Educause Security Discussion mailing list archives

Re: Exposing security questions


From: Jonathan Byrne <jobyrne () CISCO COM>
Date: Wed, 20 Jan 2010 12:00:55 -0800

On 1/20/10 10:09 AM, "Rob Tanner" <rtanner () LINFIELD EDU> wrote:

> password management using security questions.  Out of a group of about twenty
> questions, the user will initially be required to select and answer three

As Tim Payne pointed out, answering these questions truthfully can lead to
compromises, since many people have a lot of the answers to those questions
available online somewhere.

IMO, part of that problem is the security questions that are asked tend
toward the sort of information that people might innocently put online. I'm
careful about what I say about myself for just that reason; still, a
diligent search might turn up some potential security question answers that
I overlooked.

One way to help with that problem would be to allow people the option of
entering their own security questions rather than choosing from a list. No
site that I use allows this, which is a shame, because the answers to my
security questions would be simple enough to remember (and kept in an
encrypted wallet on my PDA) but impossible to guess.

You could also suggest that people not answer the questions truthfully, but
I can see that turning into a support nightmare as people forget the bogus
answers they gave to their security questions.

There is also another security fringe benefit to writing your own security
questions: it wouldn't be hard to construct a phishing site in which fake
security questions are asked and the answers are stored, either for later or
immediate use. If a user's security questions are self-written, the "Hey,
wait a minute - those aren't my security questions!" moment when the user
sees generic security questions on a site purporting to be her/his bank
gives the phishers another opportunity for failure.

Cheers,

Jonathan
--
Jonathan Byrne
Software Engineer
Cisco IronPort Systems, LLC
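As an added illustration of the design Jonathan proposes (not code from the post or from any list member), the sketch below shows how a site could let users write their own recovery questions while treating the answers as the secrets they are: each answer is normalized, salted and run through PBKDF2 before storage, verification uses a constant-time comparison, and the user-written question text is the only thing stored in the clear, so it can be shown back before any answer is requested. The iteration count, the three-question requirement (taken from the quoted message) and the normalization rules are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 at the iteration
# count OWASP currently recommends, and the "answer three" requirement from
# the quoted message.
PBKDF2_ITERATIONS = 600_000
REQUIRED_QUESTIONS = 3


def normalize_answer(answer: str) -> str:
    """Fold case, apply Unicode NFKC and collapse whitespace so that trivially
    different typings of the same remembered answer still match."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


@dataclass(frozen=True)
class StoredQuestion:
    question: str   # user-written text, kept in the clear so it can be displayed
    salt: bytes     # per-answer random salt
    digest: bytes   # PBKDF2 of the normalized answer


def _derive(normalized_answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalized_answer.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(question: str, answer: str) -> StoredQuestion:
    """Store one user-written question and the hash of its answer."""
    if not question.strip():
        raise ValueError("question text must not be empty")
    normalized = normalize_answer(answer)
    if not normalized:
        raise ValueError("answer must not be empty")
    salt = secrets.token_bytes(16)
    return StoredQuestion(question.strip(), salt, _derive(normalized, salt))


def enroll_set(pairs: list[tuple[str, str]]) -> list[StoredQuestion]:
    """Enroll exactly REQUIRED_QUESTIONS question/answer pairs with distinct answers."""
    if len(pairs) != REQUIRED_QUESTIONS:
        raise ValueError(f"exactly {REQUIRED_QUESTIONS} questions are required")
    if len({normalize_answer(a) for _, a in pairs}) != len(pairs):
        raise ValueError("each question needs a different answer")
    return [enroll(q, a) for q, a in pairs]


def recovery_prompt(stored: list[StoredQuestion]) -> list[str]:
    """The questions to display before asking for answers. Because the user
    wrote them, unfamiliar generic questions on a look-alike site stand out."""
    return [s.question for s in stored]


def verify_answer(stored: StoredQuestion, answer: str) -> bool:
    candidate = _derive(normalize_answer(answer), stored.salt)
    return hmac.compare_digest(candidate, stored.digest)


def verify_set(stored: list[StoredQuestion], answers: list[str]) -> bool:
    """All answers must be right. Every answer is checked before the result is
    combined, so the outcome does not reveal which answer was the wrong one."""
    if len(answers) != len(stored):
        return False
    results = [verify_answer(s, a) for s, a in zip(stored, answers)]
    return all(results)


if __name__ == "__main__":
    # Constructed sample enrollment, not real data.
    sample = [
        ("Name of the street where I first parked a car", "Elm Street"),
        ("Nickname my first manager used for me", "Sparky"),
        ("Dish I ruined at my first dinner party", "risotto"),
    ]
    stored = enroll_set(sample)
    print(recovery_prompt(stored))
    print(verify_set(stored, ["elm  street", "SPARKY", "Risotto"]))  # True
    print(verify_set(stored, ["elm street", "sparky", "paella"]))    # False
```

Self-written questions make the question text itself personal, but the answers still carry all the secret value, which is why they are hashed like passwords rather than stored for later comparison in the clear.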
