Security Questions

You’ve seen them. The Security Question. Sign up for an account, pick a password, then fill in the answers for a few questions so that the system can identify you in case you lose your password.

The problem with these is that the answers to the questions are a weaker alternative to the passwords themselves. Both require the user to identify themselves via a string that only they should know. The questions, however, have two flaws:

1. The answers to the questions are generally not considered confidential. “Your mother’s maiden name” is a piece of information that may not be commonly known, but it is not often treated as secret either. The same goes for the names of the schools you attended. With the rise of social networks and the vast amounts of personal data individuals fill out in them, it’s become easier than ever for someone else to answer these questions correctly.

2. The answers are not random character strings. Think of all of the times you were told that a good password must contain symbols and numbers or what have you. This is a good practice, and it’s there to help ensure that (to some degree) the password is as random as possible. Security questions, however, often prompt for a single word, and this greatly reduces the number of possible correct answers. An eight character password, using just lowercase letters, numbers, and ten different symbols, gives over 20 trillion possible combinations, a steep hill for a brute force attack. Yet the English language has, at the high end of estimates, barely a million words. Quite a lot, but far less daunting. (This is a very simplistic example, but I believe the point stands.)

There’s been a lot of talk on the first point, but Light Blue Touchpaper has a really neat post focusing on the second. They reference a recently published paper that details how successful drive-by brute forcing of accounts via the security questions is, and the success rate is surprisingly high.

So what does one do about it?

1. Refuse to play along. One of the best pieces of advice I received from one of my infosec professors: if you have a security question, answer it with something else entirely. If it asks for, say, your mother’s maiden name, put in the name of your school. Make it something hilarious, and you’ll be better able to remember it. Even if someone does find out your mother’s maiden name, they will be puzzled as to why it doesn’t work.

2. According to the paper though, even that may not be enough. While the paper focuses on single names (and the above, I think, will give you a reasonable level of security), the use of an actual word is still relatively weak for the reasons I outlined above. So use a password. Make it the same as the one you use for the account, or a different one. Both the question and the actual password challenge (and you do use a strong password, right?) will then be protected at the same level.

But what if you do actually forget your password? Isn’t that what this was supposed to fix? The first suggestion would be to use a password manager, such as KeePass, so that you only have to remember one password and can then access all of the others. The other suggestion? Write it down. Seriously. Write it on a pad of paper, and protect that paper. If you’re in a work environment, then this does not apply. Your office is not private. (No, really, it’s not. You don’t own or control the building.) But for home, it’s more than sufficient. Keep it hidden in a desk or so, and pull it out when you need to. You’ll lessen the number of passwords you need to remember and make it easier to create more complex ones.
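As an added example that is not part of the original post, the following Python script works the arithmetic from point 2 above (the 46-symbol, eight-character password space against a million-word answer space, expressed as candidate counts and bits of entropy) and generates a random answer of the kind remedy 2 recommends, fit for storing in a password manager. Which ten symbols make up the alphabet, and the guess rate passed to `seconds_to_exhaust`, are assumptions; the post gives only the counts.

```python
import math
import secrets
import string

# Character set for the post's eight-character password example: lowercase
# letters, digits and ten symbols, 46 candidates per position. Which ten
# symbols is an assumption; the post only gives the count.
PASSWORD_ALPHABET = string.ascii_lowercase + string.digits + "!@#$%^&*()"
ENGLISH_WORDS = 1_000_000  # the post's high-end estimate of English vocabulary


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters over the alphabet."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Entropy in bits of a uniformly random choice among `candidates`."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a given (online or offline) guess rate."""
    return candidates / guesses_per_second


def compare(length: int = 8) -> dict:
    """Put the post's two answer spaces side by side."""
    password_space = search_space(len(PASSWORD_ALPHABET), length)
    return {
        "password_candidates": password_space,
        "password_bits": entropy_bits(password_space),
        "word_candidates": ENGLISH_WORDS,
        "word_bits": entropy_bits(ENGLISH_WORDS),
        "ratio": password_space // ENGLISH_WORDS,
    }


def random_answer(length: int = 8, alphabet: str = PASSWORD_ALPHABET) -> str:
    """A security-question answer drawn from the whole password alphabet,
    using the OS CSPRNG, so it is as strong as the post's password example."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,}" if isinstance(value, int) else f"{name}: {value:.1f}")
    print("random answer:", random_answer())
```

The ratio line shows the eight-character password space is about twenty million times larger than a million-word dictionary, which is the gap the post's second point describes.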

Thursday, March 4th, 2010 Security

1 Comment to Security Questions

  • AlcoJaguar says:

    I actually tend to make my secret question answers unknown even to me. Mash the keyboard and drop random character codes into the field. I prefer email password resets. That way, as long as I use and maintain my email address, I’ll never be in dire need of the answer to any of my secret questions just to reset a password on a forum I haven’t visited in two years.
