Security Questions – Good, Bad and Just Plain Ugly

Most of us, at one time or another, have forgotten a password for a website. So we go to the ‘Forgot Your Password’ link, answer a simple question, and the password is reset or we get access to the account to choose a new password.

A recent blog post from Proskauer Rose LLP looks into this issue and quotes a study by researchers from Microsoft, and Carnegie-Mellon University called “It’s no secret. Measuring the security and reliability of authentication via ‘secret’ questions”.

Here’s the abstract from the paper describing the study:

All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail.

We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers.

Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.

Not very reassuring. But here are some basic precautions that you can take, and things that you should do:

• For Your Own Protection
• If You’re Running a Website
• If You’re Developing Security Awareness Training

For Your Own Protection

You can protect yourself by doing some very simple things:

1. If you have to provide an answer a preset question where you think that a criminal could discover the answer by simple research (e.g. what’s you mother’s maiden name, which city were you born in …), lie. That’s right – invent an answer that you can remember but that won’t be listed on Facebook or recorded in a database somewhere. For example, you might have been born in Atlantis, your high school might have been Albert Einstein High, and your favorite flower might be a cactus – the possibilities are endless!
2. If the system accepts your answer and then emails your password to you, change it immediately for this and all other accounts where you use it. I can’t stress this enough. Once the password is included in a plaintext email sent across the Internet, there could be copies of it floating around for decades to come on servers that could be compromised by hackers.
3. Remember that there are accounts that don’t matter too much – like your fantasy football team – and other accounts that matter a great deal – like your bank account! So use different question/answer combinations for each.

If You’re Running a Website

If you’re responsible for setting up a system that’s going to use security questions, consider the following.

1. Try to avoid questions where the answer could be guessed by an acquaintance, discovered by a criminal doing some basic research, or guessed (because the answers are statistically common or there are a limited number of options). Here are some examples of poor questions:
   • Where were you born?
   • Where did you grow up?
   • Which elementary school did you go to?
   • What color are your eyes?
   • What’s your favorite flower?

    

2. Require the correct answer to more than one security question before resetting a password or allowing access.
3. If you track account activity – for example, you’re running an ecommerce site – ask a question that relate to the user’s account activity, such as:
   • When was your last login?
   • During what month did you last make a purchase?
   • What was the approximate amount of your last purchase?

    

4. Asking for date of birth or mother’s maiden name might seem like a good idea – after all, a user is unlikely to forget this information. But it’s often pretty easy for a criminal to track down with little more than a Google search, and it could also mean that your database falls under state and/or federal laws (if it doesn’t already do so) since it now contains personal information, and this could result in a host of new compliance issues.
5. It seems pretty obvious but it’s worth mentioning again … don’t allow unlimited attempts at guessing the answer. Refer the user to a representative to follow up if necessary.
6. When the user answers the security question correctly, don’t simply provide them with their password or reset it and allow them access to the account. It’s much better to email a reset password link or a randomly generated one-time password – but not the original password itself – to the address that you have on file. Of course, you also need to have a mechanism for dealing with the case when they no longer have access to that email account.
7. Why not email the original password? Because the user may well be using the same password on many other accounts, and you’ve now sent it in plain text across the Internet where a hacker or criminal could find it sometime in the future.

If You’re Developing Security Awareness Training

So how does this all apply to Security Awareness Training?

1. At the very least, you should include the advice listed in the section above called For Your Own Protection in your end-user training.
2. Someone (if not you, then the IT department) should create some advice for your developers based on the advice in the section above called If You’re Running a Website.