Jim Fenton, profile picture
Uploaded byJim Fenton
PDF, PPTX4,272 views

Security Questions Considered Harmful

The document critiques the effectiveness of security questions for account recovery, highlighting their common pitfalls such as complexity, shared answers, and predictability. It suggests that many users are unaware they can create nonsensical answers and emphasizes the need for better recovery methods. The author recommends choosing questions with deterministic answers and warns against relying on security questions for genuine security.

Embed presentation

Download as PDF, PPTX
“Security” Questions
 Considered Harmful Passwords 2015 Las Vegas Jim Fenton @jimfenton
Everyone has seen this
Why do they do this? It’s a cheaper way to do account recovery
Characteristics PASSWORD SECURITY ANSWER COMPLEXITY Complexity often “enforced” by complex rules Often a word or name SECRECY Users are told to keep passwords secret Security answers available on Facebook, Ancestry…(OPM?) SHARING Attempts to train users not to share passwords between sites Security questions are common between sites STORAGE Should be salted and hashed Can’t salt/hash if need to do fuzzy matching
Best Practices? —OWASP, “Choosing and Using Security Questions Cheat Sheet”
 https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet “…make the Forgot Password solution as palatable as possible”
But, to be fair… —OWASP
Opting out • Answering security questions is rarely optional • Many recommend answering the questions with jibberish • Many users don’t realize they can (or should) make up answers • Security questions often eliminate better methods for account recovery • We aren’t trying to solve this problem just for security professionals!
} } } 8 Context is important Must be truthful Must be truthful Make something up
Looking up the answer What is your mother’s maiden name?
 What is your oldest sibling’s birthday month and year? What high school did you attend? What school did you attend for sixth grade? What was the last name of your third grade teacher? What was your childhood phone number? What hospital were you born in? And, of course…
But if you need to guess… First name Favorite team Family name First/favorite petColor of first car Street names (by state)
Some questions are just bad! • “What is your favorite season?” (eDisclosure/SouthTech Systems)
 Only 4 choices, unless you include “football”, “strawberry”, etc. • “Who is the first president you voted for?” (California DMV)
 Very limited choices, especially if approximate age of user known • “What is the year in which you were married? (YYYY)” (Fidelity Investments)
 Easy to guess, especially if user is young
False negatives, too • Many questions have more than one “right” answer: • “What is the last name of your childhood best friend?” • “What is your favorite color?” • “What is the name of a college you applied to but didn’t attend?” • Many questions have ambiguous formatting, difficult to canonicalize: • (213) 555-2368 vs. 213/5552368 and +44 7786 230167 vs (07786) 230167 • West Maple Street vs. W. Maple St. • Throttling strategies need to accommodate guessing by the intended user as well as by attackers
What to do? • Challenge questions might have some role in nuisance limitation • Example: Challenging user prior to sending password reset email • Choose questions that have deterministic, hashable answers • Don’t expect any real security, even when multiple questions are asked • Consider insider threats, e.g., disgruntled ex-spouses
References • M. Just and D. Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security, pages 1–11. ACM, 2009. • Joseph Bonneau, Mike Just and Greg Matthews. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. FC '10: The 14th International Conference on Financial Cryptography. Tenerife, Spain. • Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, and Mike Williamson. 2015. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. In Proceedings of the 24th International Conference on World Wide Web (WWW '15). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 141-150. • OWASP, Choosing and Using Security Questions Cheat Sheet
 https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet • Insecurity Questions blog, https://insecurityq.wordpress.com
Thank you! (No, it’s not)

More Related Content

PPTX
Using Assessment Tools on ICS (English)
byDigital Bond
 
PDF
Beacon Security
bykontakt.io
 
PDF
Toward Better Password Requirements
byJim Fenton
 
PDF
iBeacons: Security and Privacy?
byJim Fenton
 
PDF
The journey to ICS - Extended
byLarry Vandenaweele
 
PDF
iBeacon security overview
byLocalz
 
PDF
LOA Alternatives - A Modest Proposal
byJim Fenton
 
PPT
Empowerment 4
bySam Hager
 
Using Assessment Tools on ICS (English)
byDigital Bond
 
Beacon Security
bykontakt.io
 
Toward Better Password Requirements
byJim Fenton
 
iBeacons: Security and Privacy?
byJim Fenton
 
The journey to ICS - Extended
byLarry Vandenaweele
 
iBeacon security overview
byLocalz
 
LOA Alternatives - A Modest Proposal
byJim Fenton
 
Empowerment 4
bySam Hager
 

Similar to Security Questions Considered Harmful

PPTX
Survey Methodology for Security and Privacy Researchers
byElissa Redmiles
 
PPTX
IAM Challenge Questions
byAidy Tificate
 
PDF
Secure the experience, experience security
byRan Liron
 
PPTX
Passwords
byGrittyCC
 
PDF
Disney princess-you 33328
bymesaboulfadl
 
PDF
Secrets, Lies, and Account Recovery
bySergey Ulankin
 
PDF
Password and Account Management Strategies - April 2019
byKimberley Dray
 
PDF
IRJET- Autobiographical Fallback Authentication using Smartphones
byIRJET Journal
 
PPTX
Personal internet security
byMostafa Siraj
 
PDF
How i stole someone's identity scientific american
byCheck People
 
PPT
Usable Security and Passwords, Cylab Corporate Partners Oct 2009
byJason Hong
 
PDF
IRJET- Smartphone Sensor based Security Questions and Location
byIRJET Journal
 
PPTX
So whats in a password
byRob Gillen
 
PDF
SELF AUTHENTICATION” AN APPROACH FOR PASSWORD FREE AUTHENTICATION
byAM Publications
 
ZIP
Pragmatic Designer's Guide to Identity on the Web
byJamie Reffell
 
ODP
„The four most-used passwords are love, sex, secret, and God“: password secur...
byKaido Kikkas
 
PPTX
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
Passwords: Security vs Usability
byPer Thorsheim
 
PPTX
Human/User-Centric Security
byShujun Li
 
PDF
IRJET - Secure Banking Application with Image and GPS Location
byIRJET Journal
 
Survey Methodology for Security and Privacy Researchers
byElissa Redmiles
 
IAM Challenge Questions
byAidy Tificate
 
Secure the experience, experience security
byRan Liron
 
Passwords
byGrittyCC
 
Disney princess-you 33328
bymesaboulfadl
 
Secrets, Lies, and Account Recovery
bySergey Ulankin
 
Password and Account Management Strategies - April 2019
byKimberley Dray
 
IRJET- Autobiographical Fallback Authentication using Smartphones
byIRJET Journal
 
Personal internet security
byMostafa Siraj
 
How i stole someone's identity scientific american
byCheck People
 
Usable Security and Passwords, Cylab Corporate Partners Oct 2009
byJason Hong
 
IRJET- Smartphone Sensor based Security Questions and Location
byIRJET Journal
 
So whats in a password
byRob Gillen
 
SELF AUTHENTICATION” AN APPROACH FOR PASSWORD FREE AUTHENTICATION
byAM Publications
 
Pragmatic Designer's Guide to Identity on the Web
byJamie Reffell
 
„The four most-used passwords are love, sex, secret, and God“: password secur...
byKaido Kikkas
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
Passwords: Security vs Usability
byPer Thorsheim
 
Human/User-Centric Security
byShujun Li
 
IRJET - Secure Banking Application with Image and GPS Location
byIRJET Journal
 

More from Jim Fenton

PDF
User Authentication Overview
byJim Fenton
 
PDF
User Authentication: Passwords and Beyond
byJim Fenton
 
PDF
Notifs 2018
byJim Fenton
 
PPTX
REQUIRETLS: Sender Control of TLS Requirements
byJim Fenton
 
PDF
Making User Authentication More Usable
byJim Fenton
 
PDF
IgnitePII2014 Nōtifs
byJim Fenton
 
PPTX
Adapting Levels of Assurance for NSTIC
byJim Fenton
 
PDF
Notifs update
byJim Fenton
 
PPTX
OneID Garage Door
byJim Fenton
 
PDF
Identity systems
byJim Fenton
 
User Authentication Overview
byJim Fenton
 
User Authentication: Passwords and Beyond
byJim Fenton
 
Notifs 2018
byJim Fenton
 
REQUIRETLS: Sender Control of TLS Requirements
byJim Fenton
 
Making User Authentication More Usable
byJim Fenton
 
IgnitePII2014 Nōtifs
byJim Fenton
 
Adapting Levels of Assurance for NSTIC
byJim Fenton
 
Notifs update
byJim Fenton
 
OneID Garage Door
byJim Fenton
 
Identity systems
byJim Fenton
 

Recently uploaded

PDF
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Lab 5.1 Architecture + Threat Modeling Exercise - 2nd Sight Lab Cloud Securit...
by2nd Sight Lab
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PPTX
Blue Futuristic Cyber Security Presentation.pptx
byrdelosreyes538795
 
PPTX
Cloud Backup Tips for IT Professionals..
byordersoftwarekeys
 
PDF
Machine Learning Primer: The Complete Crash Course (From Theory to Deployment)
byAeafat Ahmed Mubin
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
Lab 1.1 Introduction to AWS Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Lab 5.1 Architecture + Threat Modeling Exercise - 2nd Sight Lab Cloud Securit...
by2nd Sight Lab
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
Blue Futuristic Cyber Security Presentation.pptx
byrdelosreyes538795
 
Cloud Backup Tips for IT Professionals..
byordersoftwarekeys
 
Machine Learning Primer: The Complete Crash Course (From Theory to Deployment)
byAeafat Ahmed Mubin
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Lab 1.1 Introduction to AWS Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
API-First Architecture in Financial Systems
bycyy111112
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 

Security Questions Considered Harmful

  • 1.
  • 2.
  • 3.
    Why do theydo this? It’s a cheaper way to do account recovery
  • 4.
    Characteristics PASSWORD SECURITY ANSWER COMPLEXITY Complexityoften “enforced” by complex rules Often a word or name SECRECY Users are told to keep passwords secret Security answers available on Facebook, Ancestry…(OPM?) SHARING Attempts to train users not to share passwords between sites Security questions are common between sites STORAGE Should be salted and hashed Can’t salt/hash if need to do fuzzy matching
  • 5.
    Best Practices? —OWASP, “Choosingand Using Security Questions Cheat Sheet”
 https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet “…make the Forgot Password solution as palatable as possible”
  • 6.
    But, to befair… —OWASP
  • 7.
    Opting out • Answeringsecurity questions is rarely optional • Many recommend answering the questions with jibberish • Many users don’t realize they can (or should) make up answers • Security questions often eliminate better methods for account recovery • We aren’t trying to solve this problem just for security professionals!
  • 8.
    } } } 8 Context is important Mustbe truthful Must be truthful Make something up
  • 9.
    Looking up theanswer What is your mother’s maiden name?
 What is your oldest sibling’s birthday month and year? What high school did you attend? What school did you attend for sixth grade? What was the last name of your third grade teacher? What was your childhood phone number? What hospital were you born in? And, of course…
  • 10.
    But if youneed to guess… First name Favorite team Family name First/favorite petColor of first car Street names (by state)
  • 11.
    Some questions arejust bad! • “What is your favorite season?” (eDisclosure/SouthTech Systems)
 Only 4 choices, unless you include “football”, “strawberry”, etc. • “Who is the first president you voted for?” (California DMV)
 Very limited choices, especially if approximate age of user known • “What is the year in which you were married? (YYYY)” (Fidelity Investments)
 Easy to guess, especially if user is young
  • 12.
    False negatives, too •Many questions have more than one “right” answer: • “What is the last name of your childhood best friend?” • “What is your favorite color?” • “What is the name of a college you applied to but didn’t attend?” • Many questions have ambiguous formatting, difficult to canonicalize: • (213) 555-2368 vs. 213/5552368 and +44 7786 230167 vs (07786) 230167 • West Maple Street vs. W. Maple St. • Throttling strategies need to accommodate guessing by the intended user as well as by attackers
  • 13.
    What to do? •Challenge questions might have some role in nuisance limitation • Example: Challenging user prior to sending password reset email • Choose questions that have deterministic, hashable answers • Don’t expect any real security, even when multiple questions are asked • Consider insider threats, e.g., disgruntled ex-spouses
  • 14.
    References • M. Justand D. Aspinall. Personal choice and challenge questions: a security and usability assessment. In Proceedings of the 5th Symposium on Usable Privacy and Security, pages 1–11. ACM, 2009. • Joseph Bonneau, Mike Just and Greg Matthews. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. FC '10: The 14th International Conference on Financial Cryptography. Tenerife, Spain. • Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, and Mike Williamson. 2015. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. In Proceedings of the 24th International Conference on World Wide Web (WWW '15). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 141-150. • OWASP, Choosing and Using Security Questions Cheat Sheet
 https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet • Insecurity Questions blog, https://insecurityq.wordpress.com
  • 15.