Secret security questions deemed insecure




Or just the fact that I never put in a proper answer for those and get asked them so infrequently I need to have a text file with my answers of "FooBar1234abcd" or whatever bit of silliness I picked, as I never remember what all strangeness I would have done to a regular answer.


Bruce Schneier wrote about this ten years ago:


For accounts that are not vital and that don’t have any sensitive contents (i.e. banking or personal info) I don’t really care much about the security questions, plus the passwords for those are different than for my sensitive accounts, which is different from my email pass as well. For the sensitive accounts I usually answer the security questions with semi-unrelated things: if the question is what street did you grow up on, I answer with my hometown.


Can I just point out that it’s very disturbing that Google was able to do this study? It strongly implies that when they save security questions, they don’t salt and hash them like they (almost certainly) do with passwords. Saving the plain-text answers to security questions is an incredible security hazard.

I suppose that they could have a thing where, when the security question arrives from the user, it salts and hashes it for their account management database but also sends the plain-text security question to another database used for this study, and disassociates each security question from the user-name. That would be better, but still not great.


Once upon a time when I worked on a non-Google e-mail system, security questions and their responses (actual answer and last 10 attempted responses) were visible to account support people, as was the password and the last two or three historical passwords. That was a long time ago, so maybe things are different now, but at the time they were vital to untangle things like hostile takeovers of accounts.


Alternatively they bruteforced them. (:

I use algorithmic answers to passwords and these “secret” security questions. This way I only need to remember a couple of formulas and I have unique passwords and security questions for every site.

This isn’t perfectly secure of course: if I was targeted by a human (instead of a computer) who was able to get a couple of my passwords, they would probably be able to reverse engineer the algorithm I used, which would then probably allow them to access some of my other services. But my assumption is that if a human targets you personally, then even the most secure methods involving passwords are void.
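As an added example of an "algorithmic" scheme of the kind the comment above describes (this is not the commenter's own formula, and the function names, the word list and the salt string are assumptions made for illustration): instead of applying a mental transformation to a real fact, derive each answer from a keyed hash of the site name and the question. The master secret is stretched once with PBKDF2 and then used as an HMAC key, so an answer leaked from one site reveals nothing about the answers used elsewhere.

```python
import hashlib
import hmac

# Constructed word list for this example; any fixed list works, but it must
# never change, because changing it changes every derived answer.
WORDS = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
    "indigo", "jasper", "kelp", "lumen", "marble", "nectar", "orbit", "pepper",
    "quartz", "raven", "saffron", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "bramble", "cinder", "dune", "ferric", "glacier",
]  # 32 entries: 256 % 32 == 0, so (byte % 32) selects a word uniformly


def site_key(master_secret: str, salt: str = "security-answers") -> bytes:
    """Stretch the memorised master secret once; the result is the HMAC key.
    The salt string is a fixed, assumed constant, not a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                               salt.encode("utf-8"), 100_000)


def derive_answer(key: bytes, site: str, question: str, n_words: int = 3) -> str:
    """Deterministic, site- and question-specific answer: n_words words plus a
    4-digit suffix, all read out of HMAC-SHA256(key, site || question).
    Site and question are lower-cased and stripped so minor retyping
    differences still yield the same answer."""
    label = f"{site.strip().lower()}\n{question.strip().lower()}".encode("utf-8")
    digest = hmac.new(key, label, hashlib.sha256).digest()
    words = [WORDS[digest[i] % len(WORDS)] for i in range(n_words)]
    suffix = int.from_bytes(digest[-2:], "big") % 10000
    return "-".join(words) + f"-{suffix:04d}"


if __name__ == "__main__":
    key = site_key("correct horse battery staple")  # constructed master secret
    for site, question in [("example.com", "Mother's maiden name?"),
                           ("example.com", "First pet's name?"),
                           ("other.example", "Mother's maiden name?")]:
        print(f"{site:14} {question:24} -> {derive_answer(key, site, question)}")
```

The trade-off is the one the commenter already names from the other direction: whoever learns the master secret gets every answer at once, and nothing here protects against the site itself storing the answer badly. The derivation also has to be reproducible later, so the site string you type must be the one you used originally (hence the lower-casing and stripping).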


My pet peeve about security questions (the ones you can’t write yourself) is how much they assume about your life. Not everyone has pets; not everyone wants to remember the name of their first romantic partner.


I find these types of security questions to be particularly annoying for business accounts. If we have an online account with an office supply company or courier or whatever, sometimes we’re forced to use these kinds of personal identifier questions for password security. The problem comes when someone is absent or there is turnover; no one can remember the mother’s maiden name of someone who hasn’t worked at the company in six months or the favourite food of someone who is sick on the day when an order has to happen.


Mother’s maiden name and city of birth aren’t exactly immune from a little online search.


The security question is supposed to be a password that’s validated by a human, not a hashing algorithm. You’re not expected to remember the case or other technicalities, just to demonstrate knowledge of the correct answer. It doesn’t matter if you wrote “Lincoln High School” initially, “lincoln high” should be a valid answer.

Admittedly, that’s not how secret questions are always used, sometimes they’re evaluated in the exact same way as your actual password. So then you just have two passwords, and one of them is pretty easy to guess.
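Two of the comments above make complementary points: answers should be stored salted and hashed like passwords rather than in plain text, and they should be compared leniently rather than byte-for-byte. The Python sketch below, added here as an illustration and not code from Google, from the blog or from any commenter, combines the two: it canonicalises the answer (accents stripped, case folded, punctuation and spacing collapsed) before hashing it with PBKDF2-HMAC-SHA256 under a per-answer random salt, and verifies with a constant-time comparison. The function names, the iteration count and the ASCII-centric normalisation are assumptions for the example. It also shows the limit of the approach: "lincoln high" cannot match a stored hash of "Lincoln High School", because word-level leniency needs the plaintext (or a separate hash of each accepted form).

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256, kept modest so the example runs quickly.
# A real deployment would use a memory-hard KDF (scrypt/Argon2) or a higher count.
ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so that case, accents, punctuation and spacing
    do not matter: 'Lincoln High School!' -> 'lincoln high school'.
    Assumption: answers are Latin-script; other scripts are reduced to spaces."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    text = text.casefold()
    text = re.sub(r"[^a-z0-9]+", " ", text)  # any punctuation/whitespace run -> one space
    return text.strip()


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> dict:
    """Return the record to store: per-answer random salt, work factor and digest.
    The plaintext answer itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(candidate: str, record: dict) -> bool:
    """Normalise the candidate the same way, re-derive and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"),
        record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    stored = hash_answer("Lincoln High School")
    for attempt in ["lincoln high school!", "  LINCOLN   HIGH-SCHOOL ", "lincoln high"]:
        print(f"{attempt!r:30} -> {verify_answer(attempt, stored)}")
```

Because the normalisation shrinks the space of distinct answers, it also makes guessing slightly easier; that is acceptable here only because the answers were never high-entropy to begin with, and it is why a study like the one in the post can only be run over plaintext answers or over hashes of a small candidate set.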


I had an “oh, duh” moment recently when someone pointed out that those silly games where you figure out your porn star name (First pet, mother’s maiden name) totally give this stuff away.


More times than I can count – and several times recently – I’ve been trying to head off some imminent crisis, and needed to log in to something-or-other and needed to get someone else’s password to do so – and then found out the password is a shared password everyone knows, usually “the same one we use for everything”, or written down in an easy-to-find place. And naturally, such passwords are generally very weak. It’s a recurring experience that every rule I can think of about password handling is routinely violated – and that every business and every household I’ve encountered since computer networking became commonplace depends on this. More than once, I’ve needed a password and had no access to my password vault, and found myself thinking, “If I’d actually followed the rules, I’d be totally screwed right now.”

In fact, another episode of this came up as I was typing that last paragraph.

I’d go so far as to suggest that with rare exceptions, if a password is strong, unique, never shared, and stored securely, it’s probably not a password that really has any importance.

Given that it’s a routine experience that people’s personal and employed lives depend upon ignoring or bypassing rules about passwords, why even bother pointing out that security questions are insecure?


I especially hate the subjective questions - favourite pet, favourite food, best friend in grade school, etc. Really? How is one a) supposed to choose, and b) able to remember?


I had my high school on a set of accounts long ago as one of the answers and I had not capitalized for one account and had capitalized for the second. I kept using the wrong one and getting sent back to the beginning of the verification. On another secret question I could not remember how I had spelled the answer to a particular question but it was handled by humans … so no worries… No: “Could you tell us the 5th letter of your secret question?” fortunately it was a human who could understand reality and got the computer to serve up another verification.


Yes yes yes! It drives me nuts that I have to choose from a specific list of security questions that may or may not fit my life. Usually they do not, and as a result, I wind up picking the most guessable ones.

It seems to me that a better system would be to require the user to enter a challenge question AND a challenge answer. That of course would have the weakness of allowing stupid questions (“what is two plus two?”), but at least it would allow secure ones as well.


I do the same, entering these made-up answers in 1Password alongside passwords etc. My dad’s middle name is different on every site I use, and always more unusual than “John” (which is not his middle name, incidentally). I expect that given enough breakins into enough sites, my truly personal information would be exposed over time, so it’s better not to use it in the first place.


People think your answers to these questions have to be literally true? Or even conceivably true? Not just ‘something you’ll remember’? (e.g., “Favorite color: 23 skidoo!”, “Mother’s maiden name: Nabisco”)

Yeah, okay. Who am I to judge?


That kind of thing is how Sarah Palin’s Yahoo email was hacked, wasn’t it?


What about using something (online) like Passpack @TobinL?