Educause Security Discussion mailing list archives
Re: Challenge/response questions?
From: "Schumacher, Adam J" <ADAMSCHUMACHER () CREIGHTON EDU>
Date: Wed, 15 Apr 2009 15:11:18 -0500
On 4/14/09 4:15 PM, "Gary Flynn" <flynngn () JMU EDU> wrote:
> Schumacher, Adam J wrote:
>> We use security questions plus having access to a secondary email account or cellphone capable of receiving text messages to reset passwords. We provide 15 possible questions to choose from, of which they must select three (and answer a random selection of 2).
>
> Did you write the application or are you using a commercial application? We've been contemplating modifying our accounts portal for similar functionality to front-end our Oracle OIM based IdM system.

I wrote the application. Well, I should qualify that we already had an in-house account management application; I just developed the new process for resetting passwords.

>> Best practices for questions would involve things that aren't likely to change over time (excludes "what's your favorite _____?" type questions), things that aren't too easy to guess or find out, and have high entropy (lots of possible answers). Some examples of decent questions might include:
>
> Though the use of the out of band email/cellphone communications channel decreases risk, I don't like some of these questions...
>
>> What is your oldest sibling's birthday?
>
> This results in storage of personal information for an unaffiliated person.

Like "mother's maiden name"? Or people using that sort of info as a password? Or storing emergency contact information?

>> What is the address of the first house you lived in?
>
> OK
>
>> What hospital were you born at?
>
> How hard would it be to find the city a person was born in? Having that, how hard would it be to find a list of hospitals in that city?

Probably about as difficult as it would be to find the answer to most any of these questions or just about any others you could ask. That's why you ask more to make it that much more difficult. Also why you don't rely on just questions alone. I'm sure we all have heard of the celebrities and politicians who've gotten their email hacked into through guessing questions.

>> What was the color of your first car?
>
> Bad question. Easily brute forced. Red, white, blue... I've seen a favorite color question compromised.
>
>> What was the make/model of your first car?
>
> Could be brute forced. Or show up on myspace/facebook.

Most any of them could be brute forced, but the system will lock out after a certain number of failures (3 if I remember correctly).

> A lot probably depends upon the account the person is attempting to regain control over. The more sensitive the data, functionality, or shared resource, the stronger the authentication needed. In some cases, these "forgot password" convenience features shouldn't even be used. I don't think it's too much to ask of people whose account has been entrusted with access to bulk sensitive constituent data to use a more reliable means to authenticate their identity before providing access to their account.

Probably true, but these procedures are meant for more ease of use with students (in our case, particularly distance students) resetting their passwords rather than for access to privileged accounts. Privileged account resets are handled differently. The idea is to make the process of trying to break in more difficult than the reward merits. There will always be risk to mitigate; the question is how to do it well while still keeping systems usable.

sha1( Adam Schumacher | Information Security Engineer | Creighton University | Don't share your password with ANYONE, EVER. This means YOU! | 402-280-2383 | 402-672-1732 ) = 1a72637cf94189654ab1a827520a5e41738f41b0
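The reset flow Adam describes (users enrol three questions from a bank, are asked a random two, the account locks after three failed attempts, and a code delivered to a secondary email or phone is also required) as an added Python example. This is not code from Creighton's application or from anyone in this thread; the question bank, the user names, the PBKDF2 parameters, the six-digit code format and the answer normalisation rules are all constructed assumptions. The `brute_force_odds` helper only quantifies Gary's point that a small answer space (car colours) gives a guesser a large share of the lockout budget.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed question bank (hypothetical, not Creighton's real list of 15).
QUESTION_BANK = {
    1: "What is the address of the first house you lived in?",
    2: "What hospital were you born at?",
    3: "What was the make/model of your first car?",
    4: "What was the color of your first car?",
}
ENROLL_COUNT = 3   # thread: users pick three questions
ASK_COUNT = 2      # thread: a random two are asked at reset time
MAX_FAILURES = 3   # thread: lockout after three failures


def normalize(answer: str) -> str:
    """Fold case and drop accents, punctuation and whitespace so '12 Main St.' == '12 main st'."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(ch for ch in text.lower() if ch.isalnum())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are stored salted and stretched, never in the clear (assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


def brute_force_odds(answer_space_size: int, attempts: int = MAX_FAILURES) -> float:
    """Share of a uniformly chosen answer space a guesser covers before lockout."""
    return min(1.0, attempts / answer_space_size)


class ResetVerifier:
    def __init__(self):
        self.enrolled = {}  # user -> {question id: (salt, answer hash)}
        self.failures = {}  # user -> consecutive failed reset attempts
        self.oob = {}       # user -> pending one-time code sent out of band

    def enroll(self, user: str, answers: dict) -> None:
        """Store exactly ENROLL_COUNT answers to bank questions for this user."""
        if len(answers) != ENROLL_COUNT or not set(answers) <= set(QUESTION_BANK):
            raise ValueError("must enrol exactly %d bank questions" % ENROLL_COUNT)
        self.enrolled[user] = {}
        for qid, ans in answers.items():
            salt = os.urandom(16)
            self.enrolled[user][qid] = (salt, hash_answer(ans, salt))
        self.failures[user] = 0

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= MAX_FAILURES

    def challenge(self, user: str, rng=secrets.SystemRandom()):
        """Pick ASK_COUNT of the user's enrolled questions at random; None when locked out."""
        if self.is_locked(user):
            return None
        qids = rng.sample(sorted(self.enrolled[user]), ASK_COUNT)
        return {qid: QUESTION_BANK[qid] for qid in qids}

    def send_oob_code(self, user: str) -> str:
        """Generate the one-time code; a real system delivers it by SMS/email instead of returning it."""
        code = "%06d" % secrets.randbelow(10**6)
        self.oob[user] = code
        return code

    def verify(self, user: str, responses: dict, oob_code: str) -> bool:
        """Every asked answer AND the out-of-band code must match; any failure counts toward lockout."""
        if self.is_locked(user) or len(responses) != ASK_COUNT:
            return False
        ok = True
        for qid, given in responses.items():  # compare all answers; no early exit
            salt, stored = self.enrolled[user][qid]
            ok &= hmac.compare_digest(hash_answer(given, salt), stored)
        # The code is single-use: it is consumed whether or not the attempt succeeds.
        ok &= hmac.compare_digest(self.oob.pop(user, ""), oob_code)
        if not ok:
            self.failures[user] += 1
            return False
        self.failures[user] = 0
        return True


if __name__ == "__main__":
    v = ResetVerifier()
    v.enroll("alice", {1: "12 Main St.", 2: "St. Joseph", 3: "Ford Taurus"})  # constructed user
    asked = v.challenge("alice")
    print("asked:", asked)
    print("odds of guessing a ~10-colour answer within the lockout budget:", brute_force_odds(10))
```

Two design choices worth noting: answers are compared with `hmac.compare_digest` over a salted hash, so a leaked answer table is no better than a leaked password table, and the out-of-band code is consumed on every attempt so a guesser cannot reuse one code across the three tries the lockout allows.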