Your “Secret Question” May Not Be So Secret: Easy-to-Guess Password Retrieval Questions You Should Avoid and Why

Posted on August 20th, 2012 by

You’ve learned how to create a secure password and you’re feeling pretty pleased with your security savvy. But wait – what is the reset procedure for the site you just made that awesome password for? Can someone Google a couple facts about you to unlock your secret questions? Well, nuts. That’s all your hard work out the window.

We recently discussed the various types of authentication, including how Secret Questions are still one-factor authentication when used with a username and password. They all rely on using something you know in order to authenticate. To choose a good Secret Question, you will need to find a question that has these traits:

  • Applicable – It should pertain to your life events
  • Definitive – It should have only one correct answer that does not change
  • Memorable – It should be easy to remember
  • Secure – It should be difficult to guess or find through research, and it should be long enough to act as a pass-phrase

Many Secret Questions are less secure than the passwords they’re intended to act as a fail-safe for, because they don’t operate under the same restrictions that passwords do:

  • Can you use special characters?
  • Is it case-sensitive?
  • Is there a minimum of characters that must be used?
  • Can you use at least 16 characters?
  • Is there a limit on the number of unsuccessful attempts?

In many cases, the answer to these questions is “no.” The last one in particular makes Secret Questions incredibly easy to brute-force; if someone’s trying to reset your password, he or she oftentimes has an infinite number of attempts to answer your Secret Question before ultimately cracking it.
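The five questions above are really a checklist for whoever implements the reset flow. As an added illustration (not code from this post or from any service it mentions), here is a small Python sketch of a secret-answer store that answers every one of them the right way: answers are normalized and then hashed with a random salt (so any character is allowed and nothing is stored in clear), a minimum length is enforced, no maximum is imposed, the comparison is constant-time, and the question locks after a fixed number of unsuccessful attempts. The policy numbers (an eight-character minimum, five attempts, the PBKDF2 iteration count) are assumptions chosen for the example; the case-insensitive normalization is a deliberate design choice, noted in the comments, rather than an oversight.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

# Policy knobs: example values, not taken from any real service.
MIN_ANSWER_LENGTH = 8       # rejects one-word answers such as "blue"
MAX_ATTEMPTS = 5            # unsuccessful attempts before the question locks
PBKDF2_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Deliberate, documented normalization: Unicode NFKC, trim, collapse
    whitespace, casefold. Case-insensitivity makes the answer easier to
    reproduce years later at a small cost in guess space, which the length
    minimum compensates for. No characters are stripped, so punctuation and
    non-ASCII letters are all usable."""
    cleaned = unicodedata.normalize("NFKC", answer).strip()
    return " ".join(cleaned.casefold().split())


def answer_hash(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the normalized answer; the plain answer
    is never stored, so a database leak does not expose it directly."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


@dataclass
class SecretQuestion:
    question: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def enroll(question: str, answer: str) -> SecretQuestion:
    """Register a question/answer pair, enforcing the minimum length on the
    normalized form. There is intentionally no maximum length."""
    if len(normalize_answer(answer)) < MIN_ANSWER_LENGTH:
        raise ValueError(
            f"answer must be at least {MIN_ANSWER_LENGTH} characters after normalization"
        )
    salt = os.urandom(16)
    return SecretQuestion(question, salt, answer_hash(answer, salt))


def verify(sq: SecretQuestion, attempt: str) -> bool:
    """Check an answer attempt. Wrong answers are counted and the question
    locks after MAX_ATTEMPTS; a locked question rejects even the right answer
    until it is reset out of band. The digest comparison is constant-time."""
    if sq.locked:
        return False
    if hmac.compare_digest(sq.digest, answer_hash(attempt, sq.salt)):
        sq.failed_attempts = 0
        return True
    sq.failed_attempts += 1
    if sq.failed_attempts >= MAX_ATTEMPTS:
        sq.locked = True
    return False


if __name__ == "__main__":
    # Constructed sample: a first-date detail rather than a dictionary word.
    q = enroll("Where was your first date?", "Cafe Mozart, Rue Pigalle")
    print(verify(q, "cafe mozart,  rue pigalle"))   # True: normalization absorbs case and spacing
    for _ in range(MAX_ATTEMPTS):
        verify(q, "starbucks")
    print(q.locked, verify(q, "Cafe Mozart, Rue Pigalle"))  # True False: locked after 5 misses
```

A real deployment would tie the attempt counter to the account and a time window, and would unlock through a separate verified channel rather than a flag; the point of the sketch is that each weakness in the list above maps to one concrete control.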

Let’s look at Secret Questions for a few popular services and determine which might be good choices.

Right off the bat, let’s just say the last two questions about your parents’ birthplace (“What town was your father/mother born in?”) are a very bad idea. This information is easily searchable. The other questions about relatives (“What’s the name of your niece/nephew/etc?”) are not much better. Most people are not shy about publicly discussing their relatives. Nicknames of children may also be a very bad idea, as many of us use those nicknames in front of people outside the family, or the children themselves may freely dispense this information.

The spouse/honeymoon questions (“Where did you meet your spouse/spend your honeymoon?”) are potentially more useful, as you could come up with a less-known detail about how you met or spent your honeymoon. Was your first date at a particular coffee shop? Did you spend much of your honeymoon at a certain beach? If this isn’t the sort of detail you’ve shared widely, this is the right sort of answer, particularly if the answer includes words or names you would not find in a dictionary. But if that’s not the case, you’re better off creating your own question.

Wow, this one has a lot of options. For me, most of these questions still are no good because most of the “favorite” questions (favorite book, musician, movie character, etc) fail to be definitive. Your favorite book may have changed from the time you initially set the answer as your Secret Question, plus a lot of your “favorites” might be known to anyone who knows you fairly well or can sneak a peek at your list of interests on Facebook.

I don’t remember (or know) the answers to several of these historical questions (make of your first car, first pet’s name, etc). Several of them are not applicable to me and may not be for you either. Others are pieces of information I share freely. The name of the street you grew up on is a horrible idea, as old addresses are very easy to research. The only answer that doesn’t immediately make me cringe is the one about your main Frequent Flier Number. It’s vague enough that you could decide which of your Frequent Flier accounts you considered “main,” and the information is harder to guess or steal.

Oh boy, here’s the parents’ birthplace question again. Does anyone over the age of 15 remember the last name of their grade school teachers? If so, do they routinely show off this feat of memory? Besides, any old classmate with a yearbook could dredge up this information. Address questions are still risky. The questions about your grandparents’ occupations aren’t great, but they might at least take a little work to research, and people might be less apt to discuss them publicly.

Are you starting to see the patterns here? The first one (the name of your best friend from childhood) is either not definitive or fairly obvious. It would be moderately miraculous for me to remember the name of my teacher or manager from years and years ago. Phone numbers could potentially be looked up. The vehicle registration number can be known by anyone who has ever seen your car, so this is a monumentally bad question. Your library card number might be a decent choice if it’s applicable, as it’s unlikely most people would know this about you. If you combine it with your favorite branch name, that could improve the security a bit. Otherwise, I would choose to write my own question here.

If you do decide to choose your own question, here are a few tips that can guide your choice:

  • Your answer should be a piece of information that few (if any) people know. Do you have a secret desire to be an astronaut when you grow up? Is there something people frequently get wrong about you?
  • Your question should not have a very limited number of possible answers. Favorite colors are a bad choice, unless yours is puce or crawdad. Obscure dates are better, because there are at least 365 options.
  • Choose a question that can be answered with letters and numbers and/or in several words. Remember, no addresses or phone numbers and not birthdays, as those are matters of public record.
  • Choose different questions for different sites, as secret questions are sometimes exposed in security breaches. These are like another kind of password, and they should not be reused.
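The second and third tips are about the size of the space an attacker has to search, which is something you can actually estimate. As an added example (mine, not the post’s), here is a Python checker that rates a candidate answer the way the tips do: an answer drawn from a small enumerable set (colours, common pet names) is rated by the size of that set, a calendar date is rated at the 366 day/month combinations the tip alludes to, a phone number is rejected as public record, and anything else gets a character-class estimate of the kind password meters use. The word lists, the regular expressions and the thresholds (12 characters, 40 bits) are constructed assumptions for the example; the lists are deliberately tiny, so a real deployment would use much larger ones.

```python
import math
import re

# Constructed small answer sets; an attacker can simply try every member.
SMALL_ANSWER_SETS = {
    "colour": {"red", "orange", "yellow", "green", "blue", "purple",
               "pink", "black", "white", "brown", "grey", "gray"},
    "pet name": {"max", "bella", "charlie", "lucy", "buddy", "daisy",
                 "molly", "rocky"},
}
DAY_MONTH_COMBINATIONS = 366                      # the tip's "at least 365 options"
DATE_PATTERN = re.compile(r"^\d{1,2}[/.-]\d{1,2}([/.-]\d{2,4})?$")
PHONE_PATTERN = re.compile(r"^\+?[\d\s().-]{7,}$")
MIN_OK_LENGTH = 12                                # assumed thresholds for an "ok" rating
MIN_OK_BITS = 40.0


def guess_space_bits(candidates: int) -> float:
    """Bits of work to enumerate a set of `candidates` equally likely answers."""
    return math.log2(candidates)


def character_space_bits(answer: str) -> float:
    """Upper-bound estimate from the character classes present, like a
    password meter: length (spaces excluded) times log2 of the alphabet."""
    classes = 0
    if re.search(r"[a-z]", answer):
        classes += 26
    if re.search(r"[A-Z]", answer):
        classes += 26
    if re.search(r"\d", answer):
        classes += 10
    if re.search(r"[^A-Za-z0-9\s]", answer):
        classes += 33
    if classes == 0:
        return 0.0
    return len(answer.replace(" ", "")) * math.log2(classes)


def assess_answer(answer: str) -> dict:
    """Rate a candidate secret answer. Returns a verdict, an estimated
    guess-space size in bits and the reason, following the tips' ordering:
    enumerable set first, then public-record patterns, then raw length."""
    norm = " ".join(answer.casefold().split())
    for category, members in SMALL_ANSWER_SETS.items():
        if norm in members:
            return {"verdict": "weak", "bits": guess_space_bits(len(members)),
                    "reason": f"one of {len(members)} common {category} values"}
    if DATE_PATTERN.match(norm):
        return {"verdict": "limited", "bits": guess_space_bits(DAY_MONTH_COMBINATIONS),
                "reason": "a date has only 366 day/month combinations, and years are guessable"}
    if PHONE_PATTERN.match(norm):
        return {"verdict": "weak", "bits": 0.0,
                "reason": "phone numbers are a matter of public record"}
    bits = character_space_bits(answer)
    if len(norm) >= MIN_OK_LENGTH and bits >= MIN_OK_BITS:
        return {"verdict": "ok", "bits": bits,
                "reason": "several words, not in a small set, not public record"}
    return {"verdict": "short", "bits": bits,
            "reason": f"fewer than {MIN_OK_LENGTH} characters or too little variety"}


if __name__ == "__main__":
    # Constructed sample answers covering each branch.
    for candidate in ["Blue", "puce", "14/07/1998", "555-867-5309",
                      "Cafe Mozart, Rue Pigalle"]:
        result = assess_answer(candidate)
        print(f"{candidate!r:28} {result['verdict']:8} {result['bits']:6.1f} bits  {result['reason']}")
```

Note that "puce" comes out as "short" rather than "weak": it escapes the small colour list, as the tip says, but four letters still give an attacker very little to search, so the length rule catches it instead.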

Many people suggest that the best answer to a Secret Question is a fictitious one – if you make it up, it will definitely be harder to guess or research. The problem with making up a response, however, is that it fails the definitive criterion, which makes it more difficult to remember. If you’re certain you can commit your fake response to memory, though, it can be a more secure answer.

If you keep the above tips in mind, you can still enjoy the benefits of being able to safely retrieve your password without lowering your overall security. Do you have any tricks that you use for choosing a good Secret Question? Should Secret Questions be abandoned entirely? If so, what would you like to see replace them?

  • Jeffrey Goldberg (http://www.goldmark.org/jeff/)

    [Disclosure: I work for AgileBits, the makers of 1Password]

    I rarely disagree with you and your excellent blog, but this is one of those cases. I have recommended that people abandon the “definitive” criterion and use a password manager instead. It simply isn’t possible for an answer to be both definitive and secure in the sense that you list. Instances of answers that will meet both the definitive and secure criteria will be exceedingly rare, thus making it even harder to have different questions for different sites.

    You have outlined the criteria of good security questions and answers far far better than I have, but I think that helps us realize that the task is actually impossible.

    Cheers,

    -j
    -- Jeffrey Goldberg, Chief Defender Against the Dark Arts @ AgileBits, http://agilebits.com

    • Lysa Myers

      Many folks in the security industry would agree with you, and many InfoSec folks I talk to do use a password manager. Whether or not it’s possible to come up with a good question, using a password manager can certainly help simplify password security. My intent with this article was to make people aware of what constitutes a good question (and how difficult that can be) and they can choose for themselves what to do with that information. I appreciate hearing different opinions on this – thank you!
