Educause Security Discussion mailing list archives
Re: Exposing security questions
From: Jonathan Byrne <jobyrne () CISCO COM>
Date: Wed, 20 Jan 2010 12:00:55 -0800
On 1/20/10 10:09 AM, "Rob Tanner" <rtanner () LINFIELD EDU> wrote:
password management using security questions. Out of a group of about twenty questions, the user will initially be required to select and answer three
As Tim Payne pointed out, answering these questions truthfully can lead to compromises, since many people have a lot of the answers to those questions available online somewhere. IMO, part of that problem is the security questions that are asked tend toward the sort of information that people might innocently put online. I'm careful about what I say about myself for just that reason; still, a diligent search might turn up some potential security question answers that I overlooked.

One way to help with that problem would be to allow people the option of entering their own security questions rather than choosing from a list. No site that I use allows this, which is a shame, because the answers to my security questions would be simple enough to remember (and kept in an encrypted wallet on my PDA) but impossible to guess. You could also suggest that people not answer the questions truthfully, but I can see that turning into a support nightmare as people forget the bogus answers they gave to their security questions.

There is also another security fringe benefit to writing your own security questions: it wouldn't be hard to construct a phishing site in which fake security questions are asked and the answers are stored, either for later or immediate use. If a user's security questions are self-written, the "Hey, wait a minute - those aren't my security questions!" moment when the user sees generic security questions on a site purporting to be her/his bank gives the phishers another opportunity for failure.

Cheers,

Jonathan

--
Jonathan Byrne
Software Engineer
Cisco IronPort Systems, LLC
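The design Jonathan argues for above (the user writes the question text, the site shows that text back at recovery time, and the answers are memorable to the user but not guessable from public information) is easy to sketch in code. The following is an added illustration written for this archive page, not code from Jonathan, Cisco or any site mentioned in the thread. It assumes a site stores three user-written questions per account, treats the answers like passwords (salted, stretched with PBKDF2, compared in constant time) and normalizes answers so a remembered answer still matches when the user's casing or punctuation drifts; the question texts and answers in the usage section are constructed samples.

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from typing import Iterable, List

# PBKDF2 work factor: high enough to slow offline guessing of a leaked
# answer table, low enough that checking three answers stays interactive.
PBKDF2_ITERATIONS = 100_000
REQUIRED_QUESTIONS = 3          # assumption: the site demands three answers


def normalize_answer(answer: str) -> str:
    """Canonical form of a recovery answer.

    NFKC-normalize, case-fold, and keep only letters and digits, so that
    "St. Mary's Corner" and "st marys corner" verify as the same answer
    without the user having to remember exact spacing or punctuation.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


@dataclass(frozen=True)
class StoredQuestion:
    prompt: str     # user-written question text; shown verbatim at recovery
    salt: bytes     # per-answer random salt
    digest: bytes   # PBKDF2-HMAC-SHA256 of the normalized answer


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(prompt: str, answer: str) -> StoredQuestion:
    """Store one self-written question. Only a salted hash of the answer is kept,
    so a database leak exposes the prompts but not the answers themselves."""
    prompt = prompt.strip()
    if not prompt:
        raise ValueError("question text must not be empty")
    if not normalize_answer(answer):
        raise ValueError("answer must contain at least one letter or digit")
    salt = secrets.token_bytes(16)
    return StoredQuestion(prompt, salt, _derive(answer, salt))


class RecoveryProfile:
    """The recovery questions enrolled for a single account."""

    def __init__(self, questions: Iterable[StoredQuestion]) -> None:
        self.questions = list(questions)
        if len(self.questions) < REQUIRED_QUESTIONS:
            raise ValueError(f"need at least {REQUIRED_QUESTIONS} questions")

    def prompts(self) -> List[str]:
        """What the recovery page displays: the user's own words, which is the
        cue that lets the user notice a phishing page showing generic questions."""
        return [q.prompt for q in self.questions]

    def verify(self, answers: List[str]) -> bool:
        """All answers must match. Every digest is computed and compared even
        after a mismatch, so response time does not reveal which answer failed."""
        if len(answers) != len(self.questions):
            return False
        all_ok = True
        for stored, given in zip(self.questions, answers):
            candidate = _derive(given, stored.salt)
            all_ok &= hmac.compare_digest(candidate, stored.digest)
        return all_ok


def sample_profile() -> RecoveryProfile:
    """Constructed sample data for a stand-alone run; not a real account."""
    return RecoveryProfile([
        enroll("Name of the cafe where I proposed?", "St. Mary's Corner"),
        enroll("Nickname my grandfather used for his truck?", "Old Thunder"),
        enroll("Colour of the door on my first flat?", "Teal"),
    ])


if __name__ == "__main__":
    profile = sample_profile()
    for line in profile.prompts():
        print("Q:", line)
    print("correct answers accepted:",
          profile.verify(["st marys corner", "old thunder", "TEAL"]))
    print("one wrong answer rejected:",
          profile.verify(["st marys corner", "old thunder", "red"]))
```

The two properties worth noticing are that the stored record contains the user's prompt in clear (the site must display it) but never the answer in clear, and that `verify` refuses partial credit: a recovery page that accepts two out of three answers would hand an attacker who found two facts online the very weakness the thread is discussing.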