I’ve already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here’s a new one, courtesy of the National Archives: “What is your preferred internet password?” I have been told that Priceline has the same one, which implies that this is some third-party login service or toolkit.
MothersSon • September 8, 2011 6:43 AM
My mother’s maiden name is 4dAm3Y3fv9nIks
Jeroen • September 8, 2011 6:49 AM
When I worked for Atos Origin, the lost password procedure involved entering BOTH the secret question and the answer.
Clive Robinson • September 8, 2011 6:50 AM
I’ve heard some people refere to certain paswords used by people as “Hobbit Rings” or “Tolkien Passwords” because the password is the same for every account the person holds. Thus it’s like the magic ring that could control all the others.
This is obviously a significant security risk especially when said user uses it for their work account as well, and uses their work EMail account name for what is effectivly the username for the account…
Thus an attacker who can find out this either by being a Man In The Middle or having lifted the information from a site with low security (which happens so often these days we only bother mentioning it if it’s Anonymous or LulSec etc), has a good foothold for the start of an APT attack.
vwm • September 8, 2011 7:14 AM
To be fair, that’s finally a “Secret Question” without an answer published at facebook, nor is it easy to guess.
Unless one happens to favour easy to guess passwords that are published at facebook. But than the “secret question” is not important, either.
Paul R. Dittrich • September 8, 2011 7:19 AM
I lost faith in all forms of passwords and secret questions a long time ago. There is a saying that “Locks are for honest people.” and I would include passwords in that statement. Neither locks nor passwords will stop a determined professional [thief | hacker].
Years ago, a colleague asked “Why do I need to have so many passwords?” Rather than answering directly, I pointed at his keyring and asked him “Why do you need so many different keys? Wouldn’t it be easier to have just one key to open everything?”
He looked at me like I was crazy and said “Well THAT would be dumb!”
(Unfortunately, he did not recognize the analogy between his keys and his passwords.)
Cornerstone • September 8, 2011 7:32 AM
What about the password that this ComodoHacker guy claims was used for the login: globaltrust and for the database: instantsslcms. I have no idea if this is true but if it is then there is something seriously wrong with the people who are managing the security there.
Mark • September 8, 2011 7:33 AM
So, presumably you are not using your preferred internet password at the National Archives? Why not? If you do use a common password on a number of sites, why would you use a different one here?
I hope they at least ask the question on an SSL https session.
Steve Jones • September 8, 2011 7:38 AM
I tend to put deliberately wrong answers in the “Mother’s maiden name” box.
Hopefully, we’ll be able to move to multi-factor security soon, like banks are doing, and Google even on gmail (using a code sent to your mobile).
Personally, I like “Where are the bodies buried?”
Pete • September 8, 2011 7:41 AM
My initial reaction was the same – disgust. But thinking about it makes it actually seem somewhat clever. It is probably stronger than most other secret questions (I could imagine it being added in response to the outcry against secret questions). It usually comes with email request to reset password, and the good news is, you don’t actually have to tell the truth.
At first glance, crazy. But I am now leaning towards this being helpful.
swim • September 8, 2011 7:42 AM
@peg dash fab
I did that whenever possible. Led to an embarrassing phone call to the state department of taxation when I forgot the password for their website (and, naturally, the answer to the “what is the password” security question).
Anonymous 1 • September 8, 2011 8:03 AM
That’d actually make a pretty good satire.
Tim#3 • September 8, 2011 8:09 AM
@ peg, at least you didn’t choose some from the entertaining previous blog post on the topic
http://www.schneier.com/blog/archives/2010/04/fun_with_secret.html
uk visa • September 8, 2011 8:48 AM
@MothersSon
I wonder what the legal position is on say setting up a bank account (medical insurance could present an interesting case) with a clause ‘all the info I’ve given is accurate to the best of my knowledge’ and telling them your mother’s maiden name is 4dAm3Y3fv9nIks?
I’m sure the banks would argue, if it suited them, that you’d knowingly given misleading information.
Interesting…
ramriot • September 8, 2011 8:54 AM
Stikes me that if I was unable to hack into said bank etc. But found they had a weak secret question toolkit then I would inject a question into that which later I could use to exploit other sites?
lazlo • September 8, 2011 8:58 AM
Interesting that you posted this at the same time the daily WTF has this:
http://thedailywtf.com/Articles/WTF-Factor-Authentication.aspx
Bad ideas abound!
tim • September 8, 2011 9:13 AM
There is nothing that says you have to answer the silly questions honestly.
Strad • September 8, 2011 9:14 AM
@J, Behind the…. 🙂
Varjohaltia • September 8, 2011 9:17 AM
I just went to a site that insisted on offering me only a few US-centric questions that made no sense (high school mascot, football team name etc.) and I picked the only applicable question: a parent’s birth city. However, upon entering it, the site informed me that it was too short and not acceptable. Not entirely sure what sense it makes to enforce a rule for minimum length in a name. And, yeah, not exactly hard to find info (nor are the high school things, I imagine.)
Paeniteo • September 8, 2011 9:19 AM
@J: “Where are the bodies buried?”
XKCD has it covered:
http://xkcd.com/565/
EdT. • September 8, 2011 9:28 AM
Even worse – the “register” page at Priceline.com doesn’t use this as your “secret question” – they use this instead of “choose a password for your new account”!
Talk about a phisherman’s wet dream…
~EdT.
GSE • September 8, 2011 9:30 AM
I actually started a blog about stupid security questions. I didn’t really do much with it and forgot about it for a while, and when I tried to log back in I realized I’d forgotten my password. So, completely aware of the irony of the situation, I entered the name of my first teacher–Just that, nothing else, not even a birthday–and was allowed to reset the password instantly.
Sandro Hawke • September 8, 2011 10:06 AM
Whenever I see the secret question, I assume it’s part of a two-factor system: I assume I will have to answer the secret question in order to have the password-reset link emailed to me. That seems like a reasonable system, so it’s what I assume people use. Now I wonder if I’ve been wrong about it….
Matt • September 8, 2011 10:23 AM
I hit a website that had “What was your first grade teacher’s name?” as one of the secret questions. Mine was (really) Mrs. Smith. The site wouldn’t allow me to use that as my answer. I guess my real teacher was too generic. Odds are I wouldn’t remember anything different I made up anyway, so I had to pick a different secret question.
Poster of Brucedom Currently Being Tracked by Bruce • September 8, 2011 12:14 PM
Well thanks, guys. I never though as the password field as a secret secret question, “what is your password?” Now I’m wondering why I even try to answer those secret question setups correctly. I should go Dadaist. It’s conceivably possible that both my first dog and some grade school teacher were both named “Fish Bicycle Bathtub.” I sure don’t remember.
mat • September 8, 2011 12:26 PM
HOW about – What are the best short bible verses? 2T#!UQD?FM(70V#XTV6&! and uploading a personal image with it
John E. Bredehoft • September 8, 2011 2:19 PM
I read your post just after reading a scam identification post in which the scammers send a fax to you, supposedly from the IRS, asking you to fax bank information back to the IRS.
If I’m asked for my preferred Internet password, I’d naturally assume a scam anyway.
Bridgekeeper • September 8, 2011 2:33 PM
What is your name?
What is your quest?
What is the airspeed velocity of an unladen swallow?
JimFive • September 8, 2011 3:51 PM
@ Paul R. Dittrich
[Re: Having only one physical key] He looked at me like I was crazy and said “Well THAT would be dumb!”
(Unfortunately, he did not recognize the analogy between his keys and his passwords.)
The problem with the analogy is this: Different physical keys allow different people to have different access based on their role. I have one key for my car, and one key for my house (all 3 doors). I can give my kid a house key, but he still can’t drive the car. Passwords, however, are not meant to be shared. So, why shouldn’t I use my one really difficult password for everything?
JimFive
mpj • September 8, 2011 4:15 PM
The worst “security” question I’ve ever encountered: “What is your favourite season?”
John David Galt • September 8, 2011 4:22 PM
@MothersSon: What’s worse is sites that “sanity”-check the secret answer, so that you can’t set your mother’s maiden name to 4dAm3Y3fv9nIks. Then you’re just hosed.
@JimFive: Just as the three doors to your house can have the same key, I don’t see why you can’t use the same password for many blog sites (where all someone could do by logging in as you is to post comments “from you”). Of course, the ones for sites like your bank need to be unique, because you can be hurt so much more if they are misused.
But of course if one of the blog sites has the weak back door that started this thread, then its password had better be unique just to save me the annoyance of resetting 50 different accounts just because somebody used that weak back door.
WTF • September 8, 2011 4:51 PM
Today’s Daily WTF is appropriate:
http://thedailywtf.com/Articles/WTF-Factor-Authentication.aspx
What continent was your father born on???
anonymous • September 8, 2011 6:01 PM
The worst “security” question I’ve ever encountered:
“What is your favourite season?”
hockey
Gabriel • September 8, 2011 8:23 PM
I guess fake two factor authentication and fake free checking go hand in hand.
Maybe the next security question that a bank should ask is: what is our favorite word? Answer: fees. That’s about as secure as some of thE facepalms referenced here.
Gabriel • September 8, 2011 8:25 PM
@Arthur: I think you found the backdoor that let’s anyone in without knowing the answer.
Bill • September 8, 2011 8:47 PM
I once used a free email account whose security question was “In what year were you born?” And I got as many tries as I needed to get the correct answer. (I had deliberately entered fictitious information when I created by account, so I just kept entering years going backwards from 1970 until I got in.) Needless to say I stopped using that particular service.
Adam • September 9, 2011 3:18 AM
What bugs me most are sites where you click “I forgot my password” and they send it to me via email. What’s the point of choosing a strong password if the site hasn’t even bothered to hash it? If their site gets hacked (likely given their inability to hash & salt), then that strong password can be used everywhere else.
qwertyuiop • September 9, 2011 3:54 AM
@Paul R. Dittrich – I remember using this same question when a colleague asked why he had to have different passwords for everything. I was completely floored when he said he thought it would be really good to have just one key that opened everything!
I heard an amusing take on the question/answer issue by a comedienne here in the UK (I think it was Lucy Porter, but I may be wrong). It went something like this:
My bank has changed the password system it uses for customers to prove their identity when they phone up. Instead of having a standard set of questions you now get to choose the question and answer.
In future when I call up they have to ask me “And where do you think you’re going dressed like that? Go upstairs and change immediately!”.
I have to answer “I can wear anything I want – and anyway, you’re not even my real dad!”.
RonK • September 9, 2011 4:34 AM
@lazlo
Actually, it looks like they invested at least some thought to try to come up with questions which would be less likely to be able to be answered only via Google and Facebook searches, like the “favorite national monument” and the “favorite melon”. The problem is that I don’t believe that most people have strong opinions about those things (which is related to why they are “good” from the first point of view), so my guess is that most people would just pick the first item on the list.
Anyway, the basic idea behind recovery questions is rotten, so trying to “fix” it by choosing “better” questions seems silly to me.
@ xkcd
The xkcd reference combined with the WTF post makes me think of the inverse/dual: inviting someone to a “melon party” where hidden cameras are trying to decipher his preference.
Actually not totally disconnected from reality: I can imagine a spear phisher trying to direct someone to a fake Facebook game which supposedly ranks his preferences vs. the general public, where “national monuments” and “melons” are incidentally sandwiched in with chaff to make it less obvious what is going on…
Clive Robinson • September 9, 2011 5:29 AM
@ mpj,
“The worst “security” question I’ve ever encountered: “What is your favourite season”
It could be worse, how about one for the geeks from the geeks,
“Warning the account will lock after three incorect entries,
Which is your favourite binary digit from the set {0,1}?”
Beta • September 9, 2011 8:59 AM
I worked at a company (handling classified information) where I could reset everything about my computer accounts by answering my two security questions. It’s probably still a felony for me to reveal what they were, but one was of the form “what is worse than X?”, with the answer “Y”. One time I had to reset some passwords or something, and the guy on the phone goofed and asked me “what is worse than Y?”, thereby proving that the answer was in the clear on the screen in front of him.
SB • September 9, 2011 9:07 AM
@uk_visa: “with a clause ‘all the info I’ve given is accurate to the best of my knowledge’ and telling them your mother’s maiden name is 4dAm3Y3fv9nIks?”
I suggest you enter a name like “Jane Doe aka 4dAm3Y3fv9nIks”.
dilbert • September 9, 2011 9:44 AM
Did you know this forum automatically masks all passwords if you type them into the comments box? Here’s mine: **********
Give it a try!
Philip Newton • September 9, 2011 11:16 AM
dilbert, you hunter2ing hunter2!
Paul • September 9, 2011 11:21 AM
I just use a created system for my passwords, and it gives me a secure password for every site.
For each letter A-Z i created and memorized a 3-4 digit alpha-numeric sequence. For example, A=$3G. B=4Hl2, etc.. (those aren’t the real ones). I found it fairly easily to memorize 3-4 digit groups, and its only 26 of them.
Now, I just have very short easy to remember passwords for every site I reguarly use. I remember my bank password as “money”, but is really the 15-20 digit sequence created by combining the associated sequences.
If someone breaks one, they won’t gain access to any others.
Nick P • September 9, 2011 2:28 PM
Should change it to “What is your SSN?”
dilbert • September 9, 2011 2:34 PM
@Chris,
Google hunter2 and you’ll understand both of our comments.
Poster of Brucedom Currently Being Tracked by Bruce • September 9, 2011 2:35 PM
Sites should give you a random noun and you have to come up with the question, Jeopardy style.
Izi • September 9, 2011 9:01 PM
Are we sure that this question wasn’t added by some enterprising hacker trying to gather more accounts?
Peter E Retep • September 10, 2011 2:34 PM
What is your favourite colour?
Thou mayest pass the bridge.
Peter E Retep • September 10, 2011 2:43 PM
@ Paul
Ah, ha! You don’t deal with any site that,
instead of retreiving a password,
forces you to create a new one,
and forbids the use of any old one
you have used in the prior calendar year.
Does a forcing of change make a sytem more,
or less, secure?
kneH • September 12, 2011 4:53 AM
xkcd also has us covered on the complex-passwordparadigm as a whole:
http://xkcd.com/936/
Quercus • September 12, 2011 7:26 AM
Well, speaking of XKCD, this is the one that came to my mind regarding the ‘what is your password?’ secret question:
http://xkcd.com/792
One improvement for the password harvesting scheme: for each user, every time they enter an incorrect password (that’s not obviously a typo), store that as well; there’s a good chance they’ve typed in a password for a different site by mistake.
Simon • September 12, 2011 8:42 AM
The next question was “What is your bank account number?”
Gabor • September 12, 2011 4:18 PM
Does anyone have experience using supergenpass.com ? You have one master password and based on the website URL (e.g. amazon.com or google.com) it will generate you a nice unique pass. Yes, you should not lose your master pass though..
Brad Howard • September 15, 2011 2:16 PM
This reminds me of “flag” buttons and “report offensive content” buttons that exist on most blogging sites. The Obama-Biden campaign blog in 2008 had a “report offensive content” button beneath their own contents, surely this is not something any blogger would want.
The near ubiquity of such buttons gives rise to the inference that they are an integral part of some system. As an analogous illustration of the existence of another ubiquitous feature, try building an ecommerce check-out site that accepts visa and mastercard without using a shopping cart icon on your site…
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
peg dash fab • September 8, 2011 6:34 AM
heh, when given the option of creating a secret question, i like to go with “what is your password?”