Questions tagged [secret-questions]

Personal questions, such as a mother's maiden name, used for authentication. Commonly seen during account recovery. Also known as "security questions".

23 questions
165 votes, 8 answers

Why is Mother’s Maiden Name still used as a security question?

From time to time, some web sites ask to enter a security question and an answer for it. The question list is standard and it usually includes "What is your mother's maiden name?". Some people use their mother's real maiden name so that they are…
Alexei (2,183 rep)
53 votes, 7 answers

Do security questions subvert passwords?

Do security questions subvert hard to crack passwords? For example, if a site requires passwords with a certain scheme (length + required character sets) and has a security question, why would someone try cracking the password instead of the…
36 votes, 4 answers

Why did my provider reset my password after someone else attempted to gain access to my account?

Recently a provider (of SIP trunking services) I subscribe to sent me a strange email. It claimed that someone in another country attempted to reset the password to my account and was unsuccessful in answering my security question. The provider's…
Michael Hampton (3,877 rep)
18 votes, 3 answers

Should security question answers be case-sensitive?

Question: In the case of security questions being used to reset an account password, what is considered best practice for handling case-sensitivity on the security question answers? Scenario: An account password reset process I'm working on works in…
18 votes, 6 answers

Is storing answers to security questions in plain text bad form?

If the input for the security question is completely digital, should the answer to a security question be hashed (or at least encrypted) on the authentication server?
blunders (5,052 rep)
12 votes, 1 answer

Why does OWASP recommend security questions?

I was reading the OWASP Forgot Password Cheat Sheet when I stumbled upon the recommendation to use security questions. There is even a dedicated page about what information to gather. Whenever I see such a "feature" on a web site it strikes me as…
8 votes, 3 answers

Does prompting for security questions on new computers add any security on banking websites?

When you sign into Bank of America on a computer you haven't used with them before, the site prompts you to answer one of your security questions. How exactly does this make the site more secure? Is the assumption that if a person somehow guessed…
John (2,242 rep)
8 votes, 2 answers

What is the purpose of forcing people to provide "security questions" and answers to them?

Am reinstalling Windows 10. Dang. It forces me to provide no less than THREE security questions. I have to choose them among questions like, What was the name of your first pet and What city were you born in. OK Windows might do this to convince me…
gaazkam (5,607 rep)
6 votes, 5 answers

Do security questions make sense?

Is it a good practice, or is it obsolete? I'm asking because I've never managed to remember a single security question, thus I always write down the answers. I think they are useless, long passwords or 2FA is a much better practice.
AteszDude (63 rep)
4 votes, 3 answers

How are "security questions" not a major security hole for any application that uses them?

So the original security model was to ask the user for an email address, at time of account creation, and if they forgot their password the system would email a new password to this email address. The idea now, however, seems to be to use security…
4 votes, 3 answers

Should I let users pick their own secret questions for password reset?

I'm building a web application and I'm actually writing a code that allows users to choose their secret question and answer used to identify them if they forget their passwords. I'm a little bit confused here because many well-known websites offer…
storm (1,714 rep)
3 votes, 5 answers

What if user can't answer the security question during password reset?

I'm thinking out my password recovery logic for an ecommerce system. Some background: Passwords are stored using bcrypt, password recovery involves the standard reset link, which then can be used to reset the password within a limited amount of…
3 votes, 1 answer

Is this "forgotten-password" procedure safe/legal?

Recently, I had lost my password on a web app that is supposed to be really secure (think bank or government type web app). This web app contains a lot of personal critical info (like SSN and salary, but legally). Here is the procedure I had to…
3 votes, 3 answers

Which is more secure for a reset password feature - security questions or reset link in email?

I need to provide the Reset Password Feature for my product. For this I have two competing solutions: (1) send the password reset link in mail to the user; (2) provide the Security Question based solution. Based on the assessment by our security team, the…
Manchanda. P (69 rep)
3 votes, 1 answer

Is a security question you just have to 'remember' a good idea?

I was setting my eBay security questions and one of the choices was: Now I've seen sites that allow you to "type your own question" and "type your own answer" but unless they forgot a text field, this seems like a bad idea! Not only would you need…
Insane (249 rep)