Educause Security Discussion mailing list archives

Re: Challenge/response questions?


From: "Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>
Date: Wed, 15 Apr 2009 15:11:18 -0500
On 4/14/09 4:15 PM, "Gary Flynn" <flynngn () JMU EDU> wrote:

Schumacher, Adam J wrote:
We use security questions plus having access to a secondary email account or
cellphone capable of receiving text messages to reset passwords.  We provide
15 possible questions to choose from, of which they must select three (and
answer a random selection of 2).

Did you write the application or are you using a commercial
application? We've been contemplating modifying our accounts
portal for similar functionality to front-end our Oracle OIM
based IdM system.

    I wrote the application.  Well, I should qualify that we already had an
in-house account management application; I just developed the new process
for resetting passwords.

Best practices for questions would involve things that aren't likely to
change over time (excludes "what's your favorite _____?" type questions),
things that aren't too easy to guess or find out, and have high entropy
(lots of possible answers).
Some examples of decent questions might include:

Though the use of the out of band email/cellphone communications
channel decreases risk, I don't like some of these questions...

What is your oldest sibling's birthday?
This results in storage of personal information for
unaffiliated person.


    Like "mother's maiden name"?  Or people using that sort of info as a
password?  Or storing emergency contact information?


What is the address of the first house you lived in?
OK

What hospital were you born at?
How hard would it be to find the city a person was born in?
Having that, how hard would it be to find a list of hospitals
in that city?

    Probably about as difficult as it would be to find the answer to most
any of these questions or just about any others you could ask.  That's why
you ask more to make it that much more difficult.  Also why you don't rely
on just questions alone.  I'm sure we all have heard of the celebrities and
politicians who've gotten their email hacked into through guessing
questions.


What was the color of your first car?
Bad question. Easily brute forced. Red, white, blue...
I've seen a favorite color question compromised.

What was the make/model of your first car?
Could be brute forced. Or show up on myspace/facebook.

    Most any of them could be brute forced, but the system will lock out
after a certain number of failures (3 if I remember correctly).



A lot probably depends upon the account the person is
attempting to regain control over. The more sensitive
the data, functionality, or shared resource, the stronger
the authentication needed.

In some cases, these "forgot password" convenience features
shouldn't even be used. I don't think it's too much to ask
of people whose account has been entrusted with access to
bulk sensitive constituent data to use a more reliable means
to authenticate their identity before providing access to
their account.

    Probably true, but these procedures are meant for more ease of use with
students (in our case, particularly distance students) resetting their
passwords rather than for access to privileged accounts.  Privileged account
resets are handled differently.  The idea is to make the process of trying
to break in more difficult than the reward merits.  There will always be
risk to mitigate; the question is how to do it well while still keeping
systems usable.


sha1(

Adam Schumacher
Information Security Engineer
Creighton University

Don't share your password with ANYONE, EVER.  This means YOU!

402-280-2383
402-672-1732

)

= 1a72637cf94189654ab1a827520a5e41738f41b0
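As an added illustration (example code written for this archive page, not Creighton's account management application or anything posted to the list), here is a minimal model of the reset process described above: the user enrolls three questions, is challenged with a random two, and is locked out after three failed attempts. Answer normalization, the salted slow hash, and pinning the challenge pair until it is answered are assumptions of this example, not details from the thread.

```python
import hashlib
import hmac
import secrets
import unicodedata

LOCKOUT_THRESHOLD = 3   # failed reset attempts before the self-service path closes
ENROLLED = 3            # questions a user must choose at enrollment
ASKED = 2               # questions asked per reset attempt

def normalize(answer: str) -> str:
    # Case, stray whitespace and Unicode form should not count as a wrong answer.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(question_id: str, answer: str, salt: bytes) -> bytes:
    # Slow, salted hash (assumed design) so a leaked answer table is not trivially
    # reversed; the question id in the salt binds each hash to its slot.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                               salt + question_id.encode(), 100_000)


class ResetEnrollment:
    def __init__(self, answers: dict[str, str]):
        if len(answers) != ENROLLED:
            raise ValueError(f"select exactly {ENROLLED} questions")
        self.salt = secrets.token_bytes(16)
        self.hashes = {q: hash_answer(q, a, self.salt) for q, a in answers.items()}
        self.failures = 0
        # Challenge pair stays fixed until answered, so a reload cannot reshuffle it.
        self.pending = None

    def locked(self) -> bool:
        return self.failures >= LOCKOUT_THRESHOLD

    def challenge(self) -> list[str]:
        if self.locked():
            raise PermissionError("self-service reset disabled; use the out-of-band path")
        if self.pending is None:
            self.pending = secrets.SystemRandom().sample(sorted(self.hashes), ASKED)
        return list(self.pending)

    def verify(self, responses: dict[str, str]) -> bool:
        asked = self.challenge()
        ok = True
        for q in asked:  # check both answers; do not reveal which one failed
            given = hash_answer(q, responses.get(q, ""), self.salt)
            ok &= hmac.compare_digest(given, self.hashes[q])
        self.pending = None
        if not ok:
            self.failures += 1
        return ok
```

Once `locked()` is true the user is routed to the secondary email or SMS channel the thread mentions; the lockout applies to the whole reset path, not to a single question.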
