Security questions considered dangerous

Keith Brown expresses concern over the security questions people ask themselves for password reset, and suggests that the user not be allowed to write the question, so that sufficiently secure questions can be asked.


Congratulations – you’ve addressed half the problem.


The server can now require that the server asks the user a complex question.


Because the correct answer is determined entirely by the user, though, the answer can be unnervingly simple.


  • What’s your mother’s maiden name?
    • 1111
  • What’s the last four digits of your SSN?
    • 1111

I bet you can guess the last four digits of my driver’s licence, and the city in which I was born, too. :-)


So, this clearly hasn’t started to solve the problem – the only complexity you’ve enforced is the public portion of the exchange.


Sadly, many of these complex questions raise a further concern – who else knows the answers?


My mother knows her maiden name, and the city in which I was born. My wife knows that, and also has access to documentation for the other keys to the castle. Suppose one day she becomes my ex-wife, and wants to have access to my online banking, my business, my health information – those questions are now the simple key to allowing her in.


Other elements of concern:


  • Privacy
    • I’ve just told my bank what my SSN is, who my mother was, what my driver’s licence is, where I was born, etc – do they need any of that information to do business with me? No. Then they don’t get that information.
  • Accessibility
    • I express it often with biometrics – how does your iris scanner work on a person with aniridia? how does your fingerprint scanner handle a person with no fingerprints? how does your “What is your driver’s licence number” cope with a person who has been banned from driving, or is sufficiently disabled that they cannot drive?

At work, we’re required to create the same sort of “three questions” to reset our password.


I’m tempted to enter the following:


  • What is your name?
  • What is your quest?
  • What is your favourite colour?

What I do instead, is to enter:


  • Why don’t you just walk over to the security office, show them your photo identity, and get them to reset your password?

 

5 Responses to Security questions considered dangerous

  • Bucky says:

    Q. Why don’t you just walk over to the security office, show them your photo identity, and get them to reset your password?

    A. Because that’s way too far to walk.

    Then again, people who know me might be able to guess that one.

    First off, I agree with your overall intent, I just disagree with your examples. I think you are going a bit extreme with your concerns. There will always be systems where someone can’t participate; Iris scanner/lose an eye, fingerprints/burns, etc. The solution is finding a good way to handle the majority while planning for the minority.

  • Alun Jones says:

    The “walk over to the security office” is just an example. It could just as easily be “get two other people in your team to vouch for your identity”, “get your manager to request the password to be reset”, etc, etc – those are examples for an office environment. There are more creative ways to ask for verification of identity.
    As to being extreme with the concerns, I guess it’s going to depend on how many people are going to be inconvenienced by whatever scheme you choose. I never had a favourite sports team, but that’s usually the choice I have to make when it’s just one out of four questions, because I don’t fit a number of other categories, or the answers to the remaining questions are known by too many people.

  • Garry says:

    Some questions pose more serious threats than others, and some can be quite difficult to decipher or crack. There’s a list of good, fair, and poor questions at http://www.goodsecurityquestions.com along with guidelines to find the better questions.

  • Cat says:

    Why don’t you just walk over to the security office, show them your photo identity, and get them to reset your password?

    Because the line of people getting their password reset over there is 4 hours long.

  • alunj says:

    Sounds like a company that needs a little security awareness training.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>