Secret Questions Blow a Hole in Security

By Bruce Schneier
ComputerWeekly
April 4, 2008

It's a mystery to me why websites think "secret questions" are a good idea. We sign up for an online service, choose a hard-to-guess (and equally hard-to-remember) password, and are then presented with a "secret question" to answer.

Twenty years ago, there was just one secret question: what's your mother's maiden name? Today, there are several: What street did you grow up on? What's the name of your favorite teacher? What's your favorite colour? Often, you get to choose.

The idea is to give customers a backup password. If you forget your password, then the secret question is a way to verify your identity. It's a great idea from a customer service perspective - users are less likely to forget their first pet's name than some random password - but terrible for security.

Easier to crack

The answer to the secret question is much easier to guess than a good password, and the information is much more public. I'll bet my childhood address is in some database somewhere. And worse, everybody seems to use the same series of secret questions.

The result is that the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). The security of the entire system suffers. I'm sure the designers of the system thought the fallback system would only be used rarely, when a user forgot their password. But any good security engineer realises that bad guys can force the failure whenever they want, and that the whole security of the system rests on the security of the weaker of the two subsystems.

What can be done? As a customer, my usual technique is to type a completely random answer for the security question. I madly slap at my keyboard for a few seconds, and then forget about it. This ensures that an attacker has little chance of bypassing the password protection by successfully guessing the answer to my secret question, but it is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. Yes, it was a right pain.
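The two points above, that an attacker who can choose the recovery path makes the account only as strong as the weaker of password or secret question, and that a randomly generated answer removes the weak path, can be made concrete with a small model. The following Python is an added example, not part of the essay; the guess-space sizes (a 16-option "favourite colour", an eight-character alphanumeric password, a rate limit of ten tries per path) are constructed illustrations, and the assumption that each path gets its own independent attempt budget is mine.

```python
"""Model a login that accepts EITHER the password OR the secret-question
answer, and show why the combined strength is bounded by the weaker path.
Constructed figures for illustration; not data from the essay."""
import math
import secrets
import string

# Alphabet used for the keyboard-mashing style random answer below.
ALPHABET = string.ascii_letters + string.digits

# Constructed guess-space sizes for common secret questions (assumed, for
# illustration only). A password of 8 alphanumeric characters has 62**8.
ASSUMED_ANSWER_SPACES = {
    "favourite colour": 16,          # a handful of colours cover most people
    "street you grew up on": 50_000,  # and it is often in a public record
    "first pet's name": 20_000,
}
PASSWORD_SPACE = 62 ** 8


def bits(guess_space: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `guess_space`."""
    return math.log2(guess_space)


def success_probability(guess_space: int, attempts: int) -> float:
    """Chance a uniform secret is guessed within `attempts` online tries."""
    return min(1.0, attempts / guess_space)


def either_path_probability(password_space: int, answer_space: int,
                            attempts: int) -> float:
    """Attacker wins if EITHER the password OR the answer guess succeeds.

    Assumes rate limiting is applied per path, so the attacker gets
    `attempts` guesses against each (an assumption of this example).
    """
    p_pw = success_probability(password_space, attempts)
    p_q = success_probability(answer_space, attempts)
    return 1.0 - (1.0 - p_pw) * (1.0 - p_q)


def effective_bits(password_space: int, answer_space: int) -> float:
    """Strength of password-OR-answer is (almost exactly) the weaker path."""
    return min(bits(password_space), bits(answer_space))


def random_answer(length: int = 24) -> str:
    """The essay's 'slap the keyboard' defence, done with a CSPRNG.

    Store the result in a password manager; the point is that the answer
    then has no relation to any public fact about you.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compare_paths(attempts: int = 10) -> dict:
    """Per-question summary: attacker success within `attempts` tries via the
    question alone, versus the password alone, versus either path."""
    out = {}
    for question, space in ASSUMED_ANSWER_SPACES.items():
        out[question] = {
            "answer_bits": round(bits(space), 1),
            "password_bits": round(bits(PASSWORD_SPACE), 1),
            "p_question": success_probability(space, attempts),
            "p_password": success_probability(PASSWORD_SPACE, attempts),
            "p_either": either_path_probability(PASSWORD_SPACE, space, attempts),
            "effective_bits": round(effective_bits(PASSWORD_SPACE, space), 1),
        }
    return out


if __name__ == "__main__":
    for q, row in compare_paths().items():
        print(f"{q:24s} answer={row['answer_bits']:>6} bits  "
              f"p(either)={row['p_either']:.3f}  "
              f"effective={row['effective_bits']} bits")
    print("random answer:", random_answer())
```

With the constructed figures, the 47.6-bit password contributes essentially nothing once a 4-bit "favourite colour" answer sits beside it: ten guesses give the attacker a 62.5% chance through the question, and the combined probability is indistinguishable from that. Replacing the answer with `random_answer()` raises the fallback path to roughly 143 bits, so the weakest link is the password again, which is the condition the essay argues for.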

Which is maybe what should happen in the first place. I like to think that if I forget my password, it is really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it. I know this is a customer service issue, but it's a security issue, too. And if the password is controlling access to something important - like my bank account - then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.
