3. Why do they do this?
It’s a cheaper way to do account recovery
4. Characteristics
PASSWORD vs. SECURITY ANSWER

COMPLEXITY
  Password: complexity often “enforced” by complex rules
  Security answer: often a word or name
SECRECY
  Password: users are told to keep passwords secret
  Security answer: available on Facebook, Ancestry… (OPM?)
SHARING
  Password: attempts to train users not to share passwords between sites
  Security answer: security questions are common between sites
STORAGE
  Password: should be salted and hashed
  Security answer: can’t salt/hash if you need to do fuzzy matching
5. Best Practices?
—OWASP, “Choosing and Using Security Questions Cheat Sheet”
https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
“…make the Forgot Password solution as palatable as possible”
7. Opting out
• Answering security questions is rarely optional
• Many recommend answering the questions with gibberish
• Many users don’t realize they can (or should) make up answers
• Security questions often eliminate better methods for account recovery
• We aren’t trying to solve this problem just for security professionals!
9. Looking up the answer
What is your mother’s maiden name?
What is your oldest sibling’s birthday month and year?
What high school did you attend?
What school did you attend for sixth grade?
What was the last name of your third grade teacher?
What was your childhood phone number?
What hospital were you born in?
And, of course…
10. But if you need to guess…
• First name
• Family name
• Favorite team
• First/favorite pet
• Color of first car
• Street names (by state)
11. Some questions are just bad!
• “What is your favorite season?” (eDisclosure/SouthTech Systems)
Only 4 choices, unless you include “football”, “strawberry”, etc.
• “Who is the first president you voted for?” (California DMV)
Very limited choices, especially if approximate age of user known
• “What is the year in which you were married? (YYYY)” (Fidelity Investments)
Easy to guess, especially if user is young
12. False negatives, too
• Many questions have more than one “right” answer:
  • “What is the last name of your childhood best friend?”
  • “What is your favorite color?”
  • “What is the name of a college you applied to but didn’t attend?”
• Many questions have ambiguous formatting, difficult to canonicalize:
  • (213) 555-2368 vs. 213/5552368 and +44 7786 230167 vs (07786) 230167
  • West Maple Street vs. W. Maple St.
• Throttling strategies need to accommodate guessing by the intended user as well as by attackers
13. What to do?
• Challenge questions might have some role in nuisance limitation
• Example: Challenging user prior to sending password reset email
• Choose questions that have deterministic, hashable answers
• Don’t expect any real security, even when multiple questions are asked
• Consider insider threats, e.g., disgruntled ex-spouses
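Slides 4, 12 and 13 together make one point: an answer can only be salted and hashed like a password if it is first reduced to a deterministic canonical form. The Python below is an added illustration, not from the deck; it uses a constructed canonicalizer (digits only for phone numbers; case, accent and punctuation folding for text) in front of PBKDF2, and shows on the slide 12 examples what such folding does and does not rescue.

```python
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumption: tune to your own latency budget


def canonicalize(answer: str, kind: str = "text") -> str:
    """Reduce an answer to a deterministic string before hashing.

    kind="phone": keep digits only, so "(213) 555-2368" and "213/5552368"
    collapse to "2135552368". A country code vs. trunk prefix
    ("+44 7786 ..." vs. "(07786) ...") still differs; that needs a
    country-aware normalizer, which this example does not attempt.
    kind="text": strip accents, case, whitespace and punctuation.
    Abbreviations are NOT expanded, so "W. Maple St." stays distinct
    from "West Maple Street".
    """
    if kind == "phone":
        return re.sub(r"\D", "", answer)
    decomposed = unicodedata.normalize("NFKD", answer)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def store_answer(answer: str, kind: str = "text") -> tuple[bytes, bytes]:
    """Salt and hash the canonical form; returns (salt, digest) for storage."""
    salt = os.urandom(16)
    canon = canonicalize(answer, kind).encode()
    digest = hashlib.pbkdf2_hmac("sha256", canon, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(candidate: str, kind: str, salt: bytes, digest: bytes) -> bool:
    """Exact match on the canonical form; no fuzzy matching is possible here."""
    canon = canonicalize(candidate, kind).encode()
    check = hashlib.pbkdf2_hmac("sha256", canon, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(check, digest)


if __name__ == "__main__":
    salt, digest = store_answer("(213) 555-2368", "phone")
    print(verify_answer("213/5552368", "phone", salt, digest))   # True
    salt, digest = store_answer("West Maple Street")
    print(verify_answer("W. Maple St.", "text", salt, digest))    # False
```

Throttling (slide 12) has to assume the legitimate user will also fail on the second case, so the canonicalizer, not the hash, decides how many honest retries a question costs.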
14. References
• M. Just and D. Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security, pages 1–11. ACM, 2009.
• Joseph Bonneau, Mike Just and Greg Matthews. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. FC '10: The 14th International Conference on Financial Cryptography. Tenerife, Spain.
• Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, and Mike Williamson. 2015. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. In Proceedings of the 24th International Conference on World Wide Web (WWW '15). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 141–150.
• OWASP, Choosing and Using Security Questions Cheat Sheet. https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
• Insecurity Questions blog. https://insecurityq.wordpress.com