Don’t Put Real Answers Into Your Password Reset Questions
This recent article on how a hacker used genealogy websites to help better guess victims' password reset answers made it a great time to share a suggestion:
Don’t answer password reset questions with real answers!
It’s not Jeopardy! You don’t have to answer the questions correctly. In fact, you’re putting yourself at increased risk if you do. Instead, give a false answer to any required password reset question. Unfortunately, that means you’ll need to write down both the question and the answer, hopefully in a secure password manager.
Background
Over a decade ago, password reset questions like “What’s your mother’s maiden name?” or “What’s your favorite car?” or “Who was your favorite third grade teacher?” were very common prompts if you forgot or needed to reset your password.
They were always a bad idea. The search abilities of the internet made outright biographic questions, like “What was your high school mascot?”, insanely easy to research. Most of the questions could be found by either doing basic research or by phishing the potential victim with a fake survey to get them.
There have always been hackers…although I almost hesitate to call them that…who specialized in resetting victims’ passwords and taking over their accounts. The most famous account takeover was probably the one involving vice-presidential candidate Sarah Palin during her and John McCain’s failed U.S. presidential run in 2008.
The “hacker” was able to find and type in the correct responses to three of her Yahoo! email password reset questions. One had to do with what sport she loved. Palin had been on her high school’s state championship girls’ basketball team, so he successfully guessed ‘basketball’ as her favorite sport. Another question dealt with her husband and where Palin had met him. The answer was high school, and that was on the web. The third question asked for her home zip code. Palin grew up and lived in Wasilla, AK, and it only has two zip codes…so not hard to guess.
The result was that the hacker was able to take over Sarah Palin’s email account and see what emails she had in her inbox and had sent. Unfortunately for him, he quickly bragged about this, including screenshots, on a popular online forum (4chan), and it didn’t take too long until he was identified, arrested and sent to jail…as he should have been. I just resent them calling him a hacker, because basically the “hacker” skills he used were what everyone uses on Google or Bing every day.
Password reset questions (also known as “security questions” and officially as “personal knowledge questions”) have always been bad choices for securing anything, much less online accounts. I may not be able to guess your password with ten thousand guesses, but I can guess your favorite car or your favorite veterinarian in less than two dozen guesses. And that’s only if I have to guess and your answer isn’t online.
I’ve always laughed at the ‘favorite car’ question. There are only something like 100 car models in the entire world. They don’t change that much over time. They do change, just not that much. And your favorite car is likely to be something cool, exotic, or sexy. People are far more likely to say their favorite car is a Lamborghini, Corvette, Mustang, or Lexus than Ford Escort or AMC Pacer. I can probably guess most people’s favorite cars within a dozen guesses.
And I absolutely have to laugh at the ‘favorite vet’ question. Basically, all I have to do is look up your current mailing address (very easy to find on the internet), and then research all the vets within 10 miles of your house. You’re not likely taking your pet to a vet more than 10 miles away from your house, and I’ll probably start with the vets closest to your house first.
Many of the questions can be researched, figured out, or stolen by social engineering.
In fact, a 2015 Google whitepaper entitled “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” revealed that some password reset questions were exceedingly easy to figure out or guess. Some of the stats Google included were:
● Some recovery questions can be guessed on the first try 20% of the time
● 40% of people were unable to successfully recall their own recovery answers
● 16% of answers could be found in people’s social media profiles
This study led to Google “outlawing” personal knowledge questions for any Google website or service. Microsoft and others soon followed suit. Sadly today, I still run across all kinds of sites and services that rely on personal knowledge questions for authentication or authentication resets. It shocks me every time I’m required to put one in and/or required to provide an answer.
Whatever type of authentication I’m using, backing it up with personal knowledge questions is a bad, bad risk choice. It takes whatever "awesome" authentication you are using (e.g., strong password, multifactor authentication, etc.) and essentially reduces it to a question many people can guess. The legitimate user is potentially using strong authentication, but the hacker can use one of the weakest forms of authentication available. It's insane!
So, when required to answer personal knowledge questions by a site or service, don’t give the real answers.
Here's an example of how I answer personal knowledge questions:
What’s my mother’s maiden name? Answer: pizzapizza32
What’s my favorite car? Answer: JupiterisrisingMila
Unfortunately, giving wrong answers means you have to write down both the questions and the answers. I used to store them in a password-protected Microsoft Word document; now I put them in my secure password manager. You should do the same.
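As an added illustration (not code from the original article), the script below shows why a made-up answer beats a real one: it compares the guessing work for a "real" answer drawn from a small candidate list (the page's roughly 100 car models; the other list sizes are assumed) against a random answer from the OS random generator, builds the question-plus-answer record you would store in a password manager, and flags an answer that is still a plausible real value.

```python
import math
import secrets
import string

# Assumed candidate-list sizes for real answers. "100 car models" is the
# page's own estimate; the other two figures are constructed for illustration.
REAL_ANSWER_SPACE = {
    "What's your favorite car?": 100,
    "What was your high school mascot?": 1_000,
    "What's your mother's maiden name?": 50_000,
}

ALPHABET = string.ascii_letters + string.digits


def guess_bits(candidates: int) -> float:
    """Bits of work needed to exhaust a candidate list of the given size."""
    return math.log2(candidates)


def fake_answer_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of work to exhaust every random answer of this length/alphabet."""
    return length * math.log2(len(alphabet))


def generate_fake_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random answer from the CSPRNG; it has no relation to the question,
    so nothing about you can be researched or social-engineered to find it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_reset_record(site: str, questions) -> dict:
    """One password-manager style entry. Both the question text and the answer
    are kept, because a random answer cannot be re-derived from the question."""
    return {"site": site, "answers": {q: generate_fake_answer() for q in questions}}


def answer_is_weak(answer: str, real_candidates) -> bool:
    """True if the 'fake' answer is actually a plausible real value (e.g. a real
    car model from the candidate list) or too short to resist online guessing."""
    if len(answer) < 12:
        return True
    return answer.lower() in {c.lower() for c in real_candidates}


def compare_question(question: str, fake_length: int = 20) -> tuple:
    """(bits for a guesser facing the real answer, bits facing a random answer)."""
    return (guess_bits(REAL_ANSWER_SPACE[question]), fake_answer_bits(fake_length))
```

On the page's own numbers, a real "favorite car" answer is worth under 7 bits (a dozen guesses is plausible), while a 20-character random answer is worth about 119 bits.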
And if given a chance, complain to any vendor who requires them. They are silly, weak and actively demonstrate that the vendor involved isn’t serious about authentication security.
Author of Designing Secure Software: A guide for developers
3 weeks
Indeed, and finally NIST guidance says these are a bad idea (also, my take linked below). True story: for years I've been typing in gibberish for these and once had to call customer support to get into my account. They asked a question, I made up a plausible answer, and the person said, "Whoa, there must be a bug in the system, the answer got messed up in the system somehow." They let me in. https://designingsecuresoftware.com/writings/against_secret_questions/
VP, STRATEGIC DEVELOPMENT / ROADBLOCK BUSTER
1 month
Hi Roger, that is such great advice. I never use real data but didn't think to share that with my friends and loved ones. This is a great reminder!
Chief Technology Advisor | Founder
1 month
Yes, the only problem is, you would have to keep yet another list of codenames. Just go passkey and your problems are mostly over, for the time being. Personally, I use it whenever and wherever I can nowadays.