The Curse of the Secret Question

It's happened to all of us: We sign up for some online account, choose a
difficult-to-remember and hard-to-guess password, and are then
presented with a “secret question” to answer. Twenty years ago, there
was just one secret question: “What's your mother's maiden name?”
Today, there are more: “What street did you grow up on?” “What's the
name of your first pet?” “What's your favorite color?” And so on.

The point of all these questions is the same: a backup password. If
you forget your password, the secret question can verify your identity
so you can choose another password or have the site e-mail your current
password to you. It's a great idea from a customer service perspective
— a user is less likely to forget his first pet's name than some
random password — but terrible for security. The answer to the secret
question is much easier to guess than a good password, and the
information is much more public. (I'll bet the name of my family's
first pet is in some database somewhere.) And even worse, everybody
seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to
a much less secure protocol (secret questions). And the security of the
entire system suffers.

What can one do? My usual technique is to type a completely random
answer — I madly slap at my keyboard for a few seconds — and then
forget about it. This ensures that some attacker can't bypass my
password and try to guess the answer to my secret question, but is
pretty unpleasant if I forget my password. The one time this happened
to me, I had to call the company to get my password and question reset.
(Honestly, I don't remember how I authenticated myself to the customer
service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like
to think that if I forget my password, it should be really hard to gain
access to my account. I want it to be so hard that an attacker can't
possibly do it. I know this is a customer service issue, but it's a
security issue too. And if the password is controlling access to
something important — like my bank account — then the bypass
mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they
only work for low-security applications. The secret question is just
one manifestation of that fact.

This essay originally appeared on Computerworld.  [Schneier on Security]
