Tuesday, January 30th, 2007 11:19 am

There's a growing trend in web e-commerce sites to "improve" site security by adding a "secret question" to the identifying information for the user.  It's well-intentioned, usually.  But it's almost invariably poorly implemented.

You want me to be able to prove my identity by answering a "secret" question to which only I would know the answer?  OK, fine.  Then let me pick the question.

But this isn't what most sites do.  They typically let you pick one question from a list of three to five.  Sometimes, they pre-pick the question; you don't get a choice at all.  ING Direct goes slightly better than the usual run of this; they provide a list of eight possible questions, from which you must pick and answer five.  When called for, they will use one randomly-selected question from the five you chose.

The problem is that, invariably, most — if not all — of the questions offered for your selection are questions to which the truthful answer is a matter of public record.  Your city of birth, for example, or that old standby beloved of banks and credit-card companies, your mother's maiden name.  What's worse, in many cases, if you forget your password, you can gain access to your account by answering the secret question instead.  So anyone who wishes to gain access to your account need only research the answers to those four or five most common "secret" questions — a much easier task than cracking or otherwise compromising your password, since the vast majority of users will answer those questions with the correct answer.

The slightly more sophisticated user recognizes that to answer these non-secret "secret" questions with a truthful answer which can be readily found in public records is a security weakness, not a security measure, and so will provide false answers to the questions; but then there's the problem of remembering which false answer you supplied to which question on which site.  And that means that either you develop a system of some kind (which could be as simple as, say, answering every "secret" question with "Madagascar"), or you write your answers down somewhere accessible.  It's not hard to come up with a system.  But the honest fact is, most security-unaware average users aren't going to even realize they need to do it.

The upshot of it is, the "secret question" tactic, as commonly implemented by 90% of web sites, does not improve security; it weakens it, sometimes drastically.

As noted above, there's an astoundingly simple measure for making the "secret question" gambit an actual, real security improvement:  Let the user pick the question, as well as the answer, and disallow questions to which the answer is likely to be trivially available from public records.

So why don't more sites use it?
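One way to implement the measure proposed above, as an added example that is not code from the post or from any site it names: the user supplies the question, a filter refuses public-record topics (the filter a commenter describes), answers are normalized so case and punctuation slips do not lock the user out, and the stored form is a salted slow hash, as for a password. The term and common-answer lists are constructed for illustration.

```python
# Added example, not from the post or any site it names: a policy check for
# user-chosen security questions (refuse public-record topics, as the post
# proposes), plus answer normalization and password-style storage. The word
# lists are constructed for illustration.
import hashlib
import hmac
import os
import re
import unicodedata

# Topics whose truthful answer is usually a matter of public record (constructed).
PUBLIC_RECORD_TERMS = ("maiden name", "born", "birth", "license plate",
                       "licence plate", "street", "school", "pet", "zip",
                       "postal", "phone", "employer", "anniversary")
# Answers common enough to be guessed from a short list (constructed sample;
# a commenter notes popular-pet-name studies as one such source).
COMMON_ANSWERS = {"smokey", "fluffy", "killer", "sasha", "max", "bella",
                  "madagascar", "password", "none", "n a"}

def normalize(text: str) -> str:
    """Lower-case, drop accents and punctuation, collapse whitespace, so
    'Springfield, IL' and 'springfield il' compare equal at reset time."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(text.split())

def check_question(question: str, answer: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems, q, a = [], normalize(question), normalize(answer)
    for term in PUBLIC_RECORD_TERMS:
        if re.search(rf"\b{re.escape(term)}\b", q):
            problems.append(f"question is about a public-record topic: {term!r}")
            break
    if len(a) < 4:
        problems.append("answer too short after normalization")
    if a in COMMON_ANSWERS:
        problems.append("answer is on the common-answers list")
    if a and a in q:
        problems.append("answer appears in the question text")
    return problems

def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Store the answer like a password: salted, slow hash of its normalized form."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return salt, digest

def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)
```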

Tuesday, January 30th, 2007 04:30 pm (UTC)
ING lets me pick the question. I think I set it to something like what my original password was when I was a kid.

But yeah, those things do weaken security. Even narrowing down the password to maiden names, if it weren't public knowledge, would give it only a few thousand possibilities, right?
Tuesday, January 30th, 2007 06:05 pm (UTC)
Yeah, I've always had a problem with these things, and have a standard set of made-up answers.
Tuesday, January 30th, 2007 06:10 pm (UTC)
I suspect that without knowing the importance of picking an unusual question with a unique answer, the vast majority of users would just pick one of the same boring public-record questions that would otherwise get asked anyway, thus defeating the purpose.
Tuesday, January 30th, 2007 06:16 pm (UTC)
That's why you filter for terms like "maiden name", "license plate" etc and say "Sorry, you can't use that as a security question, the answer can probably be found in public records about you."
Tuesday, January 30th, 2007 06:22 pm (UTC)
There's at least one work-related web site I use which doesn't even DISPLAY the secret question! I had to guess which one I had answered....

Another requires the answers to three of the five secret questions, all of which are vague and indefinite and have answers which are CASE SENSITIVE.

The question I like least is "What was the name of your favorite pet?" since I have at least two. "Street where you grew up" is second since I moved a fair bit.

Tuesday, January 30th, 2007 06:37 pm (UTC)
I'm all in favor of case sensitivity. You can do things like, say, capitalize every third letter, or use selective capitalization to embed the value of pi into your answer.
Tuesday, January 30th, 2007 10:19 pm (UTC)
If you're going to remember to do all that, why can't you remember the password?

I run into difficulties like "How many Ns and how many Ls in my city of birth? Did I spell out the state or use the abbreviation? Did I use a comma?"

Tuesday, January 30th, 2007 07:47 pm (UTC)
It's fairly easy to come up with the name of a favorite pet, with only a few filter choices, which makes it a bad choice. That's because most people are fairly unimaginative about their pet names. Smokey, Bosco, Moggy, Sasha, Killer, Fluffy, Stripes... There have been studies done of the most popular pet names. Just plug in the list to try them and go...
Wednesday, January 31st, 2007 04:32 am (UTC)
Because most people don't care?
Wednesday, January 31st, 2007 12:23 pm (UTC)
Unfortunate, but largely true. :p
Wednesday, January 31st, 2007 07:16 am (UTC)
"So why don't more sites use it?"

Those questions have zilch to do with security. They are implemented to reduce the maintenance burden of user requests for password changes. "80% of our support calls concern lost passwords. Let's give the idiots an automated system."
Wednesday, January 31st, 2007 12:29 pm (UTC)
ING at least claims that their new "one of five of eight" system is supposed to increase security.
Thursday, February 1st, 2007 01:21 am (UTC)
Oops, I was unclear.

I mean the normal "what is your dog's name?" questions are only there to cut down on password reset requests, not to improve security. ING's technique may be useful, but it isn't being used widely, because most orgs simply don't give a damn.