Secret Questions

In 2004, I wrote about the prevalence of secret questions as backup passwords. The problem is that the answers to these "secret questions" are often much easier to guess than random passwords. Mother's maiden name isn't very secret. Name of first pet, name of favorite teacher: there are some common names. Favorite color: I could probably guess that in no more than five attempts.

The result is that the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

Here's some actual research on the issue:

It's no secret: Measuring the security and reliability of authentication via 'secret' questions

Abstract:

All four of the most popular webmail providers -- AOL, Google, Microsoft, and Yahoo! -- rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What's more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.

Posted on May 25, 2009 at 9:56 AM • 80 Comments

Comments

franklymydear • May 25, 2009 10:44 AM

My mom's name is "Dallas Cowboys".
really.
At least that's what Google thinks.
Yahoo thinks it is "Yellow Cab"

Good luck

Paul Nelson • May 25, 2009 11:11 AM

I think "secret questions" can be used effectively: i.e. without degrading security.

If answering "secret questions" results in correspondence being sent to my information on file (e.g. a secondary email address, or even a postal address), then wouldn't it still be an effective way to keep my account secure while giving me recourse when I forget my password?

If someone guesses my answers (which, I agree, is pretty easy), the information still gets sent to me in the above case which means I am immediately alerted to the shady activity.

I suppose someone could intercept the email (or even the snail mail), but that seems like an awful lot of work. At that point, I think it would be easier to do a dictionary attack on the account's password.

As long as "secret questions" are used along with something else (sending the information to a trusted destination), it seems like a pretty good solution to me. But then, I'm no security expert, so feel free to shoot this down. It's probably an easy target!

However, I do think that isolating one thing, as the study cited above did, is somewhat pedantic.

Spike • May 25, 2009 11:17 AM

If the secret question is an obligation, my secret answer is always the same

(a good keyboard hammering like:
moaemhgdxfày!hz"'t:cxfnm!àog5z5azeofhol=%:uyiw)

I like to see the first guessing that ;-)

DUMMY ANSWERS • May 25, 2009 11:30 AM

WHY make the REAL mother's maiden name? Why WHY? There is no right or wrong answer so be creative - AND DON'T FORGET THE DUMMY ANSWERS!!

wooster • May 25, 2009 11:31 AM

"Secret answers" are how that kid got control of Sarah Palin's yahoo email account, so we certainly have a high profile example of the problem. Like franklymydear who has already posted, I use nonsensical answers, a different one per site. These, like my passwords, are all stored in a password-protected database that I sincerely hope I'll never forget the password to.

SteveJ • May 25, 2009 11:40 AM

Sites for official business (banks, government) are the least secure if they use secret questions. They generally require you as a condition of use to assert that all information provided is correct.

So, if you enter "Dallas Cowboys" as your mother's maiden name, can they prosecute you for unauthorised computer use, and/or financial fraud if you've thereby obtained a bank account?

&rw • May 25, 2009 12:07 PM

Secret questions are a viable way for password-recovery - if AND ONLY IF the question isn't predetermined by a 3rd party.

Miguel • May 25, 2009 12:16 PM

The problem with secret questions is not the answer but the question: As DUMMY ANSWERS points out, the system works nicely and securely if you consider the questions as a request to provide a backup password.

No matter what the question is about, your answer should be a second password for the site (as such it should be as strong as the main one). Spike's seems a good approach to me.

Once you start paying attention to the question and making your answer make sense, then I'm with Bruce.

someone • May 25, 2009 12:29 PM

I'm not sure this is as bad as it sounds. As far as I know AOL sends an e-mail to the account holder's secondary contact address... which the attacker does not even know the address of! So if the attacker guesses the secret question correctly, they are then left with the impossible task of finding the victim's second e-mail address.

Johannes • May 25, 2009 12:56 PM

As for me, I usually just take a bit of /dev/random to enter for those secret questions ... though this has bitten me for PayPal, where you need the answer to the secret questions to delete your account (even though they say you'd need them only in case you forget your password).

Shhh • May 25, 2009 1:29 PM

That last part sounds like the gameshow Family Feud.

I like sites that allow us to make up our own questions, but those are far and few between.

The people that handle my money have 10 questions, and we're allowed to choose from a larger pool of questions. But! We're only allowed a certain number of questions to answer, and then when we try to sign in, we have to cycle through all the other questions until we get to our selected questions.

It's really a pain, but maybe it's so much of a pain that there's not many attacks on it.

Anonymous • May 25, 2009 1:46 PM

One solution, 24 hours delay per attempt (pass or fail) + instant notification on every attempt for manual override

reinkefj • May 25, 2009 2:50 PM

My Mom's maiden name is 7DGG46QPK, FGAD4P3N, DKNNT4VKP, C9HJLPQVK, or KEZNBF6N9 depending which of the sites I used it at. If a "secret question" is a password, then I say treat it as such with your favorite 12 random alphanumerics. Just don't tell anyone about your secret list. Memorization of passwords leads to forgetting. As long as I don't lose my little black book, I'm fine. If I do, oh well.

p.s., the passwords are just in a sequentially numbered list. You have to have another key that maps # to name. Maybe it's DNS? ROFL.

Tim • May 25, 2009 3:08 PM

As others have said, there's a fairly trivial fix: Just send an email to the user's email address along the lines of:

"Someone has requested a password reset for your account at example.com. If this was you, please click [here], otherwise it may indicate that someone is trying to break into your account. You should click [here] to block their attempt."

Obviously they may have lost access to their email account so it should still allow the password to be reset if the email is ignored for a sufficient time. Same for if they have no email/secondary email account set up.
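The reset flow Tim describes (mail two links, let the owner confirm or block, and fall back to allowing the reset only after the mail has been ignored for a set time), as an added example that is not code from the post or its commenters. Token values, the waiting period and the mail "outbox" are constructed stand-ins.

```python
import secrets
import time
from dataclasses import dataclass

# Assumption: how long an unanswered reset mail is waited for before the
# reset is allowed anyway (for users who no longer control that mailbox).
DEFAULT_TTL_SECONDS = 72 * 3600


@dataclass
class ResetRequest:
    account: str
    confirm_token: str      # sent in the "this was me" link
    block_token: str        # sent in the "block this attempt" link
    created: float
    state: str = "pending"  # pending | confirmed | blocked | used


class ResetService:
    """Password-reset flow driven by the two links in the notification mail."""

    def __init__(self, ttl=DEFAULT_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now        # injectable clock so the timeout can be tested
        self.by_token = {}    # each request is reachable under both of its tokens
        self.outbox = []      # constructed stand-in for real mail delivery

    def request_reset(self, account):
        """Record the request and mail both links; nothing is reset yet."""
        req = ResetRequest(account, secrets.token_urlsafe(32),
                           secrets.token_urlsafe(32), self.now())
        self.by_token[req.confirm_token] = req
        self.by_token[req.block_token] = req
        self.outbox.append({
            "to": account,
            "body": ("Someone has requested a password reset for your account. "
                     f"If this was you, visit /reset/confirm/{req.confirm_token}; "
                     f"otherwise visit /reset/block/{req.block_token} to stop it."),
        })
        return req

    def click(self, token):
        """Handle either link; False for unknown or already settled requests."""
        req = self.by_token.get(token)
        if req is None or req.state != "pending":
            return False
        req.state = "confirmed" if token == req.confirm_token else "blocked"
        return True

    def may_reset(self, req):
        """May the password be changed for this request right now?"""
        if req.state == "confirmed":
            return True
        if req.state in ("blocked", "used"):
            return False
        # Still pending, i.e. the mail was ignored: allow the reset only once
        # the waiting period has elapsed. The block link keeps working until
        # the request is actually consumed, so the owner can still stop it.
        return self.now() - req.created >= self.ttl

    def consume(self, req):
        """Mark the request used; the caller then sets the new password.
        Returns False if the reset is not (or no longer) permitted."""
        if not self.may_reset(req):
            return False
        req.state = "used"
        return True
```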

SpikeD • May 25, 2009 3:52 PM

@spike: well, I must admit before I came to this article, the string "moaemhgdxfày!hz"'t:cxfnm!àog5z5azeofhol=%:uyi" came to mind before I read your post, but the trailing "w" was missing, so fair point ...

Rich Wilson • May 25, 2009 4:15 PM

It's great that all our mothers' maiden names are "syxIaooblark5#1"

But, and no offence to Bruce, readers of this blog are a small minority of the population.

The point is, if you put down a 'real' answer, then you have a back door with a lock weaker than your front door. And if you put down a randomly generated sequence of characters (as I do) then the whole secret question serves no purpose.

In essence, "something you know" is not an appropriate retrieval system for "something you know".

Jessica • May 25, 2009 4:24 PM

I took the opportunity to look at my banking site secret questions (I can write my own). My family and most friends could have guessed one. My family might have been able to guess the second. My family and really close friends could probably guess the third.

I've since felt inspired to rewrite them to stuff that even my nearest and dearest should be unable to guess without resorting to telepathy.

annie • May 25, 2009 4:44 PM

I don't care which question I pick - except those that expect a certain format. The answer is nearly always the same though - and it NEVER has anything to do with the answer I give. Why should it?

Jimmy • May 25, 2009 5:11 PM

My University requires that we answer these questions to verify our identity if we forget our uni password; why can't they just get us to visit them in person and show photo ID? That's beyond me.

Orville • May 25, 2009 8:27 PM

Well, sure, if you're in a WASP family with names like Smith or Jones, or a Korean family (where half the population is called Kim) maybe not the best idea. On the other hand, my mother's maiden name is an unpronounceable Slavic name, and even my wife didn't know it after several years of marriage.

Johnny Vector • May 25, 2009 8:48 PM

My gov't agency recently changed one of our web-based services, and the password requirements are so draconian (change it every 60 days, all 4 character classes required, no repeated letters, no dictionary words, and can't repeat more than 3 letters from any of your last 25 passwords), that at training they all but told us to use the secret question as a password. A password on which there is absolutely no checking other than "has to be longer than 3 letters" (too bad if your Mom's middle name is Ann). I guarantee 10-20% of the agency grew up on a street named "password".

I believe this is what Bruce calls "locking it down so tight any Joe off the street can walk right in".

TLC • May 25, 2009 10:04 PM

My agency set up a self-service that has a 'set' of secret questions that are not obvious but not hard either. The problem that we're getting is users forgetting the answers to the questions and asking why can't they pick questions like "mother's maiden name".

So we want to ensure users are able to remember their answers and not make them too obvious for someone to guess. How does one maintain that balance?

StickyWidget • May 25, 2009 10:53 PM

Continuing on the Facebook angle, there have been several quizzes and tests where you actually enter in this type of information.

I was actually forwarded one that asked me, verbatim, the three security questions that GMail asks you.

Once you provide this information to Facebook, it's in somebody's database, including your name and email address. From there, they have everything on you.

~Sticky

Dan • May 25, 2009 11:04 PM

One of my favorite pet peeves... websites that force you to choose Pentagon-strength passwords, which can then be reset by anyone who Googles your name and finds a picture of you with your first pet Skippy, or a bio that lists the city where you were born. And who seems to do this the most? Banks. How could people smart enough to run a bank be so stupid? Oh, wait.. did I just say "smart enough to run a bank?"

vanilla • May 26, 2009 1:19 AM

I agree with dummy answers. I started using fiction for those secret questions long ago. It is a hassle, but I keep a master list of passwords/answers in a safe. I seldom have to dig it out, but I feel better making things up for each site ... van

Alex • May 26, 2009 1:34 AM

Got you, reinkefj! All this "Schneier on Security blog" thing was a scam to make you spit your maiden's name. Now let's try those random strings on all major mail services...

Lamah • May 26, 2009 2:03 AM

I absolutely hate "secret questions", I normally just mash the keyboard. If they want you to supply a second password, why don't they just ask you for one? Why have all this nonsense about having to supply the names of uncles-twice-removed and your favourite brand of kumquats. At least if they ask for a password, people will write it down so that they don't forget it.

The one time, _one time_ where I really forgot my password, I had "Never accept the secret answer because I will never use it! awsifvejn4r0bq34cfnhjq89c4fbqopa" as my secret answer. That was an embarrassing phone call.

Cassandra • May 26, 2009 3:13 AM

SteveJ has it correct - the finance industry shares data, and if you supply different answers to the 'mother's maiden name' question, it will be flagged. Finance industry websites also require you not to enter fraudulent information.

What I would like is a provably secure password safe I can carry with me, so I do not have to remember all my PINs, passwords, and account details. I was hoping that the OpenMoko mobile would become popular enough, but that project seems to be faltering, which is a pity. Are there provably secure applications on the iPhone/iPod platform?

Cassie

windscar • May 26, 2009 5:07 AM

@TLC: You can't help everyone. One idea is the pick-your-own-question, followed by a "your-question-sucks" dialog. That may take some smarts in the question parser.

At the very least there should be a few hundred questions to choose from. That may give enough of a chance to make this at least somewhat secure.

Chris K. • May 26, 2009 5:57 AM

The problem with security questions is that you either use them as a second password with no connection to the question asked, but then you are even more likely to forget it than your regular password because you use it much less often, or you give an answer that is very easy to guess (very little entropy).
One way to remedy this would be to use permanent written information: Use the second letter in each word of the first five sentences in the third chapter of your favourite book. It doesn't matter that it is tedious to reproduce since you are not going to enter it very often anyway.
A simpler and even more secure way than security questions would be to deposit the user's public PGP key. Whenever you forget your password you get it sent, encrypted with your key. (One might even use this to securely transmit TANs, one time passwords etc.)

Ricky • May 26, 2009 6:12 AM

AOL, Google, Microsoft, and Yahoo! -- rely on personal questions as the secondary authentication secrets used to reset account passwords. We asked participants to answer these questions and then asked their acquaintances to guess their answers.

Clive Robinson • May 26, 2009 7:06 AM

@ SteveJ, Cassie,

"So, if you enter "Dallas Cowboys" as your mother's maiden name, can they prosecute you unauthorised computer use, and/or financial fraud if you've thereby obtained a bank account?"

Be thankful you are not POTUS; there is a legal requirement that everything they write whilst in office be kept effectively in perpetuity in the National Archives...

So no secret question for you Mr Prez...

Clive Robinson • May 26, 2009 7:19 AM

Oh by the way the use of an EMail account is not a solution to the "secret question" or other security issue.

Most people have more than one EMail account at any one time and usually have had many more that they no longer use.

The issue of "remote ID" is a very vexing one, especially as politicians (and their advisors who, let's face it, should know better) are talking about legislation putting age restrictions on remote access with draconian penalties for organisations that cannot ensure it.

In general the organisations tend to think "ah credit card" as a solution, but that does not work for a couple of reasons, the first and most obvious is by far the larger part of the world's population do not have credit cards. The second is that most smart teenagers (or younger) will work out how to get around that minor bump in the road.

Public Keys etc are not a solution either for various reasons not least of which is expiry and revocation.

But, and this is the big BUT, is being "identified" in person any more reliable? The answer is again NO...

The simple fact is with a little care and forethought you can be who you want to be and it is virtually impossible for people to say otherwise...

Cassandra • May 26, 2009 7:20 AM

The rules are different for Heads of State. There's a very nice story about King Juan Carlos I of Spain, who, needing some currency exchanged whilst on a skiing holiday in Austria, held up some Spanish currency showing his portrait and said "That's me" upon being challenged for identification.

Lars • May 26, 2009 8:36 AM

Uh, use encrypted, local password stores and pwgen (or whatever random string generator) to generate question and answer. Or put it on a piece of paper and store it securely. Chances are that nobody ever stumbles upon both, your pwdstore and the according account. (Especially if you have some non-trivial way to map stored data to accounts and back.)

Actually I totally agree, these secondary private questions are completely voiding all purpose of strong passwords. Hasn't anybody read the classical "WarGames"?

And even the "My mother's name is Dallas." is not much better. For a start, why should I remember two answers (password and answer) as well as the question and the place where the answer is valid better than just a password to the notorious "whats the password of $ID"-question?

Are there any widespread attempts on cracking secondary passwords or do we have to do it ourselves still?

somebody • May 26, 2009 8:40 AM

The secret question interface can be done right, IMO.

OPM (office of personnel management) handles identity binding with a 'golden question' interface.

The user must create their own questions and IMO a diligent user would create questions that were harder to guess than a reusable password without the burden of remembering a new strong password.

I think for this use-case it was a well-chosen idea. People will connect very infrequently to this system and strong identity binding is important.

The user's other secure password may be the same one he uses with a Web-SSO package or an email client or some other frequently typed in difficult to defend authentication vector.

Systems that don't allow creation of custom questions are of course very flawed.

So yes, I think this idea is tricky to do right, but not impossible. In fact I think it might be a very smart idea for an application where users are expected to connect to _very_ infrequently.

sooth sayer • May 26, 2009 9:05 AM

These questions and context for webmail etc. are more or less harmless unless you are extremely careless.

I am more worried about phone reps asking answers to the "secrets" - to me that's a bigger security issue.

Davi Ottenheimer • May 26, 2009 9:13 AM

This research is helpful - cuts down the noise in those meetings where budget dollars are needed to recode systems with bad secret questions. Sadly enough, sometimes product managers don't believe there is a problem here. An independent study clarifies without prejudice.

FP • May 26, 2009 10:11 AM

@Davi:

Unfortunately, many product managers would argue that, "it must be safe because everybody's doing it."

kangaroo • May 26, 2009 10:48 AM

To all those who use the "secret" as a secondary password: what's the point?

If you lose your primary password, what makes you think you'll have a > probability of recalling the secondary one? If you could, then why not use that one as your primary password? If not, this is all a very silly exercise in blocking a useless "feature" --- working around a bug.

And as a way to activate an email to an account to do a password reset -- what added security does a "secret question" add? You might as well just enter your email address and hit a button to receive a temporary randomized password --- preferably encrypted.

These are all work-arounds for the non-standardization of decent pgp style home-made keys. I.e., security theater once again.

AppSec • May 26, 2009 10:56 AM

Too user friendly and they are easy to acquire. Too long term to recover and they remove the "instant access" perception that is apparently required by business owners.

Here's an idea, re-think your perception of what these questions are for.

They are user friendly "captcha" techniques to allow users to have a randomly generated password delivered to the perceived intended user.

David • May 26, 2009 3:49 PM

@kangaroo: I trust that by "To all those...", you meant site designers, not this audience; else you're preaching to the choir ...

"Free" services such as web mail have a hard problem, and may be thus forgiven: they are asked to find a way to get you back in if you forgot your password, but they've never verified your identity in the first place. Banks, however, do not have this excuse ...

President Skroob • May 26, 2009 10:43 PM

1 2 3 4 5? That's amazing! I've got the same combination on my luggage!

Dave • May 27, 2009 11:03 AM

As others have suggested, the answer to the question "mother's maiden name" is not my mother's maiden name. But if we aren't answering the questions we are asked, what's the point? It's just another passphrase (one used for multiple accounts most likely).

I just set up a new checking account. In setting up the online account, one of the security questions I could choose was, "What's your sign?" Like my birthday is a closely guarded secret! On the plus side, you need to answer one of 3 questions and know the password--it's not a fallback (I still opted for my own security questions and auto-generated passwords for the answers).

bf skinner • May 27, 2009 12:01 PM

so shouldn't the secret question be...

This IS the secret question - What is your secret answer?

JimFive • May 27, 2009 2:36 PM

I've been thinking about this for a bit and I think I have a good solution.

A couple of years ago I found a site that generated a random substitution cipher chart so that e.g. A = jZ, B=N*, C=R0, etc...(The site was www.levii.com/cipher.php, it isn't there anymore but is available via the wayback machine.)

Generate one of these and print it on a business card. Laminate it. Use it only for the secret questions/answers. You can either use the real answer or some other easy answer (site name, simple password, etc) encoded with the card. File the card and only use it when you need to answer a secret question.

If you're really paranoid, you could generate a different card for each site to ensure that one site being stupid (or compromised) doesn't compromise your other secret answers.

This seems to solve the "forget the answer" problem as well as the "too easy to guess" problem.

I think I'm going to implement this for my secret questions.

(btw, I'd really like comments on this method, to me it is like a poor man's SecureID as it requires "Something you Have" as well as "Something you know")
--
JimFive
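JimFive's laminated-card scheme (a random chart mapping each letter and digit to a two-symbol code, used to turn an easy answer into the string typed as the secret answer) carried through in code, as an added example that is not from the comment or the site it mentions. The symbol set, the two-symbol code length and the seeded generator used for the test are assumptions; a real card would be generated from the OS random source, which is the default here.

```python
import random
import string

CARD_ALPHABET = string.ascii_uppercase + string.digits               # what an answer may contain
CODE_SYMBOLS = string.ascii_letters + string.digits + "!#$%&*+=?@"   # what a code may contain


def make_card(rng=None):
    """Random substitution chart: every letter/digit gets a distinct 2-symbol code.

    rng defaults to the OS random source; pass random.Random(seed) only for
    reproducible tests, never for a card you intend to use.
    """
    rng = rng or random.SystemRandom()
    used, card = set(), {}
    for plain in CARD_ALPHABET:
        code = rng.choice(CODE_SYMBOLS) + rng.choice(CODE_SYMBOLS)
        while code in used:          # unique codes keep decoding unambiguous
            code = rng.choice(CODE_SYMBOLS) + rng.choice(CODE_SYMBOLS)
        used.add(code)
        card[plain] = code
    return card


def encode(card, easy_answer):
    """Turn the easy answer (site name, real answer, ...) into the secret answer.
    Letters are case-folded; spaces and punctuation are dropped."""
    return "".join(card[c] for c in easy_answer.upper() if c in card)


def decode(card, secret_answer):
    """Recover the easy answer from what was typed; needs the same card."""
    if len(secret_answer) % 2:
        raise ValueError("encoded answer must be an even number of symbols")
    inverse = {code: plain for plain, code in card.items()}
    return "".join(inverse[secret_answer[i:i + 2]]
                   for i in range(0, len(secret_answer), 2))


def render_card(card, per_line=6):
    """Text layout to print on the business card before laminating it."""
    cells = [f"{plain}={code}" for plain, code in card.items()]
    return "\n".join("  ".join(cells[i:i + per_line])
                     for i in range(0, len(cells), per_line))
```

Note that the encoded answer is exactly twice the length of the easy answer, so the card changes the content but not the length of what an onlooker sees typed.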

Hook • May 27, 2009 11:26 PM

Where the list of available questions is preset, then I’d agree that using one can reduce security. However, the bank that I use here in Australia insists on answers to two separate questions when I add a new third party account detail to my internal address list. One of the questions comes from a preset list (the usual options like “your mother’s maiden name” and such), but the second question can be something that you create for yourself – and that’s a lot more useful, and potentially more secure (IMHO anyway).

The usual assumption made, as far as I can tell, is that the question and answer need to be related in an identifiable manner, but that’s not true. There’s no mysterious AI system checking that the supplied answer to the question “what is the secret of steel” actually makes any sense at all. If I define the answer as “12 July 1927” because that’s something that I’m confident I’ll remember, I’ve immediately made it more difficult to forge my identity successfully for this part of that particular system. So, it looks as though everyone agrees that having no contextual link between the question and the answer can improve security.

Of course, there’s no need to give the correct answer to “what’s your mother’s maiden name” either! You just have to be sure to remember what you actually typed.

Tim • May 28, 2009 6:17 AM

Who needs secret questions when the password for The Police Academy is "Police" and for Department of Environment is "Environment"!

Anonymous • May 28, 2009 9:50 PM

Jokes aside about free online services and other cheap services, I strongly suspect some banks are implementing good KYC, Know Your Customer, practices.

If you haven't noticed some of these, then perhaps you are not worth anything more than a secret Q/A.

Epimortum • May 29, 2009 9:23 AM

I came here hoping to see what in fact I did see; mostly intelligent answers. I think what most of us fail to remember is that while our solutions seem obvious to us; how many of our family and friends don't think twice about this and provide factual information? This can happen for several reasons I think.

1.) Older generations are used to filling out paper forms; forms where every question was processed and used e.g. employment, SS benefits, hospital...

2.) Stimulus and correct (known) response e.g. Mother's Maiden Name/${m_m_n} is simple and its intended use

3.) 1+2+ what could go wrong?

I easily could be missing something here but you get the point. It largely comes down to people not thinking like criminals when they need to be.

Which frankly I think is silly because you don't look at a door and lock and think, "Well this key might be too hard to operate, let's not have one". When it comes to information security they fail to see how the rules of physical security translate to the information security realm.

Twylite • June 1, 2009 6:58 AM

The best possible case answer to a "secret question" has the security of a traditional password, therefore at best using a secret question decreases account security from one password to two passwords that allow access.

At worst the answer to a "secret question" is easily guessable, and much less secure than the account password.

Most tech savvy users seem to adopt one of two approaches:

(1) use a different random password for each secret question, which has as much risk of being lost as the account password; or

(2) use the same random password for all secret questions, which has the same weaknesses as reusing passwords across sites (in particular it only takes one compromised site for all your bases to belong to them).

Custom secret questions CAN lead to a reasonable compromise: use a random 32-byte hex string as the challenge, then use a password-based security function like PBKDF2 to derive a key from a password, and encrypt the challenge with the key to get the response. Only one password to remember (you're screwed if you forget it) and it never leaves your PC.
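Twylite's challenge/response scheme worked through, as an added example that is not the commenter's code. The random 32-byte challenge becomes the custom "question" and the derived response the "answer"; HMAC-SHA256 under the PBKDF2-derived key is substituted for the encryption step (the standard library has no block cipher), which preserves the property that matters: a site sees only the response, which reveals neither the key nor the master password, and responses for different challenges are unrelated. The user label used as PBKDF2 salt and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: PBKDF2 work factor; raise it as your hardware allows.
PBKDF2_ITERATIONS = 200_000


def new_challenge():
    """The 'question': a random 32-byte value, stored at the site as hex."""
    return secrets.token_hex(32)


def derive_key(master_password, user_label, iterations=PBKDF2_ITERATIONS):
    """One key per master password, derived on the user's own machine.
    user_label (assumption: e.g. your e-mail address) is the PBKDF2 salt, so
    two people sharing a password get different keys; it need not be secret."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               user_label.encode("utf-8"), iterations, dklen=32)


def response_for(key, challenge_hex):
    """The 'answer': HMAC-SHA256 of the challenge under the derived key.
    Standing in for encryption: one-way, so a leaked answer at a careless
    site gives nothing usable at any other site."""
    challenge = bytes.fromhex(challenge_hex)
    if len(challenge) != 32:
        raise ValueError("challenge must be exactly 32 bytes")
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def enrol(master_password, user_label, iterations=PBKDF2_ITERATIONS):
    """Client side at sign-up: returns (question, answer) to register with the site."""
    challenge = new_challenge()
    key = derive_key(master_password, user_label, iterations)
    return challenge, response_for(key, challenge)


def recompute(master_password, user_label, challenge_hex,
              iterations=PBKDF2_ITERATIONS):
    """Client side at reset time: re-derive the answer from the displayed question.
    The master password never leaves the machine; only this value is typed in."""
    key = derive_key(master_password, user_label, iterations)
    return response_for(key, challenge_hex)


def site_accepts(stored_response, typed_response):
    """Site side: constant-time comparison of the stored and typed answers."""
    return hmac.compare_digest(stored_response, typed_response)
```

The site should still store the response the way it stores any password (hashed), since for the site it is just a second password.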

Doug Coulter • June 2, 2009 10:38 PM

This is all good stuff, but fails to cover another interesting case. These days, I trade stocks for a living, and use an electronic broker. Their code, and Firefox, prevent the saving of my login data as far as I can tell, but they use a cookie on my machine for some kind of verification. E.g. I have to type my login info each time I go online with them, and in fact every few time intervals, as they have a settable timeout to guard users who may walk away forgetting they are logged in.

If I attempt to login from a new machine, as sometimes happens -- like when I arranged a wire transfer to a car dealership to buy my new Camaro using one of their computers, that's when I get the secret questions, even after a correct input of my login info. I'm then asked if I am on a trusted vs a public machine, presumably so they won't store the cookie on a machine I consider unsafe or not mine. And the question nicely defaults correctly to "unsafe".

I'm fairly impressed as there is quite a lot of money involved here, and they think this (and whatever else they do and don't mention) is good enough so that they make a guarantee against damages caused by someone else getting into my accounts there.

I did use accurate answers to the questions, which didn't include mothers maiden name, but other things much harder to find out, but next time I will do the "random garbage" thing, and thanks for the laminated card idea! This is a nice partial solution to security that works, but is a pain to deal with.

So here's at least one reasonable use of secret questions, even if the answers aren't extremely hard to guess, as there are many of them, and it's they who choose which ones you must answer.
Most of their questions concern things that are quite unlikely to be in public records at all, which I noticed right away, and thought good. You'd almost have to be my twin to know most of the answers, I doubt even the government, who knows a lot about me due to some security clearances I had, would be able to guess them.

My bank, a local outfit, is comparatively clueless and demands correct answers to questions anyone can guess or find out easily, and lets the browser retain all login info -- and doesn't ask for permission to do that...So, not much money is kept there until they catch a clue. They are, however still large enough to say "we don't have to be reasonable, we have a policy" when this issue is mentioned to them. Basically, it's very hard to find the correct person to enlighten, and as Bruce says, until they are accountable for losses due to dumb policy, it's unlikely to change. And it is further unlikely that if I pull my accounts there due to this, that anyone who could change it would ever find out that they were losing business because of ignorant practices on their part.

Satya • June 3, 2009 9:01 AM

To those that point out that secret questions result in an email to a "trusted" destination:
If the destination's trusted, why bother with the questions? Why not a captcha or similar human-checker?
And you shouldn't be emailing the password anyway! You should be sending a reset code.

Matt • June 3, 2009 4:42 PM

I'm looking at this from the pov of a product manager designing such a "security question" system, and there's some things commenters aren't taking into account.

Some have suggested that a system where you can choose your own secure question would be more secure. For you perhaps, as an intelligent user. But what about all the dumb users who will put "My date of birth" or some other ridiculously easy prompt?

The questions must be pre-defined by the system.

The solution I'm looking at is a pool of questions (15, say) of which the user must supply answers to at least 5 - and we'll advise them to pick ones that are safe; asking them to think about whether they have their first ever pet's name on facebook for instance.

Then, when they do forget their main password, they will be asked to answer 3 of the 5+ questions they set previously, chosen at random. This ought to introduce some pretty strong entropy; I challenge any ID thief to discover my first pet's name, my oldest cousin's full name AND the city where I met my partner.

Of course, you security-savvy users are welcome to provide "second passwords" as answers to these questions; so you can still secure your own account to the max.

But we are trying to keep the system useable by people who are security-lazy, and still keep their accounts secure.

vexorianJune 6, 2009 9:44 AM

This secret question nonsense gets worse and worse. Now Hotmail forbids you from using special characters in the answer, so it is not possible anymore to just type gibberish in it. I guess later they will verify that the answer matches a dictionary or something...

mike waddinghamJune 8, 2009 2:48 PM

@matt: We built a system with 9 possible questions, user had to provide answers to 4, and then provide 2 correct answers (to random questions) for a password reset. I think you are on the right path...
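
The k-of-n scheme Matt and Mike describe (enrol answers to a subset of a fixed pool, then challenge a random subset of the enrolled ones at reset time), as an added example in Python that is not either commenter's system; the question texts and sample answers are constructed, and answers are normalised and stored as salted PBKDF2 hashes rather than plaintext.

```python
import hashlib
import hmac
import secrets

# Constructed pool of fixed questions (Matt's "15, say"); the system, not the user, defines them.
QUESTION_POOL = {i + 1: q for i, q in enumerate([
    "First pet's name", "Oldest cousin's full name", "City where you met your partner",
    "Favourite teacher's surname", "Street you grew up on", "First employer", "Childhood nickname",
    "First concert attended", "Make of your first car", "Name of your first school",
    "Grandfather's occupation", "Town where your parents met", "First foreign country visited",
    "Name of your best friend at age 10", "Title of your favourite childhood book",
])}
MIN_ENROLLED = 5    # user must answer at least 5 of the 15
CHALLENGE_SIZE = 3  # reset asks 3 of the enrolled answers, chosen at random

def normalize(answer):
    """Case- and whitespace-insensitive matching so 'Rex ' and 'rex' agree."""
    return " ".join(answer.lower().split())

def hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

def enroll(answers):
    """answers: {question_id: answer}. Returns {question_id: (salt, digest)} for storage."""
    if len(answers) < MIN_ENROLLED:
        raise ValueError(f"at least {MIN_ENROLLED} answers required")
    if not set(answers) <= set(QUESTION_POOL):
        raise ValueError("answer supplied for a question not in the pool")
    record = {}
    for qid, ans in answers.items():
        salt = secrets.token_bytes(16)  # per-answer salt
        record[qid] = (salt, hash_answer(ans, salt))
    return record

def issue_challenge(record):
    """Pick CHALLENGE_SIZE of the user's enrolled question ids at random (CSPRNG)."""
    return sorted(secrets.SystemRandom().sample(list(record), CHALLENGE_SIZE))

def verify(record, challenge, responses):
    """All challenged answers must match; every hash is checked so timing does not reveal which failed."""
    if set(responses) != set(challenge) or not set(challenge) <= set(record):
        return False
    ok = True
    for qid, ans in responses.items():
        salt, digest = record[qid]
        ok &= hmac.compare_digest(hash_answer(ans, salt), digest)
    return ok

# Constructed sample enrolment (not real data).
SAMPLE_ANSWERS = {1: "Rex", 2: "Maria Garcia Lopez", 3: "Lisbon", 5: "Elm Street", 9: "Volvo"}
```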

mccsecurityJune 15, 2009 4:31 PM

As I see it, one of the main problems with backup authentication is that the typical user has relatively low levels both of security sophistication and learning curve threshold for savvy approaches such as custom (i.e., user-defined) questions. In fact, I would bet that decision theorists can easily demonstrate why most users would much rather endure a simple bio-id process than a custom challenge/answer of their making.

In for a penny--in for a pound!

blogster99June 15, 2009 9:14 PM

I've got it! Why not just use two passwords! I would... It could at least be made an option by banking sites.

encrypt the passwords (one on each of two servers)... so if one server gets compromised.. the other still stands.

Steve PJune 17, 2009 6:34 AM

The bank I'm with uses lame 2-factor authentication. That is something you know, and, er, something you know.

Yeah, it had the usual range of obvious questions, the answers to which can be found in public records. So I picked the one that isn't public: my first pet's name.

I'm currently locked out of my account because although I can remember a 14 character completely random alphanumeric password, I couldn't remember which of the two pets my family had when I was born I had chosen...!

woodwakerJune 17, 2009 7:49 AM

The solution I use is Password Safe, originally written by Bruce. It will store an unlimited number of user ids and passwords. It also has a notes section for each entry. I list all of the secret questions and the random character answers. I use a different password for every site and different random answers for each. The program is free open source and works great.

SplashJune 17, 2009 8:49 PM

On all sites I use, you put in your 'name' and 'password' before being taken to the secret question page. So, once your 'name' and 'password' have been broken, all someone has to do is break your secret question. Why not have the option to put all three on the same page; that way, if someone tries to enter, they would have to guess all three, thus making it more difficult to break. Also, I use Password Safe (thanks Bruce) and Access Manager to store all my passwords and phrases.

Janet BarclayJune 21, 2009 8:55 AM

If your passwords are saved in a file, and you save the answers to your secret questions in the same file, when would you ever need those secret answers?

Clive RobinsonJune 21, 2009 10:06 AM

@ Janet Barclay,

"... when would you ever need those secret answers?"

If you lose control of the current password.

For instance, you get "shoulder surfed" or by some other reason your password gets "owned" by somebody else who then changes it on you.

You can (in theory) ask the system admin to reset the password.

This keeps the other person out and allows you to get back into your account to set a new password.

J in CAJune 25, 2009 7:49 PM

If I'm understanding Yahoo correctly, they want me to not only answer my "secret question" correctly -- they want me to tell them what my secret question *was*.

I have no idea which secret question I chose back in 1993 or so.

RobertJuly 8, 2009 7:17 PM

One site wanted my mother's maiden name and I entered a truthful response to it.
It was rejected as being too short!

Not ApplicableJuly 9, 2009 7:28 PM

Often my answer to these secret questions is along the lines of "Mind your own f***ing business", but that can be a little embarrassing when calling customer support.

MarabelleJuly 19, 2009 4:33 PM

Yahoo is now denying me access to my own email account(s) unless I give them two more freaking secret questions. It's a huge time waster and a bunch of cr@p. Clearly if you use correct answers, anyone who knows you well - like an ex-boyfriend! - can guess the answers. If you use fake answers, there's an increased likelihood you will have to write them down somewhere & they will be discovered. Either way it is STUPID and only decreases security. What's most interesting though is that when I use Firefox as my browser, Yahoo doesn't stop me at the gate; that annoying pop up demanding additional info does not appear. Sadly I can't download Firefox at work so I can no longer access my Yahoo accts until I get home. Which is why I am switching everything to Google mail this week & telling Yahoo to go *@%!#*& themselves.

SteveJuly 21, 2009 9:25 AM

Letting users make up a question is a bad idea. Too many do not understand the logic about good and bad questions so they will often create very insecure questions.

G 4 realSeptember 3, 2009 4:25 PM

The information Yahoo really wants and hopes to acquire is the "optional" data. The secret questions are not important to them.

DanielSeptember 16, 2009 12:16 PM

What I do with these questions is pick a random dictionary word, type it in 1337 speak, maybe even misspell it, and use it for all the sites, regardless of the question. Like a super password.

Of course this only works with those sites that allow you to type the answer. And if compromised all my accounts could be in jeopardy.

But it works better for me and does not use information that could be researched about me or my family.

Amrith KumarSeptember 27, 2009 5:08 PM

Someone pointed me to your blog post on HackerNews (http://news.ycombinator.com/item?id=846994).

Fascinating how little people think about things like this when handing out information.

LPOctober 15, 2009 2:00 PM

Regardless of whether secret questions in general are useful, Yahoo has managed to utterly fumble their implementation.

If an account has guessable secret questions, or if they are divulged, some 3rd party gains access, right? If the account owner changes the questions, the account should be locked up again.

Yahoo currently has a button on the 3rd screen of the password recovery process: "These are not my questions". Clicking this button reverts to the initial set of secret Qs for 45 days, allowing the intruder to regain access, and continue tinkering with the account. If your Yahoo questions are _ever_ exposed, you cannot secure your account unless the intruder decides to ignore your account for 45 days. Absolutely unbelievable.

Lawrence SimonMay 14, 2010 2:34 AM

I have not been on the computer for a while. I am now using a laptop which I just got up and running with a different internet provider. The questions that are being asked I cannot guess because I am being asked to identify people on Facebook that I only know by name.

Taylor DiconoMarch 21, 2011 1:38 PM

I want my email address from Yahoo mail to be changed right now, ok, because I don't want mean people to email me from it.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..