Government Security
Network Security Resources


Security Questions Used To Reset Passwords


26 replies to this topic

#1 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,916 posts

Posted 27 May 2005 - 12:26 AM

I'm dealing with the issue right now and thought I'd get your input....here's some interesting points about using questions like WHAT IS YOUR FAV COLOR? to reset passwords.

The following is quoted from: hxxp://www.owasp.org/columns/mburnett/questions.html (emphasis is mine)

"Answering secret questions requires some knowledge of the user account, but secret questions break all the rules for strong passwords and have some significant weaknesses:

- An attacker can sometimes discover the information with little research;
- The answer to the question is usually a fact that will never change;
- Users reuse the same secret questions and answers across multiple Web sites;
- Someone close to the individual could know the answers to many of the questions;
- People rarely change their secret questions;
- The answers are often case-insensitive and usually contain a limited character set;
- Some questions have a limited number of answers; and
- With some questions, many people will have the same common answers." >END QUOTE

In other words, it is sometimes easier to reset a password than it is to crack it.

Just because banks, government, and multitudes of other Internet sites use simple questions and answers to manage password resets, that does not make it a good practice, just a standard one. (I hear this all the time from management: "everyone else is doing it." That's when I revert to my childhood and ask them the universal "mom" question: If everyone jumps off a cliff, would you too?)

I'm not sure what the solution is, other than software requiring users to change their question and answer just like their password. Perhaps it is using the "email reset" option that sites are using (like GSO). The problem with this solution is that many employees in some companies don't have email access.

Furthermore, should you allow folks to reset passwords over the Internet or from outside the company using a phone? This makes me queasy; it would depend on the software and the implementation.

User productivity and the cost of resetting passwords (estimated to be $10-30 per call) is what drives automated password resets.

Your comments?

What auto resets does your company use? Is it available from outside the company via Internet or phone?

Personally, I solve the Q&A problem by:

1) never answering a security question with a standard answer. Example:

Q What is your favorite color?
A Hiroshima, Japan <-- oops, now you know I'm Asian! ;)

Q What is your mother maiden name?
A pi=3.1469

[Why anyone would reveal their mother's maiden name or birthday or like data to anyone is beyond me. This question is just plain stupid. Besides, many moms never marry and change their name, so the maiden name is the surname.]

2) I also change the question/answer periodically (if allowed).

3) Notice also that I use at least 3 different characters in the answer (lowercase, uppercase, spec characters, numbers).

Of course, this means that you now have to write down your questions and answers so you can remember them, but that's the price of security, and besides, that's what a password safe is for.

(Of course, I also write all my password info in code, so if you were to find it, it would do you no good, but that's a different discussion).

BN EDIT: My apologies...I posted this originally in the archives where no one can post <_< Pls try again...I deleted my rant post that originally followed this one. What an egghead! :ph34r:

Kudos to as0l0 whose PM led me to this conclusion...
Don't post just a THANKS! Here's why...

Forum Rules you need to know...RuLeS

#2 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,916 posts

Posted 02 June 2005 - 12:04 AM

Here's as0l0's post via PM....

...the question / answer method is best when the answer is given and the person types the question...which makes it a passphrase rather than a password.

I think it's unreasonable to expect people to change these...there is a point that users just can't handle anymore and this would be beyond that point.

#3 Blake

Blake

    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 02 June 2005 - 01:46 AM

And BN, I am not sure that I would want too many of my users writing down the answers to all of these questions. By the way, what password safe do you use?

#4 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,916 posts

Posted 02 June 2005 - 03:05 AM

I like Schneier's at hxxp://passwordsafe.sourceforge.net/

If you don't write pwds down, you forget them. I don't enable the sec questions when I have the choice. If you make the Q&A hard to guess as suggested above, you have to write those down. But if you write them in code, you'll be okay.

But you can't trust users to do anything right, so there's no real answer, except to require second factor authentication, and even less folks want that.

#5 Sano

Sano

    Specialist

  • Members
  • 141 posts

Posted 02 June 2005 - 07:35 AM

[quote]Q What is your favorite color?
A Hiroshima, Japan <-- oops, now you know I'm Asian!

Q What is your mother maiden name?
A pi=3.1469[/quote]

Wow, this is pretty interesting. I do exactly the same thing.

I'm not Japanese, but I do use Japanese words for these answers sometimes.

i.e. Irimi Nage

[quote]-Someone close to the individual could know the answers to many of the questions;[/quote]

Ha Ha, I've done this to my brother and ex-wife. :ph34r:

[quote]What auto resets does your company use? Is it available from outside the company via Internet or phone?[/quote]

We have a password manager for internal use to reset passwords.

We use the same Q&A. i.e. mother maiden name, pets, high school.

Externally, we have to call in to the helpdesk and provide personal information to get the password reset.

#6 as0l0

as0l0

    Sergeant

  • Members
  • 248 posts

Posted 02 June 2005 - 11:54 AM

[quote]so there's no real answer, except to require second factor authentication, and even less folks want that.[/quote]

I have seen some instances where an SMS text message is used. You log on to, say, your internet banking, then a text with a 4 digit pin is sent to your phone; you type in the pin and then you have access.

This sort of thing can be used depending on the level of access required. For example, to log on to internet banking, user/pass is fine. To pay a bill or transfer money higher than 200 dollars, the text is required.

You could use the same thinking inside of companies, depending on the data/system being accessed. General use = user/pass, privileged use = user/pass/something extra.
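The tiered scheme as0l0 describes (user/pass for general use, an out-of-band code before money moves above a threshold), written out as an added Python example that is not part of any post in this thread. The action names, the 200-dollar threshold, the six-digit code, the five-minute expiry and the three-guess limit are all constructed for the example; delivering the code by SMS is outside the snippet, which only covers the server-side decision and verification.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed policy for the example: not any bank's real thresholds.
STEP_UP_ACTIONS = {"pay_bill", "transfer"}   # actions that move money
STEP_UP_THRESHOLD = 200.00                    # above this amount, demand a code
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 3


def requires_second_factor(action: str, amount: float = 0.0) -> bool:
    """General use is user/pass only; privileged use (moving money above the
    threshold) is user/pass plus something extra."""
    return action in STEP_UP_ACTIONS and amount > STEP_UP_THRESHOLD


class OtpChallenge:
    """Server-side record of a short-lived numeric code delivered out of band
    (the SMS step itself is outside this example)."""

    def __init__(self, now: Optional[float] = None) -> None:
        issued = time.time() if now is None else now
        self.code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.expires_at = issued + OTP_TTL_SECONDS
        self.attempts = 0
        self.used = False

    def verify(self, candidate: str, now: Optional[float] = None) -> bool:
        """Single use, time-limited, and capped at OTP_MAX_ATTEMPTS guesses so a
        six-digit code cannot simply be enumerated."""
        now = time.time() if now is None else now
        if self.used or now > self.expires_at or self.attempts >= OTP_MAX_ATTEMPTS:
            return False
        self.attempts += 1
        # constant-time compare: timing must not reveal how many digits matched
        if hmac.compare_digest(self.code.encode(), candidate.encode()):
            self.used = True
            return True
        return False


def authorize(action: str, amount: float = 0.0,
              challenge: Optional[OtpChallenge] = None,
              candidate: Optional[str] = None) -> str:
    """Decision for an already password-authenticated session:
    'allowed', 'needs_otp' (issue a challenge and ask again) or 'denied'."""
    if not requires_second_factor(action, amount):
        return "allowed"
    if challenge is None or candidate is None:
        return "needs_otp"
    return "allowed" if challenge.verify(candidate) else "denied"


if __name__ == "__main__":
    # Constructed walk-through: a $500 transfer is challenged, a $50 bill is not.
    print(authorize("pay_bill", 50.0))                # allowed
    print(authorize("transfer", 500.0))               # needs_otp
    ch = OtpChallenge()                               # code would be sent by SMS here
    print(authorize("transfer", 500.0, ch, ch.code))  # allowed
```

The three guards in `verify` (expiry, single use, attempt cap) are what make a four or six digit code acceptable as a second factor: without the cap, a code that short is a small enough space to walk through, which is the same objection the thread raises against secret questions.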

#7 aelphaeis_mangarae

aelphaeis_mangarae

    Members

  • Sergeant Major
  • 973 posts

Posted 02 June 2005 - 06:38 PM

I never before thought of this aspect of security, good job beardednose.
I mean, I realised with Hotmail most of the secret questions are hardly secret.
I mean, with most secret questions they are probably limited to like a hundred possible answers, e.g. What is your favourite colour; if the software you were trying to break into didn't have anti-brute-force functions, then you could just try every possible answer to the secret question.

Maybe you should write a white paper on this bearded nose?
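The brute-force exposure aelphaeis_mangarae raises here, and the case-insensitive, limited-answer-space weaknesses in the OWASP list BN quoted in the first post, as an added Python example that is not from any post in this thread: it stores a security answer the way a password should be stored (normalized, salted, slow-hashed), locks the reset flow after a fixed number of wrong answers, and puts a number on how little a generic question contributes. The user name, question, answer, iteration count and attempt limit are constructed assumptions.

```python
import hashlib
import math
import secrets
import unicodedata
from typing import Dict

# Constructed parameters for the example, not values from any real system.
PBKDF2_ITERATIONS = 100_000   # slow hash: treat the answer like a password
MAX_RESET_ATTEMPTS = 5        # wrong answers allowed before the reset flow locks


def normalize_answer(answer: str) -> str:
    """Sites compare answers case-insensitively and users retype them with stray
    spaces, so normalize before hashing. This is what shrinks the answer space,
    which is why the lockout below matters."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class ResetStore:
    """Per-user security question record plus a failure counter for the reset flow."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def enroll(self, user: str, question: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[user] = {
            "question": question,
            "salt": salt,
            "hash": hash_answer(answer, salt),
            "failures": 0,
        }

    def attempt_reset(self, user: str, answer: str) -> str:
        """Returns 'reset_allowed', 'denied' or 'locked'. Unknown users get the
        same 'denied' as a wrong answer, after the same amount of hashing work,
        so the flow does not enumerate accounts by response or by timing."""
        rec = self._records.get(user)
        if rec is None:
            hash_answer(answer, b"\x00" * 16)   # dummy work: no timing tell
            return "denied"
        if rec["failures"] >= MAX_RESET_ATTEMPTS:
            return "locked"
        if secrets.compare_digest(hash_answer(answer, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "reset_allowed"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= MAX_RESET_ATTEMPTS else "denied"


def answer_space_bits(distinct_answers: int) -> float:
    """Entropy of a question whose answers are spread over this many common
    values; a 'favorite color' pool of about 20 colors is about 4.3 bits."""
    return math.log2(distinct_answers)


def lockouts_to_exhaust(distinct_answers: int) -> int:
    """How many lockouts one account would go through before every common answer
    had been tried, at MAX_RESET_ATTEMPTS per lockout. Useful for sizing the
    lockout duration and the alert threshold on a reset endpoint."""
    return math.ceil(distinct_answers / MAX_RESET_ATTEMPTS)
```

With a 20-answer pool and five tries per lockout, `lockouts_to_exhaust(20)` is 4: a lockout measured in minutes plus an alert on repeated lockouts for one account turns that into a visible event, whereas an unthrottled reset form lets the whole pool be tried in seconds.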

#8 FiNaLBeTa

FiNaLBeTa

    Staff Sergeant

  • Sergeant Major
  • 461 posts

Posted 02 June 2005 - 09:28 PM

To make multiple points of failure (using same pass everywhere) into a single point of failure I too use a password manager.

I'd rather not tell which one. (Always stay paranoid ;) )
But it makes it possible for me to use completely random passwords on every site. And since I try so hard not to use the same password twice ever… it would be moronic for me to even fill in the secret question, or if I have to, it will look something like this: yU#GvHB9#uRT0bLg_@ZjK3Ha3hAL@d

But indeed sometimes you are forced to use a weak question. Mostly these sites have no need for high security, and even when compromised, little damage can be done when using a good password policy yourself.

#9 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,916 posts

Posted 03 June 2005 - 12:09 AM

Glad to see some input on this topic. Let me respond to a few things.

[quote]I'm not Japanese, but I do use Japanese words for these answers sometimes.[/quote]

[quote]I too use a password manager.

I'd rather not tell which one. (Always stay paranoid ;) )[/quote]

Don't assume I'm Japanese just because I said I'm Asian! Don't assume I'm Asian just because I said so. I've also said I'm female (hence, aka Lisa Geez).

Also, don't assume I use Schneier's safe. I said I liked it, not that I used it.

Paranoia is good, especially when linked with disinformation and assumptions... :)

[quote]I never before thought of this aspect of security, good job beardednose.[/quote]

Super! Then I'm doing my job. The other reason I'm here is to learn from you folks, also, and I do!

[quote]Maybe you should write a white paper on this bearded nose?[/quote]

I think the article I quoted did a pretty good job. Like Solomon said, "there ain't much new under the sun." But I am working on other articles, but they won't be released under BN.

#10 ShadowRun

ShadowRun

    Corporal

  • Sergeant Major
  • 170 posts

Posted 03 June 2005 - 12:22 AM

BN said:

[quote]Just because banks, government, and multitudes of other Internet sites use simple questions and answers to manage password resets, that does not make it a good practice, just a standard one[/quote]

Not in those banks I worked with and those I used :P
A phone call is always required to do so, you must always identify yourself with your ID data (birthday, address, ID number etc.), and your conversation is recorded :ph34r:

The only place I've seen and used it was a free email box, but that is not that important to secure in another way ;)

That's my experience :D

#11 Sano

Sano

    Specialist

  • Members
  • 141 posts

Posted 03 June 2005 - 01:24 AM

[quote]Don't assume I'm Japanese just because I said I'm Asian! Don't assume I'm Asian just because I said so. I've also said I'm female (hence, aka Lisa Geez).[/quote]
Noted. ;)

[quote]I think the article I quoted did a pretty good job. Like Solomon said, "there ain't much new under the sun." But I am working on other articles, but they won't be released under BN.[/quote]

Will they be released for us to read?

#12 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,916 posts

Posted 02 July 2005 - 04:54 AM

[quote]Will they be released for us to read?[/quote]

I will release them, but under a diff name and elsewhere. I can't afford to have my 'public' name connected with my "nose" name.

Not that I've done anything of ill repute; it's just for safety reasons. Many higher ups get nervous when you connect yourself with even security sites like this, mainly due to what some of the lamers post.

Here's a tip... when you see good article written with humor, you can just assume it's me ;)

(head explodes and BN falls over dead. GSO ends up with millions $ :lol: )

#13 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,916 posts

Posted 02 July 2005 - 04:56 AM

[quote]And BN I am not sure that I would want to many of my users writing down the answers to all of these question.[/quote]

GSecur, ALL USERS write down passwords, and the smart ones write down the answers to the questions...or they forget them, can't change their password, so they open another account.

#14 myth

myth

    Staff Sergeant

  • Members
  • 408 posts

Posted 02 July 2005 - 11:43 AM

Secret questions are BS. This is in regards to two Australian banks not letting me choose my questions and/or whether I even want password recovery as an option. If I forgot my netbank password, I expect to have to give them 100 Points of ID to regain access, just as I needed to initially give myself access to the netbank...

There were three questions to choose from:

Mothers Maiden Name:
First School:
Dogs Name:
(well, pretty much that's what they were, but both banks were pretty much the same)

Not only did they give me the most generic questions possible, but they also said I can't use special characters, or anything longer than 6 characters. Normally I would put in gibberish so that option can't be used. Both banks seem to have got their security advice from the same pizza box...

I emailed the company after I took their survey and told them about my concerns. No reply, nothing.

They don't care; if they did, I'm sure they would've allowed me to put in special characters for my pwd... I know exactly what this thread is about, and agree 100% that those 'Security Questions' are BS.

#15 beardednose

beardednose

    Retired GSO First Lieutenant

  • Sergeant Major
  • 1,916 posts

Posted 04 July 2005 - 04:39 AM

Why is it that the places needing the most security have the least?

Because the consumers don't care...at least not enough have spoken up to make them spend the money to change it. Once they get hit, they'll change.

So many times at work I am tempted to shut down or crash systems so that mgmt gets a clue. One time I went to the CIO and asked for permission to shut down a test system that I EASILY got into (the method didn't even rate anywhere close to a crack) during the team's demo to senior management. She said no. Bummer. Good ol politics saved the day (or lost it, depending on your point of view).

No, I haven't given into temptation and don't expect to. Being a CISSP, ya gotta play by the rules (ya don't HAVE TO, sure, but I do..reminds me of the song...good girls don't, but I do..........I'm the good girl, of course. <_< )

