Saturday, February 12, 2005

The stupidity of the Secret Question and the death of passwords

Schneier on Security: The Curse of the Secret Question

I'm going to take some credit for this post by Schneier, the god of modern security. I wrote him a few weeks ago asking him to address the use of these inane "secret questions". Here he's done it, and in fine form. The stupidity behind these "secret questions" is breathtaking, but Schneier correctly points out (hey, it was in my email to him!) that this is yet another sign that passwords have passed their prime.
It's happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a 'secret question' to answer. Twenty years ago, there was just one secret question: 'What's your mother's maiden name?' Today, there are more: 'What street did you grow up on?' 'What's the name of your first pet?' 'What's your favorite color?' And so on.

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it. This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it. I know this is a customer service issue, but it's a security issue too. And if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.
In my case I wrote Schneier when a corporate system asked me for both my password and my secret question. Of course I knew the password (I use my generic ultra-low-security password for unimportant internal systems), but my "secret answer", like Schneier's, was a string of flailing keystrokes. I had to spend some days fighting with a mailbot to get both the secret answer and password reset. (BTW, corporate systems are usually far less service oriented than public systems, after all, the users have no power and no choice. Senior execs have power of course, but their admins deal with the software.)

No comments: