Thursday, May 21, 2009

The Failure of Security Questions

MIT's Technology Review author Robert Lemos recently tackled security questions as a method of password retrieval or resets. We've all seen these before - often a small number of fixed questions that have predictable answers. I wrote about them from a user perspective back in 2008 - The Problem With Security Questions - And An Easy Solution, where I discussed using a password safe utility and using answers unique to each site.

Lemos points out that research found that "answers that require only a little personal knowledge to guess should also be considered unsafe" and that "Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet's name, the researchers found."

Your pet's name is likely in your Flickr photo stream, or your email inbox. Your co-workers likely know your favorite sports team, your favorite color may be easy to guess from your fashion choices, and your pet and your significant other may be conversational topics that they would rememember - making many security questions useless.

Many security questions are less than creative, and worse, because they're intended to be something that everybody can provide an answer for, they're likely to be something that others also know or can find out from easily accessible records.

  • What is your mother's maiden name?
  • What is your father's middle name?
  • What is your favorite sports team?
  • What is your favorite color?
Most users proceed to use actual answers to these, meaning that the answers are easy to find in today's connected, database driven world of available information. How hard is it to go from a first name, a last name, and a geographic location to a user's personal details? Not that difficult. Parents names can be found in birth records, or you may be able to simply check their LinkedIn, Facebook, or other profile. Their favorite color or sports team can be found in similar places - and there are a limited number of guesses for most people.

Worse, family, friends, and acquaintances can often guess their way into such sites. Security staffers will tell you stories of disgruntled spouses logging into their partner's accounts using the facts that they know about the person to reset their password.

Many sites handle this with an email based password send capability - which shrdlu notes that he simply uses every time he visits the site so that he doesn't have to remember the site's password. I'm sure many of the rest of us have developed similar bad habits - and, of course, if you can get passwords sent via email, anybody who takes over your email account needs only visit those sites and request a password reset to take over those accounts too.

But security questions serve a very useful purpose, particularly for sites that have a large number of users, or who have users who may use the site only infrequently. They're a somewhat reasonable way of allowing users to have the ability to reset their password, and they push some responsibility to those users to keep their security questions difficult. The problem remains that without better options, users often create a back door into their account.

So, what alternatives are there?
  • Out of band methods, such as sending an SMS
  • Multiple factor methods, such as
  • Validate against another data point or preferably, data points
  • Skip a reset method and have customer service deal with it
Of course, not having security questions can also be a problem for some sites - social engineering to get passwords reset has worked many times in the past too.

I'll keep my eyes open for clever ways to handle this problem, and, perhaps more importantly for ways to explain the risk model effectively to management.

No comments: