Secret Questions – A soft target

By balaji

June 17, 2011

Security is not only about the product but also about the process and people. When we say 'people', it includes the employees of the service provider as well as the end users. Therefore, end users also need to take some responsibility and put in efforts to ensure application security. Traditionally, we have been writing articles for developers, CISOs, system and network administrators, security architects, etc. This time, however, we have written an article for the end user. People in the previously mentioned roles must be using one website or another for financial transactions, storage of personal data or transfer of sensitive information. So, in a way, this article is also meant for them.

We are all guilty of some bad human habits. One of them is choosing weak, easy-to-guess passwords. Of late, we have been overcoming this habit thanks to the flood of information from hundreds of blogs, countless articles and numerous books on the need for strong passwords. Moreover, the strong password policies imposed by applications have left users with little choice but to pick relatively strong passwords. There are other bad human habits, however, that can still pose a threat to a user's password and identity.

'A chain is only as strong as its weakest link', they say. With passwords becoming harder and harder to crack or guess, attackers have identified the password recovery feature of an application as the weakest link through which to steal a password. In most applications, the "Forgot Password" feature is implemented so that a secret question is asked in order to authenticate a user who no longer remembers his/her password; the user is allowed to reset the password only after answering the question correctly. The application presents the "secret question" as an additional layer of security, but it often proves to be exactly the opposite.

These are a few 'categories' of secret questions that are generally used in the Forgot Password feature, each with their own problems.

  1. Questions with very few possible answers: These are questions whose answers are not unique to the user. Many sites still use "What is your favorite color?". Most people will answer black, white or one of the colors of the rainbow (VIBGYOR), so the set of possible answers is very small.
  2. Questions containing 'personal' details: These include the mother's maiden name, date of birth, hometown, etc. This information is easily available over the internet, especially with the growing popularity of social networking sites.
  3. Questions that can be answered through research: These include the name of the first school, the make of the first bike, etc. Answers to these questions can be extracted through social engineering or, in some cases, are readily available over the internet.
  4. Questions set by the user: In this category the user is allowed to set his/her own question. The rationale is that the user will choose a question whose answer is known only to him/her. In practice, most people set questions that are easy to remember and very obvious. If IT professionals find it hard to write good questions for themselves, how can we expect other users to create a good secret question within moments? Hence, user-set questions usually end up falling into one of the categories above.

Therefore, the answer to most of the secret questions can either be guessed or can be discovered. As social networking continues to grow, more and more people are getting comfortable with sharing information online, hence becoming more vulnerable to password recovery attacks.

Let me draw a physical analogy: if a user's account is a 'safe or lock' and the password is the 'key', then the secret question is the 'duplicate key'. Your 'safe or lock' remains unsafe if you guard the 'key' carefully but leave the 'duplicate key' readily available. Similarly, what is the point of having a good password like Qi&@hD$!1s if your answer to the so-called secret question 'What is your hometown?' is something as simple as 'New Jersey'?

Giving the user an option to guess the name of a pet or hometown in lieu of actually knowing a password dramatically shortens the odds for the attacker. The service is essentially telling the attacker: "We understand that it is difficult to guess passwords, so let us help you narrow them down from potentially millions of combinations to around a dozen, or even better, if you know how to use Google, just one".

Doing it Wrong

The security questions that you pick can make a difference. Your favorite color and hometown can probably be guessed, and if they can't, you may be revealing that information anyway. By searching for people using a search engine, browsing their social networking profile, or accessing other public sources of information, it is now increasingly easy to gather a lot of information about who they are, where they are, where they've been to, what they do, who they know, what they like, what they don't, etc. The list goes on. This is a gold mine of information that can be used to answer relatively simple secret questions, and even carry out sophisticated social engineering attacks. The concept of over-sharing has become increasingly popular as people have posted increasingly absurd amounts of personal information online (thus allowing anyone to see it).

Doing it Right

The 'right' answer to this problem is always debatable; however, there are a few things you can do to protect yourself from secret question abuse. The primary recommendation is the obvious one: "Don't forget your password!". You are better off storing your passwords in a secure password storage program (e.g. KeePassX).

The answer to the secret question should not be easily guessable, just like the password. Consider using a simple code word that you append to the beginning or end of any answer. Thus, your hometown or favorite baseball team would become "Virginiarocks" and "Crazy_New_York_Yankees". You can also write your answer backwards (e.g. ainigriv). Note that this is by no means perfect, but it improves security by vastly increasing the number of possible answers and makes the response non-guessable (even if the attacker knows the true answer to the question). If you consider yourself really tech-savvy, you can encode your answer using http://infoencrypt.com/, etc.

As application developers, we should make sure we do not offer the user questions whose answers are easily guessable (as discussed earlier in this article). There are no absolutely good security questions, but the following ideas are the best available. A fairly good security question has four common characteristics:

  • The answers should not be easily guessable or researched (safe).
  • The answers should not change over time (stable).
  • The answers should be memorable.
  • The answers should be definitive.

A few examples of good security questions are given below:

  • What was your dream job as a child?
  • In which city did you meet your spouse?
  • What is the name of your favorite childhood friend?

Additionally, an application should challenge a user with more than one secret question in order to authenticate him/her. If cost is not an issue, an organization can implement multi-layer authentication (e.g. a security token).
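To make the developer-side advice concrete, here is an added example (my code, not the article's) of a recovery check that refuses the weak question categories described above, insists on at least two questions, and only allows a reset when every enrolled answer matches. The salted hashing of stored answers and the case/whitespace normalization are my own additions, assumed good practice rather than anything the article prescribes; the question texts are the article's examples.

```python
import hashlib
import hmac
import os
import unicodedata

# Hypothetical denylist of questions the article calls out as weak
# (few possible answers, 'personal' details, researchable facts).
WEAK_QUESTIONS = {
    "What is your favorite color?",
    "What is your mother's maiden name?",
    "What is your hometown?",
    "What is your date of birth?",
    "What was the name of your first school?",
}

def is_offerable(question: str) -> bool:
    """True if the enrollment UI may offer this question to the user."""
    return question not in WEAK_QUESTIONS

def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so a memorable answer still matches."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())

def hash_answer(answer: str, salt: bytes = None):
    """Salted slow hash of the normalized answer; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return salt, digest

def enroll(qa_pairs: dict, minimum: int = 2) -> dict:
    """Store hashed answers; reject weak questions and too few questions."""
    if len(qa_pairs) < minimum:
        raise ValueError(f"need at least {minimum} secret questions")
    weak = sorted(q for q in qa_pairs if not is_offerable(q))
    if weak:
        raise ValueError(f"refusing weak questions: {weak}")
    return {q: hash_answer(a) for q, a in qa_pairs.items()}

def verify_recovery(enrolled: dict, supplied: dict) -> bool:
    """Permit a reset only if every enrolled question is answered correctly.
    Every answer is checked (no early exit) so the response does not reveal
    which individual question failed."""
    ok = True
    for question, (salt, expected) in enrolled.items():
        _, actual = hash_answer(supplied.get(question, ""), salt)
        ok &= hmac.compare_digest(actual, expected)
    return ok
```

Pair this with rate limiting on the recovery endpoint; the multi-question check alone does not stop unlimited guessing.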

Conclusion

The secret question plays a pivotal role in identity theft, so it must be handled very carefully by both developers and end users. An application should offer good security questions and require more than one of them to authenticate a user. Users, in turn, should choose strong, non-guessable answers to the secret questions set during registration; this is as important as selecting a strong password for the account. Users should also avoid exposing data unnecessarily through social media and other Web 2.0 applications (e.g. Twitter, Facebook, LinkedIn, Wikipedia, Second Life, blog posts, webmail, text messaging, instant messaging, etc.), since that data would otherwise have remained acceptably private, confidential and anonymous.


Tags: Best Practices
