Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Apr 4, 2011

Why security questions are not

The other day, I received an "encrypted e-mail" through the Cisco Registered Envelope Service. Their "about" page states:
If the envelope is password-protected, it can only be opened by authorized recipients who authenticate themselves. If you are a first-time recipient receiving a password-protected secure envelope, you will be asked to register with the service to set the password which will be used to authenticate you.
I had never used the service, so I had to register before I could get access to the e-mail. To my surprise, I had to choose three security questions and provide an answer to them before the registration could be completed.

If you examine the list of questions, you'll find that most people have shared the answers to them on their Facebook profiles. How easy would it be for you to get access to that information? Just look at the experiment carried out by Sophos, Facebook: The privacy challenge, which indicates that close to half of the user population on Facebook would friend strangers and in turn divulge information that probably answers most of the "security" questions above. Personal questions about your family or the stuff you would put on your CV are simply unsuitable for authentication (they function as a "something you know" factor; see my last blog post: Introduction to authentication).

As an interesting exercise, you could have lunch with a colleague and try to get the answers to as many of these questions as possible. Picture yourself having lunch with the colleague, look at the list, and think about it. It wouldn't be too hard, right? How difficult would it be for a charming colleague to get these answers from you?

Another problem with these questions is that the correct answers never change. Combined with the fact that many websites use the same questions, you probably get the picture: an answer that leaks from one site unlocks every other site that asks the same question, and you cannot "rotate" your mother's maiden name. The risk posed by these "security questions" should not be overlooked. Accounts do get compromised; a famous case was when Sarah Palin's e-mail account got "hacked."

So, what to do? One way to work around this would simply be to give the wrong answer. Now you're burdened with remembering a city you weren't born in, but hey, it beats an account compromise. You should also complain to the website, and suggest a password reset by e-mail or by SMS (if you're comfortable with giving them your number).

By now you might think that the Registered Envelope system is completely broken. I haven't covered the entire security design of the system in this post, so please note: the security of a Registered Envelope account does not rely solely on these security questions. To reset a user's password, you would also need access to her registered e-mail account, or be able to intercept her e-mail in transit. Leaving the security questions aside, they do offer a password reset by e-mail.

That was my take on the so-called security questions. Unfortunately the story does not quite end there; of course I had to test the password reset procedure.

Appendix: The Registered Envelope password reset
After clicking the "Forgotten password" link from the logon page I had to supply my e-mail address to reset my password. I promptly received an e-mail with a link to reset my password. And yes, I was asked the three "security questions".

For the record, I haven't put the answers to these questions on my Facebook profile. After providing the correct answer to all three I got to set a — wait for it — six-character password!

I entered a lowercase password containing one number. Cool.
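As an added example (not from the post, and not code from Cisco's service), here is a small Python model of the reset path in the appendix and of the "give a wrong answer" workaround from earlier in the post: it counts the bits of guessing work for the three answers and for the six-character password, treating an answer that is already on a public profile as worth nothing. The figure of 1000 plausible values per truthful answer and the 16-character random answers are my assumptions.

```python
from __future__ import annotations

import math
import secrets
import string

# Alphabet for generated answers (assumption: letters and digits, 62 symbols).
ANSWER_ALPHABET = string.ascii_letters + string.digits


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def truthful_answer_bits(publicly_known: bool, plausible_values: int) -> float:
    """Strength of a truthful answer to a question such as "city of birth".
    An answer already visible on a public profile contributes nothing; otherwise
    it is at best one of `plausible_values` candidates (a constructed estimate)."""
    return 0.0 if publicly_known else math.log2(plausible_values)


def random_answer(length: int = 16) -> str:
    """The post's workaround taken further: a random "wrong" answer that reveals
    nothing about the user and is stored in a password manager like any secret."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def reset_questions_bits(answer_bits: list[float]) -> float:
    """Work to pass every question on the reset form; independent secrets add up.
    Access to the registered e-mail account is required too and is not modelled."""
    return sum(answer_bits)


def post_scenarios() -> dict[str, float]:
    """Bits for the situations in the post (the 1000-value estimate is constructed)."""
    random_bits = keyspace_bits(len(ANSWER_ALPHABET), 16)
    return {
        "three answers already on a public profile": reset_questions_bits([0.0] * 3),
        "three truthful answers, ~1000 plausible values each":
            reset_questions_bits([truthful_answer_bits(False, 1000)] * 3),
        "three random 16-character answers": reset_questions_bits([random_bits] * 3),
        "six-character lowercase+digit logon password": keyspace_bits(36, 6),
    }


if __name__ == "__main__":
    for label, bits in post_scenarios().items():
        print(f"{bits:7.1f} bits  {label}")
```

Under these assumptions three truthful but non-public answers come out roughly equal to the six-character logon password (about 30 bits each), while three random answers are far stronger than either.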


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
