How are 'Secret Questions' Secure?

Posted by Cliff
from the security-versus-usability dept.
Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?
  • by Mostly a lurker (634878) on Friday July 28, 2006 @09:54PM (#15803459)
    how would you implement a secure facility to change passwords?
    Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.
    • Even if they create the question themselves, people will tend to create the same question for many websites so knowing one question/answer pair of one person for one website will lead to knowing it for most/all sites. Therefore, I'm not sure if that's the answer.
      • And they also tend to use the same password for most/all sites, so it's really a moot point anyway.
      • They are not supposed to be secure on their own, just a bit more secure than not having them.

        Normal password retrieval method:

        1. Click the "I forgot my password button"
        2. Enter your email address
        3. Click Ok to get a confirmation mail sent
        4. Go to your email account and read the mail

        With secret questions it becomes:

        1. Click the "I forgot my password button"
        2. Enter your email address
        3. Answer the secret question correctly
        4. Click Ok to get a confirmation mail sent
        5. Go to your email account and read the mail
        • Just to clarify, the secret question should not give access to your account, the secret question just is required to reset your password. It's like putting a sheet of newspaper over your head under an umbrella, it won't help a lot if the umbrella blows away but it won't make you any wetter either.
    • Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.
      Sometimes you cannot write your own so either you type random junk on the keyboard if you are sure you'll never forget your password or you understand the question in a twisted way. What's your favourite animal? Dubya!
      • Random junk works well enough if you're sure (and rightly so) that you'll remember your passwords and if you're sure the service won't decide to change them. That has happened to me, and resulted in switching cell phone providers because my account with the old provider was therefore no longer accessible. (Their service left something to be desired anyway.)
      • Or give a bogus answer only you know. My (former) bank thinks my mother's maiden name is "Thehellyousay"...
    • by schon (31600)
      Best is to allow the user to create their own question.

      That has its own problems:

      http://www.penny-arcade.com/comic/2006/07/12 [penny-arcade.com]
      • by lazlo (15906)
        I recall a friend who had a "create your own question" security system at.. I believe it was his bank. Anyhow, it was a question that was asked by call center employees. He had far too much fun with that. He said "I love it! Every time I call my bank, they have to ask me 'Jack, why are you such a fucking pussy?', and every time I have to reply 'Because I am what I eat.'"

        So, there may be other reasons not to use this sort of system.

        But, fundamentally, it's a horrible security measure and should be taken
    • Nonsense. You don't have to create your own question, you just need the ability to do what the site already lets you do, create your own answer. Mother's maiden name? Qgxyz7rtl. First pet's name? Qgxyz7rtl. My high school? Qgxyz7rtl. Favorite TV show? Qgxyz7rtl. The only problem is coming up with a system where every minimum wage help desk monkey doesn't know your answer to every website that you have a password on, but that's not too hard to come up with.
      • When I went to UIC, we were required to have a challenge/response in case we forgot our password. Mine was:

        Q: What is your password?
        A: <my password>

        Interestingly, Dan Bernstein's is:

        Q: How many idiotic ACCC policies can dance on the head of a pin?
        A: <dunno, you'll have to ask him> :)
    • by Anonymous Coward

      Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to.

      Agreed, but we can go further.

      The time I was reverse scamming a Nigerian 419'er comes to mind.

      I thought it might be fun to look at his mail.com email account. Having Mail.com I knew that it doesn't report attempts to password guess to the account holder.

      The secret question this scammer had chosen was "Where were you born?"

      The next few e

    • A friend of mine had a bank account where he was able to make up his own "personal information" question that he would be asked over the phone. A correct question/response went like this:

      Receptionist: What are you wearing?
      Client: I don't think that's an appropriate question.
    • Since many sites don't do this, and I'm not a fan of the "secret question" either, I just enter a long string of garbage for the answer. Something even more difficult to guess than a password. If I forget the password...well, I just won't then, will I? :-P
    • That comic is delicious. Mmmm. I love waking up to the fresh taste of Penny Arcade on Mondays, Wednesdays, and Fridays.
    • I actually do something like that for places that let you enter any question. I enter some off the wall question that could be answered any way and does not easily relate to anything, but with how I think I know the answer right away.

      For example (This is not one I actually use) a friend in school when faced with the classic question "Why is a mouse when it spins?" did not know the "correct" answer (The higher, the fewer) so came up with an equally nonsensical answer (The faster it spins, the much). It is
    • You just messed up a one line joke...

      There's no question mark there, which is why Tycho goes on to question whether it is a question or a statement.
    • You know, this is totally off-topic, but that reminds me...

      When I was in high-school, people would ask 'You know what?' and my answer was 'What is dead.' and then 'He got run over.' I usually eventually explained that my first girlfriend (hey, she asked me out, okay?) had a cat that had kittens... And she didn't name them fast enough. So I named them Spot, What and Horace. She was pretty pissed.
  • by jafo (11982) * on Friday July 28, 2006 @09:54PM (#15803466) Homepage

    Many, many sites require that you answer some of these questions. It would be ok if it were optional, but in many cases it's required. The thing is that many sites really have no legitimate need to have password changing functionality in the site.

    For example, at most online shopping sites, I'm having to create an account I don't really want, and provide this "secret" information, to a site I'll probably never visit again. Or if I do, I'd rather enter all my shipping information again than have to remember a password.

    For most sites, if your password for the site isn't valuable enough to you that you keep it safe, then there's probably no reason that you couldn't just start over with a new account. For the sites that do have stuff that's interesting enough that you need a password recovery, the security of a password reminder probably isn't sufficient.

    One thing you can do, is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

    Sean

    • by karnal (22275) on Friday July 28, 2006 @10:21PM (#15803563)
      My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

      I'll bet she couldn't WAIT to get married!

      On a related note, we must be cousins.
    • One thing you can do, is use a password vault and use another password for the questions they ask. My mother's maiden name? It's "avxQta6TNIwqqKAxqOGHRo6xdZP6bJYyo3BoBRmh".

      I have a friend whose first name is his mother's maiden name. It's an odd name as well, and people usually ask "where did that come from". A while back he actually had to come up with a plausible story so he wasn't giving away a "secret" every time somebody asked. Annoying. Now you have to know him pretty well to get that info.

      I don't thi
    • The thing is that many sites really have no legitimate need to having password changing functionality in the site.

      Yup. Any site for which having the ability to recover a lost password is important *either* had lots of personal and financial information about me already which could be used for that purpose, or it has my email address and could easily mail me a password-changing token. (Sure, that scheme could in principle be vulnerable to attacks - but far less so than using my mother's maiden name and my

  • by PaulBu (473180) on Friday July 28, 2006 @09:55PM (#15803467) Homepage
    Your mother maiden name? / your city of birth,

    Your pet's name? / your GF nickname,

    Your pet? / Ultraviolet

    And so on...

    Paul B.
  • by ChaosDiscord (4913) * on Friday July 28, 2006 @09:55PM (#15803468) Homepage Journal

    It's not perfect, but it makes attacking a random account harder. That the password is emailed to a known address adds further security. It's probably not good enough to stop a dedicated attacker, but for something relatively unimportant (like a Slashdot login), it's Good Enough. For important things (say, your banking site) I would hope that emailing you your password isn't an option at all (it isn't for my bank).

    You can improve your security marginally by making up a consistent fictional answer. Again, not suitable for important sites, but good enough for lightweight stuff.

  • by gclef (96311) on Friday July 28, 2006 @09:57PM (#15803480)
    If the users choose their own question and answer, it makes it much harder for an attacker to know what bit of info will be needed.

    Also, users can then choose all sorts of really arcane things for their questions, or just bits of silliness & mental associations that aren't worth an attacker's time to figure out.
    • They'll stop a bot, but they won't stop a human. That's about the best that can be said for user-defined security questions.

      Most people don't have enough imagination to come up with a secure password, let alone a unique question that's answerable twelve months from now. I bet if you were to look at some of the "write-your-own" question sites currently out there, the majority of the 'questions' you'd find will be "your password is 'xyzzy'". At least "city of birth" or "elementary school name" require a

    • by Anonymous Coward
      I just got burned by my credit card company coming up with their own arcane questions. I called them from my office to change my address. Before I got to an operator I toured the automatic options. Providing my soc # got me my balance, remaining credit limit, and last payment. Hmm, neat, but not what I called about so didn't record the specifics. I got an operator, prepared to provide my soc #, credit card number & confirmation code, birthdate, etc. Instead she asks me my member number. I didn't
  • That thing that identifies you that you know? It's called a password (or sometimes passphrase).

    The more passwords you have, the less attempts are necessary.

    Worse still: These "passwords in case you forget your password" are things lots of people might know.

    Passwords are only as strong as their secrecy, and since two is no better than half as good, these systems are _less_ secure than having a single password.

    They do, however, have a benefit- and that's the cost of creating a new account. Users that have forgo
  • When this is an option, the question I like to use is:

    "What is your password?"
  • by dduardo (592868) on Friday July 28, 2006 @10:07PM (#15803521)
    I prefer to give sites my email and if I forget my password it should email me with a link to reset my password. That is the simplest solution.
  • by Anonymous Coward
    How are 'Secret Questions' Secure?

    Um, can't answer that, its my secret question.
  • by goofyheadedpunk (807517) <(goofyheadedpunk) (at) (gmail.com)> on Friday July 28, 2006 @10:14PM (#15803544)
    Who says you have to answer that silly secret question with what it's actually asking for? You could think up a non-public answer ahead of time to the question, "What High School did you go to?" and give that non-public answer. Seems to be a bit more secure than giving an answer which is actually true.

    For example:

    Question: "What's your mother's maiden name?"
    Answer: "Sheatemybrotherssoul"
    • Exactly. And every year or so, change what the answers are. Or, instead of your mother's maiden name, use an ex's mother's maiden name if you know it.

      An old friend of mine would choose the "favorite historical figure" option, if available, and he would answer "Hitler." He said you wouldn't expect it of a black Jewish guy, and that's what was so great. It's not likely to be guessed.
      • An old friend of mine would choose the "favorite historical figure" option, if available, and he would answer "Hitler." He said you wouldn't expect it of a black Jewish guy, and that's what was so great. It's not likely to be guessed.

        Since there are exactly seven black Jewish guys in existence today, I now know your friend's password! Ha!

        • His password? You mean the answer to a security question? :) After a year, I'm sure he's changed it. I hope. I don't know since we fell out of contact last year. My favorite historical figure would have to be, um, you know, I can't think of anyone amusing enough at the moment.
  • stupid (Score:2, Informative)

    Whenever I am presented with one of these, I just mash on the keyboard for a bit. I remember my passwords.
  • Schneier's take [schneier.com] and Penny Arcade's take [penny-arcade.com]. Just give up and enter junk for the questions. If you lose your password, call someone.
  • No? (Score:3, Insightful)

    by gadzook33 (740455) on Friday July 28, 2006 @10:34PM (#15803616)
    I was on a major financial institution's web site yesterday changing my password. It asked me to pick a password with a minimum of six characters. Then it asked me to type the answer to a Secret Question. It required that I have a minimum of three characters in my answer. There were about twelve questions to pick from plus the option for a custom question (which we'll ignore for now since odds are no one picks it anyway). So, if we consider the choice of question to be (at best) an extra character in the answer, we are only required to use four (really like 3.5) characters. If I'm attacking this system, where am I going to spend my time? What is the point of having a minimum of six characters in the password? This isn't even considering the fact that the answer to the Secret Question is almost certainly something out of a dictionary whereas there's at least a chance the password is somewhat more complex.
    • To take that further, you could do a statistical analysis of what are common names, birth places and so on. A short 100 word dictionary would probably nail most people.

    • Because unlike logon screens secret questions can usually only be used in conjunction with something else that suggests that you are you, e.g. an e-mail reminder whereby you'd have to ALSO be able to intercept the e-mails while doing this dictionary attack.
  • They are not secure at all. They are a joke. Some people are stupid enough to post certain personal information on their blogs or social networking sites. They are not secure in any way or form.

    What they need to do is create a dual password system, where there's a master password which can change anything, and a secondary password which can change anything but the master password. You would always log in using the secondary password. Concerning the master password, write it down, stick it in a very sa
  • ... that made a joke about this once. For security, he got to choose his own question and answer. The question the techs were suppose to ask him was, "What are you wearing?" with a response of "THAT'S TOTALLY INAPPROPRIATE!"
  • A plethora of relatively unimportant web sites require logins, and they offer a cheap and easily implementable way to reset those logins by asking for a piece of (often benign) personal info (birthdate or zip code, for example). Now, banks and brokerages are hopping on that bandwagon, though in a different way. They are using personal identifiers (mother's maiden name, favorite color, first job, etc) as part of a 2-factor authentication mechanism (as opposed to simply a password reset mechanism). Bank of Am
  • I use Password Safe (Google it). I use two files - one is usernames and passwords and one is the stupid questions (and randomly generated answers). I avoid using the same question for two different sites. That effectively means I have two different usernames and passwords for each site.

    If I lose both the files then I am screwed since I don't even know what the answers are!

  • With good datamining, so called secret questions are totally insecure.
  • by scdeimos (632778) on Saturday July 29, 2006 @12:10AM (#15803939)

    I've worked on a few systems which allowed you to choose your own secret questions and answers, but they're really not that much better.

    One of the better solutions I saw required you to register at least two of (1) an e-mail address, (2) an SMS number, and (3) a facsimile number. If you lost your password you went to the "forgot password" interface, entered your username and asked it to send a message to one of the registered points (it would just say "E-mail," "SMS" or "Facsimile" and not divulge the specific details). The message contained a one-time URL which expired in 24 hours and allowed you to set a new password. When the password got reset, a message was sent out to all registered points detailing when and where from (IP address) this occurred. Self-service all the way.
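    The reset flow described in this comment (and the "secret question only gates a confirmation mail" flow a few comments up), as an added example that is not code from the thread or from any product mentioned in it. It assumes an in-memory dict in place of a database, an "outbox" list in place of real e-mail/SMS/fax delivery, and a placeholder host (example.invalid) in the reset URL. The token is stored only as a hash, is single-use, expires after 24 hours, and every registered contact point is told the time and requesting IP when the password actually changes.

```python
"""Self-service password reset with one-time, time-limited tokens (added example)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the one-time URL is valid for 24 hours


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so expiry can be exercised offline
        self.users = {}      # username -> {"password": str, "contacts": {channel: address}}
        self.tokens = {}     # sha256(token) -> {"user": str, "expires": float}
        self.outbox = []     # (channel, address, message) tuples that were "sent"

    def register(self, username, password, contacts):
        # Policy from the comment: at least two of e-mail, SMS, fax on file.
        if len(contacts) < 2:
            raise ValueError("register at least two contact points")
        self.users[username] = {"password": password, "contacts": dict(contacts)}

    def request_reset(self, username, channel):
        # The requester names only the channel; the address on file is never
        # displayed, so nothing about the account's contact details leaks.
        user = self.users.get(username)
        if user is None or channel not in user["contacts"]:
            return None  # same failure for unknown user and unknown channel
        token = secrets.token_urlsafe(32)
        # Store only a hash: a leaked token table is not a usable token.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = {"user": username,
                               "expires": self.clock() + TOKEN_TTL_SECONDS}
        url = f"https://example.invalid/reset?token={token}"  # placeholder host
        self.outbox.append((channel, user["contacts"][channel], f"Reset link: {url}"))
        return token  # returned here only so the example can drive itself

    def complete_reset(self, token, new_password, client_ip):
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self.tokens.pop(digest, None)  # pop: a token can be used once
        if rec is None or rec["expires"] < self.clock():
            return False
        user = self.users[rec["user"]]
        user["password"] = new_password
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(self.clock()))
        # Notify every registered point so the real owner notices a hijack.
        for channel, address in user["contacts"].items():
            self.outbox.append((channel, address,
                                f"Password reset at {when} UTC from {client_ip}"))
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "old-pw", {"email": "alice@example.invalid",
                                     "sms": "+1-555-0100"})  # constructed data
    tok = svc.request_reset("alice", "sms")
    print(svc.complete_reset(tok, "new-pw", "203.0.113.5"))   # True
    print(svc.complete_reset(tok, "again", "203.0.113.5"))    # False, one-time
    for item in svc.outbox:
        print(item)
```

    The reset link reaches only the channel the requester picked, but the "password was reset from IP x" notice goes to every registered point, which is what turns a silent takeover into something the owner can act on.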

  • As near as I can tell there is absolutely nothing secure about a secret question. By definition it is a way to circumvent a moderately secure password system.

    Frankly I think it's a way for the company issuing the account to get just a little bit more information about you. Mother's maiden name? Name of high school? I think birth city is another common one. Sounds like a way of linking you to other people.

    Personally I always pick the most obtuse question and give it a completely false answer. Then, as usual,
  • Secret questions are only as secure as the secret itself - if you just gave that answer off to some web site, what's to stop you from giving it to another? Imagine this - you have an account of someone you want to break into, and you know their email address. You send them an email (tailored to not be like spam at all) inviting them to some special promotion on a site you set up, complete with login and the same security question. Anyone who answers this, poof, they have given you access to whatever account
    • That's just a phishing site. Just ask for their password.
      • That's just a phishing site. Just ask for their password.

        Not really - your site isn't pretending to be another site. It just happens to ask the same questions as another site.

        While everyone should (in principle) pick unique passwords for every site, most people are probably less likely to make up a different answer to the question "what is your favorite sports team" for every website.
  • I first ran across the idea of mnemonic passwords here on Slashdot awhile back, and now all my passwords are created using the method. I know Joe Average can understand them, because my PHB's have no problem with them. Well, except for them mouthing the phrases aloud sometimes while typing in the password. Still, that's better than them forgetting it or writing it down on a sticky pad. Mnemonic passwords are easier to remember and eliminate the use of dictionary words for passwords. I'm sure almost every
  • I hate "Secret questions." I'd rather keep track of my passwords. I've only once lost an account due to a forgotten username/password combo. And that wasn't an important account. I always fill the secret answer with pure giberish. Hitting 30+ random keys is a great workaround for me. Especially the stupid new sites that require not one but two secret questions.
  • The problem only arises if you assume that people give honest answers because if they don't, it's as hard as keeping track of multiple passwords for every site. Each one has different question lists, after all, and the answers to some questions can change over the years (before I came up with my own scheme below, I set up an account with "Best Friend's Last Name" as the question - she's now my wife, so her last name is different... but when I infrequently have to log in, I have to think back to when I sign
  • by Hamster Lover (558288) * on Saturday July 29, 2006 @04:04AM (#15804722) Journal
    I had to call in to Telus Internet service to address a problem and was asked my secret questions. Being the flippant ass I am, Telus (I think was Telus, it might be Bell Expressvu) lets you type your own secret question and answers so I took the liberty of coming up with some, ah, inappropriate questions and answers. Needless to say, the support agent on the line started to giggle when she had to read my secret questions:

    Question: How do I masturbate in the shower?
    Answer: With my SpongeBob SquarePants friend.

    Question: What is the most sexually satisfying farm animal?
    Answer: The Llama.

    I am not sure who was more embarrassed, me or the agent as I had forgotten that I even made up those questions in the first place.

  • I had the same thought - everybody knows my pets name etc. I always make up a fake answer (It's always the same answer, just different questions) - that way, even someone with super-personal info (significant other, parents..) can NOT know the right answer.
  • Actually, the existence of secret questions is to make you feel your account is more secure.

    If it were truly a secure system, they would not be willing to change your password over the phone, because phone conversations are not encrypted. The only thing you could do would be to have your account locked/frozen over the phone, and possibly mail a signed form with a secondary password, and a signature guarantee (like a notary's seal) to request a token be mailed to your address of record, and then you change

  • ... by entering a random value from a strong password generator. If the site does not offer to mail me a new password if I forget (most do), then they are out of luck. I even have sites where getting a new password emailed is the only way of access I have.
  • Who ever said that you have to answer the 'Secret Question' truthfully? No matter what the 'Secret Question' is, I use the same answer. At work I have to answer 3 out of 5 different questions to get my password reset. When I set up the answers to those 5 questions, I just use the same answer for all of them. They have no relevance to actual data. Who are they to tell me what the answer should be? Example: Q. What is your mother's maiden name? A. My right toe. Q. What is the name of your pet? A. My righ
  • by stungod (137601) <`moc.krowtenypslabolg' `ta' `ttocs'> on Saturday July 29, 2006 @11:21AM (#15805924) Homepage Journal
    So encrypt the answers using a 1-way hash. If the intent here is to help you prove your identity on the site or recover from a forgotten password, why does any human need to know the answers?

    Instead, these questions should be scrambled and compared against scrambled answers you provide later. That way, nobody can retrieve the answer. It's up to the web site operator to take this simple additional step, but it's a lot more secure.
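    The "scramble and compare" scheme this comment argues for, as an added example (not code from the thread). Answers are normalized before hashing so "St. Mary's" and "st marys" still match, each answer gets its own random salt, the hash is a deliberately slow PBKDF2-HMAC, and comparison is constant-time. It also implements the "answer 3 of 5" style policy another commenter mentions. The round count, the normalization rule and the sample answers are assumptions for the example, not a standard.

```python
"""Secret-question answers stored as salted, slow one-way hashes (added example)."""
import hashlib
import hmac
import re
import secrets

PBKDF2_ROUNDS = 100_000  # slow on purpose; tune for the deployment (assumed value)


def normalize(answer):
    # Keep only ASCII letters and digits, casefolded, so harmless variations in
    # spacing, punctuation and capitalization do not lock the user out.
    # (A production system would also apply Unicode NFKC normalization.)
    return re.sub(r"[^0-9a-z]", "", answer.casefold())


def enroll(answer):
    """Return a {salt, hash} record safe to store beside the question text.

    No plaintext answer is kept, so neither a help-desk agent nor someone
    with a copy of the database can read it back.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_one(record, answer):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                 bytes.fromhex(record["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def verify_k_of_n(records, answers, k):
    """True when at least k of the enrolled questions are answered correctly.

    records: {question_text: record from enroll()}
    answers: {question_text: answer given now}
    Every supplied answer is checked, even after k successes, so the
    response time does not reveal how many answers were right.
    """
    matched = 0
    for question, record in records.items():
        if question in answers and verify_one(record, answers[question]):
            matched += 1
    return matched >= k


if __name__ == "__main__":
    # Constructed sample enrollment: three questions, two must match.
    enrolled = {
        "First pet's name": enroll("Rover"),
        "City of birth": enroll("Springfield"),
        "Favorite colour": enroll("Blue"),
    }
    print(enrolled["First pet's name"])  # only a salt and a hash are stored
    print(verify_k_of_n(enrolled, {"First pet's name": "rover",
                                   "City of birth": "Springfield",
                                   "Favorite colour": "green"}, 2))  # True
```

    Hashing does not make the underlying answers any harder to guess (a short dictionary of pet names is still a short dictionary), so the slow KDF and a server-side attempt limit still matter; what it removes is the help-desk and database-leak exposure the commenter objects to.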
  • A few months ago I was logging into paypal, and for some reason the site told me that I had been using the same password for too long, and I would be required to change it (and no, this wasn't a phishing site). I couldn't understand this at all, I had never heard of such a thing as being REQUIRED to change my password. I have a secure password that I use on all of my important accounts, and I remember it very well. Now though, they were forcing me to come up with something totally new. As you could expect,
  • Some people have been recommending giving wrong answers, but there's a problem with that: unless you give the same wrong answer every time, it's no good. A friend of mine came up with a much better way to make his answers hard to guess but easy to remember. Whenever he can, he picks the question about his pet's name. Instead of just saying (Let's say for example) Rover, he answers with this: mypetsnameisrover. Just as easy to remember, but no scammer's going to get it right even if they guess the right na
  • I don't need the questions, so I just fill the response field with noise. 'S pretty secure.
  • Two quick observations:

    Where I am required to answer one of these "your pet's name" questions, I do so accurately, but with my hands slightly off. Let's say there's three tiers of paranoia about an account and for stuff I don't care about I just move both hands one character to the right while typing my secret answer. For medium stuff I move them apart from each other and for what I deem critical I move the right hand up and the left one in (reality is different but that's the gist). Incidentally, I do the

  • As long as nobody finds out that my mother's maiden name is Asduyff43rfasdhf14351243qwe9yfakshdfadfh...
