Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Apr 4, 2011

Why security questions are not

The other day, I received an "encrypted e-mail" through the Cisco Registered Envelope Service. Their "about" page states:
If the envelope is password-protected, it can only be opened by authorized recipients who authenticate themselves. If you are a first-time recipient receiving a password-protected secure envelope, you will be asked to register with the service to set the password which will be used to authenticate you.
I had never used the service, so I had to register before I could get access to the e-mail. To my surprise, I had to choose three security questions and provide an answer to them before the registration could be completed.

If you examine the list of questions, you'll find that most people have shared the answer on their Facebook profiles. How easy would it be for you to get access to that information? Just look at this experiment carried out by Sophos: Facebook: The privacy challenge, indicating that close to half the user population on Facebook would friend strangers and in turn divulge information that probably answers most of the "security" questions above. Personal questions about your family or stuff you would put on your CV are simply unsuitable for authentication (they function as a "something you know" factor, see my last blog post: Introduction to authentication).

As an interesting exercise you could have lunch with a colleague and try to get the answer to as many of these questions as possible. Picture yourself having lunch with the colleague, look at the list, and think about it. It wouldn't be too hard, right? How difficult would it be for a charming colleague to get these answers from you?

Another problem with these questions is that the correct answers never change. Combined with the fact that many websites use the same questions, you probably get the picture. The risk posed by these "security questions" should not be overlooked. Accounts do get compromised; a famous case was when Sarah Palin's e-mail account got "hacked."

So, what to do? One way to work around this would simply be to give the wrong answer. Now you're burdened with remembering a city you weren't born in, but hey, it beats an account compromise. You should also complain to the website, and suggest a password reset by e-mail or by SMS (if you're comfortable with giving them your number).
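The "give the wrong answer" workaround described above, as an added example that is not part of the original post: generate a random answer per site and question with the OS CSPRNG (to be kept in a password manager, so there is no city to remember), and compare the search space of that answer with a guessable real answer and with the six-character lowercase-plus-digit password mentioned later in the post. The assumption that a public profile narrows a "real" answer to about ten candidates is illustrative, not a figure from the post.

```python
import math
import secrets


def random_answer(n_bytes: int = 12) -> str:
    """A fresh 'wrong answer' for a security question.

    12 bytes from the OS CSPRNG (never the `random` module), encoded as
    16 URL-safe characters: 96 bits that appear on no social profile.
    """
    return secrets.token_urlsafe(n_bytes)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a value drawn uniformly from alphabet_size^length options."""
    return length * math.log2(alphabet_size)


def compare_factors() -> dict:
    """Rough size of the search space an attacker faces for each 'something you know'."""
    return {
        # Assumption: a 'city of birth' narrowed to ~10 candidates via a public profile.
        "guessable_answer": keyspace_bits(10, 1),
        # The six-character lowercase + digit password policy (26 + 10 symbols).
        "six_char_password": keyspace_bits(36, 6),
        # A random answer from random_answer(): 12 uniformly random bytes.
        "random_answer": keyspace_bits(256, 12),
    }


def answers_for_site(site: str, questions: list) -> dict:
    """Per-site record for a password manager: answers are independent across sites,
    so a database leak at one site does not reveal the 'answer' reused elsewhere."""
    return {"site": site, "answers": {q: random_answer() for q in questions}}


if __name__ == "__main__":
    # Constructed sample questions, of the kind the post describes.
    record = answers_for_site("example.invalid", ["City of birth?", "Mother's maiden name?"])
    print(record)
    for factor, bits in compare_factors().items():
        print(f"{factor:>18}: {bits:5.1f} bits")
```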

By now you might think that the Registered Envelope system is completely broken. I haven't covered the entire security design of the system in this post, so please note: The security of a Registered Envelope account does not solely rely on these security questions. To reset a user's password, you would also need access to her registered e-mail account, or be able to intercept her e-mail in transit. Setting the security questions aside, they do offer a password reset by e-mail.

That was my take on the so-called security questions. Unfortunately the story does not quite end there: of course I had to test the password reset procedure.

Appendix: The Registered Envelope password reset
After clicking the "Forgotten password" link from the logon page I had to supply my e-mail address to reset my password. I promptly received an e-mail with a link to reset my password. And yes, I was asked the three "security questions".

For the record, I haven't put the answers to these questions on my Facebook profile. After providing the correct answer to all three I got to set a — wait for it — six-character password!

I entered a lowercase password containing one number. Cool.

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
