
I was setting my eBay security questions and one of the choices was:

Now I've seen sites that allow you to "type your own question" and "type your own answer" but unless they forgot a text field, this seems like a bad idea!

Not only would you need to remember "your own phrase", you would also need to remember the answer.

Is this scheme a good idea?

Edit:

I just realized this most likely means you type in the phrase as the answer. Don't know why I didn't realize this.

Anders

Insane

1 Answer

Usual process

There are two common ways to implement the so-called "security question" (which I don't think is very secure anyway, but that's another subject):

  • Propose that the user choose a question from a set of predefined questions,
  • Propose that the user type their own question.

The issue with the first possibility is that a very large proportion of your users will reuse the very same question, such as their first pet's name, for instance. This can be a weakness since an attacker can, with this example, use a dictionary of common pet names against all users who chose this question.

With the second possibility, you just encourage your users to use different questions. While the risk here is that they may use even weaker questions, at least there will be a wider range of different questions, making any automation attempts a bit more difficult for the attacker.

However, in both cases the question remains public, only the answer is secret. When you click on the "I forgot my password" link, in any of these situations you will be prompted with your question (either the one you've chosen or the one you typed) and will have to provide the correct answer to get back your access.

If you encounter a website requiring you to type both your question and answer during the password reset procedure, then you can bet that this process has been designed by someone a bit screwy (and that this process will most probably be changed quickly when the support department gets fed up with users' complaints).

Screenshot's specific case

The goal of any authentication system is to let you prove your identity in some way. The quickest one is using a secret password, or in other words a secret shared between you and the service to which you would like to prove your identity.

If you forget such a shared secret, then come the security question(s): they offer you an alternative way to prove your identity by giving some details regarding your personal life that (hopefully) only you may know.

Having a question asking again for a shared secret seems just plain useless, as it does not provide any alternative way to prove your identity: if you have lost your main shared secret, chances are that you have lost this other one too.

So I would definitely class this one in the "screwy" category.

WhiteWinterWolf
  • Good info, but can you address the 'no question' 'only answer' scheme as seen above? You don't pick from a predefined question _or_ type your own question. – Insane Jan 25 '16 at 10:42
  • Well that is, just like your username, insane... Okay, joking aside, the point of a security question is that you remember it in case you forget your password, but a no-question security answer is similar to a password, just a LOT more insecure, because case insensitive, no symbols etc. The question is there so you can better remember it, and without a question it's hard to remember it. – My1 Jan 25 '16 at 10:48
  • @Insane: Indeed, I initially thought that the form was expecting the user to choose a question without selecting one by default. I remember (but it was *years* ago!) when I had to pay fees to eBay, on one screen they would display the amount to pay, on the next screen they would ask the user to manually type the exact same amount and ask him not to click several times on the *Submit* button to avoid being charged twice... Using trainees to do the work is cheap, but you then get cheap results... – WhiteWinterWolf Jan 25 '16 at 11:03
  • Well, eBay is screwy! – Insane Jan 25 '16 at 11:19
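As an added illustration (not code from the question, the answer, or eBay), the following Python models the reset flow the answer describes and the three schemes the thread discusses: a shared preset question, a user-typed question, and the screenshot's "phrase only" case that is just a second, weaker password. The question is stored in the clear because it is public; only the answer is secret, so it is salted and hashed like a password. The preset question text, the user names, the list of common pet names and the PBKDF2 round count are all constructed for the demo. The dictionary attack shows why a shared preset question is weak: the attacker sees every user's public question and runs one preset-specific wordlist against all of them, while user-typed questions give nothing obvious to automate. The last function quantifies My1's point that a case-insensitive, letters-only answer has a far smaller guess space than a password of the same length.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass

# Low so the demo runs quickly; a real deployment uses far more rounds (assumption).
PBKDF2_ROUNDS = 2_000

# Hypothetical preset question, standing in for the "first pet's name" preset
# the answer mentions.
PET_NAME_QUESTION = "What was the name of your first pet?"

# Constructed stand-in for a real list of common pet names.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "molly",
                    "buddy", "daisy", "rocky", "bailey", "maggie"]


def normalize_answer(answer: str) -> str:
    """Sites usually compare answers case-insensitively and ignore stray
    whitespace. That normalisation is why a "no question, just a phrase"
    scheme is weaker than a password of the same length: the guess space shrinks."""
    return " ".join(answer.strip().lower().split())


@dataclass
class SecurityQuestionRecord:
    question: str       # public: displayed on the reset form
    salt: bytes
    answer_hash: bytes  # the answer is the only secret, so store it like a password


def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def enroll(question: str, answer: str) -> SecurityQuestionRecord:
    """What the site stores when the user sets up a security question."""
    salt = os.urandom(16)
    return SecurityQuestionRecord(question, salt, _hash_answer(answer, salt))


def reset_prompt(records: dict, user: str) -> str:
    """Step 1 of "I forgot my password": the site shows the (public) question."""
    return records[user].question


def verify(record: SecurityQuestionRecord, guess: str) -> bool:
    """Step 2: the user supplies the answer; compare hashes in constant time."""
    return hmac.compare_digest(_hash_answer(guess, record.salt), record.answer_hash)


def dictionary_attack(records: dict, wordlist) -> dict:
    """The attack the answer warns about: every user's question is public, so the
    attacker targets everyone who picked the shared preset with one preset-specific
    dictionary. Users who typed their own question offer no obvious dictionary and
    are skipped (harder to automate, as the answer says). Returns cracked users."""
    cracked = {}
    for user, rec in records.items():
        if rec.question != PET_NAME_QUESTION:
            continue
        for candidate in wordlist:
            if verify(rec, candidate):
                cracked[user] = candidate
                break
    return cracked


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the work to brute-force an answer of the given length
    drawn from an alphabet of the given size (log2 of the number of candidates)."""
    return length * math.log2(alphabet_size)


def demo_users() -> dict:
    """Constructed accounts covering the three schemes discussed in the thread."""
    return {
        "alice": enroll(PET_NAME_QUESTION, "Bella"),                   # preset question, common answer
        "bob":   enroll(PET_NAME_QUESTION, "ROCKY"),                   # same, different case
        "carol": enroll(PET_NAME_QUESTION, "Mr. Whiskers the Third"),  # preset question, unusual answer
        "dave":  enroll("Street of my grandmother's bakery", "Rue des Abbesses"),  # user-typed question
        "erin":  enroll("Phrase", "correct horse battery staple"),     # no real question: a second, weaker password
    }


if __name__ == "__main__":
    users = demo_users()
    print("reset form shows:", reset_prompt(users, "alice"))
    print("cracked by pet-name dictionary:", dictionary_attack(users, COMMON_PET_NAMES))
    print("8 case-insensitive letters: %.1f bits" % guess_space_bits(8, 26))
    print("8 printable-ASCII chars:    %.1f bits" % guess_space_bits(8, 95))
```

Running it cracks alice and bob with a ten-word list while carol, dave and erin survive; carol survives only because her answer is unusual, not because the scheme protects her, and erin's "phrase" is exactly the shared-secret-as-backup-for-a-shared-secret the answer calls useless.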