
I needed to reset my password on a website that uses security questions for the purpose, and I noticed something strange. My hypothetical security questions (not the ones I actually use) are:

  1. What is your name? John
  2. Where do you live? Chicago

To reset, I'm prompted to answer both questions; however, it doesn't matter which answer I use for which question, so long as the answer I use is correct for at least one question. All of these combinations work:

John/Chicago, Chicago/John, John/John, Chicago/Chicago

If either field is an incorrect answer to either question, the page returns an error, so

John/-incorrect-, -incorrect-/John, Chicago/-incorrect-, -incorrect-/Chicago

all fail.

This must be a bug, right? It seems like an almost deliberate "convenience feature" that actually dramatically reduces the already-limited effectiveness of the security questions.

Deer Hunter
John Bensin
  • Everyone commenting on the quality of the security questions & answers here: Please remember that the OP has posted these only as examples for demonstration and, in fact, has explicitly stated that these are ***not*** the ones he's actually using. – Iszi Apr 21 '14 at 13:25
  • Thanks for the comment; I tried to make it clear in the question that the questions I'm using are purely hypothetical. – John Bensin Apr 21 '14 at 17:35

3 Answers


In short, somebody misplaced an OR where an AND should be. Indeed a big mishap on the part of the developer. Your assumptions about its security are correct.

TildalWave

Yeah, what you describe looks like a bug. Regardless of the alleged security value of "security questions", or lack thereof, there is no way that "John" can be considered as a valid response to "Where do you live". It is even more than a bug: it is a vulnerability (an even bigger one than merely using "security questions" in the first place). Indeed, in your example, someone presented with 5 questions, one being "what is your name", can answer "John" to all five and be granted access, so an attacker does not even have to guess the answers to all questions, only to one of them.

I don't think it is a deliberate convenience feature; it would take a truly warped mind to come up with that design. A genuine bug seems most plausible.

Tom Leek
  • Why couldn't "John" be a valid answer to "Where do you live"? Even if there's no city named "John", there may be a neighborhood, or other locality named "John". And of course, the most secure answer to that question wouldn't be a place name at all, it would be some completely unrelated answer. My answer to "what is your mother's maiden name" is not my mother's maiden name, nor even a name at all. – Johnny May 02 '13 at 22:43

Security questions are bad, security questions which ask for your name and place where you live are even worse. The fact that you can use either answer for one question isn't a bug, it's poor coding.

Password resets by using security questions are bad if they aren't used in combination with something else. For instance, if they ask you questions, but stuff which only you can know (I can't come up with good questions at the moment, but probably something along the lines of the year of your first love), and after you answer these questions a time-limited token (link) is generated and sent to your email address which remains valid for 15 minutes. After you click that link a text message is sent to your phone with a code and you need to enter the code on the page. If the code is right, then you can alter your password.

Lucas Kauffman
  • Sorry, those were *hypothetical* security questions that I made up for the question. I bolded the word hypothetical to make it a little clearer. In reference to the reset strategy itself, you're basically saying that security questions are only good as one part of a two/multi factor authentication scheme, right? – John Bensin May 02 '13 at 19:31
  • 3
    yea, they are imo completely useless these days where people post anything on facebook. – Lucas Kauffman May 02 '13 at 19:37
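The three-stage reset flow Lucas Kauffman sketches (security questions, then a 15-minute e-mailed link, then an SMS code, and only then a password change), as an added Python example that is not code from anyone in this thread. The 15-minute link lifetime is from the answer; the SMS-code lifetime, the attempt cap, the function and field names, and the in-memory stand-ins for the reset table and credential store are assumptions. The example also covers the failure modes a practitioner has to handle: an expired or reused link, and a guessed code.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Lifetimes: the e-mailed link is valid for 15 minutes as the answer says; the
# SMS-code lifetime and attempt cap are assumptions for this example.
LINK_TTL = 15 * 60
SMS_TTL = 5 * 60
SMS_MAX_TRIES = 3

# In-memory stand-ins for the reset table and the credential store
# (constructed for the example; a real service would use its database).
_resets: dict = {}
_passwords: dict = {}


def _sha256(value: str) -> bytes:
    return hashlib.sha256(value.encode("utf-8")).digest()


def _password_hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low for the example; raise it in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


def set_password(user_id: str, password: str) -> bool:
    salt = secrets.token_bytes(16)
    _passwords[user_id] = (salt, _password_hash(password, salt))
    return True


def check_password(user_id: str, password: str) -> bool:
    if user_id not in _passwords:
        return False
    salt, stored = _passwords[user_id]
    return hmac.compare_digest(_password_hash(password, salt), stored)


def start_reset(user_id: str, questions_passed: bool, now: float) -> Optional[str]:
    """Stage 1: only a correct set of security-question answers yields a link
    token. Only the token's hash is stored, so a leaked reset table does not
    contain usable links. The returned token goes into the e-mailed link."""
    if not questions_passed:
        return None
    token = secrets.token_urlsafe(32)
    _resets[user_id] = {
        "stage": "link_sent",
        "link_hash": _sha256(token),
        "link_expires": now + LINK_TTL,
        "sms_hash": None,
        "sms_expires": 0.0,
        "sms_tries": 0,
    }
    return token


def redeem_link(user_id: str, token: str, now: float) -> Optional[str]:
    """Stage 2: the clicked link must be unexpired, unused and match the stored
    hash. On success the link is invalidated and a one-time SMS code is issued.
    The code is returned here only so the example can be driven; the service
    would send it to the phone, never back to the browser."""
    rec = _resets.get(user_id)
    if rec is None or rec["stage"] != "link_sent":
        return None
    if now > rec["link_expires"]:
        _resets.pop(user_id, None)  # expired links are discarded outright
        return None
    if not hmac.compare_digest(rec["link_hash"], _sha256(token)):
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    rec.update(stage="sms_sent", link_hash=None, sms_hash=_sha256(code),
               sms_expires=now + SMS_TTL, sms_tries=0)
    return code


def verify_sms_and_reset(user_id: str, code: str, new_password: str, now: float) -> bool:
    """Stage 3: a six-digit code is guessable, so attempts are capped and the
    code expires; the reset record is discarded once it is consumed or
    exhausted, and only then is the password changed."""
    rec = _resets.get(user_id)
    if rec is None or rec["stage"] != "sms_sent":
        return False
    if now > rec["sms_expires"] or rec["sms_tries"] >= SMS_MAX_TRIES:
        _resets.pop(user_id, None)
        return False
    rec["sms_tries"] += 1
    if not hmac.compare_digest(rec["sms_hash"], _sha256(code)):
        return False
    _resets.pop(user_id, None)
    return set_password(user_id, new_password)
```

Each stage is gated on the previous one through the stored `stage` field, so a caller cannot skip straight to the SMS step, and neither the link token nor the code is stored in the clear. The wall-clock time is passed in as `now` rather than read inside the functions so that expiry can be exercised deterministically.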