Tuesday, May 9, 2017

Are security questions secure?

Many online sites have a mechanism where a user who has forgotten a password can get a new password by answering one or more 'secret' questions.  In some cases these questions may be used as a second authentication factor.

The questions tend to be of the form "what was the name of your first pet," or "what is the name of your first grade teacher."  They are intended to be personal but also easy to remember.

The problem with this is that it may be possible to learn enough about a person using open source intelligence tools to answer these questions correctly.  In 2008, VP Candidate Sarah Palin had her Yahoo e-mail account hacked by a young man who correctly answered security questions about her birth date and where she first met her husband.

Even worse, a researcher at the University of Washington has pointed out that popular surveys encountered on social media could provide enough information to compromise these questions.  For example, consider the currently popular survey in which a person lists 10 concerts, 9 of which they have actually attended.  The game is to figure out which of the 10 they have not attended.

Although this seems harmless, and in most cases is harmless, it is possible to develop a profile of the users age, culture and interests from these surveys.  The general advice is that "secrets make bad passwords when those secrets can be discovered or guessed."

So what can you do?  In many cases the secret questions are required.  My advice is simple, answer the questions but lie, and remember the lie.  It helps if you have a basic scenario, such as Star Trek, to use in constructing your lies.  For example - "What was the name of your first pet?"  Answer: "Tribble."   "What was the name of your High School?"  Answer: "Starfleet Academy."

If you have a scenario in mind (Star Trek, Harry Potter, Lord of the Rings, etc.) it will be easier to construct lies that can be remembered.  Just make sure the scenario cannot be easily determined from your online presence.

No comments:

Post a Comment