Keith Brown expresses concern over the security questions people ask themselves for password reset, and suggests that the user not be allowed to write the question, so that sufficiently secure questions can be asked.
Congratulations – you’ve addressed half the problem.
The server can now require that the server asks the user a complex question.
Because the correct answer is determined entirely by the user, though, the answer can be unnervingly simple.
- What’s your mother’s maiden name?
- What’s the last four digits of your SSN?
I bet you can guess the last four digits of my driver’s licence, and the city in which I was born, too.
So, this clearly hasn’t started to solve the problem – the only complexity you’ve enforced is the public portion of the exchange.
Sadly, many of these complex questions raise a further concern – who else knows the answers?
My mother knows her maiden name, and the city in which I was born. My wife knows that, and also has access to documentation for the other keys to the castle. Suppose one day she becomes my ex-wife, and wants to have access to my online banking, my business, my health information – those questions are now the simple key to allowing her in.
Other elements of concern:
- I’ve just told my bank what my SSN is, who my mother was, what my driver’s licence is, where I was born, etc – do they need any of that information to do business with me? No. Then they don’t get that information.
- I express it often with biometrics – how does your iris scanner work on a person with aniridia? how does your fingerprint scanner handle a person with no fingerprints? how does your “What is your driver’s licence number” cope with a person who has been banned from driving, or is sufficiently disabled that they cannot drive?
At work, we’re required to create the same sort of “three questions” to reset our password.
I’m tempted to enter the following:
- What is your name?
- What is your quest?
- What is your favourite colour?
What I do instead, is to enter:
- Why don’t you just walk over to the security office, show them your photo identity, and get them to reset your password?