This is Part II of the Security for a New Year series.
This topic was originally requested by a reader at my former employer; his question was simply, “what are your thoughts on security questions?” Well, considering that the topic for part one of this series was passwords, it seemed appropriate to make this part two. Security questions are a very sticky subject when it comes to security. They are used to ‘verify’ your identity by using something typically more ‘complex’ than your password. There are generally two instances when you encounter security questions: the first, and most common, is to reset your password if it has been forgotten, and the second is as an additional identity verification step, such as for a banking login.
Server Side Considerations:
The first issues regarding security questions arise on the server side, in the form of how they are stored in the database. If there are already bad practices in place for passwords (e.g. storing them in plain text), then it is extremely likely that these same practices will carry over into what is often considered a less important aspect of account security. If the database on the server is ever compromised and passwords are stored in plain text, then it doesn’t matter how strong your password is; the attacker already has it. Even if your password is 64 characters long and completely randomly generated (e.g. using KeePass), it doesn’t matter if the attacker can simply copy and paste it. Before I digress any further, let’s get back to security questions. Since, as I mentioned earlier, security questions are often used for password resets, it is just as important for the answers to be hashed. If you have a good strong password and it is hashed in the database, but the answers to the security questions are not, then the password security has failed: if the database is compromised, the attacker does not need to crack the hash of the password, he can simply use the security question and answer to reset the password and gain access to the account. The best practice for this function of security questions would be to send an email with a link that allows the user to reset their password; however, this is not always the case. So the first consideration for security questions is the same as for passwords: hope (or, if the account is important enough, verify through the company’s IT department) that their passwords and answers to security questions are hashed, preferably with something stronger than MD5.
The second issue on the server side concerns the questions offered. Most websites offer a standard list of security questions such as these:
- What is the name of the High School you graduated from?
- What is your pet’s name?
- What is your mother’s maiden name?
- What is your father’s middle name?
- What is your favorite team?
- What is the name of your hometown?
- In what city were you born?
For a more detailed list of security questions there is an extensive list here: http://goodsecurityquestions.com/examples.htm
Now the first issue with these questions is that they are easily answered with a bit of research. With the advent of social media, these questions are almost completely obsolete. The second issue is with the storage of the questions chosen. Unlike the answers, which can be protected with a one-way hash, the questions need to be readable, and as a result should be stored using reversible encryption. This way the website can decrypt and display the question, but the data cannot easily be obtained from the database directly. The third issue is whether a user is able to make up their own questions. This is the best solution, as the user can use something that may be unrelated to them but still memorable. For example, something you will likely never find anywhere might be the security question “What is the Hamburglar’s middle name?” to which I might respond with “Bacon” as the answer. The answer cannot be found on the internet, because to the best of my knowledge, if the Hamburglar had a middle name, it probably isn’t Bacon. However, anyone that knows me might guess that I would say Bacon to that question, but I will cover answering these questions later in this article. If you encounter very simple security questions for an important service, it would probably be best to contact their IT department to ensure their other security practices are up to par. To summarize the second server side issue, the considerations are how difficult the security questions are to research, their storage method on the server, and whether or not the user has the ability to create their own questions.
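As an added example (not code from the original post), here is how a server could store security-question answers the way the two server side sections above recommend: salted, hashed with a deliberately slow algorithm, and checked with a constant-time comparison, shown beside the unsalted MD5 baseline the article warns about. The choice of PBKDF2-HMAC-SHA256 from Python’s standard library, the iteration count, the record format and the answer normalization rules are all my assumptions; bcrypt, scrypt or Argon2 would serve the same purpose. The example covers only the answers; the reversible encryption of the question text would be done with an authenticated cipher from a library such as `cryptography` and is not shown here.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 with a high iteration count. The article only
# asks for "something stronger than MD5"; the point is salt + slowness.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Fold an answer so harmless variations still match at reset time.

    Users rarely retype an answer exactly as enrolled ("Bacon" vs " bacon"),
    so case, surrounding/duplicate whitespace and Unicode form are folded.
    Do NOT apply this to passwords: folding shrinks their keyspace.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh random salt per record means two users with the same answer
    ("Smith" for mother's maiden name) get different stored values, so one
    precomputed table cannot be reused across the whole database.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iters),
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def weak_md5(answer: str) -> str:
    """The bad-practice baseline: fast, unsalted MD5 of the raw answer."""
    return hashlib.md5(answer.encode("utf-8")).hexdigest()


def same_answer_same_hash(hasher, answer: str) -> bool:
    """Do two users who enrol the same answer end up with identical rows?

    True for weak_md5 (one lookup table cracks every user at once);
    False for hash_answer, because each call draws its own salt.
    """
    return hasher(answer) == hasher(answer)


if __name__ == "__main__":
    # Constructed sample: the article's own Hamburglar answer.
    record = hash_answer("Bacon")
    print(record)
    print("reset with ' BACON ' accepted:", verify_answer(" BACON ", record))
    print("reset with 'Ham' accepted:   ", verify_answer("Ham", record))
    print("MD5 identical across users:  ", same_answer_same_hash(weak_md5, "Smith"))
    print("PBKDF2 identical across users:", same_answer_same_hash(hash_answer, "Smith"))
```

The same `hash_answer` / `verify_answer` pair is what the password column should already be using; if the answers column is stored any weaker, the reset path is the weakest link and the password hash is irrelevant.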
Before I go into the second portion of this article, I want to share some of my favorite ‘made up’ questions I found while doing my research. Humor is definitely encouraged in the creation of security questions.
Courtesy of: http://usablyauthentical.blogspot.com/2010/08/truly-secure-security-questions.html
- What color was your first grade teacher’s house?
- When will global warming end?
- Why did your girlfriend say that about your mother?
- How much wood could a woodchuck chuck?
- What happens when an irresistible force meets an immovable object?
- Why didn’t you live up to your parent’s expectations?
- Why is a raven like a writing desk?
- Why don’t Americans use the metric system?
- Mrs. Robinson, are you trying to seduce me?
- To be, or not to be?
- What is your favorite security question?
- Bueller? Bueller? Anyone? Bueller?
- What are you looking at?
- Do these pants make me look fat?
Choosing Security Questions – Considerations:
Now that the server side considerations are out of the way, let’s say all is good with their security and you have a list of questions to choose from. If you intend to answer these questions with some reasonable level of sincerity, then it is best to choose questions whose answers cannot be easily found on the internet or by knowing you. The “what is your mother’s maiden name” question should almost always be avoided if you intend to answer truthfully. Questions that only you, or perhaps only a select few people, would know the answer to are best in these circumstances. Unless the answer has been revealed online, questions such as “In what city or town did your mother and father meet?”, “What is the name of a college you applied to but didn’t attend?” or “Where were you when you first heard about 9/11?” would be great choices. Ultimately, if you can make up your own questions, this is the best option. You can be as creative as you want with your questions and answers, and often these can also be easily remembered.
Answering Security Questions – Considerations:
Now if you know me, or have learned enough about my thoughts on security from the other articles, you can imagine this is where my enthusiasm lies. I prefer to answer security questions, regardless of the question, with something either randomly generated (using KeePass) or produced by banging my hands on the keyboard like an enraged drunken monkey. The primary reason I choose to use randomly generated answers is the same reason I choose to use randomly generated passwords: I do not believe that something that is used as an additional layer of security should undermine the previous layer of security.
The truth of the matter is this: if it is something that you will always remember (e.g. your mother’s maiden name or your favorite sports team), then it is also something that can typically be discovered with very little research. Social media has made identity theft extremely easy because people share so many different things about themselves that they often do not realize they are undermining the security of many of their services. As a result, answering security questions (sometimes even the self-created ones) truthfully drastically weakens the security of the service you are using.
This is where the core problem with security questions rests: they are a tool that is meant to be easily remembered in case you forget your stronger and harder to guess password, or to supplement that password. If you use my approach of answering these questions with more random gibberish, you end up negating one of the primary purposes of security questions. If you do not use KeePass or a similar password vault for your passwords and security questions, then it is best to answer the question with something you will remember, but not the actual answer to the question.
For example, if you choose the “what is your mother’s maiden name” question, consider answering with something your mother used to always say to you instead of her name. If you choose the question “what is your favorite team”, answer with something relating to a specific memory from watching them, such as “Three touchdowns in the first quarter!” In short, use your imagination, and when you read the question try to focus on the memories the question brings to mind rather than the answer it wants. This technique will help you strengthen your security questions while still keeping the answers easy to remember but hard to guess or research.
This concludes Part II of Security for a New Year, and as always, comments are encouraged.
Until next time, live free; surf secure!
~Michael
This article was originally posted on 4-6-2014, but has been updated to still be current.