Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Apr 4, 2011

Why security questions are not

The other day, I received an "encrypted e-mail" through the Cisco Registered Envelope Service. Their "about" page states:
If the envelope is password-protected, it can only be opened by authorized recipients who authenticate themselves. If you are a first-time recipient receiving a password-protected secure envelope, you will be asked to register with the service to set the password which will be used to authenticate you.
I had never used the service, so I had to register before I could get access to the e-mail. To my surprise, I had to choose three security questions and provide an answer to them before the registration could be completed.

If you examine the list of questions, you'll find that most people have shared the answer on their Facebook profiles. How easy would it be for you to get access to that information? Just look at this experiment carried out by Sophos: Facebook: The privacy challenge, indicating that close to half the user population on Facebook would friend strangers and in turn divulge information that probably answers most of the "security" questions above. Personal questions about your family or stuff you would put on your CV are simply unsuitable for authentication (they function as a "something you know" factor, see my last blog post: Introduction to authentication).

As an interesting exercise you could have lunch with a colleague and try to get the answer to as many of these questions as possible. Picture yourself having lunch with the colleague, look at the list, and think about it. It wouldn't be too hard, right? How difficult would it be for a charming colleague to get these answers from you?

Another problem with these questions are that the correct answers never change. Combined with the fact that many websites use the same questions, you probably get the picture. The risk posed by these "security questions" should not be overlooked. Accounts do get compromised, a famous case was when Sarah Palin's e-mail account got "hacked."

So, what to do? One way to work around this would simply be to give the wrong answer. Now you're burdened with remembering a city you weren't born in, but hey, it beats an account compromise. You should also complain to the website, and suggest a password reset by e-mail or by SMS (if you're comfortable with giving them your number).

By now you might think that the Registered Envelope system is completely broken. I haven't covered the entire security design of the system in this post, so please note: The security of a Registered Envelope account does not solely rely on these security questions. To reset a user's password, you would also need access to her registered e-mail account, or be able to intercept her e-mail in transit. The security questions disregarded, they offer a password reset by e-mail.

That was my take on the so called security questions. Unfortunately the story does not quite end there, of course I had to test the password reset procedure.

Appendix: The Registered Envelope password reset
After clicking the "Forgotten password" link from the logon page I had to supply my e-mail address to reset my password. I promptly received an e-mail with a link to reset my password. And yes, I was asked the three "security questions".

For the record I haven't put the answers to these questions on my Facebook profile. After providing the correct answer to all three I got to set a — wait for it — six character password!

I entered a lowercase password containing one number. Cool.


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts