Password reset questions dead easy to guess

Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers. In the paper What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions (pdf), Joseph Bonneau of the University of Cambridge and two colleagues from the …

COMMENTS

This topic is closed for new posts.
  1. KirstarK

    only an idiot

    actually uses the correct stuff.

    Password question = Mother's maiden name

    Use a weird word like scalpel or ardvark or similar.

    Whenever I speak to the bank they ask if my mother's maiden name is really the weird word I have given them.

    1. Thomas 18
      Thumb Down

      uh...

      If you're going to use an unrelated word then you might as well just dispense with password recovery as a feature altogether. If you're the kind of person who forgets passwords you're just as likely to forget the obscure answer (more so in fact since you use it less often).

      Your birth certificate has your mother's maiden name on it so it's a bad idea to have conflicting bank records. Better just to ask them to setup some kind of SECURE password system instead of retarded questions.

      1. Anonymous Coward
        WTF?

        @Thomas 18

        What utter rubbish. Conflicting bank record.... what on earth are you on about. We are talking about the 'additional' security questions here - normally for things like password resets (which you would have even WITH a secure password system). I have NEVER given my real mother's maiden name when answering the question - and have never had any banking problems. It is just a question with preset answers - answer it how you like (and preferably in a way that others won't guess).

        I would be more concerned about the bank's security for actually using the question in the first place - 'cos it's VERY bad security practice to ask anything where the answer is in the public domain.

      2. Anonymous Coward
        Thumb Down

        @Thomas 18

        And when you forget your SECURE password, how do you suggest you confirm your identity to have it reset?

        Secure passwords will not negate the use of security questions for resets (or phone calls for that matter).

        Also.. please explain "Your birth certificate has your mothers maiden name on it so its a bad idea to have conflicting bank records." WTF are you on about? I'm guessing that this is really not your area of knowledge, and that you have never had the pleasure of setting up security for a call centre.

        1. John Lilburne
          FAIL

          Fool!

          It's a simple challenge and response, you fool. If you choose always to respond to MMN with "Queen of Sheba" or name of first school as "Padre KiddieDiddler" that is memorable to you but not in the public domain, unless you reveal it to someone (oh damn!).

    2. alyn

      Helps if you can spell

      It is spelt aardvark, and this is a poor choice of password, being the first word in the English dictionary

      1. Marvin the Martian
        Stop

        Helps more if you can think

        @Alyn: "Aardvark" is bad if you expect a dictionary attack --- and a dictionary attack is exceedingly unlikely (and very stupid) on a "maiden name" question.

        Possibly a directory attack there (let's start with Patel and Smith as likeliest surnames) but nobody named Aardvark exists in the UK, and that was the point. Also note the "strange word like" and "or similar" in the sentence, as in "no, mine's not Aardvark but Beerwolf, actually factually".

        1. Allan George Dyer
          Thumb Down

          but if...

          the attacker anticipates a proportion of targets lying, a dictionary attack becomes much more likely.

          Obviously, my mother's maiden name was Zyfgdsbvcxvgfdsou

      2. Citizen Kaned

        you dont get it...

        What better than misspelling a security word? That's genius! Clever chap, poster #1!

      3. scottboy

        @alyn

        You need a better dictionary. Mine starts with 'a' - a noun, preposition and the indefinite article.

    3. Anonymous Coward
      Thumb Up

      totally agree..

      Whenever giving security awareness training I always tell people to LIE when answering security questions (other than those scenarios where the company uses personal details they have on record as confirmation). The rules are simple (and I have actually written standards on good security questions for use in government systems): never ask for anything that is in the public domain, never use anything that can be easily discovered, or has too few potential answers (I even had to rank security questions as to how good/bad they were).

      When a company does ask a stupid security question like 'mother's maiden name' that IS in the public domain, then LIE. So long as you remember your LIE you are OK. I have NEVER used my real mother's maiden name, nor real first school, nor real first company...

    4. Eddy Ito
      Unhappy

      Oh crap!

      I thought I was the only one to lie when answering those questions. Now everyone will know that chipotle mousse is my favorite color.

  2. Anonymous Coward
    Anonymous Coward

    ooooo

    They have the internet on computers now?

    "whose research currently focuses on security and privacy in social networks"

    lol he thinks there might be security and privacy in social networks? Poor bloke.

  3. Ben Tasker
    FAIL

    Problem Being

    Whilst sending the rest to a mobile may be more secure, who wants to have to give their mobile number to yet more companies? Sensible people put absolute garbage in as the answer, make no attempt to memorise it, and simply don't forget the flaming password!

    I hate services that insist on you setting a hint, even more so if they give you a drop down of questions to use rather than let you set your own question!

    Why do people have such problems remembering their passwords? I have 8 different alphanumeric-specialcharacter passwords of at least 8 characters on the go, but don't feel the need to write them down. OK some may struggle with this, but it's really not that hard!!!!

    1. JimC
      FAIL

      > I have 8 different passwords on the go...

      So what are you going to do on month nine? People really have trouble with frequent changes and no reuse rules. Then consider folk who have the sort of job where you don't sign onto computers every day...

    2. K T
      Megaphone

      Exactly

      The only sensible answer to any security question is to mash the keyboard like a drunk, coked-up monkey. Nothing companies think you can easily remember is unable to be found out easily.

      On the SMS front, my bank has recently started to send SMS messages with a code to confirm online transactions (only with online payment systems who support the extra security, though). I've done two so far and the SMS arrived within a minute. However, I'd like to know how that will work when the mobile network is busy.

      I shop online for the convenience. If a payment session times out (as they are bound to do), I might as well go queue up with the other proles.

      1. I. Aproveofitspendingonspecificprojects 1
        Boffin

        Ýùö Ćâŋ Ƌő ĩŤ Ļīķĕ Ţħıš

        or you can mung it like this:

        Ý;ù_ö#Ć~â)ŋ@ƋőppppĩŤ%55Ļ£ī$ķ22ĕ^Ţ*ħ-ı+š

        The permutations are endless and if you use the same permutation each time you won't forget it. Exemplar gratis:

        MÝyùmöo tĆhâeŋr sƋnőa mĩeŤi sĻīķĕ Ţħıš

        What's the big deal? Most simple cryptography relies on word spacing and "most common letters".

        Anyone out to target you is going to get you.

        So if you are in a job such as a senior government official in I'llaskher or somewhere out the back of back-wad, you need professional assistance, a secure server and a tad more sense than a lip stuck, porcine brained, sock mother.

        Speaking of Chimpanzees. How are things progressing with Rumsfeldgate over the loss of emails in the awful Orifice of the Wit House?

    3. Alan_Peery
      Alert

      8 passwords on the go

      @Ben Tasker

      Do yourself a favor, and find a bit of encrypting software and write them down.

      Why?

      1) As you add more passwords, each one becomes more difficult to remember.

      2) You might have a method for generating passwords. This works only until some stupid website doesn't allow you to use your chosen password as it doesn't match their password quality check.

      3) Under pressure, things like passwords can be difficult to remember.

      4) Non-fatal accidents involving head trauma will be even more traumatic if you can't remember your Twitter password...

  4. Russell Howe
    Stop

    What is your favourite colour?

    Well, that would be "#rW^Xy60tfA?mS?", of course.

    It's just another password. Treat it as such and you effectively work around the stupidly short password length restrictions on some sites.

    Even more stupid than password reminder Q&A is the "Password hint" concept which you find in various places (yes, Windows, I'm looking at you).

    My favourite "Password hint" which unfortunately I can't claim credit for is "Remember the password"

    1. Cameron Colley

      Except they won't let you.

      A few months ago I went to set up an account with some site or other and was asked for a reminder so I chose "What is your favourite color?" and attempted to answer with something which, while not impossible to guess, wouldn't be quite as easy as a standard one* -- but I couldn't use "Bible Black" because it had a space in it! Yes, I know I could have taken the space out and used it anyway, but that's not the point -- they were effectively trying to push users to use red|green|blue|black|white|grey rather than a passphrase.

      Then there's the second problem -- if I forgot my password how in teapot's name am I supposed to remember a "clever" answer to a security question?

      It's hard to implement a consistent and secure password system when every damn site has different password dos and don'ts from "must use mixed case" to "only use letters".

      Please, please, please web-app-designers of the world, for the love of the unicorn, just allow complex passwords and my own choice of security question[s] for every site!

      *the site wasn't that important, really, but I wanted to try to be a little more secure than default.

      1. Anonymous Coward
        Anonymous Coward

        Bible Black...

        ... as in the Anime?

        1. Nigel Whitfield.

          To begin at the beginning

          or as in "spring, moonless night in the small town, starless and bible-black" ?

      2. Chris007

        For Black Bible

        I'd use the passphrase "Read religion with good Sunglasses"

        Means nothing to anybody else but does to you.

        You need to make the passphrase trigger a memory which helps trigger the password

    2. Marvin the Martian
      Thumb Up

      Favourite colour?

      Green! Oh ahr no blue! (falls into chasm of doom)

      --

      The colour question is easily correctly remembered (and hard to guess) if you actually have a favourite colour. For example, #993333 (in HTML) or {.39 .13 .13} (in PSTricks/LaTeX) or whatever. Just use your favourite coordinate system, being RGB, CMYK, HSV, or other, with numbers 0.0--1.0, 0--256, 00--FF, or other. The problem is to invent a favourite colour and stick by it --- probably easiest is the colour code of your car's paint, as needed for small repair jobs.

      1. Cameron Colley

        ...must contain only letters of the alphabet...

        ... and it's "Starless and..." I was listening to.

    3. Andus McCoatover

      Favourite colour?

      For Gawds sake, don't let David Icke use that one..

      Or, 'Your favourite animal?'

      Turquoise, and Lizard, natch.

      As far as names are concerned, my mum told me a story. (I think it's apocryphal, but she worked in a supermarket).

      A woman was at the checkout, and the cashier asked for her name for some reason. "Emma Chizzit" came the reply. Think about it, but nice password.

      I did have an idea I tried to code for password security. Give the system the correct password, the code would say "Incorrect password". You'd have to enter the same password 3 times before it'd let you in.

      1. OrientalHero
        Paris Hilton

        Bzzzzt! Copycat!

        well not exactly

        ....but in the film Twilight's Last Gleaming the main man is trying to gain entry into an ICBM nuclear missile silo. He is challenged for an extra character to the code but he only has what he has. He has to repeat to the operator a couple of times that there are no more letters before he is let in.

        Now that was for a 1977 ICBM nuclear missile silo.

        So what are you trying to protect?!!??

        Perhaps some naughty pictures of Paris with some other scantily clad ....oh that's already on google.

  5. C Yates
    Paris Hilton

    It's the age old battle...

    ... between usability and security again...

    Yes you can make things much more secure by asking multiple questions and such, but it will make it harder (or just generally more annoying) for average joe when his mates tell him to sign up for a [insert new hip brand] account somewhere...

    The main problem here is really with the users - they basically need educating a lil, or at least telling that use of spouse/friend/pet's name is a no no, without at least including caps or numbers somewhere.

    Paris because it should be common sense =)

  6. Olly86
    Alert

    Who tells the truth with these questions?

    Whenever I'm asked one of the questions I always use a different answer for each place, and never the "true" answer.

  7. The Original Ash
    FAIL

    A simple solution to the problem

    Q: What was the name of the first school you attended?

    A: Orangutan sublimation

    Q: What is your mother's maiden name?

    A: Tescoshoppingbags

    Q: How do you guard against easy-to-guess question security holes?

    A: CHEESE WAFFLE CAR TYRES!

    It's not rocket surgery.

    1. Anonymous Coward
      Anonymous Coward

      Precisely!

      I had rocket surgery. They put a kerosene tank into my left leg and a lox one into my right and I've been walking askew ever since, and it fucking hurts too!

      Q: What is your favourite meal?

      A: Flaming stuffed dog shit turnips with steamed pantyhose.

      But it's definitely better to lie.

  8. Anonymous Coward
    Grenade

    I've used fake ones ever since my divorce.

    Well, she knows enough family facts to answer every question about me and steal more from me.

  9. Anonymous Coward
    Thumb Up

    Yep

    "Verified by Visa" - exactly the same problem - idiotically simple questions to guess and even when you gave them a proper one, it complained that you can't use special characters.

    I refuse to use it on those grounds alone.

    On the brighter side, when I last spoke to my bank, the chap on the other end was highly approving of my first school - "!gydBJ$%dZ^gs9q@ Primary"

    And yes, my mom IS called "Robert'); DROP TABLE Students;--" ( http://xkcd.com/327/ )

  10. Anonymous Coward
    Anonymous Coward

    Well that’s not at all obvious was it!

    I’m buggered... mother was a Smith, my pet dog is called Spot, I was born in London and my favourite colour is red!

    1. Anonymous Coward
      Happy

      and you're female

      ...if you were a man your favourite colour would be Blue.

  11. Anonymous Coward
    Anonymous Coward

    Limitations

    I too am sick of all these stupid limitations that these retarded companies foist on us.

    Stupidly short maximum character limits, restriction to alphanumeric characters only, no spaces allowed, etc. It's like they are going out of their way to force you to choose a password that is easy to crack.

    I prefer the hint systems where (a) you get to choose your own question and (b) at least 3 answers to different questions have to be provided in order to allow any kind of reset.

    If you can choose your own questions like "what's the name of the song that reminds me of my first holiday in Portugal" then not only do you have a better chance of remembering it, but it's also harder to crack (because you can frame the question to allow you to use a real, non-trivial answer that gives away no personal information about you).

    1. Red Bren
      FAIL

      Making it easy for them

      A former employer implemented a single-sign-on system across business critical applications and windows logins. One of the older systems required a password of up to 8 alphanumeric characters. A newer system required a password of at least 8 characters. Rather than make (expensive) changes to the older system, everyone had to have an 8 character alphanumeric password.

      They also reduced the password expiry period from 90 days to 30, but left the warning period at 14 days.

      1. cosmogoblin
        WTF?

        Why the warning?

        Why, oh why, do network passwords have "warning periods"?

        "Your password will expire in 15 days. Do you want to change it now?"

        No, you fucking idiot, I'll change it in 15 days, but I'd rather not change it from the 16-character random sequence I already memorised at all!

        Seriously, who in the whole world says "Actually, I could do with a new password. Why not? Let's change it to BUBBLES now."

  12. Andus McCoatover

    Passwords, Smashwords.

    Years ago, when the only 'puter we had at work was a PDP-11, I asked Austin, the chief honcho, what's the 'root' password. (OK, I was naive, in my 20's).

    He replied "It's a complex key sequence".

    A few years later he told me the real password.

    itsacomplexkeysequence

    Pretty good! Years later I tried to put Finnish words into Linux passwords - with umlauted characters - but The Penguin - ubuntu - (oddly, considering its origin) doesn't like that. Now, I have to scan the Finnish dictionary for words like 'KYVYKKYYS' (capability) which really'll fuck 'john-the-ripper'. No, I don't use that one anymore.

  13. 10to4
    Linux

    Personal info is the key

    What's wrong with

    Name of your first crush. You never forget that and it's unlikely you told anyone who still knows you (if you're my age)

    Reg no of your first car

    Your Grandmother's maiden name in place of your old dear's

    Name of the woman in Project Management who you have a thing for instead of your pet's surname...

    Etc etc.

    The trick is to know that you lied, but that you remember the lie.

    1. El Richard Thomas

      The problem...

      ...is when you finally get it together with the woman in Project Management it immediately becomes a very insecure password ;-)

  14. Anonymous Coward
    Anonymous Coward

    Stupid password restrictions

    I recently had to use a system that wouldn't let you have too many repeated characters in a password. I gave it a randomly generated password, RitCcLntnTGH3tZD, say, and it objected, so I shortened it to RitCcLntn and the system was happy. So, RitCcLntnTGH3tZD is easier to guess than RitCcLntn, is it?

    It is my opinion that a password system should accept any password consisting of at least 6 ASCII characters. By all means give a warning if the password seems to be guessable, but don't refuse it as the password may be automatically generated or shared between multiple systems. You can't force users to choose secure passwords if they don't want to, so don't bother trying as you'll only annoy the users who know what they're doing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stupid password restrictions

      That's pretty dangerous but I see where you're coming from.

      You can go too far with password restrictions and it actually makes it less secure in many cases.

      For example forcing users to change their password every 30 days results in passwords appended with 1, 2, 3 or the month which is hardly useful. But worse than that, faced with dozens of passwords changing all the time makes people much more likely to write them down. I've seen it many times now... a bit of paper with passwords on or worse, text files stored on shared storage with their passwords in!

    2. Allan George Dyer
      Headmaster

      ASCII characters?

      Including LF, NUL, EOJ? Good luck, or just choose the printable ones. Alternatively, allow all the printable Unicode characters.
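An added example (not code from any commenter or from the article) of the acceptance policy the two posts above argue for: a checker that refuses only what is genuinely unusable (too short, non-printable characters) and otherwise accepts and warns, placed beside a constructed model of the restrictive policy that rejected RitCcLntnTGH3tZD but took RitCcLntn. The thresholds, the "no character more than twice" rule and the warning texts are assumptions made for the demonstration.

```python
import unicodedata
from typing import List, Tuple

# Assumed thresholds: the 6-character floor proposed above, and a constructed
# length below which the checker only warns.
MIN_CODEPOINTS = 6
WARN_BELOW = 12


def legacy_check(pw: str) -> bool:
    """Constructed model of the restrictive policy described above:
    ASCII letters and digits only, 8 to 16 characters, and no character may
    appear more than twice. An assumption, not any real product's rule."""
    if not (8 <= len(pw) <= 16) or not pw.isascii() or not pw.isalnum():
        return False
    return all(pw.count(ch) <= 2 for ch in set(pw))


def is_printable(ch: str) -> bool:
    """Printable here means: not a control, format, surrogate, private-use or
    unassigned code point (Unicode category C*), and the only separator
    allowed is the plain space (so tab, NBSP and line separators are out)."""
    cat = unicodedata.category(ch)
    if cat.startswith("C"):
        return False
    if cat.startswith("Z") and ch != " ":
        return False
    return True


def check_password(pw: str) -> Tuple[bool, List[str]]:
    """Accept anything usable: refuse only hard errors, warn about the rest.

    Returns (accepted, messages). Length is counted in code points after NFC
    normalisation, so an umlaut typed as one or as two code points counts
    the same, and non-ASCII letters are allowed."""
    pw = unicodedata.normalize("NFC", pw)
    if len(pw) < MIN_CODEPOINTS:
        return False, ["too short: need at least %d characters" % MIN_CODEPOINTS]
    if any(not is_printable(ch) for ch in pw):
        return False, ["contains non-printable characters (NUL, LF, tab, ...)"]

    warnings = []
    if len(pw) < WARN_BELOW:
        warnings.append("short: a longer passphrase would be stronger")
    if len(set(pw)) <= 2:
        warnings.append("very few distinct characters")
    if pw.isdigit():
        warnings.append("digits only")
    return True, warnings
```

The point of the split is that a generated or shared password such as RitCcLntnTGH3tZD is never bounced, a passphrase with spaces such as "Bible Black" goes through with a warning rather than a refusal, and the only outright rejections are inputs that cannot be typed back reliably.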

  15. Blofeld's Cat
    FAIL

    Careful now

    Many years ago a friend of mine set the reset passphrase in some utility software to "I'm not telling you you fascist bastard".

    Oh how we laughed.

    His boss then sent copies to our distributors in Germany, USA, Israel...

  16. Anonymous Coward
    Paris Hilton

    Up the C**** or up the Ar**?

    - caused no end of embarrassment to the poor girl on the helldesk who had to ask me that question over the phone before she could reset my password, I can tell you.

  17. Anonymous Coward
    Flame

    Hard questions

    Some bank I used asked for a whole bunch of these (so it could present me with random ones). I found them really hard -"who is your favourite author?", "who is your favourite band?" It was like one of those getting-to-know-you chain emails.

    Favourite author? It varies from time to time, and did I include "." after any initials? Same with my musical tastes, I like various bands. Favourite book? I think I can remember what I picked, but did I omit "The" from the title?

    Even my mother's maiden name is ambiguous, she sometimes uses a hyphenated double name for the family name, sometimes not.

  18. Anonymous Coward
    Anonymous Coward

    If you really think you might forget

    then answer the question truthfully, but spell it backward/ROT-13/shift left/whatever other transformation you can think of. This works, because you will still only be using the allowed characters, but the answer is not really predictable. Just be consistent, or at least only use two or three methods, so you can get it in three guesses.

  19. Anonymous Coward
    Anonymous Coward

    Scramble

    I can't say that I do it, but one answer to these conundrums would be to answer correctly, but scramble the correct answer in some way, following a procedure you can reasonably remember.

  20. Anonymous Coward
    Terminator

    "Hey Janelle...

    ... what's wrong with Wolfie?"

    "Wolfie's fine...."

    A little bit of knowledge can go a long way :D

  21. ElReg!comments!Pierre

    Oh heck no you didn't

    «Sending reset passwords via text messages to a mobile phone already associated with an account represents another step towards improved security.»

    Good idea, because everyone owns a cell phone of five, ain't it?

    Well, no they don't. Not to mention that text messages are not the most secure medium ever... plus a mobe is easily nicked, or borrowed.

  22. Robert Carnegie Silver badge

    On reflection

    Every penetration kit probably has the complete Finnish dictionary as potential passwords. Also backwards and ROT13.

    The argument really is that you may be unlikely to crack one person's account by guessing the name is "Smith", but if there are 1000 people's accounts then "Smith" will probably get you at least one working one to abuse.

    Do people remember names of their schoolteachers? I'm sorry, I mostly don't. But it's a time in my life I don't like to think about. Surely that isn't uncommon.

    If it must be passwords and must be cryptic then human nature demands that they are short and you can write them down. Or use a barcode on a card.

    If system A demands >= 8 characters password and system B allows <= 8 characters password then probably you can set the password of each to "penetration" but system B will treat it as "penetrat" and will let you type "penetratwrong" and still let you in. Or maybe it will be "penetran".

    SCO UNIX did not allow "moscow" as a password because it contains "sco" as a substring. And when set to reject real words or numbers, it sometimes objected to hexadecimal strings, so I set passwords in bulk as "0qz" plus a random hex number. Then when I had to change them all, I made them a random hex number plus "qz0".
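The mismatch described in this post, as an added example that is not the poster's code and not any real single-sign-on product: a constructed legacy verifier that silently hashes only the first 8 characters, a non-truncating one beside it, and a probe a defender can run against a verifier to learn whether, and at what length, it truncates. The hashing scheme, the fixed salt and the low iteration count are assumptions chosen only to keep the demonstration small.

```python
import hashlib
import hmac

LEGACY_MAX = 8              # assumed: the legacy system's silent 8-character cut-off
ITERATIONS = 1_000          # assumed: kept low so the demonstration runs quickly
SALT = b"demo-salt-16byte"  # constructed; a real store uses a random per-user salt


def legacy_hash(password: str, salt: bytes = SALT) -> bytes:
    """Constructed model of the old system: hashes only the first 8 characters,
    so "penetration" and "penetratwrong" produce the same digest."""
    return hashlib.pbkdf2_hmac("sha256", password[:LEGACY_MAX].encode(), salt, ITERATIONS)


def modern_hash(password: str, salt: bytes = SALT) -> bytes:
    """Hashes the whole password, so any change to it changes the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(hash_fn, password: str, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    return hmac.compare_digest(hash_fn(password), stored)


def sso_accepts(password_set: str, password_typed: str) -> dict:
    """Both systems were enrolled with the same password; which accept what is typed?"""
    return {
        "system_A_full": verify(modern_hash, password_typed, modern_hash(password_set)),
        "system_B_truncating": verify(legacy_hash, password_typed, legacy_hash(password_set)),
    }


def detect_truncation(hash_fn, probe_length: int = 32):
    """Defender's probe: enrol a long password, then try each proper prefix of it.
    Returns the shortest prefix length the verifier accepts, or None when only
    the full password is accepted (no truncation)."""
    probe = "".join(chr(ord("a") + i % 26) for i in range(probe_length))
    stored = hash_fn(probe)
    for n in range(1, probe_length):
        if verify(hash_fn, probe[:n], stored):
            return n
    return None


if __name__ == "__main__":
    print(sso_accepts("penetration", "penetratwrong"))
    print("legacy truncates at:", detect_truncation(legacy_hash))
    print("modern truncates at:", detect_truncation(modern_hash))
```

Run against a real verifier, detect_truncation needs an account you control and a login call in place of verify; if it returns a number, every password on that system is effectively that many characters long, whatever the policy on the other systems in the SSO says.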

    1. Andus McCoatover

      Finnish dictionary?

      What, with all 18 (possible) case-endings?

      Mine is about 3" thick. Fin-Eng.

      The Eng-Fin one (separate book) is the same. God, about a gigabyte! Doubt it...Even a bedroom-based script kiddie would have better things to do with their time.

      1. Robert Carnegie Silver badge

        The hacking dictionary -

        doesn't need to define meanings of all the words... I'd just sample text from Finnish Twitter or something.
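The population-scale point in Robert Carnegie's post (one guess rarely opens a given account, but across a thousand accounts it almost certainly opens some), as an added worked example that is not the poster's code or the paper's. It uses a constructed, illustrative answer distribution for a maiden-name question rather than real census figures, computes the risk figures a defender would want before offering such a question, and compares the single-best-guess work factor with that of a uniformly random six-character password of the kind this thread prefers. The distribution values, the three-guess lockout limit and the account count are assumptions.

```python
from math import log2

# Constructed, illustrative distribution: the probability that a randomly chosen
# user's answer to "mother's maiden name" is each value. Not real census data.
# The remaining probability mass is spread over rare names that an attacker's
# first few guesses never hit, so it is modelled as contributing zero.
ANSWER_DIST = {
    "smith": 0.012, "jones": 0.009, "williams": 0.007, "taylor": 0.006,
    "brown": 0.006, "davies": 0.005, "patel": 0.005, "evans": 0.004,
}


def top_k_success(dist, k):
    """Fraction of accounts opened when each account is tried with the k most
    common answers (k is the number of attempts a lockout allows)."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:k])


def expected_compromised(dist, k, n_accounts):
    """Expected number of accounts opened across a population of n_accounts."""
    return n_accounts * top_k_success(dist, k)


def prob_at_least_one(dist, k, n_accounts):
    """Probability that at least one of n_accounts falls to k guesses each."""
    return 1 - (1 - top_k_success(dist, k)) ** n_accounts


def min_entropy_bits(dist):
    """Min-entropy: the work, in bits, that the single best guess faces."""
    return -log2(max(dist.values()))


def random_password_min_entropy_bits(alphabet_size, length):
    """The same measure for a uniformly random password, where every guess is
    equally likely to be right."""
    return length * log2(alphabet_size)


def risk_report(dist, k, n_accounts):
    """Figures to put in front of whoever wants to ship the question."""
    return {
        "per_account_success": top_k_success(dist, k),
        "expected_compromised": expected_compromised(dist, k, n_accounts),
        "prob_at_least_one": prob_at_least_one(dist, k, n_accounts),
        "question_min_entropy_bits": min_entropy_bits(dist),
        "six_char_random_password_bits": random_password_min_entropy_bits(62, 6),
    }


if __name__ == "__main__":
    # Assumed: three guesses per account (a typical lockout threshold), 1000 accounts.
    for key, value in risk_report(ANSWER_DIST, 3, 1000).items():
        print(f"{key}: {value:.4g}")
```

With these illustrative numbers a single guess of "smith" opens about 1.2% of accounts, which against one account is a poor bet but across 1000 accounts is a near certainty, and three guesses per account open roughly 28 of them; the question offers about six bits of work against the best guess, against roughly 36 bits for a random six-character password. Substituting the real answer distribution for your own user base turns this into the check to run before a question goes into a reset flow.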

  23. SteveB

    Father's First Name

    I had one of these sites ask for "Father's First Name" as a mandatory security question. With a 6 character minimum.

    Shame he's called John (or at least was for the purposes of that site)

  24. This post has been deleted by its author

  25. Anonymous Coward
    Paris Hilton

    Proper recovery answers

    All mine are like 'gerufh34uih328h23a' and stored in a heavily encrypted file with a key I would only ever forget if I was dead.

    Password reset questions are a huge vulnerability, like having a reinforced door with 5 locks on the front of a house, then a large unlocked window round the back
