[ISN] The curse of the secret question

InfoSec News isn at c4i.org
Thu Feb 10 05:23:41 EST 2005


Opinion by Bruce Schneier
Counterpane Internet Security Inc.
FEBRUARY 09, 2005 

It's happened to all of us: We sign up for some online account, choose
a difficult-to-remember and hard-to-guess password, and are then
presented with a "secret question" to answer. Twenty years ago, there
was just one secret question: "What's your mother's maiden name?"  
Today, there are more: "What street did you grow up on?" "What's the
name of your first pet?" "What's your favorite color?" And so on.

The point of all these questions is the same: a backup password. If
you forget your password, the secret question can verify your identity
so you can choose another password or have the site e-mail your
current password to you (which also means the site keeps your password
in a form it can read back, rather than as a one-way hash). It's a
great idea from a customer service perspective -- a user is less likely
to forget his first pet's name than some random password -- but
terrible for security. The answer to the secret question is much easier
to guess than a good password, and the information is much more public.
(I'll bet the name of my family's first pet is in some database
somewhere.) And even worse, everybody seems to use the same series of
secret questions, so an attacker can prepare one short list of likely
answers and try it against every site.

The result is that the normal security protocol (passwords) falls back
to a much less secure protocol (secret questions). An attacker takes
whichever path is cheaper, so the account is only as strong as the
weaker of the two checks, and the security of the entire system
suffers.
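The following is an added example, not part of the column, that makes the "weakest link" argument concrete. It models an online attacker who cannot guess strong passwords but is allowed a handful of account-recovery attempts and guesses the secret-question answer from a short list of common answers. The accounts, answers, guess lists and attempt budget are all constructed for the illustration; the comparison rules (case-folding, whitespace stripping) are assumed to mirror what a typical recovery form does.

```python
"""Added example: a secret-question fallback sets the security of the whole
account to the weaker of the two checks. Not code from the original column."""

import math
import secrets

# Constructed sample accounts. Passwords are strong and, in this model, never
# guessed; the secret answers are the sort of thing people actually type.
# "erin" has done what the column suggests and used a random answer.
ACCOUNTS = {
    "alice": {"question": "favorite color", "answer": "blue"},
    "bob":   {"question": "first pet",      "answer": "Max"},
    "carol": {"question": "favorite color", "answer": "purple"},
    "dave":  {"question": "first pet",      "answer": "Rover"},
    "erin":  {"question": "favorite color", "answer": "xq7!zr Tqwe"},
}

# Constructed attacker guess lists, one per shared question, most common first.
COMMON_ANSWERS = {
    "favorite color": ["blue", "green", "red", "black", "purple", "pink"],
    "first pet":      ["max", "buddy", "bella", "charlie", "lucy", "daisy"],
}


def normalize(answer):
    """Assumed site behaviour: answers compared case-insensitively with
    whitespace ignored. Friendlier for users, but it shrinks the answer space."""
    return "".join(answer.lower().split())


def guesses_needed(answer, candidates):
    """Online guesses until `answer` is hit from the ordered list, or None."""
    target = normalize(answer)
    for i, c in enumerate(candidates, start=1):
        if normalize(c) == target:
            return i
    return None


def bits_for_uniform_choice(n):
    """Entropy of a secret chosen uniformly from n possibilities."""
    return math.log2(n)


def effective_bits(password_bits, answer_bits):
    """The attacker picks the cheaper path: the login check or the recovery
    check. The account is only as strong as the weaker one."""
    return min(password_bits, answer_bits)


def simulate_recovery_attack(accounts, guess_lists, budget):
    """Give the attacker `budget` recovery attempts per account (a lockout
    threshold) and report which accounts fall to the secret-question path."""
    result = {}
    for user, rec in accounts.items():
        n = guesses_needed(rec["answer"], guess_lists.get(rec["question"], []))
        result[user] = n is not None and n <= budget
    return result


def random_answer(nbytes=16):
    """A recovery answer with real entropy, to be kept in a password manager.
    It is not meant to be remembered, which is the point."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # A 12-character random password from a 64-symbol alphabet versus a
    # "favorite color" drawn from, say, a dozen plausible colours.
    pw_bits = 12 * bits_for_uniform_choice(64)
    ans_bits = bits_for_uniform_choice(12)
    print(f"password ~{pw_bits:.0f} bits, answer ~{ans_bits:.1f} bits, "
          f"effective ~{effective_bits(pw_bits, ans_bits):.1f} bits")
    for user, taken in simulate_recovery_attack(ACCOUNTS, COMMON_ANSWERS, 5).items():
        print(f"{user}: {'compromised via recovery' if taken else 'safe'}")
    print("random answer to store, not remember:", random_answer())
```

With a five-attempt budget the attacker never touches a password yet takes three of the five constructed accounts; the two that survive either have an answer outside the list or a random one. Raising the lockout threshold or accepting fuzzy matches only moves more accounts into the first group.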

What can one do? My usual technique is to type a completely random
answer -- I madly slap at my keyboard for a few seconds -- and then
forget about it. This ensures that some attacker can't bypass my
password and try to guess the answer to my secret question, but is
pretty unpleasant if I forget my password. The one time this happened
to me, I had to call the company to get my password and question
reset. (Honestly, I don't remember how I authenticated myself to the
customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to
think that if I forget my password, it should be really hard to gain
access to my account. I want it to be so hard that an attacker can't
possibly do it. I know this is a customer service issue, but it's a
security issue too. And if the password is controlling access to
something important -- like my bank account -- then the bypass
mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only
work for low-security applications. The secret question is just one
manifestation of that fact.


Bruce Schneier is a security expert and chief technology officer at
Counterpane Internet Security Inc. in Mountain View, Calif. His latest
book is Beyond Fear: Thinking Sensibly About Security in an Uncertain
World. He also publishes the monthly "Crypto-Gram" newsletter. He can
be reached at his Web site, www.schneier.com/.
