{"id":315,"date":"2009-05-26T02:20:58","date_gmt":"2009-05-26T07:20:58","guid":{"rendered":"http:\/\/vgable.com\/blog\/2009\/05\/26\/secret-questions-are-a-bad-idea\/"},"modified":"2009-05-26T10:12:14","modified_gmt":"2009-05-26T15:12:14","slug":"secret-questions-are-a-bad-idea","status":"publish","type":"post","link":"https:\/\/vgable.com\/blog\/2009\/05\/26\/secret-questions-are-a-bad-idea\/","title":{"rendered":"Secret Questions Are a Bad Idea"},"content":{"rendered":"<p><a href=\"http:\/\/www.schneier.com\/essay-081.html\">Secret questions are an easier way for someone to hack your account.<\/a> I don&#8217;t see that they offer much over asking people to pick an insecurely <em>convenient<\/em> password.<\/p>\n<p>Here&#8217;s some data on how insecure secret questions are,<\/p>\n<blockquote><p>Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to <strong>guess 17% of their answers<\/strong> (to &#8220;secret&#8221; questions). Participants <strong>forgot 20% of their own answers<\/strong> within six months. What&#8217;s more, <strong>13% of answers could be guessed within five attempts by guessing the most popular answers<\/strong> of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.<\/p><\/blockquote>\n<p>&#8212; <a href=\"http:\/\/research.microsoft.com\/apps\/pubs\/default.aspx?id=79594\"><cite>It&#8217;s no secret: Measuring the security and reliability of authentication via &#8216;secret&#8217; questions<\/cite>, Stuart Schechter, A. J. Bernheim Brush, Serge Egelman, 17 May 2009<\/a><\/p>\n<p>(Via <a href=\"http:\/\/www.schneier.com\/blog\/archives\/2009\/05\/secret_question.html\">Bruce Schneier<\/a>)<\/p>\n<p>It&#8217;s important to note that <strong>people often forget answers to their own secret questions<\/strong>. 
Anecdotally, I&#8217;ve had to call my bank twice because I forgot <em>exactly<\/em> how I typed in my answers. <\/p>\n<p>Forgetting the answer to a secret question can be <em>embarrassing<\/em>, unlike forgetting a password. I once got my mother&#8217;s maiden name wrong repeatedly. It was pretty awkward. (A credit card was also in my mother&#8217;s name, so when they asked &#8220;for my mother&#8217;s maiden name&#8221; they really meant <em>her<\/em> mother&#8217;s maiden name.)<\/p>\n<p>I don&#8217;t know of any statistics on how often accounts are compromised by secret questions. But there have been high-profile cases, like <a href=\"http:\/\/www.wired.com\/threatlevel\/2008\/09\/palin-e-mail-ha\/\">Sarah Palin&#8217;s email<\/a>,<\/p>\n<blockquote><p>&#8230;the Palin hack didn\u2019t require any real skill. Instead, the hacker simply reset Palin\u2019s password using her birthdate, ZIP code and information about where she met her spouse \u2014 <strong>the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search<\/strong>.<\/p><\/blockquote>\n<p><a href=\"http:\/\/www.schneier.com\/essay-081.html\">Bruce Schneier says,<\/a> &#8220;Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.&#8221; If you must use password authentication, then don&#8217;t weaken it further with a questionable back door.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Secret questions are an easier way for someone to hack your account. I don&#8217;t see that they offer much over asking people to pick an insecurely convenient password. 
Here&#8217;s some data on how insecure secret questions are, Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,24,42,8],"tags":[342,311,100,60],"class_list":["post-315","post","type-post","status-publish","format-standard","hentry","category-design","category-quotes","category-security","category-usability","tag-google","tag-password","tag-privacy","tag-web"],"_links":{"self":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/comments?post=315"}],"version-history":[{"count":0,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/posts\/315\/revisions"}],"wp:attachment":[{"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/media?parent=315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/categories?post=315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vgable.com\/blog\/wp-json\/wp\/v2\/tags?post=315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}