Security question rant
Jul. 21st, 2006 09:33 pm

Security questions. I don't get it.
Let's quote Facebook:
"If you ever need to write us for help with your Facebook account, we need a way to confirm that you are the owner of the account. As a new security measure, please provide a question and answer to help identify you."
...isn't that what my *password* is for? What, are they afraid sending passwords over unencrypted email is insecure? Well, it's not like sending security question answers over unencrypted email is any more secure!
What's worse is when something asks you for a security question so that they can send you your password if you forget it. Everyone knows you're not supposed to store plaintext passwords!
So what if someone loses their password and wants it reset? How do you verify that the email you're receiving is from the same person? Answer: You don't, because you don't have to; you just email the new password to the address the account is registered under. So even if someone fakes the sender address and thereby resets someone else's password, the victim will still get the email with the new password, and the imitator won't. The worst the imitator can do is force the victim to go and fetch a new password from their inbox.
The exception is if the imitator has taken over his victim's email account, in which case, as I see it, all is pretty much already lost for the victim - well, not really, but he'll have to call whoever provides his email or go to them in person or something; he'll have to find some non-electronic way of verifying his identity, and in the meantime the imitator can probably do all sorts of things. And if the imitator can't reset passwords on something, well, if he can crack one password, why can't he crack another? Especially since I don't think most people use different passwords for everything. I mean, I only use 5 or 6, and I'm told a lot of people only use one!
And why should cracking a security question be harder than cracking a password? Indeed, I'd say it's probably easier. If a person makes his security answer just another password, I'd imagine it would be just as hard, but that's not the point of a security question, now is it? When a person can provide his own security question, I'd imagine that's already easier simply because the answer will consist of words, but when it really gets stupid is when you only have a finite number of choices.
Let's take an example, and examine the possibilities Facebook provides. I think we can sort them into 3 (overlapping) categories.
PUBLIC INFORMATION:
What time were you born?
Who was your third grade teacher?
Questions to which the answer can be looked up, if not by everyone. Anyone who went to a Glen Rock school when I was at Coleman and has kept their phone directory can just check, Harry Altman was in class 3-K, taught by Ms. Kaufman. And birth certificates are public information, right? Anyone willing to drive to wherever mine is stored (Hackensack? Maywood? Glen Rock?) can look it up. I'm sure one day people will even be able to look it up on the web (hell, maybe they can already, I haven't checked).
THINGS OTHER PEOPLE WILL KNOW:
What was the name of your first stuffed animal?
Who was your first kiss?
What was the first concert you attended?
Not something that can be looked up, but something that certain other people will know. If something should happen, are you willing to track down everyone you told that story to, and everyone they told that story to, et cetera?
THINGS THAT CAN CHANGE:
What is your least favorite nickname?
What are your favorite pizza toppings?
A security question, unlike a password, is not something you'll be typing repeatedly, so you'd better be able to recall it from the question itself. These questions do not meet that criterion. If someone tries to steal my account n years from now, am I going to remember what my least favorite nickname was when I filled this out? Asking about favorites is especially bad, as most people don't really have definite favorites about things.
If you must make a security question and it won't be just another password, it should be:
1. Something that only you know. Perhaps a question that's only meaningful to you in the first place. But don't go too far in that direction, because it should also be
2. Something that is constant. No favorite movies or anything. Nothing you're not going to remember in several years. No "what is delicious". For that matter, since it has to be something you need to remember, it should be
3. Something short - a single, definite, phrase, that can be remembered word for word, character for character. If it's something like, "It was yellow and had a purple disk on it", what are the chances you're going to remember that as is? (Assuming that it's actually a description of something and not just a phrase or something you would say commonly (because if it were, other people would presumably know it).) "Damn... was it 'It was yellow with a purple disk?' or 'It was a purple disk on yellow?'" Or maybe it was "circle" instead of "disk"? Maybe even, if he was feeling especially heraldic at the time, it was "Or, a golpe". There's so many possible variations on the word order... and what if the thing is case-sensitive?
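As an added example (my code, not anything from this post or from Facebook), here is how a site could store a security answer the way it should store a password, and why that still doesn't rescue a question with a small answer space. The normalisation step addresses the "what if the thing is case-sensitive?" problem above, the salted PBKDF2 digest addresses the plaintext-storage problem, and the dictionary attack at the end shows what "only a finite number of choices" means in practice. The function names, the PBKDF2 work factor and the list of pizza-topping guesses are all my own assumptions; the guess list is constructed for the demonstration, not real data.

```python
"""Added example, not from the original post: hash security-question answers
like passwords, and show why a small answer space defeats that anyway.
All names and parameters here are illustrative assumptions."""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, raise in production


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so capitalisation, punctuation and stray
    whitespace don't lock the legitimate user out years later:
    "Ms. Kaufman", "ms kaufman" and "MS  KAUFMAN" all compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)  # drop punctuation
    return " ".join(text.split())         # collapse whitespace


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these are stored, never the answer itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a supplied answer against the stored digest."""
    _, cand_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(cand_digest, digest)


# Constructed guess list for "What are your favorite pizza toppings?".
# A real attacker would use a longer list, but the point is that it is
# short: a handful of guesses, not the huge space a decent password needs.
PIZZA_TOPPING_GUESSES = [
    "cheese", "pepperoni", "mushrooms", "sausage", "olives",
    "pepperoni mushrooms", "ham pineapple", "peppers onions",
]


def guess_answer(salt: bytes, digest: bytes,
                 guesses: List[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against a leaked (salt, digest) pair.
    Returns (matching guess, attempts used), or (None, len(guesses))."""
    for attempts, guess in enumerate(guesses, start=1):
        if verify_answer(guess, salt, digest):
            return guess, attempts
    return None, len(guesses)


if __name__ == "__main__":
    salt, digest = hash_answer("Pepperoni, Mushrooms!")
    print(verify_answer("pepperoni mushrooms", salt, digest))  # True
    print(guess_answer(salt, digest, PIZZA_TOPPING_GUESSES))   # ('pepperoni mushrooms', 6)
```

The hashing and normalisation fix the two problems the site can fix: nothing recoverable is stored, and the user isn't locked out over a comma or a capital letter. What they can't fix is the question itself: if the honest answer is one of a few dozen toppings, the digest falls to the dictionary in a few dozen PBKDF2 calls, salt or no salt.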
Since Facebook isn't locking me out if I don't make a security question, I'm not going to make one. Sure, I could have it just be a second password, but even then, I'm actually making my account less secure - instead of figuring out a specific password, someone trying to crack my account need only figure out either of two. It's probably not *significantly* less secure, but it is less secure.
In short: Not only do security questions make things less secure instead of more, the stupid things that people are often presented with as choices for security questions (or, I suspect, come up with themselves) are either very insecure or are such that not even the person himself will remember the answer. And these are a good thing why?
-Sniffnoy