City of birth? Why password questions are a terrible idea

Using secret questions to give people access to their passwords is a terrible idea, according to a new paper from Google. A white paper [PDF] called "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google" dug into the data of millions of users interactions with a range of password- …

Re: Even worse

Achievement unlocked! Longest. Name. Ever.


Re: Even worse

What about orange? Both a fruit and a colour.


Re: Even worse

What about orange? Both a fruit and a colour.

Fun fact: No they aren't. Not really :D

Anonymous Coward

Re: Even worse

I could imagine some online forms choking on Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch as a place of birth

The Kiwis can go one better:

http://upload.wikimedia.org/wikipedia/commons/5/5b/New_Zealand_0577.jpg


Using secret questions to give people access to their passwords is a terrible idea, according to a new paper from Google anyone with a brain.

Bleeding obvious really - unchangeable, factual answers (like city of birth) are easy to remember but the easiest for someone else to find out.

The best compromise for secret questions is to allow users to write their own questions as well; then the user can - if they are clever* - set up questions where the answers are easy to remember but very hard to guess or discover.

* - Big "if", I know . . .


"are easy to remember but the easiest for someone else to find out."

Hell, even Sarah Palin knows that...


My favorite question is when you can write your own. I have a good question that very few people would know the answer to.


Please input a question only you know the answer to

"You're letting me write my own question?"

Sorry, your reply must not contain any spaces or punctuation, and must have at least one capital and one small letter, and must contain at least one number.

"5oY0uWan7Me2AskAQuest1onL1keThi5"

Thank you. Now please type in the answer to that question.

*clicks 'forgotten your question' button*


easy to remember? really?

Great post, Dan1980 but just one thing: "Bleeding obvious really - unchangeable, factual answers (like city of birth) are easy to remember but the easiest for someone else to find out."

Well, actually, no. I was born in .... well, sometimes that particular part of Melbourne is regarded as Elwood, sometimes it's East St Kilda, but people mostly save confusion and say Elsternwick (which is right next door and better known) or possibly St Kilda. On your power bill it might say "Elwood", but your electoral registration is "East St Kilda" .... and I haven't even mentioned the rates notice, which says "St Kilda, East". Then again, whichever way you think of it, it's part of the municipality of Caulfield. That might be a better answer. On the other hand, maybe I should just say "Melbourne" as all these are suburbs of Melbourne. But that's too easy for third parties to guess - probably 70% of all Australians living in Victoria were born somewhere in Melbourne.

Right: it's three years later and some stupid website is asking me where I was born so that I can get back into my account. Do I feel lucky?

(Disclaimer: I wasn't really born in the place(s) I mentioned, but in a different part of town with an equal multiplicity of possible names. Better not to mention these things on-line. At least not truthfully. Especially not when I don't even know for sure what the "truth" is! Should I just give a lat/long instead? Or possibly just go to a different website where the IT gnomes are slightly less stupid.)


Re: easy to remember? really?

Surely the problem here, even if you can remember the "unique" answer you gave, or even the "unique" question you asked, is that once it's compromised it's compromised everywhere.

So, the only real solution is to give a different answer on each site which works like this and then record them somewhere... oh hang on a mo, if that's compromised we're back to the same problem....


@a_yank_lurker, and the answer is "2 inches".


Set your own questions ...

My erstwhile boss had something like:

Q: "I hope you don't think you're going out dressed like that, young lady!"

A: "I'll go out dressed how I like, I hate you and you aren't my real dad anyway!"

Ironically when these Q&A pairs get funny enough, you usually can't resist telling someone else ...

Anonymous Coward

@Evil Auditor

You are a_yank_lurker's other half, and I claim my £5!


The problem with allowing users to write their own question is that although it confers security to smart users, it confers broad new vistas of insecurity to dumb ones. Which is, unfortunately, most of us...


On one website I was using, when I created my account it asked me to create 2 questions and associated answers to be used in the event of needing to recover my password. 3 months later, I've forgotten the password and click on the "Forgotten my password" link.

"What is the answer to question 1?"

That was it. It didn't actually display my question, it just assumed that, despite the fact I've proven I'm incapable of remembering a password, you now think I can remember the questions I wrote, the answer AND the order in which I wrote them?!


east st kilda

Was City of Caulfield. Now city of Glen Eira. But city of St Kilda now city of Bayside. So a few more chances of misremembering "correct" answer.

(Same logic applies to yr real suburb since all the council names were forcibly changed in the 90s.)


I once encountered a forum where they prompted for a custom secret question. Great idea, I thought, and put in a properly clever one. And some lengthy time later, had to do a password recovery, and it started with asking me a fill-in-the-blank "What is your secret question?" At which point I abandoned the site, never to return.


I've always preferred sites that allow you to create the question and answer yourself, so you create outside the box questions that are harder if not impossible to find via social engineering.

Plus I keep everything in a password safe with a copy online and with the questions in the notes section.


Questions

I've always preferred sites that allow you to create the question and answer yourself

Agreed. I have long wondered why there are prepared questions at all. When you write the question yourself, it can be made to relate to a personally memorable event or fact, which is easier to remember and far less likely to be discoverable by an attacker than something like mother's maiden name.

Anonymous Coward

Re: Questions

The "conventional wisdom" (take that as you wish) is that if you allow people to enter their own question then the majority will be too lazy, enter something like "2 + 2?" (with the correct answer!) and any semblance of security has vanished in a puff of smoke.

Now of course the retort to that is that those (of us) who are sensible and have a clue will not enter such a trivial question, or will enter a non-obvious answer.

Basically, do you try to get everyone to a level where there is a veneer of security by asking from a pre-defined list of supposedly non-obvious questions, or do you allow a free-for-all knowing that some will end up being more secure and some end up being significantly less secure?


Write your own question

Doesn't all this boil down to...

Question - "What's my other password?"

Answer - "MyOtherFavouritePassword"

Which isn't a million miles away from a two factor scheme which asks for two things? Which then lets you tick to "trust" this device (forever/30 days), which is the one that's hacked and can bypass the MFA anyway...


Anonymous Coward

Eh?

If you keep the account details in a Password safe then why would you even need to go through the forgot password questions in the first place?

Anonymous Coward

One time when signing up to something I got a security question that asked

"First telephone number:"

I couldn't remember it so I took the only logical step and put

"1"

Which the form happily accepted.

Anonymous Coward

I see Alexander Graham Bell is making a comeback on The Register… and we thought he was dead!


"Hello. You have reached the answering machine of Alexander Graham Bell, inventor of the first telephone. If you've invented another telephone..."

(From the Celebrity Answerphones round on I'm Sorry I Haven't A Clue a few years ago)

Anonymous Coward

(From the Celebrity Answerphones round on I'm Sorry I Haven't A Clue a few years ago)

God I miss that show… used to hear it on 4QR (aka ABC Radio National Brisbane; 792kHz) some mornings before 6AM as well as other BBC classics like My Word and The Goons.


ISIHAC

Still going, with Jack Dee in the chair, and (surprisingly?) still quite good


My bank

The weakest passwords in use are for my bank, who claim - seriously - that allowing upper case and non-alphabetic characters would be too confusing for customers.

Unlike questions about my childhood, answers to which have either been forgotten or suppressed decades earlier.

Anonymous Coward

Choose a question (and answer) on car numbers

What was the registration of your first car?

What was the registration of your previous car?

What was the registration of your red car?

What was the registration of your father's car?

Etc.

Would work for quite a few people.


Re: Choose a question (and answer) on car numbers

What was the registration of your first car? (Ans: PWT-377. Easy.)

What was the registration of your previous car? (Ans: I didn't *have* a car previous to my first car! Or maybe you mean the one previous to the one I have now. Easy: IOW:682.)

What was the registration of your red car? (Ans: GTE-221. Simple)

What was the registration of your father's car? (Ans: TJQ:710. I'll never forget that one.)

What is the registration of your current car? (Ans: Um ... hang on a minute .... I'll just go outside and look.)


Re: What was the registration of your father's car?

His first car, his previous car or his red car?


Re: Choose a question (and answer) on car numbers

(Leaving aside that car registration numbers can be a bit short)

"What was the registration of your first car?"

Okay, fair enough.

"What was the registration of your previous car?"

What happens if you change cars one or more times after choosing that question and setting the answer?

You set it up and enter AB12 CDE as your answer - then n years down the line, you have to resort to answering that question. You think back, and remember that the registration of your previous car (to the one you now have) is VW12XYZ.

"What was the registration of your red car?"

Even if you select a colour for which you have only had one car, the n years later problem still applies - between setting that question and answer and the arbitrary point in the future when you need to answer that question, you may have had more.

"What was the registration of your father's car?"

Which one? (Car, not father!) My step dad has had quite a few in the 40+ years I've known him!

"Would work for quite a few people."

I see flaws. :)

The advice I generally give to people is to treat "secret questions" as password prompts, and enter a sensible password instead - especially on sites that have replaced passwords with secret questions (HSBC, I'm looking at you - the use of 2FA does not make this acceptable). However, since it's likely that (because they aren't passwords) many sites won't salt/hash the answers, this makes it even more important to ensure that password is unique. (So use a password manager such as KeePass)

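The "sites won't salt/hash the answers" point above is a server-side problem that is easy to get right. As an added illustration (not code from the commenter or from any site named in the thread), here is how a recovery-answer store can normalise answers so "East St. Kilda" and "east st kilda" match, reject the trivially weak enrolments the thread mocks ("1" for a phone number, "2 + 2?", answer repeated in the question) and then store each answer exactly like a password: per-answer random salt and PBKDF2-HMAC-SHA256. The iteration count and minimum length are assumed policy values, not anything the page states.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Assumed policy values for this example; tune for your own deployment.
PBKDF2_ITERATIONS = 600_000
MIN_ANSWER_CHARS = 4


def normalize_answer(answer: str) -> str:
    """Fold case, strip accents and drop whitespace/punctuation so the
    same answer typed slightly differently years later still verifies."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    ascii_only = "".join(c for c in folded if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", "", ascii_only)


def reject_reason(question: str, answer: str) -> Optional[str]:
    """Return why a question/answer pair is too weak to enrol, or None."""
    norm = normalize_answer(answer)
    if len(norm) < MIN_ANSWER_CHARS:
        return "answer too short after normalisation"      # e.g. "1"
    if norm.isdigit() and len(norm) < 7:
        return "short purely numeric answer"
    if re.fullmatch(r"[\d\s+\-*/=?]+", question.strip()):
        return "question is an arithmetic puzzle"          # e.g. "2 + 2?"
    if norm in normalize_answer(question):
        return "answer is contained in the question"
    return None


def enrol_answer(answer: str) -> Tuple[bytes, bytes]:
    """Store only a random salt and a slow hash of the normalised answer,
    never the plaintext; a database dump then leaks nothing reusable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)
```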

Re: Choose a question (and answer) on car numbers

"What was the registration of your favourite car?"

- OUTATIME

"Invalid, your answer must contain at least one number"

- Yeah, I already knew you were going to say that... fine, OUTATIME1

"Invalid, your answer must contain at least one symbol"

- Dang it... OUTATIME-1

"Invalid, your answer must contain eight characters or less"

- Arrrrgh!... TIME1

"Invalid, your answer is based on a dictionary word you miserable no-good two-timing bastard!"

- What the... Hey, is that you, KITT?!?


Re: Choose a question (and answer) on car numbers

Nope. I couldn't tell you the reg of my current car.


Re: Choose a question (and answer) on car numbers

The fucking car park has started to ask my registration number before it will give me a ticket these days!

I might learn it soon - but by the time I'm back at the car the dogs had a shit so no need for the ticket!


That'll work

The best (as in, most idiotic) security question I've come across was "Where did you go on your last holiday?". Presumably they decided "What did you eat last?" was too ridiculous.


"Where did you go on your last holiday?"

Chainsaw Juggling Resort?

Dignitas Clinic?

Thomas Cook?


Still too many failures

I'd think that for far too many people, Google's suggested questions still wouldn't work.

I wasn't born in a city, and my dad doesn't have a middle name.

(this post from the I-am-Spartacus department)


Re: Still too many failures

I wasn't born in a city, and my dad doesn't have a middle name.

My impression from completing web forms is that for Americans "city" means anything from a hamlet up.


I just don't see the problem

I've got over 200 sign ons and PINs to various online systems and similar. All the passwords are different. Some time ago I started using fictitious answers to the security questions. All these are stored in a password vault that is password protected and encrypted and not stored anywhere online or in the "cloud" - but is backed up. The few systems I access regularly, I remember; anything I cannot remember I look up.

I have Power of Attorney over my mother's affairs and use the same system for her stuff.

Over the years I've spent so much time helping people access their systems, because they are too hopeless to even note the password they just set 3 minutes earlier or explaining to them that having the same password everywhere is just plain daft. Some people even find it impossible to remember their own name.


SQRL

Seems solid.


You're all forgetting the rules...

Not only do they ask these "stupid" question but they set rules on the answer.

Where were you born? Bath

*Sorry please enter an answer longer than 5 characters.

Resetting by SMS is a nice idea, but I still work in an area of the UK that has zero mobile coverage. When my bank started using a 10 minute SMS message to grant access to my on-line account I was locked out from work. Very frustrating...


Too old to remember

I have no hope of remembering all of the passwords that I need these days, still less of remembering answers to questions.

So I use gibberish throughout and write it down in my little black book. Perfectly OK wrt on-line threats, but of course burglars are remotely a threat.


Re: Too old to remember

Ditto. In any case, I would bet the circles of real / virtual criminals (aka. burglars / hackers) don't have much overlap.


"Using SMS and another email address is more secure" said Google.

"Quite honestly your father's middle name is pretty worthless to us. We much rather you gave us relevant and useful info...."


If I get free choice of question, then I tend to do jeopardy-style, the question goes in the answer box, the answer in the question... So 'please answer your security question: Bugsy?' with the answer 'what was your grandma's dog called'

Surprisingly easy to remember.

If not, I make up something rubbish like 'Where did you go to school?' 'Zamonia High' and store it in my password manager. Which is kind of redundant. If I have the password manager to get the answer from, then I also have the password.

Note: My grandma didn't have a dog.


I call BS on this, I think they just want to harvest phone numbers out of people - a way to identify you and better target their ads.

Their questions are rather silly, especially the family-related questions ... you would not want your wife/brother/sister/father to access your email account, would you ? City of birth is really silly, too many people know that. These, of course, make social engineering so much easier.

I think you should be able to ask your own questions, as for the mathematical "questions", those can be detected and vetoed.

I hate it when I cannot use spaces in passwords.

The worst website I have come across in recent years is www.apec.fr - THEY EMAIL YOUR PASSWORD TO YOU, IN 2015, HONEST!!!!!


I used to be registered on a job website that would send me my password in clear text with every job listing email - WHILE I WAS IN THE JOB CENTRE WORK CLUB!!!!! (JobClubsWorth: Why aren't you reading your jobs emails? Me: Because you're looking over my shoulder watching my emails!)

But, tangentially, WTF does a job website want super-secure authentication? WhoTF can do anything with the list of jobs I've applied for?


Secret questions are a hangover from the "security" procedures used by banks before the Internet. They never offered much security, for the obvious reasons outlined in the article.



Biting the hand that feeds IT © 1998–2017