beardednose
May 27 2005, 08:26 AM
I'm dealing with the issue right now and thought I'd get your input....here are some interesting points about using questions like WHAT IS YOUR FAV COLOR? to reset passwords. The following is quoted from: hxxp://www.owasp.org/columns/mburnett/questions.html (emphasis is mine)

"Answering secret questions requires some knowledge of the user account, but secret questions break all the rules for strong passwords and have some significant weaknesses:
- An attacker can sometimes discover the information with little research;
- The answer to the question is usually a fact that will never change;
- Users reuse the same secret questions and answers across multiple Web sites;
- Someone close to the individual could know the answers to many of the questions;
- People rarely change their secret questions;
- The answers are often case-insensitive and usually contain a limited character set;
- Some questions have a limited number of answers; and
- With some questions, many people will have the same common answers."
>END QUOTE

In other words, it is sometimes easier to reset a password than it is to crack it. Just because banks, government, and multitudes of other Internet sites use simple questions and answers to manage password resets, that does not make it a good practice, just a standard one. (I hear this all the time from management: "everyone else is doing it." That's when I revert to my childhood and ask them the universal "mom" question: If everyone jumps off a cliff, would you too?) I'm not sure what the solution is, other than software requiring users to change their question and answer just like their password. Perhaps it is using the "email reset" option that sites are using (like GSO). The problem with this solution is that many employees in some companies don't have email access. Furthermore, should you allow folks to reset passwords over the Internet or from outside the company using a phone? This makes me queasy; it would depend on the software and the implementation.

User productivity and the cost of resetting passwords (estimated to be $10-30 per call) is what drives automated password resets. Your comments? What auto resets does your company use? Is it available from outside the company via Internet or phone?

Personally, I solve the Q&A problem by:
1) never answering a security question with a standard answer. Example:
Q What is your favorite color? A Hiroshima, Japan <-- oops, now you know I'm Asian!
Q What is your mother's maiden name? A pi=3.1469
[Why anyone would reveal their mother's maiden name or birthday or like data to anyone is beyond me. This question is just plain stupid. Besides, many moms never marry and change their name, so the maiden name is the surname.]
2) I also change the question/answer periodically (if allowed).
3) Notice also that I use at least 3 different character classes in the answer (lowercase, uppercase, special characters, numbers).

Of course, this means that you now have to write down your questions and answers so you can remember them, but that's the price of security, and besides, that's what a password safe is for. (Of course, I also write all my password info in code, so if you were to find it, it would do you no good, but that's a different discussion).

BN

EDIT: My apologies...I posted this originally in the archives where no one can post. Pls try again...I deleted my rant post that originally followed this one. What an egghead! Kudos to as0l0 whose PM led me to this conclusion...
beardednose
Jun 2 2005, 08:04 AM
Here's as0l0's post via PM....
...the question / answer method is best when the answer is given and the person types the question...which makes it a passphrase rather than a password.
I think it's unreasonable to expect people to change these...there is a point that users just can't handle anymore and this would be beyond that point.
GSecur
Jun 2 2005, 09:46 AM
And BN, I am not sure that I would want too many of my users writing down the answers to all of these questions. By the way, what password safe do you use?
beardednose
Jun 2 2005, 11:05 AM
I like Schneier's at hxxp://passwordsafe.sourceforge.net/
If you don't write pwds down, you forget them. I don't enable the sec questions when I have the choice. If you make the Q&A hard to guess as suggested above, you have to write those down. But if you write them in code, you'll be okay.
But you can't trust users to do anything right, so there's no real answer, except to require second factor authentication, and even fewer folks want that.
Ph03n1xPr0j3c7
Jun 2 2005, 03:35 PM
QUOTE
Q What is your favorite color? A Hiroshima, Japan <-- oops, now you know I'm Asian!
Q What is your mother's maiden name? A pi=3.1469

Wow, this is pretty interesting. I do exactly the same thing. I'm not Japanese, but I do use Japanese words for these answers sometimes, e.g. Irimi Nage.

QUOTE
- Someone close to the individual could know the answers to many of the questions;

Ha Ha, I've done this to my brother and ex-wife.

QUOTE
What auto resets does your company use? Is it available from outside the company via Internet or phone?

We have a password manager for internal use to reset passwords. We use the same Q&A, e.g. mother's maiden name, pets, high school. Externally, we have to call in to the helpdesk and provide personal information to get the password reset.
as0l0
Jun 2 2005, 07:54 PM
QUOTE(beardednose @ Jun 2 2005, 07:05 PM)
so there's no real answer, except to require second factor authentication, and even less folks want that.

I have seen some instances where an SMS text message is used. You log on to, say, your internet banking, then a text with a 4 digit PIN is sent to your phone; you type in the PIN and then you have access. This sort of thing can be used depending on the level of access required. For example, to log on to internet banking, user/pass is fine. To pay a bill or transfer money higher than 200 dollars, the text is required. You could use the same thinking inside of companies, depending on the data/system being accessed. General use = user/pass, privileged use = user/pass/something extra.
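The tiered step-up scheme as0l0 describes above, written out as an added Python example (this is illustrative code, not anything from the thread or from any bank): a policy function that decides which actions need the SMS factor, and a PIN challenge that is short-lived, single-use and attempt-limited. The 200 dollar threshold is taken from the post; the 4-digit length, the 120 second lifetime, the 3-attempt cap and the `send()` stand-in for an SMS gateway are assumptions made for the example.

```python
import hmac
import secrets
import time

# Assumed policy constants for this example. The threshold mirrors the
# "higher than 200 dollars" rule in the post; the rest are illustrative.
STEP_UP_THRESHOLD = 200
PIN_DIGITS = 4
PIN_TTL_SECONDS = 120
MAX_PIN_ATTEMPTS = 3


def requires_step_up(action: str, amount: float = 0.0) -> bool:
    """Tiered policy: plain login is user/pass only; moving money above
    the threshold needs the extra factor. Unknown actions default to the
    stronger check so a forgotten case fails closed."""
    if action == "login":
        return False
    if action in ("pay_bill", "transfer"):
        return amount > STEP_UP_THRESHOLD
    return True


class SmsPinChallenge:
    """One SMS PIN challenge: short-lived, single-use, attempt-limited.

    A 4-digit PIN has only 10**4 possible values, so the expiry and the
    attempt cap are what make it meaningful; randomness alone is not enough.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        # secrets.randbelow is a CSPRNG; zero-pad so "0042" is a valid PIN.
        self.pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.expires_at = now() + PIN_TTL_SECONDS
        self.attempts_left = MAX_PIN_ATTEMPTS
        self.consumed = False

    def send(self) -> str:
        # Stand-in for the SMS gateway call (constructed for the example):
        # returns the message text that would be sent to the user's phone.
        return f"Your one-time PIN is {self.pin}. It expires in {PIN_TTL_SECONDS} s."

    def verify(self, submitted: str) -> bool:
        """True exactly once, for the right PIN, inside the lifetime,
        within the attempt budget; False in every other case."""
        if self.consumed or self.attempts_left <= 0:
            return False
        if self._now() > self.expires_at:
            self.attempts_left = 0  # expired challenges are dead for good
            return False
        self.attempts_left -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(self.pin, submitted):
            self.consumed = True  # single use: a replayed PIN is rejected
            return True
        return False


if __name__ == "__main__":
    # Walk through the flow from the post: login needs no PIN, a large
    # transfer does, and the PIN works once and only once.
    print("login needs step-up:", requires_step_up("login"))
    print("transfer of 250 needs step-up:", requires_step_up("transfer", 250))
    challenge = SmsPinChallenge()
    print(challenge.send())
    print("first use ok:", challenge.verify(challenge.pin))
    print("replay ok:", challenge.verify(challenge.pin))
```

The design point is that the PIN's small keyspace is covered by the surrounding controls, not by the PIN itself: a wrong guess burns an attempt, a correct guess consumes the challenge, and an expired challenge cannot be revived, so a guessing attempt gets at most three tries per two-minute window and a captured PIN is useless after the legitimate user has used it.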
aelphaeis_mangarae
Jun 3 2005, 02:38 AM
I never before thought of this aspect of security, good job beardednose. I mean, I realised with Hotmail most of the secret questions are hardly secret. I mean, with most secret questions they are probably limited to like a hundred possible answers, e.g. What is your favourite colour? If the software you were trying to break into didn't have anti brute force functions, then you could just try every possible answer to the secret question.
Maybe you should write a white paper on this bearded nose?
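The two points raised so far that decide whether this matters are the size of the answer space (the OWASP list in the first post: case-insensitive answers, limited character sets, questions with few possible answers) and whether the site limits attempts (aelphaeis's post just above). The added Python example below, which is not from the thread or from any product mentioned in it, puts both on the defender's side: it measures the entropy of a small answer space, stores answers the way passwords should be stored (salted PBKDF2 rather than plaintext), normalises them the way many sites do so the cost of that choice is visible, and locks the reset path after a fixed number of failures. The 5-attempt cap, the PBKDF2 parameters and the answer pool of 100 are assumptions made for the example.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional, Tuple

# Assumed policy constants for this example.
MAX_ANSWER_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000


def answer_space_bits(possible_answers: int) -> float:
    """Entropy in bits if each of N answers is equally likely. A question
    with ~100 plausible answers gives under 7 bits, far short of a password."""
    return math.log2(possible_answers)


def guesses_to_cover(possible_answers: int, attempts_per_lockout: int) -> int:
    """How many lockout cycles an unlimited guesser needs to exhaust the
    answer space; with no lockout at all this collapses to a single cycle."""
    if attempts_per_lockout <= 0:
        return 1
    return math.ceil(possible_answers / attempts_per_lockout)


def normalize(answer: str) -> str:
    """Case-insensitive, whitespace-tolerant matching as many sites do.
    This is a usability choice that shrinks the effective answer space, which
    is exactly the OWASP point about case-insensitive answers."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store secret answers like passwords: per-record salt plus a slow hash,
    so a stolen table does not hand over everyone's mother's maiden name."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class SecretAnswerVerifier:
    """Reset-path check for one account: constant-time compare of the salted
    hash, and a lockout after MAX_ANSWER_ATTEMPTS consecutive failures."""

    def __init__(self, answer: str):
        self._salt, self._digest = hash_answer(answer)
        self.failed_attempts = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # even the right answer no longer opens the path
        _, candidate = hash_answer(guess, self._salt)
        if hmac.compare_digest(candidate, self._digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ANSWER_ATTEMPTS:
            # Further resets must go through a slower channel (help desk,
            # in-person ID check), which is the point of the lockout.
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed figures: a "favourite colour" style question with ~100 answers.
    print(f"100-answer question: {answer_space_bits(100):.2f} bits")
    print("lockout cycles needed, 5 tries each:", guesses_to_cover(100, 5))
    print("lockout cycles needed, no limit:", guesses_to_cover(100, 0))
    v = SecretAnswerVerifier("Blue")
    print("normalised match:", v.verify("  blue "))
```

Two things worth noticing when running it: the normalisation step means `"Blue"` and `"  blue "` are the same credential, which is friendly to users and is also why a handful of common answers covers so many accounts; and after the fifth failure the verifier refuses even the correct answer, which turns an unlimited online guess into a limited one and pushes the remaining cases onto a channel where a person is involved.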
FiNaLBeTa
Jun 3 2005, 05:28 AM
To make multiple points of failure (using the same pass everywhere) into a single point of failure, I too use a password manager. I'd rather not tell which one. (Always stay paranoid.) But it makes it possible for me to use completely random passwords on every site. And since I try so hard not to use the same password twice, ever, it would be moronic for me to even fill in the secret question, or if I have to, it will look something like this: yU#GvHB9#uRT0bLg_@ZjK3Ha3hAL@d. But indeed sometimes you are forced to use a weak question. Mostly these sites have no need for high security, and even when compromised, little damage can be done when using a good password policy yourself.
beardednose
Jun 3 2005, 08:09 AM
Glad to see some input on this topic. Let me respond to a few things.

QUOTE
I'm not Japanese, but I do use Japanese words for these answers sometimes.

QUOTE
I too use a password manager. I'd rather not tell which one. (Always stay paranoid.)

Don't assume I'm Japanese just because I said I'm Asian! Don't assume I'm Asian just because I said so. I've also said I'm female (hence, aka Lisa Geez). Also, don't assume I use Schneier's safe. I said I liked it, not that I used it. Paranoia is good, especially when linked with disinformation and assumptions...

QUOTE
I never before thought of this aspect of security, good job beardednose.

Super! Then I'm doing my job. The other reason I'm here is to learn from you folks, also, and I do!

QUOTE
Maybe you should write a white paper on this bearded nose?

I think the article I quoted did a pretty good job. Like Solomon said, "there ain't much new under the sun." But I am working on other articles, though they won't be released under BN.
ShadowRun
Jun 3 2005, 08:22 AM
BN said:
QUOTE
Just because banks, government, and multitudes of other Internet sites use simple questions and answers to manage password resets, that does not make it a good practice, just a standard one

Not in those banks I worked with and those I used. A phone call is always required to do so, and you must always identify yourself with your ID data (birthday, address, ID number etc.), and your conversation is recorded. The only place I've seen and used it was a free email box, but that is not that important to secure in another way. That's my experience.
Ph03n1xPr0j3c7
Jun 3 2005, 09:24 AM
QUOTE
Don't assume I'm Japanese just because I said I'm Asian! Don't assume I'm Asian just because I said so. I've also said I'm female (hence, aka Lisa Geez).

Noted.

QUOTE
I think the article I quoted did a pretty good job. Like Solomon said, "there ain't much new under the sun." But I am working on other articles, but they won't be released under BN.

Will they be released for us to read?
beardednose
Jul 2 2005, 12:54 PM
QUOTE
Will they be released for us to read?

I will release them, but under a diff name and elsewhere. I can't afford to have my 'public' name connected with my "nose" name. Not that I've done anything of ill repute; it's just for safety reasons. Many higher ups get nervous when you connect yourself with even security sites like this, mainly due to what some of the lamers post. Here's a tip... when you see a good article written with humor, you can just assume it's me (head explodes and BN falls over dead. GSO ends up with millions $)
beardednose
Jul 2 2005, 12:56 PM
QUOTE
And BN, I am not sure that I would want too many of my users writing down the answers to all of these questions.

GSecur, ALL USERS write down passwords, and the smart ones write down the answers to the questions...or they forget them, can't change their password, so they open another account.
myth
Jul 2 2005, 07:43 PM
Secret questions are BS. This is in regards to two Australian banks not letting me choose my questions and/or whether I even want password recovery as an option - if I forgot my netbank password, I expect to have to give them 100 Points of ID to regain access, just as I needed to initially give myself access to the netbank...
There were three questions to choose from:
Mother's Maiden Name / First School / Dog's Name (well, pretty much that's what they were, but both banks were pretty much the same)
Not only did they give me the most generic questions possible, but they also said I can't use special characters - or longer than 6 characters. Normally I would put in gibberish so that option can't be used. It seems both banks got their security advice from the same pizza box...
I emailed the company after I took their survey and told them about my concerns. No reply, nothing.
They don't care; if they did I'm sure they would've allowed me to put in special characters for my pwd... I know exactly what this thread is about, and agree 100% that those 'Security Questions' are BS.
beardednose
Jul 4 2005, 12:39 PM
Why is it that the places needing the most security have the least? Because the consumers don't care...at least not enough have spoken up to make them spend the money to change it. Once they get hit, they'll change. So many times at work I am tempted to shut down or crash systems so that mgmt gets a clue. One time I went to the CIO and asked for permission to shut down a test system that I EASILY got into (the method didn't even rate anywhere close to a crack) during the team's demo to senior management. She said no. Bummer. Good ol' politics saved the day (or lost it, depending on your point of view). No, I haven't given into temptation and don't expect to. Being a CISSP, ya gotta play by the rules (ya don't HAVE TO, sure, but I do...reminds me of the song... good girls don't, but I do..........I'm the good girl, of course.)
beardednose
Jul 21 2005, 11:29 AM
I just ran across this from Bruce Schneier's CRYPTO-GRAM, February 15, 2005. I'm a bit behind on some of my critical reading ------------ The Curse of the Secret Question It's happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a "secret question" to answer. Twenty years ago, there was just one secret question: "What's your mother's maiden name?" Today, there are more: "What street did you grow up on?" "What's the name of your first pet?" "What's your favorite color?" And so on. The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions. The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers. What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it. This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.) Which is maybe what should have happened in the first place. 
I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it. I know this is a customer service issue, but it's a security issue too. And if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier. Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact. This essay originally appeared on Computerworld: <hxxp://www.computerworld.com/securitytopics/security/story/0,,99628,00.html>
beardednose
Jul 21 2005, 11:30 AM
I've only used these questions to reset a couple of times. I still think they're useful if you set them properly (like I suggested above).
Warlord_David
Jul 21 2005, 04:42 PM
QUOTE(beardednose @ Jul 2 2005, 12:56 PM)
QUOTE
And BN, I am not sure that I would want too many of my users writing down the answers to all of these questions.
GSecur, ALL USERS write down passwords, and the smart ones write down the answers to the questions...or they forget them, can't change their password, so they open another account.

I don't write down passwords...or even the security questions. Good memory goes a long way...
beardednose
Jul 21 2005, 06:12 PM
Good memory goes a long way only with a few.
"Chemical RAM" is the best and most secure! Spot on, Warlord!
myth
Jul 21 2005, 10:36 PM
I hate the fact that my bank has prechosen secret questions (now I just put in gibberish), without the option "If you forget your password - Provide 100 Points of ID to your nearest Bank" <- That's the best bloody secret question that I'd prefer, or having the option "I Don't need a secret Question", and having a warning maybe saying most sites will never be able to get your password back....
easternerd
Jul 24 2005, 07:08 AM
The problem with Secret Questions is that they don't give the element of secrecy to the answer, and to top it with cream, we are faced with dumb websites who ask us fixed secret questions and furthermore let us type the secret answer in a plain text form with no masking. I say this is so immature; anyone shoulder surfing me can have access to my account. What's the use of masking the password? It can as well be kept unshaded.
The only way out of this in my opinion is:
You can have a variant of 2 or 3 secret answers, which you can reuse, but a dumb and new Secret Question every time, i.e., you give a question like: Did my dog lick my nose or my chin? And an answer like: Res#36Tr2fs (just another complex password)
Of course this too has shortcomings, but this is the best method I have figured out, the advantage being you don't need to write it down.
I would like to hear your feedback