We’ve long known that humans are really, awfully bad at choosing passwords. Just terrible.
Well, it turns out that we’re just as bad at answering those secret security questions like “What was your first pet’s name?” or “What’s your favourite food?” too.
We’re so bad at it that when we try to be good at it, we actually get worse.
Secret questions like the ones above are often used to supplement passwords on websites and as an authentication method in password recovery systems.
The reason that they’re used in password recovery systems is that in theory they’re supposed to be both secure and memorable. Recently some researchers at Google decided to find out if that idea held up in practice.
It didn’t:
We conclude that it appears next to impossible to find secret questions that are both secure and memorable.
The problems with passwords are well understood and well documented, and all boil down to the fact that the whole idea of passwords seems to have been dreamt up in a vacuum by maths nerds.
Passwords are fine in theory – hit about twelve keys on your keyboard completely at random, commit them to memory and don’t tell anyone else. Now repeat that about twenty-five more times so that you have a unique, strong password for every different site and service you use.
Do that and your accounts are pretty much as safe as houses.
The trouble is, the theory relies on humans being quite good at something our biology doesn’t want to do. Our brains are singularly unsuited to either generating randomness or remembering it.
It should be no surprise then that secret questions suffer a similar fate for similar reasons.
The theory behind secret questions is fine. They ought to be more memorable than passwords because:
- They rely on cued recall; and
- They’re things we’d remember anyway.
Unfortunately the kinds of questions that are easy to remember are often insecure because answers are common or distributed unevenly across the user population.
According to research cited by the Google paper, about 40% of questions are things like “Who’s your favourite superhero?” where there is a “trivially small” number of answers.
That means that attackers are only a few good guesses away from your secret stuff.
It’s even worse if we choose the questions ourselves. The chances are that if we’re let loose to decide our own questions then we’ll choose questions with very few possible answers.
If the number of possible answers increases, attackers can rely on the fact that because we’re all very similar, our answers tend to be too:
Statistical attacks against secret questions are a real risk because there are common answers shared among many users. For example using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question "Favorite food?".
The researchers also determined that attackers can use cheap crowd-sourcing tools like Amazon’s Mechanical Turk to determine the likely distribution of answers within a user population quite easily.
Some questions are harder to crack this way because each person’s answer should be unique or at least very, very rare. The trouble is, we find those answers more difficult to remember.
The potentially safest questions have abysmal recall: ... "Library card number?" has a 22% recall and "Frequent flyer number?" only has a 9% recall rate.
... The decay of memorability over time is greater for questions about numbers assigned to people vs personal questions: for the question "Frequent flyer card number?" the recall rate decreased by 18% after a month.
And it doesn’t stop there.
The researchers also uncovered that in an effort to be more secure, people often lie and because we’re so very bad at trying to be unpredictable our lies make the answers easier to guess and therefore less secure.
We’re also less likely to remember our lies:
...people provide untruthful answers to secret questions because they try to make it harder to guess (37% of the 1500 respondents) or easier to remember (15%). Ironically of course, this behavior achieves exactly the opposite effect.
As time goes by we also get worse at remembering our answers, particularly our lies.
If we do forget, we might be able to remind ourselves by looking at our public records and outpourings because, according to research by Ariel Rabkin:
...16% of questions had answers routinely listed publicly in online social networking profiles ... Other questions can be found in publicly available records. For example, at least 30% of Texas residents' mothers' maiden names can be deduced from birth and marriage records.
That’s assuming we don’t just pony up the answer when we’re asked. Another researcher, Chris Karlof, was able to use email phishing to extract answers from 92% of his targets.
The performance of personal knowledge questions is so bad that the authors recommend that websites restrict their use to low risk situations. For password recovery, email and SMS-based systems are, they say, more secure and more reliable.
As a user you may not have a choice about what form of password recovery you’re offered so if you find yourself faced with personal knowledge questions I recommend you treat them as additional passwords.
Passwords might be a poor fit for humans but we’ve been living with them long enough that there is at least some useful technology to knock the sharpest corners off.
To avoid using common, easy to guess or poorly-chosen answers, generate yourself some random combinations of letters, numbers and wacky characters and store them in a password manager.
That is exactly what I do – I generate a random password as a security answer for the question and store it in a password manager. I use Sticky Password but there are many others like Lastpass etc.
I usually just bang my hand on the keyboard to those “in case you forget your password” questions, but then I get in trouble when the site decides it would be a great idea to ask them even though I remember my password.
What I really wish is that the sites would let me choose the questions as well as the answers. I could come up with some unique questions that only I know the answer to and am not likely to forget, but wouldn’t apply to anyone else. Alas, very few places do that.
I’ve found the best solution is to use an unlikely answer–such as, what’s your favorite food? Answer: Mount Rushmore. Keep the answer fairly long–just like the password.
Regards,
That’s what I do as well.
Where did you go on your first date? – Snuffleupagus
Key parts being:
- Totally unrelated to the question
- Significant length
- Non-Complex (BD$1k4S!dff72 just won’t work out well)
- Related to your life, but not a hobby, personal interest, person, address, etc..
I had a buddy who used “beer” as his favorite drink. Imagine how fast that account was compromised. (It was faster than it is taking me to write this post).
Avoid answers that are of public record as well. If you’re a selected/specific target, finding your mother’s maiden name is _NOT_ hard.
The problem with this method is that you then have to have some way of mapping your responses, as pointed out in this article and in the study. I suppose one method would be to map out all the common security questions and then make a chart where you swap the answers — but the result won’t be any more secure than if the question was “password.”
I like places that let you create your own Secret. Then I use something like “What’s Jim’s phone number?” Jim being my best friend in 5th grade. First phone number I committed to memory other than my own.
Password managers are OK to a point. But what if you have a problem with the password manager. Recently whilst travelling I found my password manager had not synchronised.
I also had the issue where to help work around a technical problem with a secure system we were told to clear all our cached data. Despite the password manager being outside of this system, it no longer recognised the site I was trying to log in to.
I have not yet had chance to get to the bottom of it, which is why I won’t name the password manager (but it is one of the better ones and I actually pay for it).
I am just highlighting that password managers are not the complete answer either.
It is interesting to think back to the pre-computer age – how did we prove our identity? A document that was hard to obtain e.g. our passport which used a picture of our face. And in day to day life, we “verify” people by their face, voice, gait (I am short sighted and without glasses I can recognise some people by the way they move).
What this tells me is that whilst we use a QWERTY or a numeric keypad, we are always going to struggle with something we can easily remember but is secure. And for safety, it should be different for each use. I have dozens of PINs and hundreds of passwords, and am getting to the start of “senior moments”. This is where it gets tricky.
Take EA’s Origin service. One of the largest digital-distributors of games in the world and they have made a massive security-blunder with this:
They FORCE you to pick a security question from a small dropdown and type in the answer. Things like “mother’s maiden name” and other silly stuff. Their client software simply will not let you close the window or reject the request. You can kill the process, but within a few weeks it will pop up again and they will again try to coerce you into adding a mind-numbingly stupid security question/answer.
So like Luke said above, ignore the question and add a password instead. Don’t use a password you don’t want anyone to see, though, as security questions & answers usually are viewable by support staff (generally, not specific to EA).
Another big issue with “secret” questions is that they are seldom hashed. In my experience, even low ranking admins of a system (e.g. customer service reps) have full access to your secret questions. Since so many places use similar questions and since some questions have personal info, hacking these can be a goldmine.
I’ll stick with the mother’s-maiden-name one (which is as close to 2fa as my bank gets for non-mobile customers). I was adopted at the age of 2, and was then issued a new birth certificate in my adopted name, and the “long form” version shows the names, dates and places of birth of my adopted parents, as is standard practice most places.
I’m in the unusual position of having known my natural mother, so I supply *her* maiden name when necessary. I’d love to see a hacker track that down, since it hasn’t been of record for nearly 70 years now, and her family wasn’t the sort to keep family info in, say, their Bible.
Bad answers? What about bad questions?
My credit union (similar to a bank) is not a rinky-dink outfit. Deposits are nearly $2 billion. But they don’t get the password thing.
Not only are their dropdown password choices simple, as described here, and they sometimes challenge with these questions even if the password is entered correctly, but some of their questions are ambiguous. My favorite is “What is your grandfather’s first name?” When I reminded them that I had TWO grandfathers and couldn’t be expected to remember which one’s name I had entered five years ago, they simply couldn’t understand what the problem was.
Your suggestion to “… generate yourself some random combinations of letters, numbers …” and save it with a password manager or on a USB, really just makes the security question only another password, with the same memory / recall problems as the original.
These so called security questions should just be abandoned as they become another entry point for “hackers”, with actually less security than the original password.
The only redeeming aspect is those sites that use the questions as part of a two factor ID scheme.
What are really irritating are the ones they get from public records, such as my marriage date. We were common law married in one state and moved to another state that did not recognize common law, so we were forced to get married ‘really’. Now when they ask when I was married, I have to dig it out of some place as it’s not really when we were married. So the public questions are not only stupid, but can be found by anyone. I don’t know who came up with this, but it is a loser.
Let’s face it, secret questions are not really secret! These need to be flushed. I’ve resolved to a password manager that generates randomized passwords with whatever the site needs, like two characters and start with a number and 1 special character. There are still problems, especially with banks as they have some types of ways to enter answers that don’t allow you to paste it in, and I rarely can type one of these randomized passwords back in, even looking at it.
Dan is also very right as many are not any kind of question that I would ask or have a specific answer…
Jack
We had a recovery in place where our users could enter their own questions. One day a user phoned in asking us for help with his question/answer and said: ‘Yeah, I see the question is “My girlfriend”, but – which one do you mean?’
And that most-famous of all “standard” questions: “What high school did you attend?” You would have to have lived in a cave to not know the corresponding answer: Wasilla High School!
Today’s (May 2015) report that “The [US] Internal Revenue Service has confirmed that attackers accessed 100,000 taxpayers’ accounts using personal data stolen elsewhere …” shows that since they were stolen, not researched, it really doesn’t matter if your answers are true, false, nonsense, or cryptic.
Thus, you should follow all the rules for “safe passwording”, including unique for each site.
But that kinda defeats the purpose, doesn’t it?
Great article.