Technology Review

Are Your "Secret Questions" Too Easily Answered?

Research finds that the answers to secret questions used to retrieve forgotten passwords are easily guessed.

  • Monday, May 18, 2009
  • By Robert Lemos

Brian Green's experience with not-so-secret questions began when he logged on to his World of Warcraft account in March of this year and found all of his characters in their underwear. Someone had stolen the account and sold off all of his virtual equipment.

"My first thought was that I might have a keylogger on my computer," Green wrote in a description of the event. Yet his own research into the incident--and the attacker's ability to change his account passwords multiple times--led Green, who is himself a game designer, to a different conclusion: "My 'secret question' has an all-too-common answer . . . This wasn't something I considered when I filled it out way back when."

The incident bears similarities to the high-profile case involving Alaska governor and former vice-presidential candidate Sarah Palin. In September 2008, hackers used the name of the location where Palin and her husband met to gain access to her Yahoo e-mail account via the "secret question" password-recovery mechanism.

Palin and Green are not alone. In research to be presented at the IEEE Symposium on Security and Privacy this week, researchers from Microsoft and Carnegie Mellon University plan to show that the secret questions used to secure the password-reset functions of a variety of websites are woefully insecure. In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participants' secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.

"Secret questions alone are not as secure as we would like our backup authentication to be," says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. "Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords."

The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions "What is your favorite town?" and "What is your favorite sports team?" were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.

But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Among people whom participants would not trust with their password, 45 percent could still answer a question about where the participant was born, and 40 percent could correctly give the participant's pet's name, the researchers found.


lkrndu

36 Comments

  • 1003 Days Ago
  • 05/18/2009

Really Secret Answers

The writer hints at one solution when he says he sometimes just types in a random answer for a secret question.

After all the secret question bit is sort of like having two padlocks in series to close a gate. Forget one key, have the reserve hidden somewhere only you know about.

Just like a physical key, a secret question 'answer' might be something absurd, or a random character string. One might WRITE DOWN that answer and carry it as if it WERE a physical key, for emergencies.

As they say, a hacker would have to pry it - PHYSICALLY - out of my dead...

Or is that 'cheating'?

Reply

lasertekk

146 Comments

  • 1003 Days Ago
  • 05/18/2009

Re: Really Secret Answers

Exactly.  An absurd answer to the wrong question.  It works for me, since most sites seem to have the same questions.  I'll even volunteer it.  It's a line from a movie.  Good luck.

Reply

chadwickmeyer

6 Comments

  • 997 Days Ago
  • 05/24/2009

Re: Really Secret Answers

Remember, these back door systems are primarily in place for the average incompetent user (and they are legion). Those who suggest a bunch of fancy tricks are missing the point (preaching to the choir), since your suggestions are far beyond the abilities of these average users. If you are the type to choose a random password, salt your answers and then store them in your own keychain, you aren't the type to forget your password in the first place. It's the people that pick passwords like "emily" that lose them.

Clearly the goal of these systems is to reduce customer service costs. But it's a flawed system and those who implement it are lazy, and are playing willy nilly with people's privacy. You shouldn't use a site that offers these backdoors if you could be harmed by the hack (unless you are confident about your own salting schemes I guess).

Reply

Wunderbarb

11 Comments

  • 1003 Days Ago
  • 05/18/2009

Re: Really Secret Answers

The problem with random strings or absurd answers is that they are more difficult to remember than logical ones.  Just a reminder of the problem, the user has lost a password that he regularly uses.  We are now asking him to remember something he uses more rarely!!! 
It is why the questions are simple, in order to increase the likelihood to remember the right answer.  Which is also their weakness and vulnerability to social engineering.

Reply

chrisjmiller

64 Comments

  • 1003 Days Ago
  • 05/18/2009

It all depends

on the sensitivity of the access that you're trying to protect.  If I'm really not too concerned about someone else being able to impersonate me (say, in order to post comments on Tech Review), I may be happy to trade security for simplicity of password recovery.

On the other hand, I don't want my bank account to be accessible this way - and, I wouldn't use any business that was so lacking in security as to offer it as an option.

Reply

Wunderbarb

11 Comments

  • 1003 Days Ago
  • 05/18/2009

More interesting paper

The same Microsoft researchers published at CHI09 a more interesting paper.  In this paper, they proposed an alternative solution for password recovery.
They proposed to use trustees who would authenticate you.  When signing up for an account, you designate some trustees.  Each trustee receives access to a recovery code.  To get back your lost password, you have to provide a given number of such recovery codes.  In other words, you have to ask your trustees for them.
Unfortunately, the system has some drawbacks.
See http://eric-diehl.com/blog/?x=entry:entry090518-183818

Reply

v0max

1 Comment

  • 1003 Days Ago
  • 05/18/2009

Full Paper

For those interested, our full paper can be accessed here:

http://research.microsoft.com/apps/pubs/default.aspx?id=79594

Reply

bugme

29 Comments

  • 1002 Days Ago
  • 05/19/2009

Several different options to this

1. Answer with an unrelated item (e.g. answer "My Favorite Book" with your dog's name)

2. Have a prefix and a suffix for every answer (e.g. answer "My High School" with "yourgenericprefix + 'high school' + yourgenericsuffix" -- "Technology Mountain View HS Review")

3. (my preferred option) answer all secret questions with a string from http://grc.com/password.htm, saving that answer in your password-database-of-choice (e.g. KeePass, Roboform, YAPS, etc.).  The answer to the question has no relationship to the question, but you have to save the answer so you can paste it back in.

4. Follow Schneier's recommendation.

Reply

prlzldjn

1 Comment

  • 1001 Days Ago
  • 05/20/2009

Other Options?

I'm wondering if anyone has had success allowing users to create their own security question and answer?

This in conjunction with another piece of data (i.e., monthly direct deposit amount for a banking site) may be a better way to make this process more secure.

Thoughts?  Results?

Reply

Maintenance

1 Comment

  • 999 Days Ago
  • 05/22/2009

Services should do this....

This article states that even questions such as "What is your first name?" are secure. Read on how...
http://www.passwordtote.com/articles/security-question-systems-done-properly.htm

Reply

chadwickmeyer

6 Comments

  • 997 Days Ago
  • 05/24/2009

Re: Services should do this....

No, the questions aren't secure, it's the follow up reset method that is secure, e.g. the questions don't reset the password, they just send an email to the address on file with instructions to reset the password. That is the best way to handle the situation, without a doubt, since they must be who they say they are, and have access to the email account on file, to be authorized to reset the password. But if they don't use that email address anymore (which happens often)... they are up the creek.

But of course this method is only as secure as the security of their mail system... which is often the most insecure system around, because no one thinks email requires high level security...

So your banking security may only be as secure as your email account security!

Reply
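The two design points raised in the thread above, bugme's suggestion of answering every secret question with a random string kept in a password manager, and chadwickmeyer's point that a correct answer should only trigger an e-mail reset link rather than reset the password directly, can be shown together in code. The following is an added example written for this page; it is not code from Technology Review, from the Microsoft/CMU paper, or from any commenter. It assumes an in-memory account store, a hypothetical `outbox` list standing in for an SMTP call, a `password` field that stands in for a real password-hash update, and PBKDF2 parameters, attempt limits and token lifetimes chosen for illustration. The answer check is normalized (case and whitespace), salted and hashed, compared in constant time, and locked out after a small number of failures, which matters given the 17 to 28 percent guess rates the article reports; the reset token is random, single-use and time-limited, and the caller learns nothing about whether the username or the answer was the part that failed.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

# Illustrative parameters (assumptions, not values from the article or the paper).
PBKDF2_ITERATIONS = 100_000
MAX_ANSWER_ATTEMPTS = 3        # lock the question after this many wrong answers
TOKEN_TTL_SECONDS = 15 * 60    # e-mailed reset link is valid for 15 minutes


def normalize_answer(answer):
    """Canonicalize an answer so trivial typing differences do not lock users out."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt=None):
    """Salted PBKDF2 of the normalized answer; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def random_answer(nbytes=20):
    """bugme's option 3: an answer unrelated to the question, to be stored in a password manager."""
    return secrets.token_urlsafe(nbytes)


class ResetService:
    """Secret-question gate in front of an e-mailed, single-use reset token."""

    def __init__(self):
        self.accounts = {}   # username -> {"email", "salt", "hash", "failures"}
        self.tokens = {}     # sha256(token) -> (username, expires_at); raw token never stored
        self.outbox = []     # constructed stand-in for sending mail: (email, token)

    def enroll(self, username, email, answer):
        salt, digest = hash_answer(answer)
        self.accounts[username] = {"email": email, "salt": salt,
                                   "hash": digest, "failures": 0}

    def request_reset(self, username, answer, now=None):
        """Return True only if an e-mail went out. Unknown user, wrong answer and
        locked account all return False so the response does not leak which it was."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or acct["failures"] >= MAX_ANSWER_ATTEMPTS:
            return False
        _, digest = hash_answer(answer, acct["salt"])
        if not hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] += 1
            return False
        acct["failures"] = 0
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).digest()
        self.tokens[key] = (username, now + TOKEN_TTL_SECONDS)
        self.outbox.append((acct["email"], token))   # the link goes to the address on file
        return True

    def complete_reset(self, token, new_password, now=None):
        """Consume the token: it must exist, be unused and be unexpired."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).digest()
        entry = self.tokens.pop(key, None)           # single use, even if it turns out expired
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        # Placeholder for the real password-hash update in an actual system.
        self.accounts[username]["password"] = new_password
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.enroll("brian", "brian@example.invalid", random_answer())
    print("locked after wrong guesses:",
          all(not svc.request_reset("brian", "Mountain View") for _ in range(MAX_ANSWER_ATTEMPTS)))
```

Note that the lockout is per account rather than per source address, so a guesser gets at most `MAX_ANSWER_ATTEMPTS` tries at the question regardless of how the requests are spread; a deployed system would also want to notify the account's e-mail on lockout so the owner learns the question is being probed.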

danielan

1 Comment

  • 999 Days Ago
  • 05/22/2009

PII

OT, but I've always wondered how many organizations properly handle the potential PII that these "self-help" systems capture...

Reply

omiopi

1 Comment

  • 937 Days Ago
  • 07/23/2009

No good questions

Comments on other posts:
1. Easy questions like first name that send an email may not be secure if the attacker compromises the email account. So security is dependent on what I've done on another site.
2. Making up fake security questions is too frustrating for some people who don't want to go through the steps of resetting a password.
3. Don't allow users to make their own questions as they will most likely use easily compromised questions.

There are no 'good' secret questions. They all pose a risk or make it difficult for the user. A new method is needed. But until then, http://goodsecurityquestions.com has some useful guidelines and questions.

Reply

kethyjewel

2 Comments

  • 573 Days Ago
  • 07/22/2010

Really Secret Answers

It is why the questions are simple, I don't want my bank account to be accessible this way - and, I wouldn't use any business that was so lacking in security as to offer it as an option.

Reply
