Why I hate 'security questions'

November 22, 2008

You know 'security questions'; they are the extra questions that websites (and other services) attach to your account that will theoretically let you regain access to the account if you forget your password. I really don't like them, and it's not because they are a terrible security idea. Well, not directly.

Hopefully everyone already knows the primary problem with security questions: if you pick questions and answers that you can remember, it's quite likely that an attacker can work out the answers themselves from public or semi-public information (especially if you are paranoid enough to be concerned about people that know you to at least some extent, not just random strangers). Even without that, it may be easier to guess answers to the security questions than to guess your password.

What this means is that security questions are effectively additional passwords to your account, and your answers need to follow all of the rules for passwords. So security questions are really hard-to-remember, rarely used passwords that I have to write down, keep track of securely, and worry about.

Gee, thanks.

But that's just the obvious reason to hate security questions. The more subtle reason is the underlying reason why they exist in the first place. We can see this real reason by asking the question of what would happen if they didn't exist and you forgot your password: you'd go talk to customer service to sort out the situation. So security questions really exist so that companies don't have to have customer service people; in other words, they're making my life more painful (and reducing my security) in order to save themselves some money.

(The case of free services is one of those hard ones, since it might not be possible to provide the free services at all if you had to provide full customer support too. In some cases, such as free webmail providers, I would consider this a benefit.)

Comments on this page:

From at 2008-11-23 04:51:47:

We use security questions: if you can guess the right answer to the security question, a new password is generated, and it is emailed to you. Thus you need something you know, and something else you have access to. The reason for the security question is that it's really really really frustrating to have someone force-change your password for you when you didn't want them to, not to protect the account. The email address you registered with us is the primary system to protect the account.

Another good idea that we've not implemented yet, is to disable the "forgotten password" if the user has logged in within the last n days (since, obviously, they haven't forgotten their password!)

-- PerryLorier

From at 2008-11-23 09:10:51:

That's why I always lie. I just have a consistent set of false answers.

I suppose it wouldn't be too difficult to work out a pretty simple hash-type solution where your answers were based on the information of the querying party...

By cks at 2008-11-23 13:15:20:

My problem with having a consistent set of false answers is that the questions aren't consistent, and sometimes you have to pick which questions you'll give answers to. I suppose the solution there is just to use answers in order and always pick the first N questions to answer (and then hope that they ask you the questions in order, and never change the order).

From at 2008-11-25 09:49:20:

I've heard it's because the websites in question would like to have two-factor authentication but can't really figure out how to do it properly in a cost-effective manner. Thus they settle for the cheap, easy, "answer this security question" style of two-factor authentication. Which, as anyone here knows, isn't really secure.

I like the idea of taking the md5sum of the question and encrypting it with a hash and then using that as your answer. That way, you only have to remember one answer, and from that one answer you can define the correct answer to any question. 42.
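The scheme proposed in the comment above, and the ordering problem cks raised earlier, worked through as an added example that is not from the original post or its commenters: one master secret, and each answer derived from the site and the question text itself (so the order the questions are asked in no longer matters). HMAC-SHA256 is used in place of the md5sum the comment mentions; the site name, master secret and questions below are constructed for the demo.

```python
import hmac
import hashlib
import re

# Output alphabet: lowercase letters and digits, which most security-question
# forms accept without complaint. 36 symbols, ~5.17 bits each.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def normalize_question(question: str) -> str:
    """Canonicalize the question so that case, spacing and punctuation
    ("mother's" vs "mothers", a trailing "?") do not change the answer."""
    return re.sub(r"[^a-z0-9]+", "", question.lower())


def derive_answer(master_secret: bytes, site: str, question: str,
                  length: int = 16) -> str:
    """Derive a per-site, per-question answer from a single master secret.

    The answer is HMAC-SHA256(master_secret, site || question), encoded in
    base 36. Including the site means the same question on two sites gets
    two unrelated answers; keying the MAC means knowing the question and
    the scheme does not let anyone compute the answer without the secret.
    """
    if not 1 <= length <= 40:          # 256 bits gives ~49 base-36 digits
        raise ValueError("length must be between 1 and 40")
    msg = site.strip().lower().encode() + b"\n" + normalize_question(question).encode()
    digest = hmac.new(master_secret, msg, hashlib.sha256).digest()
    # Base-36 conversion of the whole digest; no modulo bias per character.
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo secret; a real one is random and lives in a password manager.
    master = b"constructed-demo-master-secret-do-not-use"
    for q in ["What is your mother's maiden name?",
              "what is your mothers maiden name",
              "Name of your first pet?"]:
        print(f"{q!r:40} -> {derive_answer(master, 'example.com', q)}")
```

The answers are only as strong as the master secret, so the secret must be generated randomly and stored like any other password; a lost secret loses every derived answer at once.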

By cks at 2008-11-25 17:25:11:

The security questions I've seen have been used as a password recovery mechanism, not (effectively) as an additional password. I think I would have a violent reaction to a rotating secondary password (which is the only real way of making it even vaguely effective against phishers and the like).


Last modified: Sat Nov 22 23:41:20 2008