
Security Questions Considered Harmful



Presentation at Passwords '15 Las Vegas (part of BSides Las Vegas) on the problems with using security questions for account recovery.



  1. "Security" Questions Considered Harmful
 Passwords 2015 Las Vegas
 Jim Fenton, @jimfenton
  2. Everyone has seen this
  3. Why do they do this? It's a cheaper way to do account recovery
  4. Characteristics
 | Characteristic | Password | Security answer |
 |---|---|---|
 | Complexity | Complexity often "enforced" by complex rules | Often a word or name |
 | Secrecy | Users are told to keep passwords secret | Security answers available on Facebook, Ancestry… (OPM?) |
 | Sharing | Attempts to train users not to share passwords between sites | Security questions are common between sites |
 | Storage | Should be salted and hashed | Can't salt/hash if you need to do fuzzy matching |
  5. Best Practices? OWASP, "Choosing and Using Security Questions Cheat Sheet"
 https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
 "…make the Forgot Password solution as palatable as possible"
  6. But, to be fair… (OWASP)
  7. Opting out
 • Answering security questions is rarely optional
 • Many recommend answering the questions with gibberish
 • Many users don't realize they can (or should) make up answers
 • Security questions often crowd out better methods for account recovery
 • We aren't trying to solve this problem just for security professionals!
  8. Context is important
 (Slide image: three bracketed groups of form fields, labeled "Must be truthful", "Must be truthful" and "Make something up")
  9. Looking up the answer
 • What is your mother's maiden name?
 • What is your oldest sibling's birthday month and year?
 • What high school did you attend?
 • What school did you attend for sixth grade?
 • What was the last name of your third grade teacher?
 • What was your childhood phone number?
 • What hospital were you born in?
 • And, of course…
  10. But if you need to guess…
 • First name
 • Favorite team
 • Family name
 • First/favorite pet
 • Color of first car
 • Street names (by state)
  11. Some questions are just bad!
 • "What is your favorite season?" (eDisclosure/SouthTech Systems)
   Only 4 choices, unless you include "football", "strawberry", etc.
 • "Who is the first president you voted for?" (California DMV)
   Very limited choices, especially if the approximate age of the user is known
 • "What is the year in which you were married? (YYYY)" (Fidelity Investments)
   Easy to guess, especially if the user is young
  12. False negatives, too
 • Many questions have more than one "right" answer:
   • "What is the last name of your childhood best friend?"
   • "What is your favorite color?"
   • "What is the name of a college you applied to but didn't attend?"
 • Many questions have ambiguous formatting that is difficult to canonicalize:
   • (213) 555-2368 vs. 213/5552368, and +44 7786 230167 vs. (07786) 230167
   • West Maple Street vs. W. Maple St.
 • Throttling strategies need to accommodate guessing by the intended user as well as by attackers
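To put numbers on slides 10 through 12 (small or skewed answer spaces, a guess budget set by throttling, and the "multiple questions" point), here is an added example that is not part of the talk. It models the attacker Bonneau et al. analyze: one who knows the answer distribution and tries the most popular answers first. The distributions below are constructed for illustration, not survey data, and the joint-distribution helper assumes the two answers are independent, which real answers often are not.

```python
from itertools import product

# Constructed answer distributions for illustration (not measured data).
SEASON = {"summer": 0.40, "fall": 0.25, "spring": 0.20,
          "winter": 0.13, "football": 0.02}
COLOR = {"blue": 0.35, "green": 0.20, "red": 0.15,
         "purple": 0.10, "black": 0.10, "other": 0.10}


def success_after_guesses(dist: dict, k: int) -> float:
    """Probability an attacker who tries the k most popular answers gets in."""
    return sum(sorted(dist.values(), reverse=True)[:k])


def guesses_for_success(dist: dict, alpha: float):
    """Smallest guess budget that reaches success probability alpha
    (the 'alpha-work-factor'); None if alpha is not reachable."""
    total = 0.0
    for i, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        total += p
        if total >= alpha - 1e-12:
            return i
    return None


def joint(dist_a: dict, dist_b: dict) -> dict:
    """Answer space when two questions must both be answered.
    Assumes independence (an assumption; correlated answers are worse)."""
    return {(a, b): pa * pb
            for (a, pa), (b, pb) in product(dist_a.items(), dist_b.items())}


def uniform(n: int) -> dict:
    """Baseline: n equally likely answers, e.g. a random 4-digit PIN."""
    return {i: 1.0 / n for i in range(n)}


if __name__ == "__main__":
    cases = [("season", SEASON),
             ("season + color", joint(SEASON, COLOR)),
             ("4-digit PIN", uniform(10_000))]
    for name, dist in cases:
        # A throttle that locks after 3 wrong answers still lets the attacker
        # take 3 shots at the most popular answers.
        print(f"{name:15s} 3 guesses: {success_after_guesses(dist, 3):.4f}  "
              f"guesses for 50%: {guesses_for_success(dist, 0.5)}")
```

With these constructed numbers a 3-guess lockout leaves the single "favorite season" question at 85% attacker success, and asking two such questions together only drops that to about 31%, still far from the 0.03% a random 4-digit PIN would give under the same throttle.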
  13. What to do?
 • Challenge questions might have some role in nuisance limitation
   • Example: challenging the user prior to sending a password reset email
 • Choose questions that have deterministic, hashable answers
 • Don't expect any real security, even when multiple questions are asked
 • Consider insider threats, e.g., disgruntled ex-spouses
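The storage row of slide 4 and the "deterministic, hashable answers" advice of slide 13 hinge on one design choice: if the answer is canonicalized to a single deterministic string before storage, it can be salted and hashed like a password; if the site instead wants fuzzy matching (typo tolerance, "close enough"), it must keep the answer in a recoverable form. The following is an added example, not code from the talk, showing the hashable route for the two ambiguous-format cases on slide 12 (street names and phone numbers). The abbreviation table, the `kind` labels and the trunk-prefix rule are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Illustrative street-type abbreviations (assumption; a real deployment would
# use a postal-standard table).
STREET_ABBREV = {
    "st": "street", "ave": "avenue", "rd": "road", "dr": "drive",
    "blvd": "boulevard", "n": "north", "s": "south", "e": "east", "w": "west",
}

PBKDF2_ITERATIONS = 200_000  # assumed cost; prefer scrypt/Argon2 where available


def canonicalize_text(answer: str) -> str:
    """Fold case, drop accents and punctuation, expand abbreviations."""
    s = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9]+", " ", s.lower())
    return " ".join(STREET_ABBREV.get(w, w) for w in s.split())


def canonicalize_phone(answer: str, default_cc: str) -> str:
    """Reduce a phone number to country code + national digits.

    A number written with a leading '+' is taken as already international.
    Otherwise one leading trunk '0' is dropped and default_cc is prepended.
    This is a simplification (some numbering plans keep the trunk digit);
    a production system should use a real phone-number library.
    """
    digits = re.sub(r"\D", "", answer)
    if answer.strip().startswith("+"):
        return digits
    if digits.startswith("0"):
        digits = digits[1:]
    return default_cc + digits


def canonicalize(answer: str, kind: str, default_cc: str) -> str:
    return canonicalize_phone(answer, default_cc) if kind == "phone" \
        else canonicalize_text(answer)


def _hash(canon: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", canon.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def enroll(answer: str, kind: str = "text", default_cc: str = "1") -> dict:
    """Store only salt + slow hash of the canonical answer (password-style)."""
    salt = os.urandom(16)
    return {"kind": kind, "cc": default_cc, "salt": salt,
            "hash": _hash(canonicalize(answer, kind, default_cc), salt)}


def verify(record: dict, candidate: str) -> bool:
    """Exact match on the canonical form. Fuzzy matching is impossible here
    because the plaintext is gone; that is the trade-off slide 4 describes."""
    digest = _hash(canonicalize(candidate, record["kind"], record["cc"]),
                   record["salt"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    street = enroll("W. Maple St.")
    print(verify(street, "West Maple Street"))  # matches after canonicalization
    print(verify(street, "Elm Street"))         # wrong answer
    uk = enroll("(07786) 230167", kind="phone", default_cc="44")
    print(verify(uk, "+44 7786 230167"))        # national vs. international form
```

Hashing fixes the storage problem but not the entropy problem: the canonical form of "favorite season" is still one of a handful of strings, so the guess-rate analysis above applies unchanged, and a throttle on recovery attempts is still needed.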
  14. References
 • M. Just and D. Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS '09), pages 1–11. ACM, 2009.
 • J. Bonneau, M. Just and G. Matthews. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. In FC '10: 14th International Conference on Financial Cryptography, Tenerife, Spain, 2010.
 • J. Bonneau, E. Bursztein, I. Caron, R. Jackson and M. Williamson. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. In Proceedings of the 24th International Conference on World Wide Web (WWW '15), pages 141–150. International World Wide Web Conferences Steering Committee, Geneva, 2015.
 • OWASP. Choosing and Using Security Questions Cheat Sheet. https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
 • Insecurity Questions blog. https://insecurityq.wordpress.com
  15. Thank you! (No, it's not)
