My Yahoo account was hacked and I am very worried about why. They said I was more secure after removing my additional security questions. Is that correct?
Whenever you are forced to use standard questions such as your mother's maiden name, **always** use something made up. Treat it like a password, use a different answer for every site. – Julian Knight Oct 01 '16 at 12:38
And don't use a real last name, even if it's not your mother's real maiden name. I usually use something from `/dev/urandom` so my mother's maiden name happens to be something like `dc��ܠ��ԛ�����Ye����/_�;]�<\���+d(��`*S�o���(U�����w�k�_�<�lK�)bn�)0N��tB�>����` a lot. If that isn't accepted, I pass it through `xxd` so then it's something like `1e8a 9e3b 8e1b 9d91 76eb 05af 3af7 8598`. No need to store that shit anywhere, of course. Just store your password in a password manager so you won't lose it and don't ever need the answers to those questions. – UTF-8 Oct 01 '16 at 13:39
@UTF-8, until your account becomes locked for some reason, and you need the security question to unlock it. I'd just store the security question in your password manager alongside the password. – Ben Oct 03 '16 at 12:47
3 Answers
Disclosure: I work for AgileBits, the makers of 1Password, a password manager.
Security questions are terrible. In fact, pretty much everyone who studies these calls them insecurity questions.
First of all, security questions are another way into your account. But let's compare their security properties with passwords.
Security answers are not secret
My mother's maiden name is not a secret. Nor is the street where I lived as a kid, nor are so many of the other things that are routinely asked. Sure, some of them may not actually be public knowledge, but if I have to use my father's middle name, I don't want to then be responsible for keeping that secret in the future.
Security questions are stored unencrypted
Passwords have to match exactly because they are typically hashed, but security questions are looked at by humans, so if I answered "walter" for my father's middle name (see, it is no longer a secret), I would be allowed back in with "Walter". But in terms of passwords almost doesn't count:
```shell
$ echo walter | shasum
95ea07881ac3ffe8602879232682052c3e93b6d8  -
$ echo Walter | shasum
f82f03f4a76873ff4ae41d6609b99f258a647b82  -
```
And so insecurity questions are stored unencrypted. Yahoo! did a nice job with using bcrypt to hash the passwords (making it harder for the people who stole those hashes to make guesses at passwords), but the thieves got the security questions.
This also means that the people who manage the system also know your security questions and answers. It's not just external thieves, but internal ones as well who can learn these.
Insecurity questions are even more likely to be reused than passwords.
The people who got hold of the insecurity questions (and answers) can now use those answers to attack your account on other sites you use those answers for. If you give your father's middle name as "walter" on one site, you are likely to give the same answer to the same question on another.
This, of course, is true of passwords, which is why you should use a separate password for each site and service. If you used a decent enough password, then Yahoo!'s use of bcrypt will mean that many reasonably strong passwords will remain unguessed. So the bad guys may not know your Yahoo! password, but they do know your security question answers. (But do not use things that you would like to keep secret for security questions. Remember that in the best case only the people who operate the service will see them.)
Security questions (answers) are less varied than passwords.
The most common 100 pets names are almost certainly going to be more common than the most common 100 passwords.
Almost all of the problems with security questions listed above are a consequence of what they are designed to do. They are designed to be things that you already remember (instead of a new thing you have to remember, like a password). And you remember these things because they are the truth. So true things about you are less likely to be secret, and there are many more ways to lie than to tell the truth. So the inherent problems with insecurity questions follow from their design.
I'm quoted in a recent article at WIRED that covers these and points to other resources as well.
Your second example is maybe not very good. You could hash the lowercase version of the answer. The problem is more how to handle the case that the answer provided is misspelled. There are also cases where you have to provide the answers over the phone to a human agent (and that human agent will compare plaintext to plaintext and not compute a hash). But generally, I agree with you. – kaidentity Oct 01 '16 at 09:14
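The answer's shasum demo and the comment about hashing a lower-cased version both describe the same design problem: an exact-match hash rejects "Walter" for "walter", so sites tend to keep the answer in plaintext instead. The added example below (written for this page, not code from Yahoo!, 1Password or the answer's author) reproduces the `echo | shasum` mismatch, then shows the alternative the comment hints at: normalise the answer (NFKC, case-fold, strip punctuation, collapse whitespace) and store only a salted, slow PBKDF2 hash of the normalised form. It also includes the made-up-answer generator that the commenters recommend on the user side. The function names, the PBKDF2 work factor and the sample answers are this example's own assumptions.

```python
"""Added example: exact-match hashing of security answers versus hashing a
normalised answer. Standard library only; names and parameters are assumed."""
import hashlib
import hmac
import os
import re
import secrets
import unicodedata
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; bcrypt, scrypt or argon2 would do as well.
ITERATIONS = 200_000


def exact_digest(answer: str) -> str:
    """Mimic `echo answer | shasum`: SHA-1 over the answer plus the newline
    that echo appends. "walter" and "Walter" give unrelated digests."""
    return hashlib.sha1((answer + "\n").encode("utf-8")).hexdigest()


def normalize(answer: str) -> str:
    """Canonicalise an answer before hashing so trivial variations agree:
    Unicode NFKC, case-fold, drop punctuation, collapse whitespace.
    A genuine misspelling ("waltre") still fails, as the comment notes."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)
    return " ".join(text.split())


def store_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Record holding only a random per-answer salt and a slow hash of the
    normalised answer, so a stolen database exposes no plaintext answer."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash of the normalised candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def random_answer(nbytes: int = 16) -> str:
    """User-side advice from the comments: invent the answer and keep it in a
    password manager. Hex output survives sites that reject odd characters."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print(exact_digest("walter"))
    print(exact_digest("Walter"))
    rec = store_answer("walter")
    print(verify_answer(rec, " Walter "), verify_answer(rec, "waltre"))
    print(random_answer())
```

Normalisation fixes capitalisation and punctuation but not the other half of the comment: an answer read out over the phone to a human agent has to be compared by that agent, which forces plaintext storage regardless of how the web path hashes it. That is one more reason to treat the answer as a throwaway secret rather than a real fact about yourself.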
From what I remember, all of the questions that were stored in clear-text were being flagged for removal. This all ties back to the info they just released. So in this case (and actually most cases), yes, you ARE safer removing them.
Well, in some cases, if you are using easy questions that people can just Google/know about you. Go with 2-factor, a lot better. Also, you can use a password generator to create keys to use for the security questions. Hope this helps.