Password reset questions dead easy to guess

Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers. In the paper What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions (pdf), Joseph Bonneau of the University of Cambridge and two colleagues from the …

COMMENTS

only an idiot

actually uses the correct stuff.

Password question = Mother's maiden name

Use a weird word like scalpel or ardvark or similar.

Whenever I speak to the bank they ask if my mother's maiden name is really the weird word I have given them.

uh...

If you're going to use an unrelated word then you might as well just dispense with password recovery as a feature altogether. If you're the kind of person who forgets passwords you're just as likely to forget the obscure answer (more so in fact, since you use it less often).

Your birth certificate has your mother's maiden name on it so it's a bad idea to have conflicting bank records. Better just to ask them to set up some kind of SECURE password system instead of retarded questions.

Helps if you can spell

It is spelt aardvark, and this is a poor choice of password, being the first word in the English dictionary.

totally agree..

Whenever giving security awareness training I always tell people to LIE when answering security questions (other than those scenarios where the company uses personal details they have on record as confirmation). The rules are simple (and I have actually written standards on good security questions for use in government systems): never ask for anything that is in the public domain, never use anything that can be easily discovered, or has too few potential answers (I even had to rank security questions as to how good/bad they were).

When a company does ask a stupid security question like 'mother's maiden name' that IS in the public domain, then LIE. So long as you remember your LIE you are OK. I have NEVER used my real mother's maiden name, nor real first school, nor real first company...

1
0
Stop

Helps more if you can think

@Alyn: "Aardvark" is bad if you expect a dictionary attack --- and a dictionary attack is exceedingly unlikely (and very stupid) on a "maiden name" question.

Possibly a directory attack there (let's start with Patel and Smith as likeliest surnames) but nobody named Aardvark exists in the UK, and that was the point. Also note the "strange word like" and "or similar" in the sentence, as in "no, mine's not Aardvark but Beerwolf, actually factually".

@Thomas 18

What utter rubbish. Conflicting bank records... what on earth are you on about? We are talking about the 'additional' security questions here - normally for things like password resets (which you would have even WITH a secure password system). I have NEVER given my real mother's maiden name when answering the question - and have never had any banking problems. It is just a question with preset answers - answer it how you like (and preferably in a way that others won't guess).

I would be more concerned about the bank's security for actually using the question in the first place - 'cos it's VERY bad security practice to ask anything where the answer is in the public domain.

@Thomas 18

And when you forget your SECURE password, how do you suggest you confirm your identity to have it reset?

Secure passwords will not negate the use of security questions for resets (or phone calls for that matter).

Also... please explain "Your birth certificate has your mothers maiden name on it so its a bad idea to have conflicting bank records." WTF are you on about? I'm guessing that this is really not your area of knowledge, and that you have never had the pleasure of setting up security for a call centre.

Fool!

It's a simple challenge and response, you fool. If you choose always to respond to MMN with "Queen of Sheba" or to the name of your first school with "Padre KiddieDiddler", that is memorable to you but not in the public domain, unless you reveal it to someone (oh damn!).

you dont get it...

What better than misspelling a security word? That's genius! Clever chap, poster #1!

Oh crap!

I thought I was the only one to lie when answering those questions. Now everyone will know that chipotle mousse is my favorite color.

but if...

the attacker anticipates a proportion of targets lying, a dictionary attack becomes much more likely.

Obviously, my mother's maiden name was Zyfgdsbvcxvgfdsou

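The post above on ranking security questions for government systems and the one on attackers anticipating liars describe the same arithmetic the cited paper runs: an attacker who knows how often each answer occurs tries the most popular ones first. Below is that attack as an added illustration, not code from the paper or from any poster. The frequency tables are constructed for the example (real surname and colour frequencies are more skewed, which only helps the attacker); the functions report how many accounts fall to a given number of guesses, how many guesses break a target fraction, and what happens when 30% of users "lie" with a predictable word.

```python
"""Simulating the statistical guessing attack on personal knowledge questions.

Added illustration, not code from the cited paper or from any poster. The
answer tables are constructed to show the shape of the problem.
"""

# Constructed: share of the population giving each answer. Mass not listed
# here is a long tail of rare answers the attacker does not bother with.
SURNAMES = {
    "Smith": 0.012, "Jones": 0.007, "Williams": 0.006, "Taylor": 0.005,
    "Brown": 0.005, "Davies": 0.005, "Evans": 0.004, "Wilson": 0.004,
    "Thomas": 0.004, "Patel": 0.004,
}
COLOURS = {
    "blue": 0.40, "red": 0.15, "green": 0.14, "purple": 0.10,
    "black": 0.07, "yellow": 0.04, "pink": 0.04, "orange": 0.03,
}
# Constructed: what people who "lie" tend to type instead of a real name.
PREDICTABLE_LIES = {
    "password": 0.15, "none": 0.12, "aardvark": 0.10, "asdf": 0.10,
    "n/a": 0.08, "queen of sheba": 0.02,
}


def success_rate(dist, guesses):
    """Fraction of accounts an attacker breaks with `guesses` attempts per
    account when trying answers in decreasing order of popularity."""
    top = sorted(dist.values(), reverse=True)[:guesses]
    return sum(top)


def guesses_needed(dist, target):
    """Smallest per-account guess count that breaks at least `target` of
    accounts; None if the tabulated answers cannot reach that fraction."""
    total = 0.0
    for n, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        total += p
        if total >= target - 1e-12:
            return n
    return None


def mix(truthful, lies, liar_fraction):
    """Population in which `liar_fraction` of users answer from `lies`
    instead of truthfully. An attacker who anticipates the lying simply
    guesses from the merged table; an empty `lies` table models liars
    whose made-up answers are effectively random."""
    merged = {}
    for answer, p in truthful.items():
        merged[answer] = merged.get(answer, 0.0) + p * (1 - liar_fraction)
    for answer, p in lies.items():
        merged[answer] = merged.get(answer, 0.0) + p * liar_fraction
    return merged


def rank_questions(questions, guesses=3):
    """Order candidate questions worst-first by attacker success within
    `guesses` attempts: the ranking a security-question standard would
    be built on."""
    return sorted(questions, key=lambda q: success_rate(questions[q], guesses),
                  reverse=True)


if __name__ == "__main__":
    candidates = {
        "favourite colour": COLOURS,
        "mother's maiden name (everyone truthful)": SURNAMES,
        "mother's maiden name (30% lie with predictable words)":
            mix(SURNAMES, PREDICTABLE_LIES, 0.30),
        "mother's maiden name (30% lie with random strings)":
            mix(SURNAMES, {}, 0.30),
    }
    for q in rank_questions(candidates):
        print(f"{success_rate(candidates[q], 3):6.3f} broken in 3 guesses: {q}")
    print("guesses to break half of colour answers:", guesses_needed(COLOURS, 0.5))
```

With these tables, three guesses break 69% of "favourite colour" answers but only 2.5% of truthful maiden names; a population in which 30% lie with a word from the predictable list falls at 11.1%, worse than the truthful population, while liars who pick random strings pull the rate down to 1.75%. Lying only helps if the lie is as unpredictable as a password.
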
@alyn

You need a better dictionary. Mine starts with 'a' - a noun, preposition and the indefinite article.

Anonymous Coward

ooooo

They have the internet on computers now?

"whose research currently focuses on security and privacy in social networks"

lol he thinks there might be security and privacy in social networks? Poor bloke.

Problem Being

Whilst sending the reset to a mobile may be more secure, who wants to have to give their mobile number to yet more companies? Sensible people put absolute garbage in as the answer, make no attempt to memorise it, and simply don't forget the flaming password!

I hate services that insist on you setting a hint, even more so if they give you a drop down of questions to use rather than let you set your own question!

Why do people have such problems remembering their passwords? I have 8 different alphanumeric-special-character passwords of at least 8 characters on the go, but don't feel the need to write them down. OK, some may struggle with this, but it's really not that hard!

> I have 8 different passwords on the go...

So what are you going to do on month nine? People really have trouble with frequent changes and no reuse rules. Then consider folk who have the sort of job where you don't sign onto computers every day...

K T

Exactly

The only sensible answer to any security question is to mash the keyboard like a drunk, coked-up monkey. Nothing companies think you can easily remember is unable to be found out easily.

On the SMS front, my bank has recently started to send SMS messages with a code to confirm online transactions (only with online payment systems who support the extra security, though). I've done two so far and the SMS arrived within a minute. However, I'd like to know how that will work when the mobile network is busy.

I shop online for the convenience. If a payment session times out (as they are bound to do), I might as well go queue up with the other proles.

Ýùö Ćâŋ Ƌő ĩŤ Ļīķĕ Ţħıš

or you can mung it like this:

Ý;ù_ö#Ć~â)ŋ@ƋőppppĩŤ%55Ļ£ī$ķ22ĕ^Ţ*ħ-ı+š

The permutations are endless and if you use the same permutation each time you won't forget it. Exemplar gratis:

MÝyùmöo tĆhâeŋr sƋnőa mĩeŤi sĻīķĕ Ţħıš

What's the big deal? Most simple cryptography relies on word spacing and "most common letters".

Anyone out to target you is going to get you.

So if you are in a job such as a senior government official in I'llaskher or somewhere out the back of back-wad, you need professional assistance, a secure server and a tad more sense than a lip stuck, porcine brained, sock mother.

Speaking of Chimpanzees. How are things progressing with Rumsfeldgate over the loss of emails in the aweful Orifice of the Wit House?

8 passwords on the go

@Ben Tasker

Do yourself a favor, and find a bit of encrypting software and write them down.

Why?

1) As you add more passwords, each one becomes more difficult to remember.

2) You might have a method for generating passwords. This works only until some stupid website doesn't allow you to use your chosen password as it doesn't match their password quality check.

3) Under pressure, things like passwords can be difficult to remember.

4) Non-fatal accidents involving head trauma will be even more traumatic if you can't remember your Twitter password...

What is your favourite colour?

Well, that would be "#rW^Xy60tfA?mS?", of course.

It's just another password. Treat it as such and you effectively work around the stupidly short password length restrictions on some sites.

Even more stupid than password reminder Q&A is the "Password hint" concept which you find in various places (yes, Windows, I'm looking at you).

My favourite "Password hint" which unfortunately I can't claim credit for is "Remember the password"

Except they won't let you.

A few months ago I went to set up an account with some site or other and was asked for a reminder so I chose "What is your favourite color?" and attempted to answer with something which, while not impossible to guess, wouldn't be quite as easy as a standard one* -- but I couldn't use "Bible Black" because it had a space in it! Yes, I know I could have taken the space out and used it anyway, but that's not the point -- they were effectively trying to push users to use red|green|blue|black|white|grey rather than a passphrase.

Then there's the second problem -- if I forgot my password how in teapot's name am I supposed to remember a "clever" answer to a security question?

It's hard to implement a consistent and secure password system when every damn site has different password dos and don'ts from "must use mixed case" to "only use letters".

Please, please, please web-app-designers of the world, for the love of the unicorn, just allow complex passwords and my own choice of security question[s] for every site!

*the site wasn't that important, really, but I wanted to try to be a little more secure than default.

Favourite colour?

Green! Oh ahr no blue! (falls into chasm of doom)

--

The colour question is easily correctly remembered (and hard to guess) if you actually have a favourite colour. For example, #993333 (in HTML) or {.39 .13 .13} (in PSTricks/LaTeX) or whatever. Just use your favourite coordinate system, being RGB, CMYK, HSV, or other, with numbers 0.0--1.0, 0--256, 00--FF, or other. The problem is to invent a favourite colour and stick by it --- probably easiest is the colour code of your car's paint, as needed for small repair jobs.

Anonymous Coward

Bible Black...

... as in the Anime?

To begin at the beginning

or as in "spring, moonless night in the small town, starless and bible-black" ?

...must contain only letters of the alphabet...

... and it's "Starless and..." I was listening to.

Favourite colour?

For Gawd's sake, don't let David Icke use that one..

Or, 'Your favourite animal?'

Turquoise, and Lizard, natch.

As far as names are concerned, my mum told me a story. (I think it's apocryphal, but she worked in a supermarket).

A woman was at the checkout, and the cashier asked for her name for some reason. "Emma Chizzit" came the reply. Think about it, but nice password.

I did have an idea I tried to code for password security. Give the system the correct password, the code would say "Incorrect password". You'd have to enter the same password 3 times before it'd let you in.

For Black Bible

I'd use the passphrase "Read religion with good Sunglasses"

Means nothing to anybody else but does to you.

You need to make the passphrase trigger a memory which helps trigger the password

Bzzzzt! Copycat!

well not exactly

....but in the film Twilight's Last Gleaming the main man is trying to gain entry into an ICBM nuclear missile silo. He is challenged for an extra character to the code but he only has what he has. He has to repeat to the operator a couple of times that there are no more letters before he is let in.

Now that was for a 1977 ICBM nuclear missile silo.

So what are you trying to protect?!!??

Perhaps some naughty pictures of Paris with some other scantily clad ....oh that's already on google.

It's the age old battle...

... between usability and security again...

Yes you can make things much more secure by asking multiple questions and such, but it will make it harder (or just generally more annoying) for average joe when his mates tell him to sign up for a [insert new hip brand] account somewhere...

The main problem here is really with the users - they basically need educating a lil, or at least telling that use of spouse/friend/pet's name is a no no, without at least including caps or numbers somewhere.

Paris because it should be common sense =)

Who tells the truth with these questions?

Whenever I'm asked one of the questions I always use a different answer for each place, and never the "true" answer.

A simple solution to the problem

Q: What was the name of the first school you attended?

A: Orangutan sublimation

Q: What is your mother's maiden name?

A: Tescoshoppingbags

Q: How do you guard against easy-to-guess question security holes?

A: CHEESE WAFFLE CAR TYRES!

It's not rocket surgery.

Anonymous Coward

Precisely!

I had rocket surgery. They put a kerosene tank into my left leg and a lox one into my right and I've been walking askew ever since, and it fucking hurts too!

Q: What is your favourite meal?

A: Flaming stuffed dog shit turnips with steamed pantyhose.

But it's definitely better to lie.

I used fake ones ever since my divorce.

Well, she knows enough family facts to answer every question about me and steal more from me.

Yep

"Verified by Visa" - exactly the same problem - idiotically simple questions to guess and even when you gave them a proper one, it complained that you can't use special characters.

I refuse to use it on those grounds alone.

On the brighter side, when I last spoke to my bank, the chap on the other end was highly approving of my first school - "!gydBJ$%dZ^gs9q@ Primary"

And yes, my mom IS called "Robert'); DROP TABLE Students;--" ( http://xkcd.com/327/ )

Anonymous Coward

Well that’s not at all obvious was it!

I’m buggered... mother was a Smith, my pet dog is called Spot, I was born in London and my favourite colour is red!

and you're female

...if you were a man your favourite colour would be Blue.

Anonymous Coward

Limitations

I too am sick of all these stupid limitations that these retarded companies foist on us.

Stupidly short maximum character limits, restriction to alphanumeric characters only, no spaces allowed etc. It's like they are going out of their way to force you to choose a password that is easy to crack.

I prefer the hint systems where (a) you get to choose your own question and (b) at least 3 answers to different questions have to be provided in order to allow any kind of reset.

If you can choose your own questions like "what's the name of the song that reminds me of my first holiday in Portugal" then not only do you have a better chance of remembering it, but it's also harder to crack (because you can frame the question to allow you to use a real, non-trivial answer that gives away no personal information about you).

Making it easy for them

A former employer implemented a single-sign-on system across business critical applications and windows logins. One of the older systems required a password of up to 8 alphanumeric characters. A newer system required a password of at least 8 characters. Rather than make (expensive) changes to the older system, everyone had to have an 8 character alphanumeric password.

They also reduced the password expiry period from 90 days to 30, but left the warning period at 14 days.

Why the warning?

Why, oh why, do network passwords have "warning periods"?

"Your password will expire in 15 days. Do you want to change it now?"

No, you fucking idiot, I'll change it in 15 days, but I'd rather not change it from the 16-character random sequence I already memorised at all!

Seriously, who in the whole world says "Actually, I could do with a new password. Why not? Let's change it to BUBBLES now."

Passwords, Smashwords.

Years ago, when the only 'puter we had at work was a PDP-11, I asked Austin, the chief honcho, what's the 'root' password. (OK, I was naive, in my 20's).

He replied "It's a complex key sequence".

A few years later he told me the real password.

itsacomplexkeysequence

Pretty good! Years later I tried to put Finnish words into Linux passwords - with umlauted characters - but The Penguin - ubuntu - (oddly, considering its origin) doesn't like that. Now, I have to scan the Finnish dictionary for words like 'KYVYKKYYS' (capability) which really'll fuck 'john-the-ripper'. No, I don't use that one anymore.

Personal info is the key

What's wrong with

Name of your first crush. You never forget that and it's unlikely you told anyone who still knows you (if you're my age)

Reg no of your first car

Your Grandmother's maiden name in place of your old dear's

Name of the woman in Project Management who you have a thing for instead of your pet's surname...

Etc etc.

The trick is to know that you lied, but that you remember the lie.

The problem...

...is when you finally get it together with the woman in Project Management it immediately becomes a very insecure password ;-)

Anonymous Coward

Stupid password restrictions

I recently had to use a system that wouldn't let you have too many repeated characters in a password. I gave it a randomly generated password, RitCcLntnTGH3tZD, say, and it objected, so I shortened it to RitCcLntn and the system was happy. So, RitCcLntnTGH3tZD is easier to guess than RitCcLntn, is it?

It is my opinion that a password system should accept any password consisting of at least 6 ASCII characters. By all means give a warning if the password seems to be guessable, but don't refuse it as the password may be automatically generated or shared between multiple systems. You can't force users to choose secure passwords if they don't want to, so don't bother trying as you'll only annoy the users who know what they're doing.

Anonymous Coward

Re: Stupid password restrictions

That's pretty dangerous but I see where you're coming from.

You can go too far with password restrictions and it actually makes it less secure in many cases.

For example forcing users to change their password every 30 days results in passwords appended with 1, 2, 3 or the month which is hardly useful. But worse than that, faced with dozens of passwords changing all the time makes people much more likely to write them down. I've seen it many times now... a bit of paper with passwords on or worse, text files stored on shared storage with their passwords in!

ASCII characters?

Including LF, NUL, EOJ? Good luck, or just choose the printable ones. Alternatively, allow all the printable Unicode characters.

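The restrictions the last few posts complain about, in code. This is an added example, not any poster's code: weak_policy() is the kind of "too many repeated characters" rule that rejected RitCcLntnTGH3tZD but accepted the shorter RitCcLntn, and sane_policy() is the alternative a practitioner would ship: accept any printable text in any script (the poster's point about ASCII control characters versus printable Unicode), normalise it so the same password typed on different keyboards hashes the same, and reject only length violations, control characters and known-breached strings. The blocklist is a constructed stand-in for a real breached-password list.

```python
"""Password acceptance rules that help versus rules that hurt.

Added example, not code from any poster. The BREACHED set is a tiny
constructed stand-in for a real breached-password list.
"""
import unicodedata
from collections import Counter

BREACHED = {"password", "password1", "qwerty123", "letmein", "123456789"}  # constructed


def weak_policy(pw: str):
    """Rejects any password in which some character (case-insensitively)
    occurs more than twice. Long random strings fail it; short ones pass,
    which is backwards."""
    counts = Counter(pw.casefold())
    if counts and max(counts.values()) > 2:
        return False, "too many repeated characters"
    return True, "ok"


def sane_policy(pw: str, min_len: int = 8, max_len: int = 128):
    """Returns (accepted, reason, normalised_form). The normalised form is
    what should be fed to the password hash, so that an e-acute typed as
    one code point or as e plus a combining accent is the same password."""
    norm = unicodedata.normalize("NFKC", pw)
    if not min_len <= len(norm) <= max_len:
        return False, f"length must be {min_len}-{max_len} characters", norm
    for ch in norm:
        # Cc = control characters (NUL, LF, ...); Cn = unassigned code points.
        # Everything else, spaces and any script included, is allowed.
        if unicodedata.category(ch) in ("Cc", "Cn"):
            return False, "control or unassigned character", norm
    if norm.casefold() in BREACHED:
        return False, "appears in breached-password list", norm
    return True, "ok", norm


if __name__ == "__main__":
    for candidate in ["RitCcLntnTGH3tZD", "RitCcLntn", "KYVYKKYYS", "Password1",
                      "e\u0301clair tarte", "pass\x00word"]:
        print(repr(candidate), "weak:", weak_policy(candidate)[0],
              "sane:", sane_policy(candidate)[:2])
```

Run as a script it shows the inversion: the repeated-character rule throws out the 16-character random string and the Finnish word mentioned later in the thread while passing the 9-character prefix, whereas the length-plus-blocklist policy accepts both random strings and rejects only the embedded NUL and the breached "Password1".
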
Careful now

Many years ago a friend of mine set the reset passphrase in some utility software to "I'm not telling you you fascist bastard".

Oh how we laughed.

His boss then sent copies to our distributors in Germany, USA, Israel...

Up the C**** or up the Ar**?

- caused no end of embarrassment to the poor girl on the helldesk who had to ask me that question over the phone before she could reset my password, I can tell you.

Hard questions

Some bank I used asked for a whole bunch of these (so it could present me with random ones). I found them really hard - "who is your favourite author?", "who is your favourite band?" It was like one of those getting-to-know-you chain emails.

Favourite author? It varies from time to time, and did I include "." after any initials? Same with my musical tastes, I like various bands. Favourite book? I think I can remember what I picked, but did I omit "The" from the title?

Even my mother's maiden name is ambiguous, she sometimes uses a hyphenated double name for the family name, sometimes not.

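The server side of the ambiguity problem in the post above, as an added example that is not any poster's code. canonical() folds away the surface differences the poster worries about (case, a stray full stop after an initial, a leading "The", hyphens and spaces in a double-barrelled name) before the answer is salted and hashed with scrypt, so nothing readable sits in the database and a call-centre agent never sees the answer. ResetChallenge requires every enrolled question to be right in a single attempt and locks after a handful of failures, which is what keeps the per-account guess budget of a statistical attack small. The scrypt parameters and the question texts are illustrative assumptions; normalisation cannot fix semantic ambiguity such as "Smith" versus "Smith-Jones".

```python
"""Storing a reset-question answer the way a password should be stored.

Added example, not code from any poster. Work factors and question texts
are illustrative assumptions.
"""
import hashlib
import hmac
import os
import re
import unicodedata


def canonical(answer: str) -> str:
    """Lower-case, Unicode-normalise and drop leading articles, punctuation
    and whitespace. "Smith" and "Smith-Jones" remain different answers."""
    s = unicodedata.normalize("NFKC", answer).casefold().strip()
    s = re.sub(r"^(the|a|an)\s+", "", s)   # "the hobbit." -> "hobbit."
    return re.sub(r"[\W_]+", "", s)        # "smith-jones" -> "smithjones"


SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}   # assumed work factors


def _hash(answer: str, salt: bytes) -> bytes:
    return hashlib.scrypt(canonical(answer).encode("utf-8"), salt=salt, **SCRYPT)


def enroll(answer: str) -> dict:
    """Record to store: a random salt plus the hash. No plaintext is kept."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(answer, salt)}


def verify(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(_hash(attempt, record["salt"]), record["hash"])


class ResetChallenge:
    """All enrolled questions must be answered correctly in one attempt, and
    the challenge locks after MAX_FAILURES wrong attempts."""
    MAX_FAILURES = 5

    def __init__(self, answers: dict):
        self.records = {q: enroll(a) for q, a in answers.items()}
        self.failures = 0

    def locked(self) -> bool:
        return self.failures >= self.MAX_FAILURES

    def attempt(self, answers: dict) -> bool:
        if self.locked():
            return False
        # Evaluate every question so the caller cannot learn which one failed.
        results = [verify(rec, answers.get(q, "")) for q, rec in self.records.items()]
        if all(results):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    ch = ResetChallenge({"first school": "St. Mary's Primary",
                         "favourite book": "The Hobbit"})
    print(ch.attempt({"first school": "st marys primary",
                      "favourite book": "Hobbit."}))
```

The usage at the bottom enrols two answers with their punctuation and articles, then verifies sloppily typed versions of both; the same record would also reject "Hobbit" typed into the wrong field, since the fields are checked independently and all must match.
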
Anonymous Coward

If you really think you might forget

then answer the question truthfully, but spell it backward/ROT-13/shift left/whatever other transformation you can think of. This works, because you will still only be using the allowed characters, but the answer is not really predictable. Just be consistent, or at least only use two or three methods, so you can get it in three guesses.

Anonymous Coward

Scramble

I can't say that I do it, but one answer to these conundrums would be to answer correctly, but scramble the correct answer in some way, following a procedure you can reasonably remember.

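The two pieces of advice running through this thread pull in opposite directions: "treat the answer as just another password" versus "answer truthfully and reverse it / ROT-13 it / scramble it by a procedure you remember". Below is an added example, not any poster's code, that puts both side by side: the attacker's reply to a keyless transform (apply the same handful of transforms to the surname dictionary), and a keyed derivation from one personal secret that produces a different, unguessable answer per site and question while fitting whatever character set the site allows. The secret value, site names and question strings are assumptions for the example.

```python
"""Choosing reset-question answers that an attacker cannot predict.

Added example, not code from any poster. Contrasts keyless transforms of
the true answer with a keyed, per-site derivation.
"""
import codecs
import hashlib
import hmac
import math
import string

# The keyless "transformations" a user might apply to the true answer.
TRANSFORMS = {
    "identity": lambda s: s,
    "reverse": lambda s: s[::-1],
    "rot13": lambda s: codecs.encode(s, "rot_13"),
    "rot13+reverse": lambda s: codecs.encode(s, "rot_13")[::-1],
}


def expanded_dictionary(words, transforms=TRANSFORMS):
    """The attacker's reply to keyless transforms: apply each one to every
    surname in the dictionary. The dictionary grows by at most a factor of
    len(transforms), so the guess budget needed barely moves."""
    return {t(w) for w in words for t in transforms.values()}


def derived_answer(secret: bytes, site: str, question: str,
                   alphabet: str = string.ascii_letters, length: int = 16) -> str:
    """Keyed derivation: HMAC-SHA256 of (site, question) under a personal
    secret, mapped onto `alphabet` so it passes the site's character rules.
    Knowing the scheme gives an attacker nothing without the secret, and the
    user remembers one secret rather than one made-up answer per site."""
    base = len(alphabet)
    # Symbols one 256-bit block can supply while leaving a few bits of slack,
    # which keeps the divmod mapping's bias negligible.
    per_block = int(248 // math.log2(base))
    out, counter = [], 0
    while len(out) < length:
        msg = f"{site}\x00{question}\x00{counter}".encode()
        n = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest(), "big")
        for _ in range(per_block):
            n, idx = divmod(n, base)
            out.append(alphabet[idx])
        counter += 1
    return "".join(out[:length])


if __name__ == "__main__":
    attacker = expanded_dictionary(["Smith", "Jones", "Williams", "Patel"])
    print("'ugvzF' (Smith, ROT-13 then reversed) in attacker's list:", "ugvzF" in attacker)
    secret = b"a long personal secret kept in a password manager"  # hypothetical
    print(derived_answer(secret, "bank.example", "mother's maiden name"))
    print(derived_answer(secret, "shop.example", "first school",
                         alphabet=string.ascii_letters + string.digits, length=24))
```

The derived answer is deterministic, so it can be regenerated from the secret at reset time without being stored anywhere; for a site that only accepts letters, pass string.ascii_letters, and for one that allows punctuation, pass a wider alphabet. The secret itself has to be protected like a master password, which is the one thing the keyless tricks above were trying to avoid and cannot.
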
"Hey Janelle...

... what's wrong with Wolfie?"

"Wolfie's fine...."

A little bit of knowledge can go a long way :D
