(Page 2 of 2)
Backup-authentication schemes should have two important characteristics, Schechter says. They should be reliable, allowing a legitimate user to regain access to his or her account, and they should be secure, preventing unauthorized users from gaining access.
The study found that secret questions fall short on both counts. Even for the most memorable questions--Yahoo's, as it turned out--the participants forgot 16 percent of the answers within three to six months. Overall, one out of every five people forgot all of the answers to their secret questions, the researchers found.
"People tend to underestimate the likelihood of their forgetting some clever technique or glib answer," Schechter says.
For most of a decade, security expert Bruce Schneier has criticized secret questions for their vulnerability to attack. In 2005, Schneier wrote, "I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it."
Yet companies focused on reducing customer-service costs have introduced a back door into people's accounts that is easier to circumvent than attempting to guess the password, he says. "The weird security thing that is being done is that there is a backup system to reset your password that is less secure than the system that it's intended to support," Schneier says.
Schechter agrees that researchers will have to find a completely different mechanism for backup authentication--secret questions just don't cut it. "We would eventually like to see these questions go away," he says. "Unfortunately, since we didn't find many questions that were conclusively good, it's hard to recommend simply changing questions."
Schechter recommends not choosing questions that may have common answers. Schneier goes farther and says that he frequently just types in a random answer; if he needs to retrieve a password, he says, he will call the company.
Green, whose secret question asked the name of his high school, plans to use more secure e-mail in the future. And that may mean forgoing password retrieval. "Being able to reset my password on the site is nifty if I forget my password, but it sucks if someone else manages to figure out how to do it without my permission," he says.
on the sensitivity of the access that you're trying to protect. If I'm really not too concerned about someone else being able to impersonate me (say, in order to post comments on Tech Review), I may be happy to trade security for simplicity of password recovery.
On the other hand, I don't want my bank account to be accessible this way - and, I wouldn't use any business that was so lacking in security as to offer it as an option.
The same Microsoft researchers published at CHI09 a more interesting paper. In this paper, they proposed an alternative solution for password recovery.
They proposed to use trustees who would authenticate you. When signing up for an account, you designate some trustees. Each trustee receives access to a recovery code. To get back your lost password, you have to provide a given number of such recovery codes. In other words, you have to ask your trustees for them.
Unfortunately, the system has some drawbacks.
See http://eric-diehl.com/blog/?x=entry:entry090518-183818
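A constructed model of the k-of-n trustee scheme the comment describes, added here as an example; it is not code from the Microsoft paper, and all names (TrusteeRecovery, setup_recovery, the threshold and lockout values) are this example's own assumptions. The server stores only salted hashes of the codes, each code is single-use, and the flow locks after repeated wrong codes.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 16   # 128-bit random recovery codes: guessing one is infeasible
MAX_FAILURES = 5  # lock the recovery flow after this many bad codes (assumed)

class TrusteeRecovery:
    def __init__(self, threshold, salt, code_hashes):
        self.threshold = threshold
        self.salt = salt
        self.code_hashes = code_hashes   # trustee -> salted SHA-256 of code
        self.used = set()                # trustees whose code was consumed
        self.failures = 0

    @staticmethod
    def hash_code(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def verify_code(self, trustee, code):
        """True only for the unused, correct code issued to `trustee`."""
        if self.failures >= MAX_FAILURES:
            return False                 # locked: too many wrong codes
        expected = self.code_hashes.get(trustee)
        if expected is None or trustee in self.used:
            self.failures += 1
            return False
        if not hmac.compare_digest(expected, self.hash_code(self.salt, code)):
            self.failures += 1
            return False
        self.used.add(trustee)           # each code is good for one attempt
        return True

    def authorize_reset(self, submissions):
        """submissions: iterable of (trustee, code). Reset is allowed only
        when at least `threshold` distinct trustees supplied a valid code."""
        valid = sum(1 for t, c in submissions if self.verify_code(t, c))
        return valid >= self.threshold

def setup_recovery(trustees, threshold):
    """Enrol trustees: returns the server state and the plaintext codes that
    would be handed to each trustee out of band (server keeps only hashes)."""
    if not 1 <= threshold <= len(trustees):
        raise ValueError("threshold must be between 1 and len(trustees)")
    salt = secrets.token_bytes(16)
    codes = {t: secrets.token_urlsafe(CODE_BYTES) for t in trustees}
    hashes = {t: TrusteeRecovery.hash_code(salt, c) for t, c in codes.items()}
    return TrusteeRecovery(threshold, salt, hashes), codes
```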
For those interested, our full paper can be accessed here:
http://research.microsoft.com/apps/pubs/default.aspx?id=79594
Several different options for this:
1. Answer with an unrelated item (e.g. answer "My Favorite Book" with your dog's name)
2. Have a prefix and a suffix for every answer (e.g. answer "My High School" with "yourgenericprefix + 'high school' + yourgenericsuffix" -- "Technology Mountain View HS Review")
3. (my preferred option) answer all secret questions with a string from http://grc.com/password.htm, saving that answer in your password-database-of-choice (e.g. KeePass, Roboform, YAPS, etc.). The answer to the question has no relationship to the question, but you have to save the answer so you can paste it back in.
4. Follow Schneier's recommendation.
I'm wondering if anyone has had success allowing users to create their own security question and answer?
This, in conjunction with another piece of data (i.e. monthly direct deposit amount for a banking site), may be a better way to make this process more secure.
Thoughts? Results?
This article states that even questions such as "What is your first name?" are secure. Read on how...
http://www.passwordtote.com/articles/security-question-systems-done-properly.htm
Re: Services should do this....
No, the questions aren't secure, it's the follow up reset method that is secure, e.g. the questions don't reset the password, they just send an email to the address on file with instructions to reset the password. That is the best way to handle the situation, without a doubt, since they must be who they say they are, and have access to the email account on file, to be authorized to reset the password. But if they don't use that email address anymore (which happens often)... they are up the creek.
But of course this method is only as secure as the security of their mail system... which is often the most insecure system around, because no one thinks email requires high level security...
So your banking security may only be as secure as your email account security!
OT, but I've always wondered how many organizations properly handle the potential PII that these "self-help" systems capture...
Comments on other posts:
1. Easy questions like first name that send an email may not be secure if the attacker compromises the email account. So security is dependent on what I've done on another site.
2. Making up fake security questions is too frustrating for some people who don't want to go through the steps of resetting a password.
3. Don't allow users to make their own questions as they will most likely use easily compromised questions.
There are no 'good' secret questions. They all pose a risk or make it difficult for the user. A new method is needed. But until then, http://goodsecurityquestions.com has some useful guidelines and questions.
lkrndu
Really Secret Answers
The writer hints at one solution when he says he sometimes just types in a random answer for a secret question.
After all, the secret question bit is sort of like having two padlocks in series to close a gate. Forget one key, have the reserve hidden somewhere only you know about.
Just like a physical key, a secret question 'answer' might be something absurd, or a random character string. One might WRITE DOWN that answer and carry it as if it WERE a physical key, for emergencies.
As they say, a hacker would have to pry it - PHYSICALLY - out of my dead...
Or is that 'cheating'?
lasertekk
Re: Really Secret Answers
Exactly. An absurd answer to the wrong question. It works for me, since most sites seem to have the same questions. I'll even volunteer it. It's a line from a movie. Good luck.
chadwickmeyer
Re: Really Secret Answers
Remember, these back door systems are primarily in place for the average incompetent user (and they are legion). Those who suggest a bunch of fancy tricks are missing the point (preaching to the choir), since your suggestions are far beyond the abilities of these average users. If you are the type to choose a random password, salt your answers and then store them in your own keychain, you aren't the type to forget your password in the first place. It's the people that pick passwords like "emily" that lose them.
Clearly the goal of these systems is to reduce customer service costs. But it's a flawed system and those who implement it are lazy, and are playing willy nilly with people's privacy. You shouldn't use a site that offers these backdoors if you could be harmed by the hack (unless you are confident about your own salting schemes I guess).
Wunderbarb
Re: Really Secret Answers
The problem with random strings or absurd answers is that they are more difficult to remember than logical ones. Just a reminder of the problem: the user has lost a password that he regularly uses. We are now asking him to remember something he uses more rarely!!!
It is why the questions are simple, in order to increase the likelihood of remembering the right answer. Which is also their weakness and vulnerability to social engineering.