Secret Questions and Answers
For a little while it’s been bothering me that various websites ask for a secure password (Hotmail goes so far as to tell you, as you’re typing it, just how good your password is–more on this below), but then ask you to choose, as backup, a seemingly very much less secure question and answer, such as your birthplace or mother’s maiden name. Shouldn’t your backup password be as secure as your primary one?
Should someone who knows my birthplace be able to reset my password? Hundreds of people know this, and even friends (or enemies) armed only with Google would be able to have a good guess.
I’ve gone along with this for a little while, but recently my bank (a site whose security I actually do care about) started doing the same thing. Now, as well as needing a support id (8 digits), account id (10 digits) and password, I also need to provide a free-form question and answer (two fields), AND the answers to a question selected from each of the following two sets:
Set A:
- Name a memorable city
- Name a memorable historical character
- What is your best friend’s name?
- Name a memorable sports personality
- What is the name of the first company you worked for?
- What is your grandfather’s first name?
- What is the name of your eldest child?
- What is the name of a pet you have or have had?
- What was the name of your best friend at school?
- What was your favourite subject at school?
Set B:
- What is your favourite food?
- What is the name of your favourite musical artist?
- What is your favourite car?
- Who is your favourite author?
- What is your favourite flower/plant?
- What is your favourite colour?
- What is your favourite holiday destination?
- What is your favourite newspaper?
- Who is your favourite actor?
- What is the name of your favourite sports team?
There are a few problems with these questions: either (a) they’re unanswerable in that they don’t make sense (I’ve never had a pet); (b) there’s no one answer (I like Edinburgh, but … sometimes I prefer New York); (c) the answer is not random (doesn’t everybody have red as their favourite colour?) or (d) the answer is not private (Paris Hilton’s Sidekick was reportedly hacked because her secret question was “What is your favourite pet’s name”).
So, what’s the purpose of these security questions? When I called First Direct (their phone service is, and has always been, exceptional) they said that there’s no way someone could access my account knowing the answer to just these two questions. A relief, but: (a) if this is so, why are you even asking them? and (b) I would have had a lot more faith in the system if this had been clear when I was making the selections.
Another problem is that choosing an answer is mandatory, and there’s no question in Set B that I’m confident I would answer in the same way in a few years that I would today. So, in the same secure note in which I was already storing my support ID, access ID, password, memorable date and memorable address, I added the free-form question and answer, as well as the questions and answers from Set A and Set B. (Since I was effectively writing them down anyway, the answers are completely arbitrary–my “favourite city” is in fact a randomly generated password.) In other words, I’ve locked four passwords behind one password: if you know one, you know all four, so why not let me use one in the first place?
First Direct, with its multiple security questions, is annoying and over-engineered, but probably safe enough. Other sites–like Hotmail–are a little more cavalier: Hotmail lets you reset your password if you know your region (just country if outside the US) and the answer to the secret question. My secret question is my mother’s birthplace: maybe a difficult guess if you don’t know me, but much less secure than a random password, and not so difficult if you know me, or are prepared to go through my blog or Flickr photos.
Also, you get a choice of secret question, but none of the choices are any good!

My mother’s birthplace isn’t secure, and my grandfather’s occupation was sufficiently generic that I’m not very likely to think of the same description for it in a few years!
(Hotmail does seem to allow some users to choose their secret question, which helps a bit. It’s kinda fun and revealing to see what friends have used, and see if they seem vaguely guessable. Mark Wong Web Developer, what is your “matric number”?!)
It’s 96…..
Ahah!
You can’t get your hands on my pennies that easily!
The reason “security questions” can be weaker is that they don’t have the same power as the main password. Their only power is to generate a password reset request, which theoretically shouldn’t compromise the password. This of course relies on having a secure conduit to the user, someone who you can actually verify as being the legitimate user. Email is pretty close to that for all intents and purposes.
Andy’s right - in fact the worrying thing is that email is becoming the absolute bedrock of the whole security edifice - if you get into someone’s hotmail account, you are enormously likely to have the keys to the car. Which means we’re increasingly reliant on Google, Microsoft and Yahoo (and their respective password management techniques) to protect us all. Not all of these companies have the most illustrious security record, apparently…
But ultimately the real weakness is the reliance on passwords at all - they’re always the weakest part of any security framework because users choose dumb passwords, write them on bits of paper etc. “Security questions” are intended to encourage users to choose stronger passwords - which are inherently less memorable - by providing a get-out clause. But it’s probably still true that most users solve this problem by just choosing some easily memorable - and weaker - password in the first place. Would be interesting to find out how often password reminders / security questions get used in webmail accounts - very low usage would be a pretty bad sign.
XBox security compromised? http://news.bbc.co.uk/1/hi/technology/6477155.stm
Allegedly the thing to do is to continually change your password. Unfortunately for those of us with poor memories for multiple passwords (or pin numbers for that matter - I only have 3 but always manage to forget one of them just when I need to pay for something) this isn’t really possible for the sake of maintaining some semblance of sanity, and more to the point the ability to access any of our online information.
I agree with Ade - people do choose memorable passwords, generally a combination of a name close to the heart for some reason, and a date of importance, neither of which would be hard to guess for anyone close to that person.
However, things have improved since the good ol’ days (?) when people could choose a password as short as they wanted. When my father’s company installed a new fancy computer network in an NHS hospital to store patient data in a database (really quite personal and valuable data), the nurses there complained that remembering the long password they were supplied with was too much for someone with such a non-stop job. Consequently they had the password changed to “a”. Now there’s security for you!
Gawd, I can remember when you could just leave your backdoor open
To clarify: I don’t have a problem with password resets to an existing email address being triggered by the answer to a non-secure question. If you forget your password, most websites will email your password, or a reset password, to the email address you provided when you signed up, and that’s okay. (Unless the site in question is a bank, but banks don’t make this mistake.) Hotmail, though, isn’t in this category: it *is* email, and it will let you reset someone’s Hotmail password by knowing part of their (postal) address, and the answer to their secondary question.
My beef with First Direct is slightly different: since you can’t seem to do anything useful with the “secondary” questions, why even bother asking them? It’s not like applying for a mobile phone where you have to supply multiple forms of id (which an imposter might have difficulty assembling), because the questions they ask are so difficult to remember, and so plentiful, that you essentially have no option other than to write them down.
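The reset flow Andy and the author describe (a correct answer grants nothing by itself; it only triggers a one-time reset sent to the address on file) sketched as an added Python example. This is not code from the original post or from any of the sites named; the in-memory stores, the user “alice”, the address alice@example.invalid and the 15-minute token lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a site's database (assumption).
ACCOUNTS = {}       # user -> account record
RESET_TOKENS = {}   # sha256(token) -> (user, expiry timestamp)
TOKEN_LIFETIME = 15 * 60  # seconds; assumed policy, not from the post

def _normalise(answer):
    # "Red", " red " and "RED" all match: the user should not be locked out
    # by a difference in case or spacing, only by a genuinely wrong answer.
    return " ".join(answer.strip().lower().split())

def _hash(secret, salt):
    # Answers and passwords are stored salted and stretched, never in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def register(user, email, password, question, answer):
    salt = secrets.token_bytes(16)
    ACCOUNTS[user] = {"email": email, "question": question, "salt": salt,
                      "pw_hash": _hash(password, salt),
                      "answer_hash": _hash(_normalise(answer), salt)}

def request_reset(user, answer, now=None):
    """A correct answer grants nothing directly: it only produces a one-time
    token that is sent to the address on file. Returns the token that would
    be emailed, or None; the caller shows the same message in either case."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return None
    given = _hash(_normalise(answer), acct["salt"])
    if not hmac.compare_digest(acct["answer_hash"], given):
        return None
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (user, now + TOKEN_LIFETIME)
    return token  # delivered only via acct["email"], never shown on the web page

def complete_reset(token, new_password, now=None):
    """Only possession of the emailed token, before it expires, sets a new password."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
    if entry is None:
        return False
    user, expiry = entry
    if (time.time() if now is None else now) > expiry:
        return False
    ACCOUNTS[user]["pw_hash"] = _hash(new_password, ACCOUNTS[user]["salt"])
    return True
```

A site that instead sets the new password straight from the answer (the Hotmail behaviour the post objects to) collapses the whole scheme to the entropy of “favourite colour”.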