
Security Questions Considered Harmful

BSides Las Vegas · 2015 · 22:42 · 30 views · Published 2016-12 · Watch on YouTube ↗
Speakers: Jim Fenton
About this talk
Jim Fenton argues that security questions used for account recovery violate nearly every rule we apply to passwords: they're low-entropy, often publicly discoverable, can't be salted and hashed (due to fuzzy matching), and are frequently reused across sites. He walks through real-world examples of poorly-designed questions, canonicalization and throttling pitfalls, and suggests that security questions only be used for very low-security purposes like suppressing nuisance notifications.
PW - Security Questions Considered Harmful - Jim Fenton Passwords BSidesLV 2015 - Tuscany Hotel - August 05, 2015
Transcript (en)

...cheap, too. This is a cheap way of doing account recovery. Account recovery is a big cost to all of these online services, everything from your bank down to social networking, you name it. If they can solve the problem in an automated way, with some sort of script that asks you the questions and you answer them, then hey, that's kind of like quasi-free. If they have to staff a call center with good people, or if they have to do something offline, then there's a direct cost to them. Some of the other ways of doing account recovery take some time. I mean, another thing that's possible, and it costs a little bit, but you could,

when somebody loses their... you know, can't log into their account, you could maybe send them a postcard. It's not a great cost, but everybody is used to instant gratification, to the point that there are people who plainly don't even bother remembering passwords; they just depend on account recovery procedures for those accounts they don't use regularly. Now, account recovery questions, challenge questions, security questions, whatever you want to call them, basically break all the rules that we set for passwords. They're really another password, or another set of passwords, for your account. But all of the things that we tell people not to do with passwords, we just do it for,

these sites just do it for, security questions. We tell them we need upper and lowercase letters and special characters and all those sorts of things, but as far as the security question goes, your mother's maiden name is, you know, one of the popular ones; there's no complexity at all. Secrecy: keep your passwords secret, don't even write them down, they often say. But the answers to these questions are things that you can find online in many cases, for a lot of people: Facebook, Ancestry, and who knows what. The people that have the OPM data probably have the answers to a lot of things that people thought were very,

very private. Don't share your password between multiple websites, but how many websites have you seen ask for your mother's maiden name, or ask for your childhood best friend, things like that? This is another example. And then for storage, and this is hard, it's very hard to get information on how companies actually are storing passwords and answers to security questions, but passwords you want to salt and hash. With security questions, sometimes you need to be able to do a fuzzy match on those, and you can't salt and hash if you're going to do some sort of a fuzzy match. So these are more

vulnerable at rest. Now, with apologies to [unintelligible], because its company name in Norwegian means "best practices", I've always had trouble with the term "best practices" because they're so hard to nail down. You know, I ask any number of IT administrators, "Why are we doing this?" "Well, it's a best practice." It's like, if you don't want to answer the question, just say "best practice", but you know that's not what they're going to... So it's really hard to nail these things down. Now, I found one source of information, and it's from OWASP, I guess, and so I don't need to single them

out, but this is just one that I was able to find. They have a best practice, or rather a cheat sheet, for choosing and using security questions. It says a number of things about them, but one of their objectives here is to make forgot-password solutions as palatable as possible. So if the point is to make it palatable, they're really focused on sort of instant gratification; they are not focused on making the forgotten-password scenario as secure as it needs to be. Now, on the other hand, they do say at the beginning of another section that security questions are less robust, and I have

agreement there. But then if you read a little bit further down, the paragraph here scares me a little bit more, because it talks about security questions possibly being considered as a component of multi-factor authentication. We're talking a completely different realm of security; we're talking about challenge questions, and not anything that might require multi-factor authentication. So yes, they're recognizing the problem, but then they kind of wrap it up with something that's even a little bit scary. Now, one thing: I have never seen a situation where they prompt you for security questions and give you the option to opt out. It's always like, you must answer these

questions now before we'll let you do anything else. So, security professionals, how many of you here make up answers to these questions? Lots of them, yes. Okay, you are not representative of the population. So here's an example where you just fill it in with gibberish; actually, that one came from my password manager, which generates it. But most people don't realize that they can or should make up answers. Now, of course, the danger with making up an answer is that if somebody forgets their password and they have a made-up answer to a security question, they're likely, perhaps even more likely, not to remember

that. And there's some great research that indicates that, with different methods of doing that, people even forget, even when they don't make up an answer; they forget what they answered, and that's a significant problem. We'll get into that a little bit more. But one of the issues here is that when a site is using security questions for account recovery, that's usually the only way of doing it. If you don't have the answer to the security question, then your other options for recovering your account are much more limited, either because they don't exist or because the person isn't able to answer the challenge questions, so they're hosed. So let's remember when we talk about this: so many times when I

bring up security questions, I just hear "I enter junk", but I'm always talking to security people. Let's remember, when we're designing this thing, that we are not designing them for ourselves; we are designing them for the general public, and we need to be thoughtful about how we do these things if we want to provide security to everybody, not just the select few. So here's an example of an area where I think we're actually telling the public that they shouldn't make up an answer. This is the California Department of Motor Vehicles account registration. I had to go through this recently because I was given the option to renew my driver's license online, so I could create an

account on their site, and this is what you read, what you do, to register an account. I don't know if you can see all of this, but it talks about... [Video editor's note: Hello folks, unfortunately it looks like we had a video freeze, so audio and the speaker video and such resume at about the 11 min 45 sec mark or thereabouts. Sorry for the inconvenience.]

[unintelligible] ...school... the government has... [unintelligible] ...Google here... Massachusetts... [unintelligible] I don't forget things like... [unintelligible] ...my elementary school from several years ago, and you know, I was able to look up the teacher, Mildred [unintelligible]... she seemed close... [unintelligible] and then of course there's me, and I have... [unintelligible] ...recommended... [unintelligible] you can also guess... probably the basis for getting... [unintelligible]

First names: it actually does a pretty good job on getting... [unintelligible] ...to start.

Yeah, popular... [unintelligible] ...names. I looked at family names on the census website; that was kind of an interesting project a few months ago, and... [unintelligible] ...where the popular... [unintelligible] ...you know, it gives an attacker a nice... [unintelligible]. Then there are lots of resources. My point here is to try and encourage those who design these... [unintelligible] I'd love it if you didn't have these. I have been doing a collection of security questions on... [unintelligible] ...and so these are the worst questions that I'd ever seen, and so these are the ones that are just

there. "What is your favorite season?" [unintelligible] The California Department of Motor Vehicles asks, as one of their choices per question, "Who was the first president?" [unintelligible] ...memorable to a lot of people, so there are people who will select it, and unfortunately... [unintelligible]. Most people aren't thinking about whether these questions are going to be secure for them; they're thinking about... [unintelligible] ...the security... [unintelligible] ...the weakness of the system... [unintelligible] "What is your..." [unintelligible] I mean, that... [unintelligible]

...a small group. But now I've been focusing on the questions where it's easy for a hacker to get the right answer; it's also a problem for the people who are the intended users. A lot of the questions have more than one right answer. Sometimes you don't necessarily have one best friend; you had a best friend in third grade and maybe a different one in seventh grade, or something like that. Another one of these that I've seen is, "What is the name of a college you applied to but didn't attend?" I kind of like that one from a security standpoint, because people don't necessarily broadcast, "Hey, I applied to such and such a

school and didn't get in." So it's good from that standpoint, but most of us have applied to more than one college and not gotten in, and so which one did I use? Canonicalization problems: there are lots of different ways of typing phone numbers, there are lots of different ways of typing addresses. It's very hard to canonicalize these things in a uniform way such that you'd be able to salt and hash the answer; salt and hash the canonicalized result. And another thing to bear in mind is that part of the strategy here is you don't want to allow people to guess too many times. You need to implement a throttling strategy, and you want to make sure that your throttling

strategy doesn't unduly work against the intended user, so that if the intended user has to take five guesses to get the right answer, you want to make sure the throttling allows that amount. So, a lot about problems. What are the things that I would do with security questions? You might be able to use them for something very low security. It's not the thing that you're going to depend on for security, but maybe something to depend on just for avoiding nuisance notifications. So, you know, if your site is maybe going to send somebody an email in order to reset their password, let's set the security of that aside, but if you're going to do that, then perhaps

you might want to ask a security question in order to make sure that at least there is some likelihood that the user is the owner of that email address, and that somebody isn't hammering on somebody else's email address. You want to choose questions that are deterministic, that have answers people will be able to recall. Even if you're going to ask multiple questions, don't expect any real security; remember that something you know plus something else that you know is not multi-factor authentication. And remember that sometimes the attacker is an insider. We hear of situations where disgruntled ex-spouses want to get into the ex-spouse's bank account, maybe as part of a divorce settlement or something. I have seen that going on: insider

threats. There's been a lot of really good academic, much more rigorous, research done on this. The top three bullets there are papers, and they're excellent papers on the subject. I really recommend them; much more rigorous than what we do here on the second day of BSides. A lot of the stuff they've included: memorability of the questions, how much entropy is there, or whether entropy is the right measure, a lot of that sort of thing. And then the bottom is the blog gallery of these questions that I'm collecting, and if you have more, please send them. I'd like to post more examples. And then we'll

close with Fidelity. I put up on my screen [unintelligible] after I'd answered their questions, announcing to me that my account is much more secure now that I've answered them, but I couldn't disagree more. So that's it. I welcome any questions. Yes?

Okay, I'll repeat it for the microphone because it's a good one: the favorite security question was "What is your favorite internet password?" If you get a screenshot of that, I'd love that. Oh,

wonderful, great.


[inaudible audience question]

Gee, I'm off the hook. I don't like a lot of the... [unintelligible] ...but, you know, I guess maybe SMS; it depends on what the threat model is... [unintelligible] ...because... [unintelligible] ...here's a... [unintelligible]

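The talk makes two implementation points in passing: answers can only be salted and hashed if they are first canonicalized into one exact form (which rules out fuzzy matching), and guess throttling must leave room for an honest user's few wrong tries. The following is an added example written for this page, not the speaker's code and not from any site discussed in the talk. It uses only the Python standard library; the function names, the scrypt parameters, the five-guesses-per-hour policy, and the sample answers and phone numbers are all illustrative choices made here.

```python
"""Canonicalize security-question answers so they can be salted and hashed,
and throttle guesses without locking out an honest user on the first slip.

Added example for this page; not the speaker's code. All names, parameters
and sample inputs below are illustrative assumptions.
"""
import hashlib
import hmac
import os
import re
import time
import unicodedata

# scrypt cost parameters (assumed here; tune to your hardware budget)
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def canonicalize(answer: str) -> str:
    """Free-text answer -> canonical form: NFKC, case-folded, with all
    whitespace and punctuation removed. "Fairview  Elementary." and
    "fairview elementary" become the same string. This is exact matching
    after normalization: a real typo ("Fairvew") still fails, which is the
    trade-off the talk describes (fuzzy matching cannot be salted+hashed)."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[\W_]+", "", folded)


def canonicalize_phone(answer: str) -> str:
    """Phone-number answer -> digits only; drops a leading country code 1
    when 11 digits remain (assumes North American numbering)."""
    digits = re.sub(r"\D", "", answer)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def store_answer(answer: str, salt: bytes = None) -> dict:
    """Salt and hash the canonicalized answer with scrypt (hashlib.scrypt).
    Returns the record a site would persist instead of the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(canonicalize(answer).encode(), salt=salt, **SCRYPT)
    return {"salt": salt, "hash": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the hash of the canonicalized attempt; constant-time compare."""
    digest = hashlib.scrypt(canonicalize(attempt).encode(),
                            salt=record["salt"], **SCRYPT)
    return hmac.compare_digest(digest, record["hash"])


class Throttle:
    """Per-account guess limit: `limit` wrong answers per `window` seconds.
    Five per hour (the default assumed here) tolerates an honest user's
    slips while holding an attacker to a handful of tries against answers
    that are low-entropy to begin with. A locked account is refused before
    the answer is even evaluated, so the attacker learns nothing."""

    def __init__(self, limit=5, window=3600, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.failures = {}  # account -> list of failure timestamps

    def check(self, account: str, record: dict, attempt: str) -> str:
        now = self.clock()
        recent = [t for t in self.failures.get(account, [])
                  if now - t < self.window]
        if len(recent) >= self.limit:
            self.failures[account] = recent
            return "locked"
        if verify_answer(record, attempt):
            self.failures.pop(account, None)
            return "ok"
        recent.append(now)
        self.failures[account] = recent
        return "wrong"


if __name__ == "__main__":
    # Constructed sample: the stored answer and a user's later attempts.
    rec = store_answer("Fairview Elementary")
    th = Throttle(limit=5, window=3600)
    for guess in ["Fairvew Elementary", "fairview elem", "fairview  elementary."]:
        print(f"{guess!r:28} -> {th.check('alice', rec, guess)}")
    print(canonicalize_phone("+1 (415) 555-0123"), canonicalize_phone("415.555.0123"))
```

The second and third canonical forms above show the whole point: every spelling of a phone number collapses to one string that can be hashed, whereas a free-text answer only matches if the user reproduces it after normalization, so the question had better have a single, deterministic answer.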