53

Do security questions subvert hard to crack passwords? For example, if a site requires passwords with a certain scheme (length + required character sets) and has a security question, why would someone try cracking the password instead of the security question? I assume most answers to these are shorter and have a smaller variety of characters. For example, "Mother's Maiden Name" (somewhat common question) is typically not as long as a decent password (even after satisfying password requirements) and often contains only letters. When a site requires a security question, is it best to fill it in with a lengthy string containing random characters?

Anders
Thomas Eding
  • This is a common way for newbs to hack into people's accounts. They crack their email using the "secret" answer and then just request new passwords by email. Takes away all security with emailing passwords if the email password itself is not safe – May 21 '11 at 21:37
  • Reminds me of [How Paris Got Hacked](http://www.oreillynet.com/pub/a/mac/2005/01/01/paris.html). – Gumbo May 21 '11 at 21:54
  • Note that the answers to these questions are not just shorter than passwords, they are typically dictionary words, and from a limited set of words at that (e.g. "Favorite color"...). Also, knowing a person would make it even easier to "guess" the answers... And EVEN worse, these answers are often shared with other sites (as answers to "security questions"!!)... not to mention much of it is public record. – AviD May 31 '11 at 17:50
  • Password reset systems so often seem to be the weak point of systems. Barclaycard allows both user name and password to be reset using ONLY the information on the card. Once in, an attacker could then PAY the credit card bill from MY current account! The only saving point is if you assume I'd notice the loss of the card and stop it. – pipTheGeek May 19 '12 at 16:18

7 Answers

25

The manner in which security questions are used by a site determines whether they undermine the supposedly stronger authentication mechanism (of using good passwords).

Typically, systems that allow access to users after they've answered a security question are weaker than systems that would communicate a (temporary) password to the user via a (different and secure) channel. The previous statement conveys a best practice, and certain systems need not implement all of it; some systems would provide a new password (which need not be changed by a user), and there are other systems that would communicate the password via an insecure channel.

Filling a security question with random characters is not necessarily a good approach (although it is better than having a shorter answer with low entropy), for it would make it difficult to remember, resulting in a potential lock-out scenario (from which there is often no point of recovery). It should be remembered that security questions are often not changed periodically, unlike passwords. The answer therefore depends on how well the answer is protected (both by the user and the system), how public the answer actually is, and how frequently the question (and answer) can be changed.

Reading this related StackOverflow question is recommended, for the answers discuss out-of-band communication, amongst other issues like the potential lock-out scenario.

Vineet Reynolds
  • From a personal use and user education perspective, also using a password manager to store a strong random answer to a secret question (as often you have no choice but to set one and they don't offer out of band) is also a good idea. In your attack tree with out of band, also remember that if someone has the user's mobile and you are sending an SMS or email, it is not really out of band – Rakkhi May 23 '11 at 09:23
13

Yes.

A better name for these "security" questions would be "convenience questions". They are an alternate way of accessing the same account, bypassing the password. Since answers to such questions are typically composed of existing words, they are the perfect target for dictionary attacks, or even just plain guessing. Things get even worse when the attacker has some personal details already.

The best you can do if you have to subscribe to something that presents a "security question" (and makes it mandatory) is indeed to just enter a really long sequence of garbage characters.

tdammers
11

A 2015 study based on Google's deployment of personal knowledge questions contains a lot of evidence for the many problems with them: Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google

Some findings:

  • secret questions generally offer a security level that is far lower than user-chosen passwords
  • a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them "harder to guess" although on aggregate this behavior had the opposite effect as people "harden" their answers in a predictable way
  • secret answers have surprisingly poor memorability, with a success rate of 60%, vs 80% for SMS reset codes
  • questions that are potentially the most secure (e.g what is your first phone number) are also the ones with the worst memorability

They conclude that

it appears next to impossible to find secret questions that are both secure and memorable. Secret questions continue to have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.

nealmcb
7

If you want it to not be answerable? Most such sites will require you to reset the password by mail anyway, so they'll need your email info to get anywhere; the answer is mostly there to prevent people from annoying you by constantly resetting the password.

If you can reset a password by "secret" question only then that is lousy security.

  • Well, many email sites (like Hotmail) use this function. Would be kinda useless for them to send an email with the password (unless you have specified an alternate email address) – May 21 '11 at 21:36
  • Most email sites (to my knowledge) do use alternate email addresses for such reasons. If not, then make sure your question and answer is indeed hard to crack. But then we're back to why not just remember your password in the first place. – May 21 '11 at 21:39
  • @Andreas as I stated, at least Hotmail does. Aren't they still the biggest? – May 21 '11 at 21:40
  • +1 because I agree that these questions are **BAD FOR SECURITY.** Secure passwords are completely pointless when the so-called security questions ask for "private" information that would be easy for a hacker to obtain. Sure, you can lie or fill in gibberish, but the chances are pretty good that you'll lose that information when you lose the password. It drives me crazy (**crazy,** I tell you!) to see web sites saying that they're "increasing security" by adding these questions when they're doing exactly the opposite. – May 21 '11 at 21:42
5

Yes. If for no other reason than that both your password and your secret question/answer are shared secrets, and best practice dictates that you don't share those secrets with third parties, but that is exactly what you are asked to do when you provide a secret question/answer.

What you should do instead of "following instructions" is to come up with a simple algorithm that lets you generate the answer given the question, site name, and true answer.

Yaur
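One way to implement the per-site answer generator Yaur describes, as an added example that is not part of the original answer: the string is derived with an HMAC keyed by a memorised master secret over the normalised site name, question and true answer, so it can be regenerated later yet differs per site. The master secret, the normalisation rules and the alphabet mapping are my assumptions, not anything the answer specifies.

```python
import hashlib
import hmac
import string


def _byte_stream(key: bytes, msg: bytes):
    """Yield an unbounded, deterministic byte stream: HMAC(key, msg || counter)."""
    counter = 0
    while True:
        block = hmac.new(key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        yield from block
        counter += 1


def derive_answer(master_secret: str, site: str, question: str, true_answer: str,
                  length: int = 24, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Deterministically derive a per-site 'security answer' from a master secret.

    Site, question and true answer are normalised (case, surrounding whitespace)
    so the user can regenerate exactly the same string later. Keying the HMAC with
    the master secret means an answer leaked from one site reveals nothing about
    another site's. The output entropy is bounded by the master secret's entropy
    and by length * log2(len(alphabet)), whichever is smaller.
    """
    if not 1 < len(alphabet) <= 256 or length < 1:
        raise ValueError("alphabet must have 2..256 symbols and length must be positive")
    msg = "\n".join(part.strip().lower() for part in (site, question, true_answer)).encode()
    # Rejection sampling: drop bytes >= limit so every symbol is equally likely (no modulo bias).
    limit = 256 - (256 % len(alphabet))
    chosen = []
    for b in _byte_stream(master_secret.encode(), msg):
        if b < limit:
            chosen.append(alphabet[b % len(alphabet)])
            if len(chosen) == length:
                break
    return "".join(chosen)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials or real sites.
    secret = "correct horse battery staple"
    print(derive_answer(secret, "example.com", "Mother's maiden name?", "Smith"))
    # A site whose answer field only accepts letters: restrict the alphabet instead.
    print(derive_answer(secret, "bank.example", "First pet?", "Rex",
                        length=30, alphabet=string.ascii_letters))
```

The derived answer is only as strong as the master secret, and it still has to be stored nowhere the site can see it, so the answer leaks as little as a password stored in a manager would.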
3

My secret questions are usually "What is your password?" And then the answer is actually something else.

I make the answer as random as possible and as long as possible and store it together with the password itself. So if numbers are not allowed, I use all letters. But I usually make most of them about 20-30 alphanumeric characters long.

This is what I do with web based email (gmail) and all of my banking passwords. My bank is vulnerable to a denial of service attack (wrong passwords will block my user id) so I should have picked a user id that was also random and maximum length and kept secret as well.

Dabs
0

Yes, it is better to fill it in with a lengthy string containing random characters than to answer the real question or give a short answer. If you decide to go with this approach you need to be sure to remember it, since it is very probable that you will forget it.

Rebeca