Saturday, July 19, 2008

How did the "secret question" get out of control?

Recently I had to answer 4 "secret questions" for some investment account that controls a bit of our retirement.

Four.

All different from the usual "mother's maiden name", because so many people have hacked that answer that the questions have moved on.

Now they ask what model my first car was.

That will be hacked, and then I'll be asked a different secret question. Eventually some future AI will be able to reconstruct my entire life from hacked "secret" questions.

How did this get so out of control? When Schneier wrote this 3 years ago, I figured the stupidity would die off (emphases mine) ...
Schneier on Security: The Curse of the Secret Question

...It's happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a 'secret question' to answer. Twenty years ago, there was just one secret question: 'What's your mother's maiden name?' Today, there are more: 'What street did you grow up on?' 'What's the name of your first pet?' 'What's your favorite color?' And so on.

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it. This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it. I know this is a customer service issue, but it's a security issue too. And if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.

I think the lesson is that even when something is an "ex-parrot", humans will keep it propped up in the corner for a very long time. I used to follow Schneier's "random answer" technique, but then some sites started asking me both my regular password and my "secret question".

The idiocy of the "secret question" will never end.
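As an added illustration of Schneier's "weakest path" argument and his random-answer workaround (example code, not from the post or the essay; the answer-space sizes are constructed order-of-magnitude assumptions, not measured data):

```python
import math
import secrets
import string

# Constructed estimates (assumption) of how many plausible answers an attacker
# would have to try for common recovery questions. Many of these answers are
# also findable in public records, which only makes the real numbers smaller.
QUESTION_ANSWER_SPACE = {
    "mother's maiden name": 2 ** 14,   # common surnames, often public record
    "first pet's name": 2 ** 10,       # a few hundred popular pet names
    "favorite color": 2 ** 4,          # about a dozen common answers
    "street you grew up on": 2 ** 12,
    "model of first car": 2 ** 8,
}


def bits(space):
    """Guessing work for a uniformly chosen answer from `space` possibilities, in bits."""
    return math.log2(space)


def password_bits(length, alphabet_size):
    """Guessing work for a random password of `length` symbols over an alphabet."""
    return length * math.log2(alphabet_size)


def recovery_bits(questions, required):
    """Guessing work for the recovery path when `required` of `questions` must be
    answered. If the site lets the caller choose which questions to answer, the
    attacker picks the `required` weakest ones, so those are the ones that count."""
    weakest_first = sorted(bits(QUESTION_ANSWER_SPACE[q]) for q in questions)
    return sum(weakest_first[:required])


def effective_bits(pw_bits, rec_bits):
    """The account is only as strong as its weakest authentication path."""
    return min(pw_bits, rec_bits)


def random_answer(length=16):
    """Schneier's workaround: a recovery answer with password-grade entropy.
    It has to be stored somewhere (a password manager) or recovery is lost."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    four = ["mother's maiden name", "first pet's name",
            "street you grew up on", "model of first car"]
    pw = password_bits(12, 62)
    print(f"12-char password: {pw:.1f} bits")
    print(f"all four questions required: {recovery_bits(four, 4):.1f} bits")
    print(f"any one of four accepted:    {recovery_bits(four, 1):.1f} bits")
    print(f"effective (any one of four): {effective_bits(pw, recovery_bits(four, 1)):.1f} bits")
```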

1 comment:

Unknown said...

These secret questions all assume a very stable Middle America existence. "What street did you grow up on?" as if you grew up on one street. "What was your first pet?" though you may have had a number of pets at once. And so forth. These are cognitive tests that oldsters will not be able to answer, and I struggle with today!