statistical analysis of what are common names, birth places and so on. A short 100 word dictionary would probably nail most people.

There AREN'T!! (1)

Antony-Kyre (807195) | more than 8 years ago | (#15803651)

They are not secure at all. They are a joke. Some people are stupid enough to post certain personal information on their blogs or social networking sites. They are not secure in any way or form.

What they need to do is create a dual password system, where there's a master password which can change anything, and a secondary password which can change anything but the master password. You would always log in using the secondary password. Concerning the master password, write it down, stick it in a very safe place at home, provided you trust family members.

Secret questions a joke (0)

Anonymous Coward | more than 8 years ago | (#15803702)

Back when I was in a high school computer science class and bored, I tried logging onto someone else's MSN Messenger account. The password I had was bad, and I decided to click on the "forgot password" link. The question was... of all things, city of birth. Now, some 75% of people going to my school would (quite logically) be born in the same city the school is located in, and apparently, he was clueless enough to put that down as his answer. It reset his password and gave me the new one; I now had complete access to his Passport! account.

Another thing to note: If you asked someone for their password, (if they had any clue) they would simply ignore you or tell you to go away. Asking for their mother's maiden name, however, can be completely innocuous, and from my further experience with MSN and high school students, it was.

The inherent problem with the system is that passwords are supposed to be, by nature, secret. A "secret question", even though it claims to be secret, is still using a public article of data for its uses. Think about it, how many of those annoying form letters ask for your mother's maiden name? With "secret questions", that bit of data is almost as useful as your password. Sure, it'll lock you out of your account and you'd be able to figure out something was up, but until then, the attacker could easily transfer all of your funds to an unnamed Russian bank account.

In case anyone wants my city of birth, it's "8sge76g9br9t87rg8eg4f67dtwj53kg7t6r8g4b87"

There was a comedian... (2, Funny)

Ja5on15 (154638) | more than 8 years ago | (#15803708)

... that made a joke about this once. For security, he got to choose his own question and answer. The question the techs were supposed to ask him was, "What are you wearing?" with a response of "THAT'S TOTALLY INAPPROPRIATE!"

Cheap form of 2-factor authentication (1)

groffg (987862) | more than 8 years ago | (#15803772)

A plethora of relatively unimportant web sites require logins, and they offer a cheap and easily implementable way to reset those logins by asking for a piece of (often benign) personal info (birthdate or zip code, for example). Now, banks and brokerages are hopping on that bandwagon, though in a different way. They are using personal identifiers (mother's maiden name, favorite color, first job, etc) as part of a 2-factor authentication mechanism (as opposed to simply a password reset mechanism). Bank of America rolled this out about a year ago with their Sitekey service. Using this scheme, if you're logging into your account for your typical machine, then a cookie on that machine identifies that you're on your home/office workstation. You are required to enter your userid/pw and then you're logged in. But if you (or an ID thief or hacker) use a different machine, then you are additionally prompted to answer a question, like one of the questions cited above. Answering that question correctly installs the appropriate cookie on the new machine. This seems like a very cheap way of implementing 2-factor authentication, and not necessarily a bad idea. Other ideas include hardware tokens or single-use secondary keys, but those schemes tend to be more expensive. With the challenge-response scheme, a simple keylogger that is installed and that intercepts the login password is no longer enough for a hacker to access the account. It's a slight increase in security. It means that tech-savvy thieves will have to find ways around the system and non-tech thieves will resort to traditional measures, like social engineering, dumpster-diving, etc. In the end, financial institutions must still rely on a number of different security mechanisms, including lock-out periods for transferred funds, confirmation emails for certain account changes, notification of suspicious account activity, and so forth.
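The device-recognition scheme described in the post above, written out as an added example (this is not the poster's code, nor any bank's implementation). It assumes a server-side HMAC key (`SERVER_SECRET`), a constructed user record for "bob", and a 90-day cookie lifetime; the cookie carries `username|expiry|hmac`, so a client cannot forge one for another user or extend its expiry, and an unrecognised device is stepped up to the enrolled challenge question before a new cookie is issued.

```python
"""Device-recognition cookie plus a challenge question for unrecognised
devices. Added example, not code from the post or any bank; SERVER_SECRET,
USERS and the 90-day lifetime are constructed assumptions."""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # would come from configuration/KMS
COOKIE_TTL = 90 * 24 * 3600               # how long a device stays "known"
ITERATIONS = 100_000


def _protect(secret_text):
    """Salted slow hash for a password or challenge answer; returns (salt, digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret_text.encode(), salt, ITERATIONS)
    return salt, digest


def _matches(secret_text, stored):
    salt, digest = stored
    cand = hashlib.pbkdf2_hmac("sha256", secret_text.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


# Constructed sample account: password plus one enrolled challenge question.
USERS = {
    "bob": {
        "password": _protect("correct horse"),
        "question": "What was the name of your first pet?",
        "answer": _protect("rover"),          # stored normalised (lower case)
    }
}


def issue_device_cookie(username, now=None):
    """Cookie body is username|expiry, bound by an HMAC so the client cannot
    forge a cookie for another user or push the expiry out."""
    now = int(time.time() if now is None else now)
    payload = f"{username}|{now + COOKIE_TTL}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def device_is_known(cookie, username, now=None):
    """True only for an untampered, unexpired cookie issued to this user."""
    now = time.time() if now is None else now
    if not cookie:
        return False
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return False
    user, expiry, tag = parts
    expected = hmac.new(SERVER_SECRET, f"{user}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return user == username and expiry.isdigit() and now < int(expiry)


def login(username, password, device_cookie=None, challenge_answer=None, now=None):
    """Returns (status, cookie). "denied": wrong password or wrong answer;
    "challenge": password accepted but the device is unknown and no answer was
    supplied (show USERS[username]["question"]); "ok": logged in."""
    user = USERS.get(username)
    if user is None or not _matches(password, user["password"]):
        return "denied", None
    if device_is_known(device_cookie, username, now):
        return "ok", device_cookie
    if challenge_answer is None:
        return "challenge", None
    if not _matches(challenge_answer.strip().lower(), user["answer"]):
        return "denied", None
    return "ok", issue_device_cookie(username, now)   # device now recognised
```

Note that, as the reply below the post points out, both the password and the challenge answer are things the user knows, so this is recognition of a device rather than a second factor; the HMAC only stops the cookie itself from being forged, it does nothing against a keylogger that also captures the answer.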

Re:Cheap form of 2-factor authentication (0)

Anonymous Coward | more than 7 years ago | (#15805202)

The BofA situation you describe is not 2-factor. Asking you for two passwords is still single-factor authentication. I've seen the companies (PassMark comes to mind) that claim to store a "device ID" token on your PC, that "authenticates" your PC, and claim that _this_ is the second factor, but if the "device ID" cookie doesn't exist, it drops back to asking you the secret questions. In other words, it's 2-factor except when it's 1-factor.

My solution (1)

grotgrot (451123) | more than 8 years ago | (#15803850)

I use Password Safe (Google it). I use two files - one is usernames and passwords and one is the stupid questions (and randomly generated answers). I avoid using the same question for two different sites. That effectively means I have two different usernames and passwords for each site.

If I lose both the files then I am screwed since I don't even know what the answers are!

Datamining, yes. (1)

Maljin Jolt (746064) | more than 7 years ago | (#15803863)

With good datamining, so called secret questions are totally insecure.

Why secret questions? (2, Interesting)

scdeimos (632778) | more than 7 years ago | (#15803939)

I've worked on a few systems which allowed you to choose your own secret questions and answers, but they're really not that much better.

One of the better solutions I saw required you to register at least two of (1) an e-mail address, (2) an SMS number, and (3) a facsimile number. If you lost your password you went to the "forgot password" interface, entered your username and asked it to send a message to one of the registered points (it would just say "E-mail," "SMS" or "Facsimile" and not divulge the specific details). The message contained a one-time URL which expired in 24 hours and allowed you to set a new password. When the password got reset, a message was sent out to all registered points detailing when and where from (IP address) this occurred. Self-service all the way.
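The emailed-link reset procedure listed earlier in the thread and the multi-channel, one-time-URL variant described in this post, combined into one added example (not code from either poster or from any real site). `USERS`, `OUTBOX` and `send_message` are constructed stand-ins for a database and a mail/SMS gateway; only a hash of each token is stored, the link is consumed on first use and dies after 24 hours, and the "forgot password" form answers identically whether or not the account exists, which avoids the account enumeration that a "this email address is invalid" message would allow.

```python
"""Single-use, expiring password-reset tokens sent to a registered contact
point, with notification of every registered point once the reset happens.
Added example; not code from any poster or real site. USERS, OUTBOX and
send_message are constructed stand-ins for a database and a mail/SMS gateway."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60      # 24-hour link lifetime
PBKDF2_ITERATIONS = 100_000

# Constructed sample account with two registered contact points.
USERS = {
    "alice": {
        "contacts": {"email": "alice@example.invalid", "sms": "+1-555-0100"},
        "password": None,              # (salt, pbkdf2 hash) once set
    }
}
PENDING = {}   # sha256(token) -> (username, expiry); the raw token is never stored
OUTBOX = []    # (channel, address, text) records in place of real delivery


def send_message(channel, address, text):
    OUTBOX.append((channel, address, text))


def _token_key(token):
    # Store only a hash of the token: a leaked PENDING table gives no usable link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, channel, now=None):
    """User names an account and a channel type ("email"/"sms"); the reply is
    the same whether or not the account or channel exists, so the form cannot
    be used to enumerate accounts or to learn which channels are registered."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None and channel in user["contacts"]:
        token = secrets.token_urlsafe(32)                 # 256 random bits
        PENDING[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
        send_message(channel, user["contacts"][channel],
                     f"Reset link: https://example.invalid/reset?t={token}")
    return "If that account exists, a message has been sent."


def complete_reset(token, new_password, client_ip, now=None):
    """Redeem a link exactly once and within its lifetime; on success, tell
    every registered contact point when and from which address it happened."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_token_key(token), None)          # pop: single use
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False                                      # expired, and now consumed
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    USERS[username]["password"] = (salt, digest)
    for channel, address in USERS[username]["contacts"].items():
        send_message(channel, address,
                     f"Password reset at {int(now)} from {client_ip}")
    return True
```

The reset notification goes to every registered point, not just the one that received the link, so a reset triggered through a compromised mailbox is still visible on the owner's phone.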

I'm no expert, but ... (1)

LoudMusic (199347) | more than 7 years ago | (#15803999)

As near as I can tell there is absolutely nothing secure about a secret question. By definition it is a way to circumvent a moderately secure password system.

Frankly I think it's a way for the company issuing the account to get just a little bit more information about you. Mother's maiden name? Name of high school? I think birth city is another common one. Sounds like a way of linking you to other people.

Personally I always pick the most obtuse question and give it a completely false answer. Then, as usual, don't forget my password.

Re:I'm no expert, but ... (0)

Anonymous Coward | more than 7 years ago | (#15807662)

Personally I always pick the most obtuse question and give it a completely false answer. Then, as usual, don't forget my password.

Especially with the birth date question. I actually keep a file of what date I give to each site/service. Then when I get a phone call, I ask them, and then I know who sold our information. Happens all the time and I never give the real one out. For initials, I do the same with the alphabet.

It's a vulnerability (1)

QuantumFTL (197300) | more than 7 years ago | (#15804027)

Secret questions are only as secure as the secret itself - if you just gave that answer off to some web site, what's to stop you from giving it to another? Imagine this - you have an account of someone you want to break into, and you know their email address. You send them an email (tailored to not be like spam at all) inviting them to some special promotion on a site you set up, complete with login and the same security question. Anyone who answers this, poof, they have given you access to whatever account it is that you seek.

Re:It's a vulnerability (1)

FLEB (312391) | more than 7 years ago | (#15804349)

That's just a phishing site. Just ask for their password.

Re:It's a vulnerability (1)

munpfazy (694689) | more than 7 years ago | (#15804845)

That's just a phishing site. Just ask for their password.

Not really - your site isn't pretending to be another site. It just happens to ask the same questions as another site.

While everyone should (in principle) pick unique passwords for every site, most people are probably less likely to make up a different answer to the question "what is your favorite sports team" for every website.

Mnemonic Passwords need more evangelism (2, Insightful)

Bloodwine77 (913355) | more than 7 years ago | (#15804191)

I first ran across the idea of mnemonic passwords here on Slashdot awhile back, and now all my passwords are created using the method. I know Joe Average can understand them, because my PHB's have no problem with them. Well, except for them mouthing the phrases aloud sometimes while typing in the password. Still, that's better than them forgetting it or writing it down on a sticky pad. Mnemonic passwords are easier to remember and eliminate the use of dictionary words for passwords. I'm sure almost everybody here knows about them, but I'll give a simple example for those who may not know and have not googled yet. Choose a phrase for a password. For example, a password for Slashdot could be, "I need to get out of the basement more instead of reading Slashdot". Take the first letter of each word and you get "intgoofbmiors". Then develop a personalized letter replacement scheme that you are use with all your passwords (like switching "i" with either "1" or "!"). So "intgoofbmiors" can become "!ntg00fbm!0r$" When typing out the password say the phrase in your head as you type and it'll flow quite well with minimal frustration. I used to use only a handful of passwords between several systems and sites so that I could remember them, but now I can manage a wider array of passwords thanks to picking phrases that somehow relate to each system or site that I use.
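The phrase-to-password derivation described above as an added example (not the poster's code). The phrase used here is constructed; the substitution table follows the i/o/s swaps the post mentions and is meant to be replaced with a personal one.

```python
"""Phrase-to-password derivation: initials of each word, then a personal
character-substitution scheme. Added example, not the poster's code; the
phrase and substitution table are constructed."""
import re

DEFAULT_SUBS = {"i": "!", "o": "0", "s": "$"}   # constructed, matches the post's swaps


def initials(phrase):
    """First character of each word, lower-cased; punctuation is ignored."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z0-9']+", phrase)).lower()


def mnemonic_password(phrase, subs=DEFAULT_SUBS):
    """Initials with the substitution scheme applied to every matching character."""
    return "".join(subs.get(ch, ch) for ch in initials(phrase))


if __name__ == "__main__":
    print(mnemonic_password("My cat sits on the keyboard and types nonsense"))
```

The result is only as strong as the phrase is unpredictable: a famous quotation or song lyric is in the same guess lists as dictionary words, so the phrase should be one nobody else would write down.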

Re:Mnemonic Passwords need more evangelism (0)

Anonymous Coward | more than 7 years ago | (#15807715)

I used to use only a handful of passwords between several systems and sites so that I could remember them, but now I can manage a wider array of passwords thanks to picking phrases that somehow relate to each system or site that I use.

I hope you don't mean you use the same passwords for any two sites?

Believe it or not, some services store your password unencrypted!!! Why, for two reasons.

  • It allows them to upgrade from one system to another as the technology for the hashes is not portable. ISPs and others do this as Windows does not document their hashes, making them portable like a brick.
  • Plain text passwords pass through systems all the time. They see the need to secure it.

So even if a support person can't see your password, it is lurking in memory and over the wire in multiple places and someone could try it on another system. For this reason you should use different passwords in each realm of activity.

BTW, I am not saying you did. But you didn't say you didn't.

It is agreed (1)

The_Shadows (255371) | more than 7 years ago | (#15804296)

I hate "Secret questions." I'd rather keep track of my passwords. I've only once lost an account due to a forgotten username/password combo. And that wasn't an important account. I always fill the secret answer with pure gibberish. Hitting 30+ random keys is a great workaround for me. Especially the stupid new sites that require not one but two secret questions.

Make your own answer (1)

bscott (460706) | more than 7 years ago | (#15804367)

The problem only arises if you assume that people give honest answers because if they don't, it's as hard as keeping track of multiple passwords for every site. Each one has different question lists, after all, and the answers to some questions can change over the years (before I came up with my own scheme below, I set up an account with "Best Friend's Last Name" as the question - she's now my wife, so her last name is different... but when I infrequently have to log in, I have to think back to when I signed up to realize, it was around the time we first met!)

My approach makes this a nonissue. (this is not quite my real method, but parallel) I just pick a question and set the answer as "I can't remember". Give the same answer every time, who cares what the question is, but don't make it something real. "Huh?" is good too, or "42".

Comedian Eugene Mirman has a funny bit about this authentication scheme - his credit card company let him choose a question, so he made them ask him "What are you wearing?" and he has to answer, "That's highly inappropriate!"...

Imagination. (0)

Anonymous Coward | more than 7 years ago | (#15804563)

Birthplace? InMyMommie:-)
Mother's Maiden Name? BritneySpears

Optional:
Number of computers + computers (ex. answer: 266788379 - "computers" on a telephone keypad + 2 because the person owned two computers)

Optional:
Switch your toolkit from .Centimeters. to .Inches. to .Millimeters. (Answer: Penis length in each unit, surrounded by dots. ex. answer: .15.6.152. )

It's plainly secure if you're not an idiot, I mean, who of us would use our hometown as our place of birth - let alone Earth.

Re:Imagination. (0)

Anonymous Coward | more than 7 years ago | (#15804627)

Actually

Noticing the decimals in that made me think of a better secret question:

"Personal Toolkit IP (CM/I/MM)"

= 127.size in centimeters.size in inches.size in millimeters.
= 127.15.6.152

How the hell is *that* kind of question-response not secure enough - all you need to do is *think* before giving an answer :)

Funny secret question situation... (5, Funny)

Hamster Lover (558288) | more than 7 years ago | (#15804722)

I had to call in to Telus Internet service to address a problem and was asked my secret questions. Being the flippant ass I am, Telus (I think it was Telus, it might be Bell Expressvu) lets you type your own secret question and answers so I took the liberty of coming up with some, ah, inappropriate questions and answers. Needless to say, the support agent on the line started to giggle when she had to read my secret questions:

Question: How do I masturbate in the shower?
Answer: With my SpongeBob SquarePants friend.

Question: What is the most sexually satisfying farm animal?
Answer: The Llama.

I am not sure who was more embarrassed, me or the agent as I had forgotten that I even made up those questions in the first place.

Re:Funny secret question situation... (1)

gEvil (beta) (945888) | more than 7 years ago | (#15805288)

Well, I think that clears up any questions about your name... : p

Don't give the right answer! (1)

arachnoprobe (945081) | more than 7 years ago | (#15804827)

I had the same thought - everybody knows my pets name etc. I always make up a fake answer (It's always the same answer, just different questions) - that way, even someone with super-personal info (significant other, parents..) can NOT know the right answer.

Well, who says it's a security feature? (1)

mysidia (191772) | more than 7 years ago | (#15804890)

Actually, existence of secret questions is to make you feel your account is more secure.

If it were truly a secure system, they would not be willing to change your password over the phone, because phone conversations are not encrypted. The only thing you could do would be to have your account locked/frozen over the phone, and possibly mail a signed form with a secondary password, and a signature guarantee (like a notary's seal) to request a token be mailed to your address of record, and then you change your password -- by logging into the web site over SSL and entering the authentication details on the token, along with your secondary password/secret question answer.

I Routinely neutralise this... (1)

gweihir (88907) | more than 7 years ago | (#15805007)

... by entering a random value from a strong password generator. If the site does not offer to mail me a new password if I forget (most do), then they are out of luck. I even have sites where getting a new password emailed is the only way of access I have.

Unintended option... (0)

Anonymous Coward | more than 7 years ago | (#15805292)

For some inexplicable, unintended loss of brain capacity, when the bank asked me the "Mother's maiden name" question, I gave them one of my *grand*mother's maiden names. They accepted it. I don't know if there's an inconsistency in the system somewhere that might bite me later, but I've not noticed any problems with anything banking-related, and it's been years since the mistake.

So, maybe the solution is to give an answer that is plausible but actually wrong (and make sure you remember it!). Then, if someone looks up the "correct" answer from other sources and tries to use it, they'll be unpleasantly surprised.

Of course, this assumes there's nothing illegal about doing it.

How are 'Secret Questions' Secure? (1)

Redjoy (939517) | more than 7 years ago | (#15805719)

Who ever said that you have to answer the 'Secret Question' truthfully? No matter what the 'Secret Question' is, I use the same answer. At work I have to answer 3 out of 5 different questions to get my password reset. When I set up the answers to those 5 questions, I just use the same answer for all of them. They have no relevance to actual data. Who are they to tell me what the answer should be? Example: Q. What is your mother's maiden name? A. My right toe. Q. What is the name of your pet? A. My right toe. etc.

One-way hash the answer (2, Insightful)

stungod (137601) | more than 7 years ago | (#15805924)

So encrypt the answers using a 1-way hash. If the intent here is to help you prove your identity on the site or recover from a forgotten password, why does any human need to know the answers?

Instead, these questions should be scrambled and compared against scrambled answers you provide later. That way, nobody can retrieve the answer. It's up to the web site operator to take this simple additional step, but it's a lot more secure.
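Storing answers as salted, slow one-way hashes, as this post proposes, written out as an added example (not the poster's code). It also addresses the earlier observation in the thread that a three-character, dictionary-word answer falls to a 100-word list: hashing alone does not fix a small answer space, so the record carries a failure counter that locks the question after a few misses. `ITERATIONS` and `MAX_ATTEMPTS` are constructed choices, and answers are canonicalised before hashing because a hash cannot do loose matching afterwards.

```python
"""Secret answers stored only as salted slow hashes, with normalisation and a
failure counter, since the answer space is small. Added example; not code
from any poster. ITERATIONS and MAX_ATTEMPTS are constructed choices."""
import hashlib
import hmac
import secrets
import unicodedata

ITERATIONS = 50_000
MAX_ATTEMPTS = 5


def normalize(answer):
    """"Rover", " ROVER " and "rover" are one answer; canonicalise before hashing
    because the hash cannot do loose matching afterwards."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def enroll(question, answer):
    """Record for one question. The plaintext answer is not kept anywhere, so
    no help-desk screen or database dump can display it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return {"question": question, "salt": salt, "hash": digest, "failures": 0}


def verify(record, candidate):
    """Constant-time comparison of the hashed candidate; after MAX_ATTEMPTS
    misses the question is locked and even the right answer is refused until
    an out-of-band unlock, which is what blunts a short dictionary."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 record["salt"], ITERATIONS)
    if hmac.compare_digest(digest, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def dictionary_run(record, wordlist):
    """Simulate guessing through a wordlist (a defender's self-check); returns
    the index of the guess that succeeded, or None if the lockout or the list
    ran out first."""
    for i, word in enumerate(wordlist):
        if verify(record, word):
            return i
    return None
```

The lockout is what matters against the "100 common names" list: without it, a per-answer slow hash only makes each guess a few hundred milliseconds more expensive, which is no obstacle at all when the list is that short.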

Bad experience with secret questions on Paypal (1)

Zarxrax (652423) | more than 7 years ago | (#15806061)

A few months ago I was logging into paypal, and for some reason the site told me that I had been using the same password for too long, and I would be required to change it (and no, this wasn't a phishing site). I couldn't understand this at all, I had never heard of such a thing as being REQUIRED to change my password. I have a secure password that I use on all of my important accounts, and I remember it very well. Now though, they were forcing me to come up with something totally new. As you could expect, a few weeks later, I had forgotten the new password. Then comes the secret question screens... I couldn't remember if I had actually answered the secret questions when I made my account, or if I had just typed some random characters. Apparently I had typed random characters, because after 5 attempts, paypal LOCKED DOWN my account. Now, it's been months since this occurred, and after many phone calls, and even faxing them a ton of my private information that they requested, my account has STILL not been reinstated, with hundreds of dollars of my money locked up in there.

Re:Bad experience with secret questions on Paypal (0)

Anonymous Coward | more than 7 years ago | (#15806812)

> I had never heard of such a thing as being REQUIRED to change my password.

Requiring users to change passwords periodically is a common security procedure. This will probably happen to you again if you continue to use computers.

All it takes is a little bit of creativity. (1)

techno-vampire (666512) | more than 7 years ago | (#15806512)

Some people have been recommending giving wrong answers, but there's a problem with that: unless you give the same wrong answer every time, it's no good. A friend of mine came up with a much better way to make his answers hard to guess but easy to remember. Whenever he can, he picks the question about his pet's name. Instead of just saying (Let's say for example) Rover, he answers with this: mypetsnameisrover. Just as easy to remember, but no scammer's going to get it right even if they guess the right name.

Huhu (1)

stonecypher (118140) | more than 7 years ago | (#15806716)

I don't need the questions, so I just fill the response field with noise. 'S pretty secure.

Two quick observations (1)

Iron Condor (964856) | more than 7 years ago | (#15807012)

Two quick observations:

Where I am required to answer one of these "your pet's name" questions, I do so accurately, but with my hands slightly off. Let's say there's three tiers of paranoia about an account and for stuff I don't care about I just move both hands one character to the right while typing my secret answer. For medium stuff I move them apart from each other and for what I deem critical I move the right hand up and the left one in (reality is different but that's the gist). Incidentally, I do the same thing for my passwords. Turns moderately secure passwords into sheer line-noise.

Thanks to these simple measures, my passwords are more secure than average, which is all they need to be. There is no such thing as absolute security, but you only need to be more secure than the next guy. You'll never get rid of all termites, but you only need your house to be less attractive than your neighbor's. You won't stop all burglaries, but you only need your house more burglar-proof than the one across the street. You cannot stop lightning, but you can make sure that you aren't the tallest thing out on the plain when the thunderstorm hits. All you have to do is be lower than most other things and you're as safe as you could be.

Re:Two quick observations (0)

Anonymous Coward | more than 7 years ago | (#15807590)

I occasionally use a dvorak keyboard layout and typing in a common password produces a garbled mess when typed on a qwerty - especially when the letters w,v,z and s are involved.

Been there, done that. (0)

Anonymous Coward | more than 7 years ago | (#15807549)

As someone who *has* read other peoples' email by knowing trivial information such as their pet name or city of birth (there are only so many cities in a state...), I never ever put real information for the answers. It is just too easy to exploit.

If you don't want to put utter gibberish, or at least an answer that has no relevance to the question, then don't be surprised if someday those precious pictures of you and your tarzan-elf kit are leaked on the net.