
I didn't think of this before, but today I just realised that on some sites, password recovery is possible if you know the answers to security questions like

What is your mother's maiden name?

In this case, should the answers to the security questions be hashed or not?

Dan

    To clarify, the question `What is your mother's maiden name?` is an awful security question. If you are going this route, the questions should be decided by the user as well. Or, at the very least, not the common, awful questions like that one. Because it's really not that hard to find a person's mum's maiden name. – Parthian Shot Aug 10 '14 at 15:43

    Yup of course :) I agree that's a stupid question but I only used it for fast comprehension of the topic – Dan Aug 10 '14 at 15:45

2 Answers

It depends on how you plan to use the answers.

If you expect to do strict automatic checking, then treat them as passwords and apply a key-derivation function such as bcrypt/scrypt. (But remember that bcrypt uses only the first 72 characters of the string for the hash. Is that enough for your case?)

On the other hand, if there is a chance of phone-based support and you want call operators to interpret users' answers, you need to store the strings as-is.

P.S. Using plain hash functions (such as MD5, SHA) is not the answer to this problem in any case.

JimiDini
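As an added illustration of the "treat them as passwords" route (example code written for this page, not from either answer's author), here is a Python version using the standard library's scrypt rather than bcrypt, which also sidesteps bcrypt's 72-character limit. The whitespace/case normalisation step and the scrypt parameters are my own assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# scrypt work factors: assumed interactive-login settings, tune for your hardware
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer before hashing.

    Unlike a password, a security answer is typed from memory in varying
    forms ("Smith", " smith ", "SMITH"); without this step the strict
    automatic check described above would reject legitimate users.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer: str) -> dict:
    """Derive a per-record salted scrypt hash of the normalised answer."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_answer(candidate: str, record: dict) -> bool:
    """Re-derive with the stored salt/parameters and compare in constant time."""
    digest = hashlib.scrypt(
        normalize_answer(candidate).encode("utf-8"),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=record["r"], p=record["p"], dklen=KEY_LEN,
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = store_answer("  O'Connor ")         # constructed sample answer
    print(verify_answer("o'connor", rec))     # True: normalisation absorbs case/spacing
    print(verify_answer("oconnor", rec))      # False: different answer
```

Note that a record stored this way can only be checked by software; a phone operator cannot read the answer back, which is the trade-off the answer above describes.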

From the perspective of having such a simple answer, like a mother's name, protected, for example, on the web server side: the answers are more than likely hashed there.

The same story applies to your local machine, for which your administrator password, even one as simple as a mother's name, is also kept in hash form.

So, keeping the hash instead of the password protects the latter; however, if it's as simple as a mother's name, it's at risk from both a dictionary attack and a brute-force attack.