New Lows in Secret Questions

I've already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here's a new one, courtesy of the National Archives: "What is your preferred internet password?" I have been told that Priceline has the same one, which implies that this is some third-party login service or toolkit.

Posted on September 8, 2011 at 6:14 AM • 61 Comments

Comments

peg dash fab • September 8, 2011 6:34 AM

heh, when given the option of creating a secret question, i like to go with "what is your password?"

Jeroen • September 8, 2011 6:49 AM

When I worked for Atos Origin, the lost password procedure involved entering BOTH the secret question and the answer.

Clive Robinson • September 8, 2011 6:50 AM

I've heard some people refer to certain passwords used by people as "Hobbit Rings" or "Tolkien Passwords" because the password is the same for every account the person holds. Thus it's like the magic ring that could control all the others.

This is obviously a significant security risk especially when said user uses it for their work account as well, and uses their work EMail account name for what is effectively the username for the account...

Thus an attacker who can find out this either by being a Man In The Middle or having lifted the information from a site with low security (which happens so often these days we only bother mentioning it if it's Anonymous or LulzSec etc), has a good foothold for the start of an APT attack.

vwm • September 8, 2011 7:14 AM

To be fair, that's finally a "Secret Question" without an answer published at facebook, nor is it easy to guess.

Unless one happens to favour easy to guess passwords that are published at facebook. But then the "secret question" is not important, either.

Paul R. Dittrich • September 8, 2011 7:19 AM

I lost faith in all forms of passwords and secret questions a long time ago. There is a saying that "Locks are for honest people." and I would include passwords in that statement. Neither locks nor passwords will stop a determined professional [thief | hacker].

Years ago, a colleague asked "Why do I need to have so many passwords?" Rather than answering directly, I pointed at his keyring and asked him "Why do you need so many different keys? Wouldn't it be easier to have just one key to open everything?"

He looked at me like I was crazy and said "Well THAT would be dumb!"
(Unfortunately, he did not recognize the analogy between his keys and his passwords.)

Cornerstone • September 8, 2011 7:32 AM

What about the password that this ComodoHacker guy claims was used for the login: globaltrust and for the database: instantsslcms. I have no idea if this is true but if it is then there is something seriously wrong with the people who are managing the security there.

Mark • September 8, 2011 7:33 AM

So, presumably you are not using your preferred internet password at the National Archives? Why not? If you do use a common password on a number of sites, why would you use a different one here?

I hope they at least ask the question on an SSL https session.

Steve Jones • September 8, 2011 7:38 AM

I tend to put deliberately wrong answers in the "Mother's maiden name" box.

Hopefully, we'll be able to move to multi-factor security soon, like banks are doing, and Google even on gmail (using a code sent to your mobile).

Pete • September 8, 2011 7:41 AM

My initial reaction was the same - disgust. But thinking about it makes it actually seem somewhat clever. It is probably stronger than most other secret questions (I could imagine it being added in response to the outcry *against* secret questions). It usually comes with email request to reset password, and the good news is, you don't actually have to tell the truth.

At first glance, crazy. But I am now leaning towards this being helpful.

swim • September 8, 2011 7:42 AM

@peg dash fab

I did that whenever possible. Led to an embarrassing phone call to the state department of taxation when I forgot the password for their website (and, naturally, the answer to the "what is the password" security question).

uk visa • September 8, 2011 8:48 AM

@MothersSon
I wonder what the legal position is on say setting up a bank account (medical insurance could present an interesting case) with a clause 'all the info I've given is accurate to the best of my knowledge' and telling them your mother's maiden name is 4dAm3Y3fv9nIks?
I'm sure the banks would argue, if it suited them, that you'd knowingly given misleading information.
Interesting...

ramriot • September 8, 2011 8:54 AM

Strikes me that if I was unable to hack into said bank etc. but found they had a weak secret question toolkit, then I would inject a question into that which later I could use to exploit other sites?

Varjohaltia • September 8, 2011 9:17 AM

I just went to a site that insisted on offering me only a few US-centric questions that made no sense (high school mascot, football team name etc.) and I picked the only applicable question: a parent's birth city. However, upon entering it, the site informed me that it was too short and not acceptable. Not entirely sure what sense it makes to enforce a rule for minimum length in a name. And, yeah, not exactly hard to find info (nor are the high school things, I imagine.)

EdT. • September 8, 2011 9:28 AM

Even worse - the "register" page at Priceline.com doesn't use this as your "secret question" - they use this instead of "choose a password for your new account"!

Talk about a phisherman's wet dream...

~EdT.

GSE • September 8, 2011 9:30 AM

I actually started a blog about stupid security questions. I didn't really do much with it and forgot about it for a while, and when I tried to log back in I realized I'd forgotten my password. So, completely aware of the irony of the situation, I entered the name of my first teacher--Just that, nothing else, not even a birthday--and was allowed to reset the password instantly.

It's at http://stupidsecurityquestions.blogspot.com/

Sandro Hawke • September 8, 2011 10:06 AM

Whenever I see the secret question, I assume it's part of a two-factor system: I assume I will have to answer the secret question in order to have the password-reset link emailed to me. That seems like a reasonable system, so it's what I assume people use. Now I wonder if I've been wrong about it....

Matt • September 8, 2011 10:23 AM

I hit a website that had "What was your first grade teacher's name?" as one of the secret questions. Mine was (really) Mrs. Smith. The site wouldn't allow me to use that as my answer. I guess my real teacher was too generic. Odds are I wouldn't remember anything different I made up anyway, so I had to pick a different secret question.

Poster of Brucedom Currently Being Tracked by Bruce • September 8, 2011 12:14 PM

Well thanks, guys. I never thought of the password field as a secret secret question, "what is your password?" Now I'm wondering why I even try to answer those secret question setups correctly. I should go Dadaist. It's conceivably possible that both my first dog and some grade school teacher were both named "Fish Bicycle Bathtub." I sure don't remember.

mat • September 8, 2011 12:26 PM

HOW about - What are the best short bible verses? 2T#!UQD?FM(70V#XTV6&! and uploading a personal image with it

John E. Bredehoft • September 8, 2011 2:19 PM

I read your post just after reading a scam identification post in which the scammers send a fax to you, supposedly from the IRS, asking you to fax bank information back to the IRS.

If I'm asked for my preferred Internet password, I'd naturally assume a scam anyway.

Bridgekeeper • September 8, 2011 2:33 PM

What is your name?
What is your quest?
What is the airspeed velocity of an unladen swallow?

JimFive • September 8, 2011 3:51 PM

@ Paul R. Dittrich

[Re: Having only one physical key] He looked at me like I was crazy and said "Well THAT would be dumb!"
(Unfortunately, he did not recognize the analogy between his keys and his passwords.)

The problem with the analogy is this: Different physical keys allow different people to have different access based on their role. I have one key for my car, and one key for my house (all 3 doors). I can give my kid a house key, but he still can't drive the car. Passwords, however, are not meant to be shared. So, why shouldn't I use my one really difficult password for everything?

Note: Before everyone freaks out, I know answers to this, but your colleague doesn't.
--
JimFive

John David Galt • September 8, 2011 4:22 PM

@MothersSon: What's worse is sites that "sanity"-check the secret answer, so that you can't set your mother's maiden name to 4dAm3Y3fv9nIks. Then you're just hosed.

@JimFive: Just as the three doors to your house can have the same key, I don't see why you *can't* use the same password for many blog sites (where all someone could do by logging in as you is to post comments "from you"). Of course, the ones for sites like your bank need to be unique, because you can be hurt so much more if they are misused.

But of course if one of the blog sites has the weak back door that started this thread, then its password had better be unique just to save me the annoyance of resetting 50 different accounts just because somebody used that weak back door.

anonymous • September 8, 2011 6:01 PM

> The worst "security" question I've ever encountered:
> "What is your favourite season?"

hockey

Gabriel • September 8, 2011 8:23 PM

I guess fake two factor authentication and fake free checking go hand in hand.

Maybe the next security question that a bank should ask is: what is our favorite word? Answer: fees. That's about as secure as some of the facepalms referenced here.

Gabriel • September 8, 2011 8:25 PM

@Arthur: I think you found the backdoor that lets anyone in without knowing the answer.

Bill • September 8, 2011 8:47 PM

I once used a free email account whose security question was "In what year were you born?" And I got as many tries as I needed to get the correct answer. (I had deliberately entered fictitious information when I created my account, so I just kept entering years going backwards from 1970 until I got in.) Needless to say I stopped using that particular service.

Adam • September 9, 2011 3:18 AM

What bugs me most are sites where you click "I forgot my password" and they send it to me via email. What's the point of choosing a strong password if the site hasn't even bothered to hash it? If their site gets hacked (likely given their inability to hash & salt), then that strong password can be used everywhere else.
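Adam's point (a site that can e-mail your password back has stored it in the clear) and Bill's earlier one (a recovery question that allows unlimited guesses is brute-forceable) are both server-side storage and policy failures. The following is an added example, not code from this blog or from any of the sites discussed: it stores passwords and recovery answers only as salted PBKDF2 hashes and locks a recovery record after a fixed number of failed attempts. The iteration count, salt length and attempt limit are constructed values for the example; a deployment would pick its own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example. A production deployment would use a
# current guideline for the iteration count and its own lockout policy.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_RECOVERY_ATTEMPTS = 3


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password or recovery answer.

    The server keeps only these two values, so it cannot e-mail the original
    secret back to the user, and a stolen database yields per-record salted
    hashes rather than plaintext that is reusable at other sites.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate_digest = hash_secret(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


def normalise_answer(answer: str) -> str:
    """Recovery answers are compared case-insensitively with surrounding and
    repeated whitespace removed, so 'Smith ' and 'smith' match the same record."""
    return " ".join(answer.split()).lower()


class RecoveryRecord:
    """Stored recovery data for one account plus a failed-attempt counter.

    Walking through every plausible answer (each birth year, each season) only
    works if the server allows unlimited tries, so the record locks itself
    after MAX_RECOVERY_ATTEMPTS consecutive failures.
    """

    def __init__(self, question: str, answer: str):
        self.question = question
        self.salt, self.digest = hash_secret(normalise_answer(answer))
        self.failed_attempts = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_RECOVERY_ATTEMPTS

    def check(self, answer: str) -> bool:
        """True only if the answer matches and the record is not locked."""
        if self.locked:
            return False
        if verify_secret(normalise_answer(answer), self.salt, self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


if __name__ == "__main__":
    # Constructed sample account: after this line the answer exists on the
    # server only as a salt and a PBKDF2 digest.
    record = RecoveryRecord("In what year were you born?", "1968")
    print(record.check("1970"), record.check("1969"), record.check("1968"))
```

The same `hash_secret` / `verify_secret` pair serves the login password, which is the property Adam is asking for: a "forgot my password" flow on this design can only issue a reset, never disclose the old value.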

qwertyuiop • September 9, 2011 3:54 AM

@Paul R. Dittrich - I remember using this same question when a colleague asked why he had to have different passwords for everything. I was completely floored when he said he thought it would be really good to have just one key that opened everything!

I heard an amusing take on the question/answer issue by a comedienne here in the UK (I think it was Lucy Porter, but I may be wrong). It went something like this:

My bank has changed the password system it uses for customers to prove their identity when they phone up. Instead of having a standard set of questions you now get to choose the question and answer.
In future when I call up they have to ask me "And where do you think you're going dressed like that? Go upstairs and change immediately!".
I have to answer "I can wear anything I want - and anyway, you're not even my real dad!".

RonK • September 9, 2011 4:34 AM

@lazlo

Actually, it looks like they invested at least some thought to try to come up with questions which would be less likely to be able to be answered only via Google and Facebook searches, like the "favorite national monument" and the "favorite melon". The problem is that I don't believe that most people have strong opinions about those things (which is related to why they are "good" from the first point of view), so my guess is that most people would just pick the first item on the list.

Anyway, the basic idea behind recovery questions is rotten, so trying to "fix" it by choosing "better" questions seems silly to me.

@ xkcd

The xkcd reference combined with the WTF post makes me think of the inverse/dual: inviting someone to a "melon party" where hidden cameras are trying to decipher his preference.

Actually not totally disconnected from reality: I can imagine a spear phisher trying to direct someone to a fake Facebook game which supposedly ranks his preferences vs. the general public, where "national monuments" and "melons" are incidentally sandwiched in with chaff to make it less obvious what is going on...

Clive Robinson • September 9, 2011 5:29 AM

@ mpj,

"The worst "security" question I've ever encountered: "What is your favourite season"

It could be worse, how about one for the geeks from the geeks,

"Warning the account will lock after three incorrect entries,

Which is your favourite binary digit from the set {0,1}?"

Beta • September 9, 2011 8:59 AM

I worked at a company (handling classified information) where I could reset everything about my computer accounts by answering my two security questions. It's probably still a felony for me to reveal what they were, but one was of the form "what is worse than X?", with the answer "Y". One time I had to reset some passwords or something, and the guy on the phone goofed and asked me "what is worse than Y?", thereby proving that the answer was in the clear on the screen in front of him.

SB • September 9, 2011 9:07 AM

@uk_visa: "with a clause 'all the info I've given is accurate to the best of my knowledge' and telling them your mother's maiden name is 4dAm3Y3fv9nIks?"

I suggest you enter a name like "Jane Doe aka 4dAm3Y3fv9nIks".

dilbert • September 9, 2011 9:44 AM

Did you know this forum automatically masks all passwords if you type them into the comments box? Here's mine: **********

Give it a try!

Paul • September 9, 2011 11:21 AM

I just use a created system for my passwords, and it gives me a secure password for every site.

For each letter A-Z I created and memorized a 3-4 digit alpha-numeric sequence. For example, A=$3G. B=4Hl2, etc.. (those aren't the real ones). I found it fairly easy to memorize 3-4 digit groups, and it's only 26 of them.

Now, I just have very short easy to remember passwords for every site I regularly use. I remember my bank password as "money", but it is really the 15-20 digit sequence created by combining the associated sequences.

If someone breaks one, they won't gain access to any others.

Izi • September 9, 2011 9:01 PM

Are we sure that this question wasn't added by some enterprising hacker trying to gather more accounts?

Peter E Retep • September 10, 2011 2:43 PM

@ Paul
Ah, ha! You don't deal with any site that,
instead of retrieving a password,
forces you to create a new one,
and forbids the use of any old one
you have used in the prior calendar year.
Does a forcing of change make a system more,
or less, secure?

Quercus • September 12, 2011 7:26 AM

Well, speaking of XKCD, this is the one that came to my mind regarding the 'what is your password?' secret question:
http://xkcd.com/792

One improvement for the password harvesting scheme: for each user, every time they enter an incorrect password (that's not obviously a typo), store that as well; there's a good chance they've typed in a password for a different site by mistake.

Gabor • September 12, 2011 4:18 PM

Does anyone have experience using supergenpass.com ? You have one master password and based on the website URL (e.g. amazon.com or google.com) it will generate you a nice unique pass. Yes, you should not lose your master pass though..
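Paul's letter-to-chunk scheme, Peter E Retep's question about sites that force a change, and Gabor's mention of SuperGenPass all describe the same idea: derive every site's password from one memorised master secret. The following is an added example of that idea in the form a security engineer would write it, not Paul's actual table and not SuperGenPass's own code or parameters; the stretch salt, iteration count and output length are constructed for the example. It uses a keyed hash rather than a fixed substitution table, so a password leaked at one site does not reveal the chunks that build the others, and it carries a per-site `version` so a forced change at one site is a counter bump rather than a new master.

```python
import base64
import hashlib
import hmac

# Constructed constants for this example (not SuperGenPass's parameters).
MASTER_STRETCH_ITERATIONS = 100_000
MASTER_STRETCH_SALT = b"example-site-password-derivation-v1"
DEFAULT_LENGTH = 20
PASSWORD_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def normalise_site(site: str) -> str:
    """Map 'https://www.Amazon.com/ap/signin' and 'amazon.com' to one label,
    so the same site always yields the same password."""
    label = site.strip().lower()
    for prefix in ("https://", "http://"):
        if label.startswith(prefix):
            label = label[len(prefix):]
    label = label.split("/", 1)[0]
    if label.startswith("www."):
        label = label[4:]
    return label


def derive_site_password(master: str, site: str, version: int = 1,
                         length: int = DEFAULT_LENGTH) -> str:
    """Derive a per-site password from a master secret.

    The master secret is first stretched with PBKDF2 so that someone holding a
    derived password still faces a slow brute force of the master. Each site
    then gets HMAC(stretched_master, label || version): the outputs for two
    sites are unrelated, and a leak at one site says nothing about the others.
    Bumping `version` gives a fresh password for a site that forces a change,
    without touching the master secret or any other site's password.
    """
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 characters")
    stretched = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                    MASTER_STRETCH_SALT, MASTER_STRETCH_ITERATIONS)
    message = f"{normalise_site(site)}|{version}".encode("utf-8")
    tag = hmac.new(stretched, message, hashlib.sha256).digest()
    # URL-safe base64 of 32 bytes is 43 characters from A-Z, a-z, 0-9, '-', '_'
    # once the single trailing '=' is removed; take the requested prefix.
    return base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed master secret for demonstration only.
    master = "correct horse battery staple"
    for site in ("amazon.com", "https://www.Amazon.com/ap/signin", "google.com"):
        print(f"{site:40} {derive_site_password(master, site)}")
    print("amazon.com after a forced change:", derive_site_password(master, "amazon.com", version=2))
```

The practical cost of any such scheme is the one Gabor names: the master secret is a single point of failure, so it should be long, never entered into any site, and the derivation software itself has to be trusted. Recording which `version` each site is on is the only state the user needs to keep.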

Brad Howard • September 15, 2011 2:16 PM

This reminds me of "flag" buttons and "report offensive content" buttons that exist on most blogging sites. The Obama-Biden campaign blog in 2008 had a "report offensive content" button beneath their own contents, surely this is not something any blogger would want.

The near ubiquity of such buttons gives rise to the inference that they are an integral part of some system. As an analogous illustration of the existence of another ubiquitous feature, try building an ecommerce check-out site that accepts visa and mastercard without using a shopping cart icon on your site...
