How are 'Secret Questions' Secure?

Anonymous Howard wonders: "It seems that every authentication system these days requires me to provide the answers to several personal questions, such as 'Mother's Maiden Name' and 'Name of High School' for resetting lost passwords. I've always disliked this method because it is completely open to anyone with some personal information about me, but now it seems that its security continues to degrade as more and more Help Desk Reps can easily see this same information about me. Can anyone explain to me how these questions/answers, which seem to vary little among systems, are in the least bit secure?" You have to have some way of identifying yourself if you forget your password. If you feel the same way about these 'secret questions', how would you implement a secure facility to change passwords?
  • by Mostly a lurker ( 634878 ) on Friday July 28, 2006 @09:54PM (#15803459)
    how would you implement a secure facility to change passwords?
    Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to. However, it is secure for those who know what they are doing.
  • The one that bothers me is last four digits of social. In a privacy obsessed world, we've basically taken a nine digit key and reduced it to a four digit key.
  • by Detritus ( 11846 ) on Friday July 28, 2006 @11:32PM (#15803798) Homepage
    The leading digits can be guessed if you know when and where the social security card was issued.
  • by Anonymous Coward on Friday July 28, 2006 @11:34PM (#15803803)
    I just got burned by my credit card company coming up with their own arcane questions. I called them from my office to change my address. Before I got to an operator I toured the automatic options. Providing my soc # got me my balance, remaining credit limit, and last payment. Hmm, neat, but not what I called about so didn't record the specifics. I got an operator, prepared to provide my soc #, credit card number & confirmation code, birthdate, etc. Instead she asks me my member number. I didn't have that since it otherwise has no use. My bad. So to verify my identity she asked me a series of questions that were either useless, or shockingly poor security; i.e. my ex-wife's birthday?!?! (something I've worked hard (kinda) to forget in the past few years) my exact credit balance and limit, (you know, the things the auto-voice JUST READ TO ME for the price of my soc #, which suddenly isn't sufficient to prove my identity) the exact amount of my last payment, ("uhhh, $24... something? Look, the stupid voice just read it to me...!") the exact amount of my last charge, the vendor of my last charge (aka a usenet provider, you know, the ones that bill as "BFGT Inc, LLC" or something equally forgettable) and/or the city of the last transaction ("Did I mention INTERNET USENET PROVIDER? I dunno, Silicone Vally?") I explained that I wasn't at home with my bill, which would have all that info which any mail grabber could read. I was instead in my office, with my card, you know, the thing that I could actually do thousands of dollars of damage with in under five minutes if I was an identity thief...

    Sorry about the long post, but I had to get this out.
  • by scdeimos ( 632778 ) on Saturday July 29, 2006 @12:10AM (#15803939)

    I've worked on a few systems which allowed you to choose your own secret questions and answers, but they're really not that much better.

    One of the better solutions I saw required you to register at least two of (1) an e-mail address, (2) an SMS number, and (3) a facsimile number. If you lost your password you went to the "forgot password" interface, entered your username and asked it to send a message to one of the registered points (it would just say "E-mail," "SMS" or "Facsimile" and not divulge the specific details). The message contained a one-time URL which expired in 24 hours and allowed you to set a new password. When the password got reset, a message was sent out to all registered points detailing when and where from (IP address) this occurred. Self-service all the way.

  • by Anonymous Coward on Saturday July 29, 2006 @12:45AM (#15804068)
    Best is to allow the user to create their own question. The only issue here is that some people will choose questions that others could easily find the answer to.
    Agreed, but we can go further.

    The time I was reverse scamming a Nigerian 419'er comes to mind.

    I thought it might be fun to look at his mail.com email account. Having Mail.com, I knew that it doesn't report attempts to password guess to the account holder.

    The secret question this scammer had chosen was "Where were you born?"

    The next few emails worked this question into the conversation, using a generous donation to the church in his birth town as the guise. Once I had the town it was trivial to get the password, log in and add an autoreply message to his email. Anyone who emailed him after that time got back my autoreply warning them away.

    After the reverse scam I checked his account a few times and the autoreply was still there right up until the account was closed.

    Moral to this story: No matter what the question there will probably be a social engineering method to obtain the answer. A good solution along with a user defined question that would raise alarm bells is to simply audit password retrieval attempts.

    If someone asks for your secret question and attempts to answer it then place an email in the account giving details of the attempt plus the IP those attempts came from. -- Posting as AC as hacking an email account, even for reverse scamming is a serious crime in my country.
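The two design suggestions in this thread, scdeimos's self-service flow (at least two registered channels, a one-time link that expires in 24 hours, and a notice to every registered point with the IP address when the reset happens) and the Anonymous Coward's point that every retrieval attempt should be audited and surfaced to the account owner, fit together in one small service. The code below is an added example written for this page, not code from the thread or from any of the systems the posters describe. It assumes in-memory stores, a caller-supplied message transport (`send`), a clock hook (`now`) so expiry can be exercised, PBKDF2 for password storage, and the reserved placeholder domain `example.invalid` in the reset link.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 24 * 60 * 60   # one-time link expires after 24 hours, as in the post
MIN_CHANNELS = 2                    # at least two of e-mail / SMS / fax must be registered


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    contacts: dict = field(default_factory=dict)   # channel kind ("email", "sms", "fax") -> address


@dataclass
class ResetToken:
    username: str
    issued_at: float
    used: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def token_fingerprint(token: str) -> str:
    # Only a hash of the token is stored, so a leaked token table is not a set of live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, send, now=time.time):
        self.send = send      # send(address, text): transport stub supplied by the caller (assumption)
        self.now = now        # clock hook; defaults to wall-clock time
        self.accounts = {}
        self.tokens = {}      # token fingerprint -> ResetToken
        self.audit = []       # every request and every attempt, with the source IP

    def register(self, username, password, contacts):
        if len(contacts) < MIN_CHANNELS:
            raise ValueError(f"register at least {MIN_CHANNELS} contact channels")
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), dict(contacts))

    def verify_password(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and secrets.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def channel_kinds(self, username):
        """What the 'forgot password' page may list: channel kinds only, never the addresses."""
        acct = self.accounts.get(username)
        return sorted(acct.contacts) if acct else []

    def request_reset(self, username, kind, ip):
        """Issue a one-time token and send it to one registered channel. Every request is audited."""
        acct = self.accounts.get(username)
        ok = acct is not None and kind in acct.contacts
        self._log("reset_requested", username, ip, ok, kind=kind)
        if not ok:
            return False   # same answer for unknown user and unregistered channel
        token = secrets.token_urlsafe(32)
        self.tokens[token_fingerprint(token)] = ResetToken(username, self.now())
        self.send(acct.contacts[kind], f"Reset link: https://example.invalid/reset?t={token}")
        return True

    def complete_reset(self, token, new_password, ip):
        """Consume the token once, within its lifetime; on success notify every registered channel."""
        rec = self.tokens.get(token_fingerprint(token))
        fresh = rec is not None and not rec.used and self.now() - rec.issued_at <= TOKEN_TTL_SECONDS
        self._log("reset_attempt", rec.username if rec else None, ip, fresh)
        if not fresh:
            return False
        rec.used = True
        acct = self.accounts[rec.username]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(self.now()))
        for addr in acct.contacts.values():
            self.send(addr, f"Your password was reset at {when} from IP {ip}. If this was not you, contact support.")
        return True

    def attempts_for(self, username):
        """The audit trail for one account, IPs included: what the owner should be able to see."""
        return [e for e in self.audit if e["user"] == username]

    def _log(self, event, username, ip, ok, **extra):
        self.audit.append({"event": event, "user": username, "ip": ip, "ok": ok, "at": self.now(), **extra})


if __name__ == "__main__":
    # Constructed demo: prints the messages a real transport would deliver.
    svc = ResetService(send=lambda addr, text: print(f"-> {addr}: {text}"))
    svc.register("alice", "old-pw", {"email": "alice@example.invalid", "sms": "+1-555-0100"})
    svc.request_reset("alice", "email", "203.0.113.5")
    print(svc.attempts_for("alice"))
```

The page shows only channel kinds because listing addresses would tell whoever is probing the account where the link will go; failures return the same value whether the user or the channel was wrong for the same reason. The token is stored hashed and marked used on first redemption, so the link is single-use even if it is replayed within the 24-hour window.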
