When it comes to security it can be hard to strike a balance between infrastructure safety and user convenience. A security professional’s life is never easy and definitely never boring. This is because at its core, security is all about allowing convenient access to a system for all those who have legitimate access to it. Yet, at the same time, that convenience, in turn, also creates security risks.

Let’s think about that for a second. Strong security is pretty easy to achieve. Disconnect a machine from the network and lock it up in a vault. There. Now you have a pretty secure machine. The problem, however, is that the ‘cure’ is worse than the ‘illness’: now it is you, the sysadmin, denying your users access to that machine, rather than forced downtime caused by a malware infection. Humor aside, this concept is actually very true. The more secure you make a system, the harder it is for users to gain access; and the more accessible you make it to users, the less secure that system is likely to be.

Striking a balance can be difficult and sometimes things can take a troubling turn. In this article I would like to address the phenomena of secret questions. At first glance, the concept of secret questions seems to be a great idea. When you forget your password, secret questions can be a great way to reset it without having to go through IT or in some cases without needing to rely on email, thus avoiding issues that may arise in relation to spam rules/filters.

Secret questions have increased in popularity and you can come across them nearly everywhere today. They have become so popular that there is an unofficial standard list for secret questions:

  • What is your mother’s maiden name?
  • Who is your favorite author?
  • Which is your favorite book?
  • Which is your favorite movie?
  • Who is your favorite actor?
  • What is your first pet’s name?
  • What is the name of the street where you grew up?

Simple questions that raise complex security issues.

Apart from the name of the street where you grew up and perhaps, to a very small degree, your mother’s maiden name, they are really terrible choices for security questions.

These questions were designed to be secure against external attackers before the advent of social media. Someone living on the other side of the world had no way of knowing who your favorite author is. Nowadays, a quick search on social media will probably give someone all the information they might need. How about a post on your favorite social network notifying the world that your favorite author has just released a new book? That can be enough for an attacker to know who your favorite author is and also deduce which one of the author’s books is your favorite; since there is a good chance your favorite author wrote your favorite book.

Even at the time these questions were chosen, they were not ideal. Without social media, someone 1,000 miles away would never know who your favorite author is but what about a co-worker?

This brings me to the next problem. Few would believe that secret questions have anything to do with insider attacks. Insider attacks are the biggest risk to an organization. If by knowing the answer to a secret question you can change a password, then all a co-worker has to do is casually ask that very same question during a conversation. How many employees would raise a red flag if a co-worker asks them what their favorite movie is? Would you think the reason behind the question is to circumvent security?

Is this a real or perceived risk?

It has happened before. Ask US Vice Presidential candidate Sarah Palin. Her email account was hacked a few years ago and the alleged hacker appeared to have gained access by resetting her password using her secret questions. The answers to the questions were found online. Sarah Palin is not the only one to fall victim to these attacks. Several celebrity email accounts were compromised using the same strategy.

Does this mean we should ditch security questions?

No, because they still play an important role. Account self-service is a useful function to have and the convenience it provides can save both time and money. That said, there are some important precautions to take. Never choose questions about favorite authors or pet names. The answers, somehow, will be found on social networks, making it very easy for an attacker to break into an account. You need to ask questions that only you know the answers to.

Questions like:

  • Who was your second crush? (important not to use first crush)
  • Who was your favorite cartoon character when you were a child?
  • Which subject did you get the lowest non-failing marks in?

Why are these ‘strong’ questions? First, they are quite personal. Users are not likely to talk about their second crush on social media; they most likely learnt a lesson when they talked about their first. Second, users are likely to become suspicious if asked – who would ask such a question in the course of a casual conversation?

The same goes for a favorite cartoon character. It’s not a question most people would ask anyway. The lowest non-failing mark question is another good choice because this is a topic highly unlikely to be discussed on social media. To be safe choose a subject that you did not hate at school. People are more likely to talk about that ‘hated’ subject on social media.

There is one other important thing you need to do when using secret questions. Never depend on secret questions alone for your online security. Do you want to create a self-service system? That’s a good idea but make sure you use a two-factor authentication system where the secret question is part of the equation. The other factor can be a code that is either sent by email or text message. These measures will ensure that discovering the answer to a secret question will not be enough to compromise the user’s security.
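As an added example (not code from the article), one way to implement the two-factor self-service reset described above in Python: the secret answer is normalized and stored as a salted PBKDF2 hash, a short-lived one-time code sent out of band is the second factor, attempts are capped, and the reset succeeds only when both factors verify. The in-memory USERS store, the enrollment helper and the sample user are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory store; a real deployment would use a database.
USERS = {}

def normalize(answer: str) -> str:
    # Case- and whitespace-insensitive so "Bugs Bunny" and " bugs bunny " match.
    return " ".join(answer.strip().lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy, so store a slow salted hash, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

def enroll(user: str, question: str, answer: str) -> None:
    salt = os.urandom(16)
    USERS[user] = {"question": question, "salt": salt,
                   "answer_hash": hash_answer(answer, salt),
                   "attempts": 0, "otp": None, "otp_expires": 0.0}

def start_reset(user: str, now: float, ttl: float = 600.0) -> str:
    """Issue the second factor: a random 6-digit code valid for ttl seconds."""
    code = f"{secrets.randbelow(10**6):06d}"
    USERS[user]["otp"] = code
    USERS[user]["otp_expires"] = now + ttl
    return code  # delivered by email or SMS, never shown on the reset page

def verify_reset(user: str, answer: str, code: str, now: float,
                 max_attempts: int = 5) -> bool:
    """Allow the password reset only if the secret answer AND the code check out."""
    rec = USERS.get(user)
    if rec is None or rec["attempts"] >= max_attempts:
        return False  # unknown user or locked out after too many guesses
    rec["attempts"] += 1
    # Evaluate both factors before deciding, so a failure does not reveal which one was wrong.
    answer_ok = hmac.compare_digest(hash_answer(answer, rec["salt"]), rec["answer_hash"])
    otp_ok = (rec["otp"] is not None and now < rec["otp_expires"]
              and hmac.compare_digest(rec["otp"], code))
    if answer_ok and otp_ok:
        rec["otp"] = None      # the code is single use
        rec["attempts"] = 0
        return True
    return False
```

Because a guessed answer alone never satisfies verify_reset, learning a user's favorite cartoon character from a casual conversation is not enough to take over the account.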