
It's a mystery to me why websites think "secret
questions" are a good idea, writes Bruce Schneier, chief
security technology officer at BT. We sign up for an online
service, choose a hard-to-guess (and equally hard-to-remember)
password, and are then presented with a "secret question" to
answer.
Twenty years ago, there was just one secret question: what's
your mother's maiden name? Today, there are several: what street
did you grow up on? what's the name of your favorite teacher?
what's your favorite colour? Often, you get to choose.
The idea is to give customers a backup password. If you forget
your password, then the secret question is a way to verify your
identity. It's a great idea from a customer service perspective -
users are less likely to forget their first pet's name than some
random password - but terrible for security.
Easier to crack
The answer to the secret question is much easier to guess than a
good password, and the information is much more public. I'll bet my
childhood address is in some database somewhere. And worse,
everybody seems to use the same series of secret questions.
The result is that the normal security protocol (passwords)
falls back to a much less secure protocol (secret questions). The
security of the entire system suffers. I'm sure the designers of
the system thought the fallback system would only be used rarely,
when a user forgot their password. But any good security engineer
realises that bad guys can force the failure whenever they want,
and that the whole security of the system rests on the security of
the weaker of the two subsystems.
What can be done? As a customer, my usual technique is to type a
completely random answer for the security question. I madly slap at
my keyboard for a few seconds, and then forget about it. This
ensures that an attacker has little chance of bypassing the
password protection by successfully guessing the answer to my
secret question, but it is pretty unpleasant if I forget my
password. The one time this happened to me, I had to call the
company to get my password and question reset. Yes, it was a right
pain.
Which is maybe what should happen in the first place. I like to
think that if I forget my password, it is really hard to gain
access to my account. I want it to be so hard that an attacker
can't possibly do it. I know this is a customer service issue, but
it's a security issue, too. And if the password is controlling
access to something important - like my bank account - then the
bypass mechanism should be harder, not easier.
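To make the weakest-link argument concrete, here is an added example (my own code, not from the article) modelling an account with a password and a secret-question fallback: with an unthrottled fallback, a short list of common answers bypasses the password in a few tries, while capping fallback attempts and locking the path until an out-of-band reset makes the bypass harder than the password, as the article argues. The colour guess list and the attempt cap are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample, not real data: what an attacker would try first against
# a "favourite colour" question, most common answers first.
COMMON_COLOUR_GUESSES = ["blue", "green", "red", "purple", "black", "yellow"]

def _hash(value: str, salt: bytes) -> bytes:
    # The fallback answer guards the account just as the password does, so it
    # gets the same slow, salted hash rather than plaintext storage.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

class Account:
    """Password login plus a secret-question fallback. recovery_limit caps wrong
    fallback answers; once reached the fallback locks and only an out-of-band
    reset (the phone call in the article) reopens it."""

    def __init__(self, password: str, answer: str, recovery_limit: int):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.ans_hash = _hash(answer.strip().lower(), self.salt)
        self.recovery_limit = recovery_limit
        self.recovery_failures = 0
        self.recovery_locked = False

    def check_password(self, guess: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(guess, self.salt))

    def recover(self, answer_guess: str) -> bool:
        """Fallback path: True means the password has been bypassed."""
        if self.recovery_locked:
            return False
        guess_hash = _hash(answer_guess.strip().lower(), self.salt)
        if hmac.compare_digest(self.ans_hash, guess_hash):
            return True
        self.recovery_failures += 1
        if self.recovery_failures >= self.recovery_limit:
            self.recovery_locked = True
        return False

def guesses_to_bypass(account: Account, guesses: Iterable[str]) -> Optional[int]:
    """Fallback attempts needed to bypass the password with this guess list,
    or None if the list runs out or the fallback locks first."""
    for n, guess in enumerate(guesses, start=1):
        if account.recover(guess):
            return n
    return None
```

With an unbounded recovery limit the "favourite colour" answer falls on the third guess regardless of how strong the password is; with a cap of three, the same guess list locks the fallback and the attacker is left facing the password after all.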
Passwords have reached the end of their useful life. Today, they
only work for low-security applications. The secret question is
just one manifestation of that fact.
Bruce Schneier is chief security technology officer of BT
and will be speaking in the keynote programme at Infosecurity
Europe