The Curse of the Secret Question

It’s happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a “secret question” to answer. Twenty years ago, there was just one secret question: “What’s your mother’s maiden name?” Today, there are more: “What street did you grow up on?” “What’s the name of your first pet?” “What’s your favorite color?” And so on.

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It’s a great idea from a customer service perspective—a user is less likely to forget his first pet’s name than some random password—but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I’ll bet the name of my family’s first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

What can one do? My usual technique is to type a completely random answer—I madly slap at my keyboard for a few seconds—and then forget about it. This ensures that some attacker can’t bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don’t remember how I authenticated myself to the customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can’t possibly do it. I know this is a customer service issue, but it’s a security issue too. And if the password is controlling access to something important—like my bank account—then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.

This essay originally appeared on Computerworld.

Posted on February 11, 2005 at 8:00 AM

Comments

Ryan February 11, 2005 8:31 AM

Too bad that all online apps (banking & other important services especially) have to be usable by the lowest common denominator, and the lowest common denominator is not too bright. Especially when it comes to Technology and ESPECIALLY when it comes to security.

I wouldn’t pass off password too quickly though. If you only pick 4 or 5 services to pick really difficult random passwords for this CAN be reasonably secure (presuming the authentication protocol is “secure”).

Timm Murray February 11, 2005 8:36 AM

Expounding on the last paragraph, I’ve become convinced that passwords are a failed means of authentication. In “Out of the Inner Circle” (written by a former cracker in 1985, ironically published by the Microsoft Press) the author hoped that future programs would make increased use of passphrases, while at the same time increasing user training to be more security-conscious.

That was 20 years ago. I’ve noticed that a lot of modern programs are actually capable of using arbitrary passwords (no limits on whitespace or length), so we can use passphrases if we like. But users don’t make use of them. Almost every program that requires authentication that I’ve written over the past three years was perfectly capable of using passphrases (this is a lot of programs, including a few that are used by a few hundred users). I’ve only seen this taken advantage of by one user, and only then after a lot of explaining about how the input can take any phrase you like, not just a simple password.

If we haven’t taught people to do these things properly after 20 years, it’s never going to work. It’s an embarrassment. Passwords need to be replaced by a system that is easy to implement (goodbye public key auth), easy to allow immediate access after user signup (i.e., you don’t have to mail anything out, like smartcards), and doesn’t require so much security training on the user’s part. I’ll be the first to admit that this is highly non-trivial.

Paul Vigay February 11, 2005 8:54 AM

Actually, I use a fairly easy additional security measure for these types of question.

As most people know how easy it is to find out someone’s mother’s maiden name, why not just enter a random name for each site and remember it in the same way as a standard password. There are two advantages to this in that a) you’ve got a secondary password and b) anyone who guesses your mother’s real maiden name will get it wrong.

Of course, the additional problem is that you have to remember which random name you’ve used for which site.

Tim February 11, 2005 8:55 AM

I recently ran into an inane use of ‘memorable information’ with my online banking. I had just set up a new bank account, and wanted internet access to it. They did the usual ask for a password and a memorable word, and I assumed that like most of these systems it would just be used for retrieving my password.

However, the ‘memorable’ word had to contain letters and numbers. There were no such restrictions on the password. I took a memorable word and added a couple of numbers to it. I didn’t really care, I knew I wouldn’t forget my password, so I didn’t think I’d need my ‘memorable’ word, that was now rendered unmemorable by the forced addition of digits.

Anyway, when it came to log in, it turns out that the memorable word is simply a second password, and it’s not possible to log in without it. In which case:

a) Why make it memorable? Why not just ask for two passwords?

b) If you’re going to ask for some memorable detail, why ensure that it isn’t memorable by forcing you to add non-memorable digits to it?

Rich Wilson February 11, 2005 9:16 AM

An improvement can be made if the bank initially asks for both a question AND an answer. If you forget your password, you are presented with your own custom question.

The problem is making sure the customer picks a ‘good’ question/answer.

Phone verification:

Con: it opens up the avenue of social engineering, in that an attacker can prey on the CSR’s good nature to close the gap between educated guesses and the right answer.

Pro: the CSR can close the gap between the obviously right answer, and what the computer thinks. e.g. different case, spelling, token digit in a different position.

Of course both of these mean the CSR has access to the cleartext secret question.

Martin Geddes February 11, 2005 9:16 AM

This reminds me of some other great security snafus:

  • “Field must be at least 6 characters long”. Errr, except my mother’s maiden name is 5 characters long. Oh, and my wife’s had the opposite problem of being limited to 8 characters, when ma’s maiden name is 9 long.

  • I’m a Brit who worked in the USA for several years. My Fortune 100 employer created a new central password store using “memorable words” for access to resets etc. Except the memorable words were culturally inappropriate (e.g. “4th grade teacher” – we don’t do numbered grades), irrelevant (e.g. “Parents’ ZIP code” – sorry, wrong continent), or not determinate (“Favorite holiday destination” – I like variety). In fact, when asked to create the memorable words, NONE of them applied to me!

piglet February 11, 2005 9:31 AM

Are you saying that your online banking account is backed by a “secret question”? Wow, I can’t believe it. Of course, the “secret question” is only acceptable for “low-security applications”. It is inappropriate as soon as real money is involved. By the way, did it ever appear to you how sexist that “mother’s maiden name” question is? And how inappropriate that question is to be asked by a bank clerk?

piglet February 11, 2005 9:38 AM

@Tim: how stupid is that idea to back up one static password by a second static password? It makes life more complicated without improving security (Trojan or phishing attacks will work just as well with two passwords). Is the use of one time passwords (TAN) – a reliable and proven system – so difficult to understand for certain bank managers?

Israel Torres February 11, 2005 10:08 AM

“I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can’t possibly do it.”

Good luck, it is an “AOL-Friendly World”; and as long as it is so will it be gaining access to anyone’s account at will (regardless of passwords).

Israel Torres

David Lechnyr February 11, 2005 10:20 AM

I find that having different “levels” of passwords helps. Non-critical accounts (that don’t contain card numbers, etc.) receive one password, and so on. Personally, I use three levels; anything requiring my credit card number or financial information uses a unique password however.

Where this helps is, when asked for a “secret” question, I generally just type in “Level 1” (or 2, 3, etc) as “the question”. Where this doesn’t work is when I don’t have a choice to determine my own question. For an answer, I type nonsense random words. The upshot is that I don’t have to remember the answers — ever. When asked the question, it immediately reminds me which password “level” I used.

Again, this is of limited usefulness as I would never do this with a financial institution or other highly critical account. But it does help pass the difficulties involved when registering for trivial websites that require this for downloading a program, reading an article, etc.

Tim February 11, 2005 11:02 AM

@piglet:

The idea of the two passwords is (I think) to defeat keyloggers. The first password is entered in normally in your browser, and a ‘*’ obscures every letter that you type in.

Then they ask you for something like the 2nd, 3rd and 7th letters of your second password (randomly selected every time), and these are selected from unobscured drop-down listboxes.

Therefore, only one of the passwords is typed in in full, and only one of them is entered using the keyboard.

Damian February 11, 2005 11:40 AM

Curse of the secret question. Yes, quite.

I usually put an answer that’s totally unrelated to my question:

Q: “When was the Railway Act passed?”
A: Magenta.

Then I write both down in a notebook and put it somewhere safe.

Scott Carlson February 11, 2005 11:53 AM

I just encountered a system where they got rid of the questions you’ve mentioned, and used ones with much “improved” security: favorite activity? favorite city? favorite restaurant?

I’m sure those answers will never change once I’ve put them down!

al February 11, 2005 12:23 PM

I use very complicated passwords and fake answers for the quiz questions but I am not concerned about forgetting my passwords because I write them down. They all fit nicely on a standard size piece of notebook paper which I keep stuffed in one of my many books. Anyone who does not belong in my house will be looking for something other that a paper stuck inside a book.

J. B. Levin February 11, 2005 1:01 PM

In my experience, the result of someone guessing my question and answer is that I receive my password in my e-mail (or better, a notice that it has been reset). Only rarely has answering the question resulted in the password being displayed in response. Using this method means that my password is as secure as my e-mail (however secure that may be), but I can always log in and change my password right away after receiving it.

David February 11, 2005 1:48 PM

Security Levels: 1. What you know 2. What you have 3. Who you are. So, as long as 2 and 3 remain off the table for all but the most elaborately (and properly) secured functions, and as long as banking and e-Commerce remain out of THAT set… what do we expect?

Bruce Schneier February 11, 2005 2:37 PM

“By the way, did it ever appear to you how sexist that ‘mother’s maiden name’ question is? And how inappropriate that question is to be asked by a bank clerk?”

Remember the history, though. It’s something that everyone knows but was reasonably private. Hence, it made a good secret question. It might look sexist now, but it didn’t 30 years ago.

Bruce Schneier February 11, 2005 2:38 PM

“Expounding on the last paragraph….”

I’ve been doing a lot of thinking about authentication these days. The result will be a series of essays in here and in Crypto-Gram. Stay tuned.

brian February 11, 2005 3:44 PM

Thanks, Bruce. Believe it or not, this is the first time I’ve seen anyone note this complete in[s]anity.

I think it would be really good if you put a link to Carl Ellison’s note on recovering keys without escrow from about ten years ago – you make up the questions, the answers, and have each one key a PBE of a secret share. Making up questions that only you can answer and requiring a reasonable subset – say, 3 of 5 – can recover the key or password hash. It’s more work, but it’s pretty strong if you want it to be.
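The recovery scheme sketched in this comment, as an added example that is not part of the original post or of Carl Ellison’s own code: each Shamir share of the recovery key is wrapped under a PBKDF2 key derived from one user-written answer, and any 3 of 5 correctly answered questions reconstruct the key. The field prime, PBKDF2 parameters, answer normalisation and the XOR wrapping of fixed-size shares are this example’s assumptions; the five questions are constructed sample data.

```python
import hashlib
import os
from itertools import combinations

P = 2**255 - 19          # prime field for the Shamir polynomial; secrets of up to 31 bytes fit below P
PBKDF2_ROUNDS = 100_000  # demo setting; tune upward for a real deployment


def normalize(answer):
    """Canonicalise an answer so casing and stray whitespace do not break recovery."""
    return " ".join(answer.lower().split())


def _eval_poly(coeffs, x):
    # Horner evaluation of a0 + a1*x + ... + a_{k-1}*x^(k-1) mod P
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k):
    """Shamir k-of-n split of a byte-string secret; returns [(x, y), ...] with x = 1..n."""
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [int.from_bytes(os.urandom(32), "big") % P for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0 over GF(P); returns the secret as an integer."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % P
                den = den * (xj - xi) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def _share_key(answer, salt):
    # Password-based key for one share: PBKDF2 over the normalised answer with a per-share salt
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS, 32)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(secret, questions_and_answers, k):
    """Split the secret and wrap each 32-byte share under the key derived from one answer.
    The stored bundle holds only questions, salts, wrapped shares and a hash of the secret."""
    assert 0 < k <= len(questions_and_answers) and 0 < len(secret) <= 31
    shares = split_secret(secret, len(questions_and_answers), k)
    wrapped = []
    for (question, answer), (x, y) in zip(questions_and_answers, shares):
        salt = os.urandom(16)
        wrapped.append({"question": question, "x": x, "salt": salt,
                        "ct": _xor(y.to_bytes(32, "big"), _share_key(answer, salt))})
    return {"k": k, "secret_len": len(secret),
            "check": hashlib.sha256(secret).digest(), "shares": wrapped}


def recover(bundle, answers):
    """Unwrap a share for every answered question, then try each k-subset until one
    reconstructs a secret matching the stored hash. A wrong answer only yields a
    garbage share (there is no per-answer oracle); extra correct answers let
    recovery tolerate it. Returns None when no subset checks out."""
    candidates = []
    for entry in bundle["shares"]:
        if entry["question"] in answers:
            key = _share_key(answers[entry["question"]], entry["salt"])
            candidates.append((entry["x"], int.from_bytes(_xor(entry["ct"], key), "big")))
    for subset in combinations(candidates, bundle["k"]):
        guess = combine_shares(subset).to_bytes(32, "big")[-bundle["secret_len"]:]
        if hashlib.sha256(guess).digest() == bundle["check"]:
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo: five user-written questions, any three answers recover the key.
    key = os.urandom(16)
    qa = [("first concert", "Nine Inch Nails"), ("bike lock code", "4471"),
          ("grandfather's nickname", "Pop"), ("street you were born on", "Elm"),
          ("first employer", "Kwik-E-Mart")]
    bundle = enroll(key, qa, k=3)
    print(recover(bundle, {"first concert": "nine inch nails", "bike lock code": "4471",
                           "grandfather's nickname": "POP"}) == key)
```

Whoever steals the stored bundle can still guess answers offline, which is why the answers must be ones only the user can supply and why the PBKDF2 cost matters.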

Davi Ottenheimer February 12, 2005 12:15 AM

Just like passwords, there are good and bad “secret” questions, as Mark Burnett wrote on OWASP:
http://www.owasp.org/columns/mburnett/questions.html

In terms of strength of the passphrase, I especially like his breakdown of the range of possibilities for generic questions. For example, if you prompt a user to answer “when is your anniversary?”, he suggests that “the average length of a marriage is 7.2 years, giving 2,628 likely dates”.

Technology has the fun effect of eroding existing trust systems faster than we can think up new ones that we find trustworthy.

responses to "secret questions" February 12, 2005 12:28 AM

The whole concept of the secret question used as Bruce has described it is totally bogus. However, we still don’t want the system to lock you out forever if you forget your passwords, so what these services ought to do is use these secret questions as a trigger to send a password reset link via email to the user when this happens. While this is still no good for high security sites, it’s better than making the main password reset facility accessible directly via the secret question–doing that turns the secret question into an instant secondary password.

To attack this system would also require the attacker, in addition to guessing the answer to the secret question, to intercept the email containing the password reset URL (which should contain as much random and unpredictable information as possible). Intercepting the mail requires either access to the mail server the victim is using or the ability to sniff traffic on at least one node in the path between the source mail server and the victim’s mail server. This makes the attack meaningfully more difficult at a single stroke, and increases the possibility that the attacker can be sussed and further attempts thwarted.

This obviously won’t work for webmail services unless they require a secondary email address, but for all other low to medium security websites it would be a meaningful step in the right direction.
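The flow described in this comment, as an added example that is not part of the original post: the secret question only gates the sending of a single-use, high-entropy reset link, and only the link resets the password. The token lifetime, the guess lockout threshold, the PBKDF2 parameters and the `outbox` stand-in for a mail sender are this example’s assumptions; the user record is constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for the emailed link; the comment gives no figure
MAX_ANSWER_ATTEMPTS = 5       # assumed lockout threshold on secret-question guesses


def _norm(answer):
    # Secret-question answers are matched case- and whitespace-insensitively; passwords are not
    return " ".join(answer.lower().split())


def _kdf(value, salt):
    """Slow, salted hash used for both the stored answer and the stored password."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000, 32)


def _token_id(token):
    # Only a hash of the token is stored, so a copy of the table cannot be used to reset accounts
    return hashlib.sha256(token.encode()).digest()


class ResetService:
    def __init__(self, outbox):
        self.outbox = outbox     # stand-in for the mail sender: collects (address, url)
        self.users = {}          # username -> stored record
        self.pending = {}        # sha256(token) -> (username, expiry timestamp)

    def register(self, username, email, question, answer):
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email, "question": question, "attempts": 0,
                                "answer_salt": salt, "answer_hash": _kdf(_norm(answer), salt),
                                "password_salt": None, "password_hash": None}

    def request_reset(self, username, answer, now=None):
        """Step 1. The answer is a trigger, not a credential: a match only sends mail.
        Returns whether a link was sent; the HTTP layer should render the same
        'if the answer matches, check your mail' page either way."""
        user = self.users.get(username)
        if user is None or user["attempts"] >= MAX_ANSWER_ATTEMPTS:
            return False
        if not hmac.compare_digest(_kdf(_norm(answer), user["answer_salt"]), user["answer_hash"]):
            user["attempts"] += 1
            return False
        user["attempts"] = 0
        token = secrets.token_urlsafe(32)   # 256 bits of entropy in the URL
        expiry = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        self.pending[_token_id(token)] = (username, expiry)
        self.outbox.append((user["email"], "https://example.invalid/reset?token=" + token))
        return True

    def complete_reset(self, token, new_password, now=None):
        """Step 2. Only possession of the emailed token changes the password, once,
        and only within its lifetime. The token is consumed even when it has expired."""
        record = self.pending.pop(_token_id(token), None)
        if record is None:
            return False
        username, expiry = record
        if (time.time() if now is None else now) > expiry:
            return False
        salt = secrets.token_bytes(16)
        self.users[username].update(password_salt=salt, password_hash=_kdf(new_password, salt))
        return True

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None or user["password_hash"] is None:
            return False
        return hmac.compare_digest(_kdf(password, user["password_salt"]), user["password_hash"])
```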

Chris Davies February 12, 2005 5:15 AM

Ultimately, it doesn’t matter how secure or otherwise the passwords you choose are. The weak link will always be the human element. In this case the phone monkeys staffing the help lines, who are never adequately briefed on security.

For example, I have an account with vodafone. Last time I phoned them, I had forgotten my password. However, since I sounded nice on the phone and established a decent rapport with the girl I was talking to, she read me my password straight from the computer. All the other “security” questions were matters of public record (Name, DoB, etc.)

I later went to a Vodafone store and used my password to get a very expensive new nokia 9500 on my account.

Until companies tackle social engineering as an attack vector, what is the point in even talking about improving password security?

Alex February 12, 2005 1:38 PM

“By the way, did it ever appear to you how sexist that ‘mother’s maiden name’ question is? And how inappropriate that question is to be asked by a bank clerk?”

For a start, my mother didn’t change her name when she married, and so her maiden name is the same as mine.

“For example, if you prompt a user to answer “when is your anniversary?”, he suggests that “the average length of a marriage is 7.2 years, giving 2,628 likely dates”.”

Surely an anniversary occurs every year, so you have at most 366 dates to choose from (although it’s unlikely many people would get married on February 29th or December 25th for obvious reasons).

Ben Mord February 12, 2005 1:57 PM

“Expounding on the last paragraph…” Passwords are fixable.

We can cram plenty of entropy into passwords – their limit comes from our feeble memory which makes us use less entropy or reuse them. Solution: an easy-to-use password device in your wallet or keychain for generating and remembering passwords, with no wired or wireless connections through which it can be hacked. At least one company is already making these (Mandylion Labs).

Why not? This seems like a simple low-tech solution with no special integration requirements, no need to change existing security infrastructure, and with security that exceeds the credit card and cash sitting in your wallet. (Credit card numbers are used with multiple parties, cash can not be cancelled after it is lost and can not itself be password protected.)

Why haven’t dedicated electronic password devices flooded the market yet?

arkady February 12, 2005 3:37 PM

loosely related thought. one could install ATM on some gas station servicing any type of credit cards. such faked teller could even deliver real cash when needed.

arkady February 12, 2005 4:06 PM

To Ben Mord (regarding Mandylion Labs password manager)
i read User Guide. very interesting. two problems make me worry. let’s say that somebody picks my password manager, opens it, scans FLASH memory using $100 EPROM programmator and then returns the manager back to my pocket. is the stored data encrypted and if it is, then how ? using 5 keystroke pattern i generated in initialization step ? something like 4 times up and 1 time down or around the clock and one in the middle ?

another problem is that the very fact that i possess password manager can be considered by some as a clue that i keep something attractive enough and worth effort.

B February 14, 2005 2:38 AM

The code memory in my cell phone is useful, at least it requires me to type a PIN and a control password before I can reach my atm code, passwords etc. The problem with the code memory is that it is limited to quite a small amount of posts.

Ian Eiloart February 14, 2005 4:16 AM

My bank is worse. On several occasions it has phoned me and asked me to give my password! When I refuse, they give me a phone number to call back on, that doesn’t match their well known numbers.

These aren’t social engineering attempts, since I’ve always been able to call the bank’s well known number and get through to the original caller, but it does leave their customers wide open.

And this from a bank that proudly proclaims that it is the only UK online bank to meet BS7799 standards for online security!

Here’s a nice quote from their security tips: “And we’ll never ask for your security details until you’re safely logged into your account on the smile website”. Huh? How do I log in then?

Clive Robinson February 14, 2005 7:05 AM

The real question is “why passwords” or “why passphrases”? The human brain is not good at remembering textual information; pictorial, however, it is very good at.

There was a system being developed that used pictures of peoples faces, it displayed nine at a time on the screen and you selected the one of the nine that you knew via the numeric keypad. It did this several times in succession depending on the level of access required.

The system’s DB stored ten pictures that you supplied, and would select one of them randomly; the other eight were selected randomly from the DB.
There were two downsides to this system,

First off was getting ten pictures of people you knew well enough to recognise quickly into the system.

The second was if there were more than ten faces in the database that you recognised.

The First problem has a number of solutions, none of which most banks etc like, it usually involves actually meeting your customer (ugh)

The second problem was resolved using a threshold scheme in that if you got one wrong it would ask again using a new selection of pictures.

The experimental system I looked at about ten years ago appeared to be very reliable and worked well.

Todd Gruhn February 14, 2005 10:00 AM

I don’t normally respond to these type of blogs since they just go right over my head. But whether Bruce knows it or not, he makes a good point:

“Why do we need 24 helpdesk reps to help you with your stupid passwd problems when you can just do it over the web (or is it WEB?). The web is the web, we can do everything over web — including passwords.”

But if it sacrifices security IS THIS WISE? Who thinks up this stuff, but then who stops and thinks of the SECURITY consequences and the fallout from said consequences…
🙂

piglet February 14, 2005 11:47 AM

Bruce said: <<“By the way, did it ever appear to you how sexist that ‘mother’s maiden name’ question is? And how inappropriate that question is to be asked by a bank clerk?”

Remember the history, though. It’s something that everyone knows but was reasonably private. Hence, it made a good secret question. It might look sexist now, but it didn’t 30 years ago.>>
Two observations: 1. It may have been “reasonably private” before it was used for authentication purposes. It is now so widely used and probably relatively easily available so as to defeat the security purpose behind it. Similarly, the widespread use of the SSN (which once may have seemed a good idea) has made identity theft such an easy thing (that is, in the US).
2. It is an interesting example how a seemingly neutral, technical decision is based on cultural prejudice. Remember, there have always been people who bore their mother’s name.

piglet February 14, 2005 11:48 AM

Sorry, bad format. Bruce said:
–“By the way, did it ever appear to you how sexist that ‘mother’s maiden name’ question is? And how inappropriate that question is to be asked by a bank clerk?”

Remember the history, though. It’s something that everyone knows but was reasonably private. Hence, it made a good secret question. It might look sexist now, but it didn’t 30 years ago.–

Anonymous February 14, 2005 3:54 PM

In the U.S., my bank makes me go to one of its branches and present identification to change the pin on my ATM card. I assume that if I were to forget my pin, they would not tell me over the phone (I hope) and make me go to a branch.

The access recovery process must be at least as robust as remote authentication, or else it becomes a point of attack. “Mother’s Maiden Name” is a laughable measure compared to the rigorously, academically scrutinized methods such as encryption, etc.

The other question is why we keep forgetting passwords. The answer is because we’re supposed to remember them. I use PWSafe at home, but at work I have no access to the passwords I can’t remember.

As a poster above already mentioned, this manual typing of passwords/passphrases/YourFavouritePetsNameBackwardsInChinese has to go.

Davi Ottenheimer February 14, 2005 4:36 PM

Some interesting complaints here, but few suggestions for improvement.

Gorilla is an excellent multiplatform successor to Rony Shapiro’s “Password Safe”:
http://www.fpx.de/fp/Software/Gorilla/

I do not agree with continuing the negative thread of “I hate using passwords, I hate passphrases, I hate my housekeys, I hate my carkeys, I hate…I shouldn’t have to use”, etc.

Instead, I encourage you all to review the much more constructive approach to solving security issues taken by the Open Source Web Application Security Project (www.owasp.org), and specifically their recommendations for passphrase management.

Opining (along with Bruce) about the limitations inherent to online trust is fine, but let us face the simple fact that progress comes from new solutions to the same problem and not from hope that the problem will disappear. We are better off, and far more secure, with remote car lock controls than with no keys at all.

Ray February 14, 2005 7:57 PM

Do what I do: write your passwords on a yellow sticky paper and stick it to the underside of your keyboard. I mean, no one really looks for the house key under the welcome mat, right?

AC February 14, 2005 11:16 PM

Ah, makes one pine for the good old days when H*tmail allowed you to reset your account password if you could answer the ‘secret’ question.

Some of my favourite ‘bad’ secret questions:
What is the capital of Mexico?
What is my favorite color?
Square root of 144?
How many brothers and sisters do I have?
What is my birthday (from a user with ARIES71 in username)?

Bill Brown February 15, 2005 10:04 AM

I do the same thing where I answer whatever question with a completely unrelated word.

What I do differently is to use that same word for all such questions. It makes it very easy to remember and provides ample security on any particular site. Where it goes wrong is if someone who gets it from one site tries to use it somewhere else.

It’s a tradeoff, but remembering two unique tokens for every site I frequent seems like a pretty tall order.

Sean February 15, 2005 10:59 PM

The secret question can be defeated by careful research of the subject. Therefore I propose that while the secret question may be a good idea in some situation, it IS surmountable. [with some patience]

perhaps a combination of a password, some biometrics and multiple secret questions that are resistant to psychoanalytic work?

just a thought.
cheers

Lou Scheffer February 15, 2005 11:57 PM

Every one here, Bruce included, is being a tech weenie and ignoring the real world.

OF COURSE the backup password is horribly weak. But the bank’s goal is not to have excellent security – it’s to make money, and security is just a means to this end. The backup password has some advantages (less human customer service required, reputation as a ‘friendlier’ company) and some disadvantages (more theft, loss of reputation, irate customers, etc.) Presumably the bank keeps some data on (reported) fraud and knows what they spend on customer service, so they are in a good position to make this choice, and the answer is NOT always “be as secure as possible”.

Of course, this tradeoff can change. If someone creates a “fraud” toolbar for google, that given a name looks up their first address, pet’s names, school teachers, etc., then the fraud cost would go up, and the increased customer support for those that forgot their passwords would be a necessary cost of doing business.

Until then, a crappy but easy to use security system is probably about right, for the same reason you don’t drive a bulletproof Hummer even though it would certainly be safer.

Joerg Sonntag February 16, 2005 4:59 AM

In my opinion, the secret question applies to an individual at the time, someone is not able to remember his password.
The state of forgetting passwords is more likely, when forcing unique passwords to be used on every site. Above mentioned solutions called password safes could work around this situation, but what happens if you lose the password data through hdd crash or something, then you will have nothing.
For me, the solution for the problem of unique passwords is the use of Hash Algorithms the following way:
Take a string, e.g. ‘www.schneier.com’ as input and your private password as either the concatenation to the string or the HMAC key and calculate the Ripe-MD160 or MD5 Hash out of them. These hashes are your password for the site then, they will be unique to each site and you just have to remember only one private password. Your private password should then be of significant length and full with special characters.
In this case I do not need correct answers to secret questions anymore.
I made a little tool for this, but I do not have a website suitable for such tools, bummer.
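The per-site derivation described in this comment, as an added example that is neither the commenter’s tool nor part of the original post: the master password keys an HMAC over the site name, and the output becomes that site’s password. This example uses HMAC-SHA256 rather than the MD5/RIPEMD-160 the comment mentions, and adds two things the comment does not: a canonical site label (so the same password comes out however the URL was typed) and a `generation` counter so one site’s password can be rotated without changing the master. Output length and encoding are this example’s choices.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def canonical_site(site):
    """Reduce 'https://www.schneier.com/blog/' and 'schneier.com' to the same label,
    so the derived password does not depend on how the site was typed."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def site_password(master, site, generation=0, length=20):
    """HMAC-SHA256 keyed with the master password over the site label plus a
    rotation counter, base64-encoded and truncated to the site's length limit.
    The master is the only secret: everything else here is public."""
    message = "%s|%d" % (canonical_site(site), generation)
    digest = hmac.new(master.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    # Constructed demo master password; the comment's own example site name
    master = "correct horse battery staple"
    print(site_password(master, "www.schneier.com"))
    print(site_password(master, "www.schneier.com", generation=1))   # rotated password
```

Because a single leaked site password lets anyone test master-password guesses offline, the master must be long and random; sites that reject the output’s character set or length still need a per-site exception recorded somewhere.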

Chung Leong February 16, 2005 8:56 PM

What I don’t understand is why web sites don’t ask more questions. Most ask one or two. Why not let the user provide as many secrets as he/she likes? More secret questions means greater security–it’s such a good excuse to extract marketing info from end-users that I’m a little surprised that companies don’t use it.

Chris Koch February 18, 2005 9:50 AM

My wife has no “maiden” name. Most of her friends haven’t changed their names after getting married, either. When we’re down to pets and hometowns, how secure can it be?

Dan February 19, 2005 9:37 AM

One thing… you have to be careful of the question and knowing the right answer… Some secret questions can have difficult answers… Picking the right question is important… but basing it on something that is public record such as a pet’s name, a wife’s maiden name, where you went to school or where you were born is not wise. Social engineering can get the answers to most straightforward questions like those.

A better way might be to have the company tell you the answer, and then you would reply with the question. The question is usually much harder to guess from the answer than the answer is to guess from the question.

Be wary when reading http://www.owasp.org/columns/mburnett/questions.html as
Mark Burnett has made some faulty assumptions… found here:

One faulty assumption is found in the quote, “the average length of a marriage is 7.2 years, giving 2,628 likely dates”.

He states that there are 2628 likely dates… but that’s not true… if the question is in fact, “What date is your anniversary?” The answer is one of 366 days… as anniversaries occur annually… and therefore the number of possibilities is limited to a day of the year… 366 on a leap year.

Many of the other samples he gives have equally faulty assumptions for the answers. For example… what city were you born in… he lists the ten largest cities in the US… and states that 1 in 3 live in the top ten cities in the US… the question isn’t where do you live… but where were you born… not the same thing.

Shadow Runner February 21, 2005 6:58 AM

Nice solution provide… sonyericsson mobiles.
They allow to store passwords, but to access ’em you need to enter some kind of pin-code.
If you’ll enter wrong pin – you’ll be shown not actual passwords, but different letters and digits.
sorry 4 my english =)

Shadow Runner February 21, 2005 7:03 AM

and little more:
Say, entering wrong answer on secret question takes you to a fake mail/banking/any other account system.
As another solution for secret answers we can use any part of real answer

Q: Your pet’s name?
A: Alaver (instead of real ‘Alaverdy’)

charlie March 26, 2006 5:19 AM

the secret question can be helpful. but once i have a password. it remains in my mind .. such as my mothers maiden name which is WHITE

M. Y. March 19, 2007 5:45 PM

This is EXTREMELY helpful. Thank you so much!!!! Wakes me up about those dumb banking it type dildoes who make up crap like these backup passwords. Next time they ask me for my pet’s name, I’m going to put in Hans Blix or something like. No, not that one. Don’t even think about it!!

PS: Hey, Bruce, your log gets better and better. Keep up the great work! You may want to start a PayPal contribution account too (seriously)… but of course, be sure to remember the password for it.

M. Y.

KD July 19, 2007 7:39 PM

Excellent analysis of the problem. What is the solution?

In an organization with thousands of geographically separated users, and no budget for automated self service reset options, what is your opinion for a good solution for authentication of password reset calls to the Help Desk?

someguy May 22, 2008 7:08 PM

A good password has all of the letters in it from A to F converted to binary and G to Z converted to hex….

Mike A October 15, 2008 7:34 AM

I always enter a random answer for these questions and use a different random password for each site, which provides great security. I can do this because I store everything in a password manager on my PDA, which I have with me all the time.

I know PDAs are uncommon, but how about a password manager for cell phones? It seems everyone has a cell phone these days. A password manager combined with a random password generator would be convenient and accessible, and provide an easy path to improved security.

Mike

Warrl October 15, 2008 1:01 PM

Since so many people have some sort of record (e.g. paper list) of their passwords…

does that record have to be complete?

I have a sticky note below my screen right now that says – and this is really what it says, complete and in full – “Login: S”. Next to it is another that says “HRIS: 16”. Since I know how I built the passwords in question, those are sufficient to remind ME of my passwords, but are of no use to anyone else.

At home I have a list of passwords that actually looks like it has complete passwords. There’s an additional, constant string that gets added to each of these passwords, all in the same place. It isn’t written down and identified anywhere.

(Oh, and the secret questions? Always the same answer, which isn’t particularly secure, but I’ve never yet seen a question where this answer was even a reasonable guess.)

Nicholas Parimore October 15, 2008 11:53 PM

Come on, people! Sure secret questions are the weakest link, but we can make them almost as strong as passwords. You have to focus on the answer, not the question. Do it the same way as passphrases and scrambling rules (a $ between every word). Use words, phrases, numbers, etc. before and after the answer. You can memorize one or two 2-line obscure poems (a line each before and after answer), a few long numbers, etc. to use this way on all your question answers.

The result is something like this: %what is in a name Barbara a rose by any other name would smell just as sweet%. Or one I once used to encourage myself to remember the password: “gof***yourself The Matrix.” Imagine having to say that to a cust. service rep and you see where the motivation comes in. You can use the same one for many questions, as long as you make it unique to you (put something personal in there).

As for those {expletive here} questions like favorite movie, whose answers change often, I recommend using the key words in the question as the answer (i.e. favorite movie), and then using my technique to make it hard to guess. Note that my technique has some of the same weaknesses as passwords/passphrases, but it’s as easy to use as passphrases and brings these security questions closer to passphrase-grade strength while we come up with something better.

Another system for security questions: http://lifehacker.com/5051905/how-to-protect-your-email-from-hackers

Jared October 16, 2008 10:21 PM

I think my bank got the security question aspect right. When you apply, you supply two passwords, both assumed to be secure. One is your primary login password, and the second is required if the system detects that you are on a different machine than your “authenticated machine.” You also have the ability to not authenticate any machine, and always need to supply both passwords to access your account. The second is entered via HTML buttons too, to prevent simple keylogging, although this does expose you to over-the-shoulder looking, even though the buttons change to random other letters after every input.

Senny April 10, 2009 8:15 AM

For what it’s worth, the EPA recommends using such challenge questions for the Cross-Media Electronic Reporting Regulation (CROMERR):

http://www.epa.gov/exchangenetwork/cromerr/

The primary considerations are cost and resistance by users. USB devices have a cost, and users are resistant. Biometrics are very expensive and abhorred by many users. Challenge questions cost almost nothing and find low resistance from users.

Another thing to remember is that using images instead of text may violate some accessibility standards; remembering an image is not easier for a blind person.

Long story short? Lowest common denominator wins, security loses.

Keith Myers May 19, 2009 10:07 PM

What about “Biometric” passwords? The concept is simple but not yet proven. It is driven by a simple JavaScript that checks the pattern of your keystrokes.

engidsacces June 1, 2009 5:06 AM

Somewhere here someone mentioned retail sales of metal roofing tiles in Penza? Yes, and corrugated sheeting too, I think, for roofing work?

Mark Fuller September 20, 2010 11:16 AM

My favorite tool: STRIP from zetetic.net.
I still use it on my old Palm OS devices. It’s available for iPhone and iTouch products.

John Faughnan January 3, 2011 8:34 AM

Five years later, they are everywhere. Time for an update post.

Against stupidity, the gods themselves, contend in vain.

Less bitterly, as noted elsewhere, this is the victory of the lowest common denominator.

The secret question reduces our security, but it improves the life of the vast majority of normal people who, very understandably, cannot track their 300 passwords unless they make them all identical.

Ian Toltz October 10, 2011 10:18 AM

The worst part is that security questions aren’t even “optional” anymore. I don’t forget my passwords (use a password manager to keep track of them, meticulously encrypted and backed up), so I used to just fill in security questions with garbage.

But now all the banks require not just a password, but also for you to answer your security question. So I can’t just fill in garbage. I either need to answer the questions truthfully, which drastically reduces the security of my account, or I need to enter a secure “password” and keep track of 5 different passwords for each of 5 different questions for every site, in addition to the normal passwords.

Ugh.

Sarah January 20, 2018 7:31 AM

The answer to this problem is: questions that change every time you load the program. The problem is that this could still be easy to brute force, but depending on how many abstract questions you have, this determines how hard a function it is to answer.

By extension, if you were to have the user solve a different maze puzzle (think something like a procedurally generated roguelike), then not only would they have to guess the right route, they would have to guess it on the first try, as the program automatically self-destructs.

Hoping things to be perfectly secure gets kind of ridiculous.

Matthew Cordell October 23, 2019 12:24 AM

It’s sad that this post is still entirely relevant 14 years after it was written…

I’ve just had the experience of verbally answering challenge questions to a human, over the phone, in my office. Thankfully none of my answers were terrible, but still awkward. Gave us all a laugh.

John Hascall July 3, 2020 7:01 AM

BTW, don’t think (as we once did many years ago) that letting the user write their own security question(s) is the right answer either.

One day we thought, “wonder if people are choosing the same questions”, so we took a look at the questions (the answers were hashed, but the questions were stored plain text, of course).

A stupidly large number of people either chose even worse questions than the standard ones (e.g. what is my middle name?), or they simply put their actual password as the security question (e.g. my password is ‘123IRdumb’?). My favorite though was what is my father’s maiden name? (and the answer wasn’t just the user’s last name).

We immediately deleted the terrible questions, disallowed setting new ones, and told our users that Q&A password reset was going away for good in 30 days.
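The audit John describes (questions stored in plaintext, some containing the user's own password or answer) can be turned into a submission-time check. This is an added example, not code from the thread or any site discussed in it; the weak-question patterns, the minimum answer length and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed list of question patterns that are weaker than the stock ones.
WEAK_QUESTION_PATTERNS = [
    r"\bmiddle name\b",
    r"\bmaiden name\b",
    r"\blast name\b",
    r"\bsurname\b",
    r"\bpassword\b",
    r"\bpin\b",
]


def _normalize(text: str) -> str:
    """Lowercase and collapse whitespace so trivial variants compare equal."""
    return " ".join(text.lower().split())


def check_custom_question(question: str, answer: str, password: str) -> List[str]:
    """Return policy violations for a user-written question/answer pair.

    An empty list means the pair is acceptable under this assumed policy.
    """
    problems = []
    q, a, p = _normalize(question), _normalize(answer), _normalize(password)
    if len(a) < 4:  # assumed minimum; a 1-3 character answer is trivially guessed
        problems.append("answer too short")
    if p and p in q:
        problems.append("question contains the account password")
    if a and a in q:
        problems.append("question contains its own answer")
    for pattern in WEAK_QUESTION_PATTERNS:
        if re.search(pattern, q):
            problems.append(f"question matches weak pattern {pattern!r}")
    return problems


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 over the normalized answer, so stored answers are never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 200_000)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate answer against the stored hash."""
    return hmac.compare_digest(hash_answer(candidate, salt)[1], digest)
```

The normalization before hashing means a reset attempt with different casing or spacing still matches, while the check rejects the "my password is ..." style questions before they are ever stored.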
