The secret question guessing game.

http://www.schneier.com/essay-081.html
http://www.schneier.com/blog/archives/2009/05/secret_question.html

I am blogging about the effectiveness of using “Secret questions” as a method to recover ones account on a particular page or web service, or more simply a back up / secondary password for any account. The articles I posted above come from bruce schneier’s website( the author of our book), and it regards this very issue of secret question security. He points out a few different security flaws with this system. The main problem with these questions is that they are much easier to guess than a users primary password. We often see repeates of the same question on multiple websites. Mothers maiden name? First pet? High school or year you graduating in? With the social networking juggernaut that is facebook answers to these questions can be found in a just a few clicks. He mentions that he typically answers these questions with a good keyboard slap or face roll but also brings up the inconvenience if you actually forget your password and calling the company might be your only hope. A user that commented on one of his posts brought up a good point that typically answering secret question only emails the current registered email a new password. So if you received and email like this than you know that a hacker is trying to break in. What do you guys think someone effective or completely flawed. should changes for secondary passwords be made?

Advertisements

4 thoughts on “The secret question guessing game.

  1. Overall I feel that this system is effective enough for the average persons needs. As you said, the password reset notification gets sent to an email address, so unless both are comprised then the system works. Another thing that’s good about it is its ease of use. Once you start making it more complex you run the risk of alienating the user, which should be avoided. So if someone can come up with a system that’s more secure while still maintaining its simplicity then I’m all for it.

    The biggest drawback I’ve seen with the secret question though is when its actually used for the email address itself. If you all remember back in 2008 Sarah Palin’s yahoo email address was “hacked” by people finding her birthday online and using that to gain access to her emails.

  2. I always wondered why websites forced you to enter a security question – they only cause more confusion and open your account up to more problems. On Facebook, it’s pretty easy to get into someones account. If you forget an answer to a security question it allows you to send a message to three Facebook friends to validate you are resetting your password. This can easily be used among groups of “friends” to play pranks, or worse yet, cause damage in school. If you share mutual friends with someone you dislike, it’s really not hard to get into their account.

    Also: Facebook gives you an option so when you login to your account, you type in the name of the device you are on. It sends a text to your phone saying what just logged in your account. So even if someone got into my account I’d immediately get a text message and have time to change my password.

  3. A Facebook page can contain many answers to so called “secret” questions. People who are lax on their privacy settings potentially are exposing answers that would allow hackers to recover passwords and access accounts.

  4. Yes, the secret question is great for average users and it would be hard to find a middle ground between that and something more complex so i guess it does its job for the most part.
    And yes the Sarah Palin incident is entirely to blame on yahoos poorly design email account recovery and at least sites have learn to some degree from this incident.

    Responding to the next post, I never knew of that facebook account recovery feature and i feel if someone had enough motivation they could easily repossess and account with a few friends. I also didn’t know about the text message feature which seems a little reassuring, I should probably set my account up to do the same .

Comments are closed.