Wednesday, August 18, 2010

Truly secure security questions

Organizations from financial services companies to e-commerce web sites have implemented "security questions" in the log on process. The idea is that, in addition to a username and password, your answering these questions correctly, helps authenticate you to a system.

The idea is good: Provide an answer to a question that only you could know is the correct answer.

But many of the questions are weak, either because they're answerable from publicly available information (mother's maiden name; what if that is her name?), or there's a special format to entering them (case-sensitivity is often a problem).

In addition, security questions seem to be bundled by particular vendors, so a user might get the same questions from organization to organization. This could be an advantage for the user, but also for the cracker, acting like single sign-on. For opinion-based or favorites questions, there's a memorability problem: How did I answer this question last time? Did I answer it the same way on all the sites I've chosen it on? The answers to questions of "favorites" change over time. What's your favorite color? This is a question that, if answered incorrectly, can have dire consequences.

Which leads to a classic workaround: Choose the most outlandish question in the list and answer it with a passphrase. Have to answer multiple security questions? Answer them all with the same passphrase. This subverts the purpose of the questions, but makes it easier for the user as she crosses the hurdles to making an investment, making a purchase, or getting lab results from her health care provider.

And so, I offer some of the most ridiculous *real* security questions, followed by some that some friends brainstormed during a rant about this so-called security mechanism.

Garry Scoville writes regularly about security questions and related topics at http://goodsecurityquestions.com. He's an authority on what makes a less weak question (asserting all the time that there are no good security questions). His list of examples is excellent.


Real, ridiculous security questions
Among the real security questions used in real systems are some of these gems, which I've borrowed from goodsecruityquestions.com:

What is the name of the High School you graduated from? (What if you didn't graduate?)
What is your pet's name? (What if you don't have pets?)
How many bones have you broken? (In my own body or someone else's?)
On which wrist do you wear your watch? (The third one)
What is the color of your eyes? (Seriously? It says that on my driver's license)
What is your favorite teacher's nickname? (Mine for her? Or hers for her?)
What is the name of your hometown? (You think I might have moved once in my life?)
What is the color of your father’s eyes? (He has eyes?)
What is the color of your mother’s eyes? (The ones in the front of her head or the back?)
What is your favorite color? (Blue! No - green! Ahhhhh!)
What was your hair color as a child? (Either black or white because that's what color the photos are.)
What is your work address? (I work at home. Hmmm.)
What is the street name your work or office is located on? (Why don't I just tell the hacker what room the PC is in?)
What is your address, phone number? (And, by the way, the list of passwords is stored in the top right drawer.)



Questions I wish they'd ask

What was your first boyfriend's favorite car brand?
What color was your first grade teacher's house?
How long did your first pet live?
When will global warming end?
Why did your girlfriend say that about your mother?
Why am I soft in the middle?
How can you live in the city?
How dare you?
What is the point of these questions?



What's your favorite security question? 

24 comments:

  1. Of course they should ask "do these questions make me look fat?". Right?

    ReplyDelete
  2. Which is your favorite Rutherford B. Hayes presidential campaign speech?

    ReplyDelete
  3. One of Scoville's excellent questions: "What is the middle name of your youngest child?" OH NO! Which one? He has 2 due to parental indecision.

    ReplyDelete
  4. How much wood could a woodchuck chuck?
    What happens when an irresistible force meets an immovable object?
    What is the sound of one hand clapping?
    Why is my voice so annoying?

    ReplyDelete
  5. How would you prove you are who you say you are?

    What's that lump on my neck?

    Where has my baby gone?

    ReplyDelete
  6. Which fetish excites you the most?

    How would your friends describe you?

    What's the philosophy you use when choosing desserts?

    What was your most glorious moment of victory?

    What are your career aspirations?

    ReplyDelete
  7. Why didn't you live up to your parent's expectations?

    Who could it be now?

    You're not wearing that shirt outside, are you?

    Why is a raven like a writing desk?

    Why don't Americans use the metric system?

    ReplyDelete
  8. To steal a page from Deborah Tannen: You're wearing that?

    And, Why do they always call at dinner time?

    ReplyDelete
  9. Mrs. Robinson, are you trying to seduce me?

    ReplyDelete
  10. Do you think I should see a doctor about this?

    To be, or not to be?

    Did you see where I left my glasses?

    Most regrettable hair style from junior high?

    ReplyDelete
  11. After giving it some thought, my favorite security question is "What is your favorite security question?"

    ReplyDelete
  12. Bueller? Bueller? Anyone? Bueller?

    ReplyDelete
  13. On a serious note (if this thread can handle that!) — we recently did a study where corporate customers were creating accounts with a program and being asked for security questions. They noted that "What street did you grow up on?" or "What's the name of your first pet?" don't make sense in the context of a company. Or that there's turnover in who manages the account and subsequent managers may not know the security questions from the previous users.

    Have you thought about what makes a good security question for companies? Obviously "What year was the company founded?" is not very private or secure — but what could work in this situation?

    ReplyDelete
  14. Brynn, I'm not clear about the context for the security questions. Is this a B2B situation? Or users within a corporation? Or... something else?

    Why on earth did they need this level of "authentication," anyway?

    ReplyDelete
  15. This was just a regular old account creation process (username, password, security questions) but for users who had to manage the administrative access of a suite of programs for their team. They needed to login to get new licenses for new employees or add new programs (i.e. purchase) to their suite.

    Thus, they had to login with their account to manage all this stuff. But it wasn't really a personal account, because the users themselves were really representing the company who bought the many licenses. And they noted that when they leave the company and the next admin steps in, they'll have the same ol' security question about what street they grew up on — which wouldn't make any sense.

    Does that help clarify things?

    The broader issue is security questions for company-sponsored accounts. If I'm creating an account for my company or that several people may use jointly, personal security questions don't make much sense!

    ReplyDelete
  16. Yes, that does clarify things quite a bit. Thanks.

    What this tells me is that we're authenticating in the wrong place. It makes sense to identify a user who is an admin. But what is needed is some proof that this person is authorized to take this action, which is different from authentication.

    My design suggestion would be to remove the security question for the admin user and set up an authorization table for the people who log in as admins.

    ReplyDelete
  17. Interesting point. Yeah, right now all accounts are treated equally (for the most part, right?). And so with an authorization table as admins turn over, new admins can be added with their own credentials (for example)?

    ReplyDelete
  18. Yes, that's the idea. But the authorization table also has to be secured. So whoever owns that must make sure it is encrypted, etc.

    ReplyDelete
  19. Okay, more questions:

    Are you talking to me?
    You're going to call, right?
    Why didn't he call?
    Where did you get that?
    What are you looking at?

    ReplyDelete
  20. What was your previous password?

    What do you mean by that?

    Seriously, I think "mother's maiden name" is one of the most ridiculous ones. Many banks use that for call-in help, and I always read them the riot act when they give it to me.

    ReplyDelete
  21. Who wears a wristwatch any more, anyway?

    ReplyDelete
  22. I read some commentary once (don't remember where) on the foolhardiness of allowing users to create their own security questions. Now, whenever I run across one of those, I start thinking of questions designed to embarrass the poor customer service representative who might have to actually ask it over the phone, such as:

    Why do I find you so attractive?
    Do you have any pot?

    The aforementioned "Do these pants make me look fat?" works here too.

    ReplyDelete