“Security” Questions Considered Harmful
Passwords 2015, Las Vegas
Jim Fenton
@jimfenton
Everyone has seen this
Why do they do this?
It’s a cheaper way to do account recovery
Characteristics: password vs. security answer
COMPLEXITY
  Password: complexity often “enforced” by complex rules
  Security answer: often a word or name
SECRECY
  Password: users are told to keep passwords secret
  Security answer: security answers available on Facebook, Ancestry… (OPM?)
SHARING
  Password: attempts to train users not to share passwords between sites
  Security answer: security questions are common between sites
STORAGE
  Password: should be salted and hashed
  Security answer: can’t salt/hash if need to do fuzzy matching
Best Practices?
“…make the Forgot Password solution as palatable as possible”
—OWASP, “Choosing and Using Security Questions Cheat Sheet”
https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
But, to be fair…
—OWASP
Opting out
• Answering security questions is rarely optional
• Many recommend answering the questions with gibberish
• Many users don’t realize they can (or should) make up answers
• Security questions often eliminate better methods for account recovery
• We aren’t trying to solve this problem just for security professionals!
Context is important
Must be truthful
Must be truthful
Make something up
Looking up the answer
What is your mother’s maiden name?
What is your oldest sibling’s birthday month and year?
What high school did you attend?
What school did you attend for sixth grade?
What was the last name of your third grade teacher?
What was your childhood phone number?
What hospital were you born in?
And, of course…
But if you need to guess…
First name
Family name
Favorite team
First/favorite pet
Color of first car
Street names (by state)
Some questions are just bad!
• “What is your favorite season?” (eDisclosure/SouthTech Systems)
  Only 4 choices, unless you include “football”, “strawberry”, etc.
• “Who is the first president you voted for?” (California DMV)
  Very limited choices, especially if approximate age of user known
• “What is the year in which you were married? (YYYY)” (Fidelity Investments)
  Easy to guess, especially if user is young
False negatives, too
• Many questions have more than one “right” answer:
  • “What is the last name of your childhood best friend?”
  • “What is your favorite color?”
  • “What is the name of a college you applied to but didn’t attend?”
• Many questions have ambiguous formatting, difficult to canonicalize:
  • (213) 555-2368 vs. 213/5552368 and +44 7786 230167 vs (07786) 230167
  • West Maple Street vs. W. Maple St.
• Throttling strategies need to accommodate guessing by the intended user as well as by attackers
What to do?
• Challenge questions might have some role in nuisance limitation
  • Example: Challenging user prior to sending password reset email
• Choose questions that have deterministic, hashable answers
• Don’t expect any real security, even when multiple questions are asked
• Consider insider threats, e.g., disgruntled ex-spouses
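The canonicalization problem from the “False negatives” slide and the “deterministic, hashable answers” and throttling advice from this slide fit together in one piece of code. The Python below is an added example, not part of Jim Fenton’s deck: it canonicalizes the two phone-number pairs and the street-name pair quoted on the slides, stores only a salted PBKDF2 hash of the canonical form, and gates the reset e-mail behind a per-account attempt budget so the real user can mistype without being locked out on the first try. The abbreviation map, the country-code handling, the attempt limit, the iteration count and the names `canonicalize_phone`, `canonicalize_street`, `ResetChallenge` are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Added example, not code from the slides. Canonicalize challenge answers so
# they can be salted and hashed, then throttle guesses per account.
# Assumptions: the abbreviation subset, the default-country rule, MAX_ATTEMPTS
# and the PBKDF2 work factor are all illustrative choices.

STREET_ABBREVIATIONS = {  # assumed small subset of postal abbreviations
    "west": "w", "east": "e", "north": "n", "south": "s",
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
}

ITERATIONS = 200_000  # assumed PBKDF2 work factor


def canonicalize_text(raw: str) -> str:
    """Lowercase, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", raw)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(text.split())


def canonicalize_street(raw: str) -> str:
    """'West Maple Street' and 'W. Maple St.' both become 'w maple st'."""
    words = canonicalize_text(raw).split()
    return " ".join(STREET_ABBREVIATIONS.get(w, w) for w in words)


def canonicalize_phone(raw: str, default_country: str) -> str:
    """Reduce a phone number to country code + national digits.

    A leading '+' marks an international number and is kept as-is; otherwise a
    leading '0' is treated as a trunk prefix and replaced by the country code,
    and a bare national number gets the country code prepended. The country
    must come from context (e.g. the user's profile): without it the UK pair
    on the slide cannot be unified, which is the slide's point.
    """
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits
    if digits.startswith("0"):
        return default_country + digits[1:]
    return default_country + digits


def store_answer(canonical: str):
    """Return (salt, hash); only these two values are persisted."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, ITERATIONS)
    return salt, digest


def verify_answer(canonical: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonical.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


class ResetChallenge:
    """Gate the password-reset e-mail behind one challenge question.

    Every attempt, right or wrong, counts against the account, so guessing
    cannot continue indefinitely, while MAX_ATTEMPTS leaves the legitimate
    user room to mistype or try the 'other' right answer.
    """

    MAX_ATTEMPTS = 5  # assumed; tune to how guessable the question is

    def __init__(self, question_kind: str, answer: str, default_country: str = "1"):
        self.kind = question_kind
        self.default_country = default_country
        self.salt, self.digest = store_answer(self._canon(answer))
        self.attempts = 0
        self.locked = False

    def _canon(self, raw: str) -> str:
        if self.kind == "phone":
            return canonicalize_phone(raw, self.default_country)
        if self.kind == "street":
            return canonicalize_street(raw)
        return canonicalize_text(raw)

    def attempt(self, raw: str) -> str:
        """Return 'send_reset_email', 'retry' or 'locked'."""
        if self.locked:
            return "locked"
        self.attempts += 1
        if verify_answer(self._canon(raw), self.salt, self.digest):
            self.attempts = 0
            return "send_reset_email"
        if self.attempts >= self.MAX_ATTEMPTS:
            self.locked = True  # hand off to a slower, stronger recovery path
            return "locked"
        return "retry"


if __name__ == "__main__":
    gate = ResetChallenge("phone", "(213) 555-2368")   # constructed enrollment
    print(gate.attempt("213-555-2367"))                 # wrong digit -> retry
    print(gate.attempt("213/5552368"))                  # slide's variant -> send_reset_email
```

The canonical form is what gets hashed, so the stored value reveals nothing about formatting, and the throttle counts every attempt rather than only failures, which keeps an attacker from learning the budget. Note what this does not buy: the answer space for “favorite season” is still four values, and no amount of hashing or throttling changes that.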
References
• M. Just and D. Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security, pages 1–11. ACM, 2009.
• Joseph Bonneau, Mike Just and Greg Matthews. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. FC '10: The 14th International Conference on Financial Cryptography. Tenerife, Spain.
• Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, and Mike Williamson. 2015. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. In Proceedings of the 24th International Conference on World Wide Web (WWW '15). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 141–150.
• OWASP, Choosing and Using Security Questions Cheat Sheet, https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
• Insecurity Questions blog, https://insecurityq.wordpress.com
Thank you!
(No, it’s not)
