{"id":218,"date":"2005-02-18T01:56:18","date_gmt":"2005-02-18T01:56:18","guid":{"rendered":"\/?p=218"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-30T04:00:00","slug":"the-curse-of-the-secret-question","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=218","title":{"rendered":"The Curse of the Secret Question"},"content":{"rendered":"<p>I was at <a href=\"http:\/\/www.schneier.com\/blog\/\">Bruce Schneier&#39;s<\/a> site reading about the <a href=\"http:\/\/www.schneier.com\/blog\/archives\/2005\/02\/sha1_broken.html\">problems with SHA-1<\/a> and came across <a href=\"http:\/\/www.schneier.com\/blog\/archives\/2005\/02\/the_curse_of_th.html\">this perfectly articulated gem<\/a>:<\/p>\n<blockquote dir=ltr style=\"MARGIN-RIGHT: 0px\">\n<p>It&#39;s happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a &#8220;secret question&#8221; to answer. Twenty years ago, there was just one secret question: &#8220;What&#39;s your mother&#39;s maiden name?&#8221; Today, there are more: &#8220;What street did you grow up on?&#8221; &#8220;What&#39;s the name of your first pet?&#8221; &#8220;What&#39;s your favorite color?&#8221; And so on. <\/p>\n<p>The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It&#39;s a great idea from a customer service perspective &#8212; a user is less likely to forget his first pet&#39;s name than some random password &#8212; but terrible for security. <strong>The answer to the secret question is much easier to guess than a good password, and the information is much more public<\/strong>. (I&#39;ll bet the name of my family&#39;s first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions. <\/p>\n<p><strong>The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers. <\/strong><\/p>\n<p>What can one do? My usual technique is to type a completely random answer &#8212; I madly slap at my keyboard for a few seconds &#8212; and then forget about it. This ensures that some attacker can&#39;t bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don&#39;t remember how I authenticated myself to the customer service rep at the other end of the phone line.) <\/p>\n<p>Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can&#39;t possibly do it. I know this is a customer service issue, but it&#39;s a security issue too. And if the password is controlling access to something important &#8212; like my bank account &#8212; then the bypass mechanism should be harder, not easier. <\/p>\n<p><strong>Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact<\/strong>. <\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>I was at Bruce Schneier&#39;s site reading about the problems with SHA-1 and came across this perfectly articulated gem: It&#39;s happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a &#8220;secret question&#8221; to answer. Twenty years ago, there was just one &hellip; <a href=\"https:\/\/www.identityblog.com\/?p=218\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">The Curse of the Secret Question<\/span><\/a><\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/218"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=218"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/218\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}