On security questions

Tags: security, websites.
By lucb1e on 2012-02-29 23:39:43 +0100

Security questions, as still used by many websites, Windows Live among them, are conceptually flawed in many ways. They should never have been launched on the scale that they have, they should never have been taken as seriously as they have, and they should have been phased out long ago--which is the one thing that hasn't happened. I also discovered recently that their purpose is a mystery to many users, which greatly increases the security risk they introduce.


Basics and simple hacks
Security questions work very simply:
- You either choose a question from a list, or type your own question;
- You enter the answer to the question;
- If you ever forget your password, you enter the answer to the question and you can reset your password without any further trouble.

The trouble already begins with the first step. Many websites do not allow you to enter your own question. Why? I don't have a clue. I'll get to why this, like many other things about security questions, is so incredibly bad in a minute.

Let's say I choose the Windows Live security question "What was the name of your first pet?" How many people do you imagine know the answer to that question? Probably my parents, grandparents, brothers, sisters, maybe close friends from primary school, maybe other close family. In my case, that means 2 parents + 3 grandparents + 1 brother + 1 friend + maybe an uncle or cousin or so, let's say 1.
That makes 8 people who already have access to my account, and so far there is no hacking or social engineering involved. Sure, they are people I know and who might not mean any harm, but that friend from primary school might not like me after a few years and do something harsh in his teen years. Or someone might be trying to play a joke. Or a father might be interested in what I do on Windows Live. Or even for no reason at all: I'm just averse to the idea of anyone having access to my e-mail.

Your e-mail account is probably one of the most important accounts you have right now. What is not tied to it? Maybe your bank account, that might require two-step authorization. Besides that, pretty much everything else. From websites you own, to social networking accounts to, of course, the e-mail itself together with the address book. Do you have a folder with emails containing passwords? From the few people I know it from, a couple have. I figure a lot of people do.

Now let's say it's not my best friend from the primary school who is trying to get access, but just someone I know. He might ask the following questions:
- Do you like animals?
- Do you have any pets?
- Have you always had pets?
- What was your first pet?
(You might already get the name now)
- Let me guess, his name was {insert common name}? :P
(Or you might get it now)
- hmm... {other common name} maybe?
- What was his (or her) name then?

If you can't get the name, you might get what kind of pet they had, or even the gender. This narrows down the possibilities quite a bit already. But I expect nearly everyone would answer.

I tried this with Frédéric Schertenleib (a good friend--we had talked about security questions a couple of hours earlier and he had given me permission to try), but I was too direct (not patient enough) and he saw through me. He told me though that on any other night, when we hadn't been talking about security questions beforehand, he would have given me the answer.

This would not only have given me access to his Windows Live account. His Gmail account had "f-----07@---e.fr" as recovery e-mail address. Knowing that his MSN address starts with an f and ends in 07@live.fr, it wasn't hard to figure that one out... Just send a forgot-password e-mail, click the link and voilà!

The above problem is one of the reasons I can't imagine why any service would disallow choosing your own security question. You may, as a user, realize that the question provides access to your account, and that there are almost always people who know the answer to any question on the list, or who could obtain it easily. If you can choose your own question, you might think of one which has neither of those problems, or at least a reduced risk.


When you aren't a friend or acquaintance,
things get a little harder. Still, statistically speaking, it's always easier than trying to get his password. (Although I'd recommend trying common passwords and combinations with his birthday too. Then start a (hybrid) dictionary attack while you go and exploit other ways in.)

- You can try social engineering attacks on him or people who might know the answer.

- You can try guessing common answers.

- There doesn't seem to be anything like "good practices" for answers.
(Passwords should be unguessable, not contain common words, get changed often, et cetera, et cetera. Ever seen those tips for a security question? Can you even imagine a security question answer which follows all of those recommendations? Not sure about you, but my first pet doesn't change that often...)

- You know the data you are looking for.

This last one is bad. This is the second reason I can't imagine any service disallowing you from choosing your own security question. Do you know anyone whose pet is called 00R3tNa$@? Or Robert');DROP TABLE students;--? Unlikely. A little more likely is Oscar or Princess. Heck, I even know someone whose first pet was named Princess (and I was just looking at Wikipedia's list of common pet names). But what I mean to say is: you know what to look for: one word, probably with the first letter capitalized, possibly a prefix like Mr.
Or another common question: your favorite food. How many possibilities are there? How easy is that to guess? How easy is that to social-engineer out of his wife? (Claim to be an old friend who wants to surprise him? Just brainstorming.) Or your frequent-flyer number: although I never owned one, it's not hard to look up some examples and get to know the format and length. It might even have a validation check which limits the number of possibilities even further (like adding up the individual digits and requiring a certain result, or something similar to what they do with your Social Security Number).
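To put numbers on "you know the data you are looking for", here is a small added example (my own illustration, not code from the original post). It enumerates the guesses an attacker would try for a first-pet-name answer, runs them against a stored (unsalted SHA-1) answer hash, compares the size of that guess space with an 8-character password, and counts how many n-digit numbers survive a check-digit rule. The pet-name list is a constructed sample, and the Luhn check is only an assumed stand-in for whatever validation rule a frequent-flyer number might have; the post does not say which rule applies.

```python
"""Added example (not from the original post): how small the guess space for
a format-known security-question answer is, compared with a password, and
how a check digit shrinks a numeric answer space further.
Sample names and the Luhn rule are constructed assumptions."""
import hashlib
import math

# Constructed sample of common pet names; a real attacker would use a much
# longer list, but the order of magnitude is what matters here.
COMMON_PET_NAMES = ["max", "bella", "charlie", "oscar", "princess",
                    "molly", "buddy", "daisy", "lucy", "rocky"]
# Format knowledge from the post: one word, maybe capitalized, maybe "Mr."
PREFIXES = ["", "Mr ", "Mr. ", "Mrs ", "Miss "]


def pet_name_candidates(names=COMMON_PET_NAMES, prefixes=PREFIXES):
    """Every guess an attacker would try for 'name of your first pet':
    each name in three capitalizations, with each prefix."""
    candidates = []
    for name in names:
        for variant in (name.lower(), name.capitalize(), name.upper()):
            for prefix in prefixes:
                candidates.append(prefix + variant)
    return candidates


def sha1_hex(text):
    """Unsalted SHA-1, the kind of 'hashing' the post says answers rarely
    even get; with 150 candidates it would not matter if they did."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def guess_answer(stored_hash, candidates):
    """Offline guessing against a stored answer hash.
    Returns (guess, attempts) on success, (None, attempts) otherwise."""
    for attempts, guess in enumerate(candidates, start=1):
        if sha1_hex(guess) == stored_hash:
            return guess, attempts
    return None, len(candidates)


def luhn_ok(digits):
    """Luhn check (assumed here purely as an example of a validation rule;
    the post does not say which rule frequent-flyer numbers use)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_digit_space(ndigits):
    """Count the ndigits-long numbers that pass the check by brute force.
    A check digit fixes one digit, so this is 10**(ndigits-1)."""
    return sum(1 for n in range(10 ** ndigits)
               if luhn_ok(str(n).zfill(ndigits)))


def bits(space):
    """Guess space expressed in bits of entropy."""
    return math.log2(space)


if __name__ == "__main__":
    cands = pet_name_candidates()
    stored = sha1_hex("Princess")  # constructed victim answer
    print(guess_answer(stored, cands))
    print(len(cands), "pet-name guesses =", round(bits(len(cands)), 1), "bits")
    print("8-char mixed-case+digit password =", round(bits(62 ** 8), 1), "bits")
    print("4-digit numbers passing the check:", check_digit_space(4), "of", 10 ** 4)
```

The constructed answer "Princess" falls on the 66th of 150 guesses; the whole list is about 7 bits, against roughly 48 bits for an 8-character mixed-case alphanumeric password. The check-digit count shows why a validation rule helps the attacker: it removes nine out of ten candidates before any guessing starts.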


Problems for the user
So you thought the security problems alone were bad enough to get rid of security questions? Well okay, I guess I'd prefer having users lose access to their account over getting them hacked. Marginally, but still. Yet having them keep access and not get hacked seems a bit better...

Can you remember what your favorite food was, six years ago when you created that Hotmail account as a 13-year-old? Remember how you spelled it too? Fairly unlikely. Microsoft should never have chosen a question with a variable answer.

Also, people learn by rehearsing. Your password is something you rehearse, even when you remain logged in or set the password to be remembered. From time to time, you'll need to log in. Even more when you use the password on other websites (which is not uncommon as we all know). Your security question on the other hand is something you set once and then never need again until the day you forgot your practiced and rehearsed password.
"So you forgot the practiced and rehearsed password? Well let us try your security question, surely you will remember that one!"

Okay, I might be exaggerating a little now, but for the variable answers this is very true. Your first pet's name might be a bit more memorable, but that too is subject to the same problems: not being rehearsed, spelling errors, remembering the spelling wrong, having set the wrong answer (the first pet you remember instead of the first pet that was actually yours, perhaps?), and maybe other problems.

Another problem for users is that they might not understand the purpose of the question, and fill in the true answer to one of the preset questions. About the worst thing you can do, as you probably understand by now.


So what do we do?
(This is for users. For admins: Get rid of security questions already!)
Don't set a security question, but use a secondary e-mail address instead. Give that other account a different password (not an unused one though, something you are sure you remember). Set the recovery option of your secondary e-mail address to your primary e-mail address. Then you will always have two chances at remembering a correct password.

The main thing though: simply don't forget your password. If you are afraid you might, I think the best thing to do is:
- Out of your passwords, choose one master password you are SURE never to forget (preferably a strong password, but if that is the one you are unsure you'll remember, a weak password is better than nothing).
- Create a text file, or a Word document if you don't know how to create a text file. Preferably on a computer you are sure is free of viruses (or use a Linux live boot).
- In this file, write the first half of all your passwords. If you are really scared to death you'll forget them, note which password is used for which service. This will make things easier if the file ever gets cracked, but it is more insurance for you. If you are paranoid or unsure about viruses, use the on-screen keyboard to type the first one or two letters of every password. You can find the on-screen keyboard in Windows in the Start menu, under Accessories and then Accessibility. Alternatively: click Start, type osk (just those 3 letters) and press Enter.
- Create a zip, rar, 7z or other archive encrypted with this master password. There are easy guides on the web on how to encrypt (for example) a zip archive. Tools like Locknote do the job as well, but be careful about which tools you can really trust.
- After encrypting, remove the original, unencrypted file. Back up the encrypted file a couple of times, maybe mail it to yourself as well (preferably on Gmail, that's relatively safe storage).
- Write down the other halves of the passwords on a piece of paper and hide it safely.

Pro tip: give each password in the file and on paper a number, so you never mix up which half belongs to which other half.

So if I had a password Q8sM23zk, I would write "Q8sM" in the textfile (and optionally Q8 with the on-screen keyboard) and "23zk" on paper.


If you can't use a secondary e-mail address as described above, either because the security question is required or because you don't have any other e-mail address (or not one which you use regularly enough to be sure you won't forget its password), I'd choose my own question: "Q". The Q is the unique identifier of this password to me; because of it I know which password to use. (Side note: I use password hints the same way.) The first letter of your password is probably a good unique identifier, as long as you don't have any duplicates.

A variant on this is setting the question "What is my password? (X)" and then using your password (whose identifier is X) as the answer to the question. Then you have a two-password system set up, similar to when you would have two e-mail addresses. The password hint, X, is optional here.

If you also can't choose your own question, I'd personally either pick a random question and give another one of my passwords as the answer, or pick a random question and give "aisjfdoajszufqw" as answer (random stuff you won't ever remember). The latter is pretty much equivalent to having no security question set.

The only (technical) problem with using passwords as answers to security questions: the answer is less likely to be hashed than your password. Whereas people have generally got the message for passwords by now, even if it's only a single-pass unsalted MD5, hashing security question answers is something I think hasn't sunk in yet.
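As an added example (mine, not from the original post) of what "hashing the answer" should look like on the server side: the answer is normalized, salted and run through PBKDF2, and checked with a constant-time compare, exactly as a password would be. The normalization rule is my assumption, chosen so that a user who registered "Fluffy" can still recover with "fluffy " and isn't locked out by the spelling and capitalization slips described above. With this in place, using a password as the answer (the trick from the previous paragraphs) is at least as safe as the password itself.

```python
"""Added example (not from the original post): storing a security-question
answer salted and slow-hashed instead of in plaintext.
The normalization rule and the iteration count are assumptions."""
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, tune to your hardware


def normalize_answer(answer):
    """Fold the variation a legitimate user produces ('Fluffy ', 'fluffy',
    double spaces, composed vs. decomposed accents) before hashing.
    This is deliberately loose: the answer space is tiny anyway, so this
    costs almost nothing in guessability, and it avoids the recovery
    failures the post describes."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def store_answer(answer, salt=None):
    """Return (salt, digest) to store in the database; both are bytes.
    A fresh random salt per account defeats precomputed answer tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_answer(candidate, salt, stored_digest):
    """Recompute the digest for the candidate and compare in constant time,
    so the comparison itself leaks nothing about the stored answer."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    # Constructed sample: a user who set "Fluffy" and later types " fluffy ".
    salt, digest = store_answer("Fluffy")
    print("recovery with ' fluffy ':", verify_answer(" fluffy ", salt, digest))
    print("recovery with 'Fluffy2':", verify_answer("Fluffy2", salt, digest))
    # The post's own trick: a password as the answer gets the same treatment.
    print("password-as-answer:", verify_answer("Q8sM23zk", *store_answer("Q8sM23zk")))
```

Note what this does and does not fix: a stolen database no longer hands out answers in plaintext, but the guess space of "first pet's name" is still a few hundred candidates, so the recovery form itself still needs rate limiting or lockout, which is outside this snippet.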


Worst case scenario or Quite likely scenario right now
I think this was my first 'hack' (yeah okay, it was pure luck that it worked, but you still have to come up with the idea). I was about 13 years old and got into the MSN account of my cousin. How? She had the security question set to "What is your favorite food?" and I answered with the first thing I could come up with: "fries". Voilà!

You know things are bad when a security system gets broken by a thirteen-year-old. Users can never be at fault, only the system can be designed badly.
Well okay, I'll probably come back on that last statement, and probably soon too, but in general it holds quite true. Users shouldn't be able to do something wrong, especially with security, and especially with their e-mail account, which is the most important of all after your bank account.