12

I was reading the OWASP Forgot Password Cheat Sheet when I stumbled upon the recommendation to use security questions.

There is even a dedicated page about what information to gather.

Whenever I see such a "feature" on a web site it strikes me as unbelievably insecure for most users, because most users will choose a question and answer that is probably very easy to find out by anyone who knows the person a bit. So I was very surprised to see such a recommendation on OWASP.

Is it really a good idea to implement security questions?

theDmi

  • From what I can see, the security question is proposed as a first step process to immediately disable the current password and force 2FA – timuzhti Nov 18 '15 at 07:23
  • There is a discussion page which might be a better place to ask: https://www.owasp.org/index.php/Talk:Forgot_Password_Cheat_Sheet – lorenzog Nov 18 '15 at 13:31

1 Answer

11

Specifically with regards to security questions you are asking users to share potentially sensitive facts about themselves that are likely obtainable by social engineering of people near them. That makes security questions at best inadvisable and at worst downright dangerous from a holistic security perspective.

OWASP, while good overall for explaining the problems, makes many inadvisable recommendations including security questions, input whitelisting, and XXE mitigations that prevent loading most XML documents. Take the problem descriptions as they are, but really scrutinize their solutions before considering implementing them.

Alain O'Dea

  • Specifically, what is wrong with input whitelisting? It is a valid and useful technique in many places. – Cybergibbons Nov 18 '15 at 13:55
  • @Cybergibbons it has occasional merit. I have trouble recommending it in places like passwords where it both makes the user experience annoying and reduces the security of passwords. It's also annoying in free text entry. It makes sense to do type-safe input validation (numbers are whitelisted to numbers and bounded if needed), but I think whitelisting of free text is often never desirable. In many cases I've seen whitelisting used where prepared statements and output encoding are the actual solutions. – Alain O'Dea Nov 18 '15 at 18:12
  • Ah, ok, so it's more that it is used as an inappropriate solution, or where it is an annoyance. Yes, that makes sense. – Cybergibbons Nov 19 '15 at 10:49
  • @Cybergibbons: I see whitelisting as a comfort solution: warning that an email address has no `@` (and nothing more), making sure a number is a number - all the things which would make the submission fail when checked server-side. In no case can it be a security feature. – WoJ Mar 13 '19 at 16:42
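The distinction drawn in the comments above (type-safe, bounded validation for a numeric field; prepared statements and output encoding, rather than a character whitelist, for free text) as an added example that is not part of the thread. The sample comment strings and the in-memory SQLite table are constructed for the demo.

```python
import html
import re
import sqlite3

# Constructed free-text inputs: one harmless, one with SQL metacharacters,
# one with HTML markup. None of them are filtered; they are handled at the sinks.
SAMPLE_COMMENTS = [
    "Plain comment",
    "O'Brien said \"hi\"; DROP TABLE comments; --",
    "<script>alert(1)</script>",
]


def validate_quantity(raw: str, lo: int = 1, hi: int = 100) -> int:
    """Type-safe whitelist for a numeric field: ASCII digits only, then bounded."""
    # str.isdigit() accepts Unicode digits such as superscripts, so use a regex.
    if re.fullmatch(r"[0-9]+", raw) is None:
        raise ValueError("quantity must be ASCII digits only")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"quantity must be between {lo} and {hi}")
    return value


def store_and_fetch(comments: list[str]) -> list[str]:
    """Insert free text via a prepared statement and read it back unchanged.

    The bound parameter is always data, so the 'DROP TABLE' text is stored
    as a string instead of being executed, and the table survives.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    for body in comments:
        conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    conn.close()
    return [row[0] for row in rows]


def render_comment(body: str) -> str:
    """Output-encode at the HTML sink so stored text cannot become markup."""
    return f"<li>{html.escape(body, quote=True)}</li>"
```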