"Security Question"

by Jon Shea

13 January 2006

Ever notice how some web sites, often banks or credit cards, have crazy strict rules for their passwords, like 2 numbers and 3 capitals, but no punctuation except, again, underscores?

That drives me nuts, because my good passwords always have punctuation. Also, if you allow punctuation, then mandating 2 numbers actually makes the passwords worse rather than better.
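To put numbers on the claim that a mandated "2 numbers" rule shrinks the space rather than enlarging it, here is an added example (not from the original post) that counts how many passwords of a given length satisfy a composition rule, and compares the keyspace of a few constructed policies in bits. The character-class sizes (10 digits, 26 capitals, 26 lower-case, 33 printable punctuation characters or just an underscore) and the policy names are assumptions made for the illustration.

```python
import math


def count_passwords(length, digits=10, uppers=26, others=26,
                    min_digits=0, min_uppers=0):
    """Count strings of `length` characters drawn from three disjoint
    character classes (digits, upper-case letters, everything else) that
    contain at least `min_digits` digits and at least `min_uppers`
    upper-case letters.

    With no minimums this is simply (digits + uppers + others) ** length,
    i.e. the full keyspace an exhaustive search has to cover.
    """
    total = 0
    for d in range(min_digits, length + 1):
        for u in range(min_uppers, length - d + 1):
            r = length - d - u
            # Choose which positions hold digits, then which hold capitals;
            # the remaining positions hold "other" characters.
            positions = math.comb(length, d) * math.comb(length - d, u)
            total += positions * digits ** d * uppers ** u * others ** r
    return total


def keyspace_bits(**kwargs):
    """log2 of the keyspace: the strength of a uniformly random password
    generated under the given rules."""
    return math.log2(count_passwords(**kwargs))


def compare_policies(length=8):
    """Keyspace in bits for a few constructed policies on the post's theme.
    Assumed classes: 10 digits, 26 capitals, 26 lower-case letters, plus
    either 33 printable-ASCII punctuation characters or a lone underscore.
    """
    policies = {
        # anything printable, no composition rule at all
        "all printable, no rules": dict(others=26 + 33),
        # same alphabet, but "at least 2 numbers" is mandated
        "all printable, >=2 digits": dict(others=26 + 33, min_digits=2),
        # the bank-style rule: letters, digits and underscore only,
        # at least 2 digits and at least 3 capitals
        "letters+digits+_, >=2 digits, >=3 capitals":
            dict(others=26 + 1, min_digits=2, min_uppers=3),
    }
    return {name: round(keyspace_bits(length=length, **rules), 1)
            for name, rules in policies.items()}


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:45s} {bits:5.1f} bits")
```

Mandating two digits over the full printable alphabet throws away roughly four fifths of the 8-character keyspace (about 2.3 bits), and the bank-style rule on a 63-character alphabet loses several more. The count only describes passwords chosen uniformly at random, which is the case the post recommends; for human-chosen passwords the rule mainly serves to push people off plain dictionary words, and the right fix for that is a minimum length and a check against known-breached passwords, not a punctuation ban.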

But what really drives me nuts is when my awesome password is followed by a “Security Question”, which has all of the power of the original password, except that it is extra guess-able / hackable. Who designs these security systems? What’s the point of making everyone come up with a new “secure” password, if you’re going to ask for a shitty password too (in case they forget)? Might as well just use the shitty password.

When confronted with the “security question”, I suggest you type in a long string of random letters and numbers, and then forget that it even exists.

Comments:

  • Michael
    Jan 14, 01:04 PM

    Most of the web sites I have seen with security questions do not make them password equivalent. The usual idea is that you give them an e-mail address when you register, and choose a password. Often, they send you a confirmation code to the e-mail address, to make sure the person at the web site actually has access to the e-mail account.

    If you lose your password, and you answer the security question correctly, they reset your password and send the new one to the original e-mail address. So, even if somebody guesses your security question and its answer correctly, the most they can do is cause you to get sent a new password, and then you know something’s fishy. Unless they also hack your e-mail (which is possible, but implies a much more sophisticated attacker), this isn’t really an exposure.

    Security questions are analogous to the PIN for an ATM card. It isn’t a high-security measure, it just raises the bar on a few of the more trivial ways to hack the system.

    When I bother answering security questions at all, I usually invent an answer at random, and record it along with the password in my encrypted password archive. I figure it can’t hurt to have a backup, and anybody who can guess that I was born in “b7qm,x(-:01, kY” deserves to win.

  • Tom
    Jan 15, 10:56 PM

    I had to fill in a few forms for my security clearance. At the beginning you need to set three security questions. The sticky bit is that I am not going to touch this data again perhaps for years, but when I do, I need to still know the answers to all three. I had trouble deciding whether to use truly random passphrases and record them on something that I might lose or that terrorists might easily find by ransacking my house. But if I didn’t do that, then what to do instead?

    To be honest, random was out of the question unless I reused old passwords, since I was sitting at the security guy’s computer. I am posed with the problem of what could I ask that future Tom could answer but the terrorists couldn’t… even if they had the fastest bestest passphrase guesser imaginable, even if the terrorists had any record ever available, and surveilled me for years and rounded up all my friends, relatives, teachers and co-workers for my whole life and tortured them.

    Too bad I can’t tell you about the brilliant solution I came up with.

    Before you worry too hard, cracking this would give the terrorists no more than access to my personal information, all of which they would necessarily need to possibly crack the code. So there you go.
